[Web] add mTLS Authentication

[Web] fix idp mailbox login
dovecot: corrected dockerfile inside nightly
2026-03-13 18:21:23 +00:00 · 2024-02-13 11:17:49 +01:00 · 2024-02-05 17:15:36 +01:00 · 2024-02-05 15:57:44 +01:00 · 2024-02-05 15:22:02 +01:00 · 2024-02-05 12:49:51 +01:00
931 changed files with 16862 additions and 42707 deletions
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,2 +1 @@
 github: mailcow
 custom: ["https://www.servercow.de/mailcow?lang=en#sal"]
--- a/.github/ISSUE_TEMPLATE/Bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/Bug_report.yml
@@ -11,35 +11,22 @@ body:
        required: true
  - type: checkboxes
    attributes:
-      label: Checklist prior issue creation
+      label: I've found a bug and checked that ...
-      description: Prior to creating the issue...
+      description: Prior to placing the issue, please check following:** *(fill out each checkbox with an `X` once done)*
      options:
-      - label: I understand that failure to follow below instructions may cause this issue to be closed.
+      - label: ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
        required: true
-      - label: I understand that vague, incomplete or inaccurate information may cause this issue to be closed.
+      - label: ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
        required: true
-      - label: I understand that this form is intended solely for reporting software bugs and not for support-related inquiries.
+      - label: ... I have understood that answers are voluntary and community-driven, and not commercial support.
        required: true
-      - label: I understand that all responses are voluntary and community-driven, and do not constitute commercial support.
+      - label: ... I have verified that my issue has not been already answered in the past. I also checked previous [issues](https://github.com/mailcow/mailcow-dockerized/issues).
        required: true
      - label: I confirm that I have reviewed previous [issues](https://github.com/mailcow/mailcow-dockerized/issues) to ensure this matter has not already been addressed.
        required: true
      - label: I confirm that my environment meets all [prerequisite requirements](https://docs.mailcow.email/getstarted/prerequisite-system/) as specified in the official documentation.
        required: true
  - type: textarea
    attributes:
      label: Description
-      description: Please provide a brief description of the bug. If applicable, add screenshots to help explain your problem. (Very useful for bugs in mailcow UI.)
+      description: Please provide a brief description of the bug in 1-2 sentences. If applicable, add screenshots to help explain your problem. Very useful for bugs in mailcow UI.
-    validations:
+      render: plain text
      required: true
  - type: textarea
    attributes:
      label: "Steps to reproduce:"
      description: "Please describe the steps to reproduce the bug. Screenshots can be added, if helpful."
      placeholder: |-
        1. ...
        2. ...
        3. ...
    validations:
      required: true
  - type: textarea
@@ -49,36 +36,45 @@ body:
      render: plain text
    validations:
      required: true
  - type: textarea
    attributes:
      label: "Steps to reproduce:"
      description: "Please describe the steps to reproduce the bug. Screenshots can be added, if helpful."
      render: plain text
      placeholder: |-
        1. ...
        2. ...
        3. ...
    validations:
      required: true
  - type: markdown
    attributes:
      value: |
        ## System information
-        In this stage we would kindly ask you to attach general system information about your setup.
+        ### In this stage we would kindly ask you to attach general system information about your setup.
  - type: dropdown
    attributes:
      label: "Which branch are you using?"
-      description: "#### Run: `git rev-parse --abbrev-ref HEAD`"
+      description: "#### `git rev-parse --abbrev-ref HEAD`"
      multiple: false
      options:
-        - master (stable)
+        - master
        - staging
        - nightly
    validations:
      required: true
  - type: dropdown
    attributes:
      label: "Which architecture are you using?"
-      description: "#### Run: `uname -m`"
+      description: "#### `uname -m`"
      multiple: false
      options:
-        - x86_64
+        - x86
        - ARM64 (aarch64)
    validations:
      required: true
  - type: input
    attributes:
      label: "Operating System:"
      description: "#### Run: `lsb_release -ds`"
      placeholder: "e.g. Ubuntu 22.04 LTS"
    validations:
      required: true
@@ -97,44 +93,43 @@ body:
  - type: input
    attributes:
      label: "Virtualization technology:"
-      description: "LXC and OpenVZ are not supported!"
+      placeholder: "KVM, VMware, Xen, etc - **LXC and OpenVZ are not supported**"
      placeholder: "KVM, VMware ESXi, Xen, etc"
    validations:
      required: true
  - type: input
    attributes:
      label: "Docker version:"
-      description: "#### Run: `docker version`"
+      description: "#### `docker version`"
      placeholder: "20.10.21"
    validations:
      required: true
  - type: input
    attributes:
      label: "docker-compose version or docker compose version:"
-      description: "#### Run: `docker-compose version` or `docker compose version`"
+      description: "#### `docker-compose version` or `docker compose version`"
      placeholder: "v2.12.2"
    validations:
      required: true
  - type: input
    attributes:
      label: "mailcow version:"
-      description: "#### Run: ```git describe --tags `git rev-list --tags --max-count=1` ```"
+      description: "#### ```git describe --tags `git rev-list --tags --max-count=1` ```"
-      placeholder: "2022-08x"
+      placeholder: "2022-08"
    validations:
      required: true
  - type: input
    attributes:
      label: "Reverse proxy:"
-      placeholder: "e.g. nginx/Traefik, or none"
+      placeholder: "e.g. Nginx/Traefik"
    validations:
      required: true
  - type: textarea
    attributes:
      label: "Logs of git diff:"
-      description: "#### Output of `git diff origin/master`, any other changes to the code? Sanitize if needed. If so, **please post them**:"
+      description: "#### Output of `git diff origin/master`, any other changes to the code? If so, **please post them**:"
      render: plain text
    validations:
-      required: false
+      required: true
  - type: textarea
    attributes:
      label: "Logs of iptables -L -vn:"
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,7 +1,7 @@
 blank_issues_enabled: false
 contact_links:
  - name: ❓ Community-driven support (Free)
-    url: https://docs.mailcow.email/#community-support-and-chat
+    url: https://docs.mailcow.email/#get-support
    about: Please use the community forum for questions or assistance
  - name: 🔥 Premium Support (Paid)
    url: https://www.servercow.de/mailcow?lang=en#support
--- a/.github/ISSUE_TEMPLATE/pr_to_nighty_template.yml
+++ b/.github/ISSUE_TEMPLATE/pr_to_nighty_template.yml
@@ -1,3 +1,13 @@
 ## :memo:  Brief description
 <!-- Diff summary - START -->
 <!-- Diff summary - END -->
 ## :computer:  Commits
 <!-- Diff commits - START -->
 <!-- Diff commits - END -->
 ## :file_folder:  Modified files
 <!-- Diff files - START -->
 <!-- Diff files - END -->
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,38 +0,0 @@
 <!-- _Please make sure to review and check all of these items, otherwise we might refuse your PR:_ -->
 ## Contribution Guidelines
 * [ ] I've read the [contribution guidelines](https://github.com/mailcow/mailcow-dockerized/blob/master/CONTRIBUTING.md) and wholeheartedly agree them
 <!-- _NOTE: this tickbox is needed to fullfil on order to get your PR reviewed._ -->
 ## What does this PR include?
 ### Short Description
 <!-- Please write a short description, what your PR does here. -->
 ###  Affected Containers
 <!-- Please list all affected Docker containers here, which you commited changes to -->
 <!--
 Please list them like this:
 - container1
 - container2
 - container3
 etc.
 -->
 ## Did you run tests?
 ### What did you tested?
 <!-- Please write shortly, what you've tested (which components etc.). -->
 ### What were the final results? (Awaited, got)
 <!-- Please write shortly, what your final tests results were. What did you awaited? Was the outcome the awaited one? -->
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -15,6 +15,12 @@
    "data\/web\/inc\/lib\/vendor\/**"
  ],
  "regexManagers": [
    {
      "fileMatch": ["^helper-scripts\/nextcloud.sh$"],
      "matchStrings": [
        "#\\srenovate:\\sdatasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?( extractVersion=(?<extractVersion>.*?))?\\s.*?_VERSION=(?<currentValue>.*)"
       ]
    },
    {
      "fileMatch": ["(^|/)Dockerfile[^/]*$"],
      "matchStrings": [
--- a/.github/workflows/check_if_support_labeled.yml
+++ b/.github/workflows/check_if_support_labeled.yml
@@ -1,37 +0,0 @@
 name: Check if labeled support, if so send message and close issue
 on:
  issues:
    types:
      - labeled
 jobs:
  add-comment:
    if: github.event.label.name == 'support'
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      - name: Add comment
        run: gh issue comment "$NUMBER" --body "$BODY"
        env:
          GH_TOKEN: ${{ secrets.SUPPORTISSUES_ACTION_PAT }}
          GH_REPO: ${{ github.repository }}
          NUMBER: ${{ github.event.issue.number }}
          BODY: |
              **THIS IS A AUTOMATED MESSAGE!**
              It seems your issue is not a bug.
              Therefore we highly advise you to get support!
              You can get support either by:
              - ordering a paid [support contract at Servercow](https://www.servercow.de/mailcow?lang=en#support/) (Directly from the developers) or
              - using the [community forum](https://community.mailcow.email) (**Based on volunteers! NO guaranteed answer**) or
              - using the [Telegram support channel](https://t.me/mailcow) (**Based on volunteers! NO guaranteed answer**)
              This issue will be closed. If you think your reported issue is not a support case feel free to comment above and if so the issue will reopened.
      - name: Close issue
        env:
          GH_TOKEN: ${{ secrets.SUPPORTISSUES_ACTION_PAT }}
          GH_REPO: ${{ github.repository }}
          NUMBER: ${{ github.event.issue.number }}
        run: gh issue close "$NUMBER" -r "not planned"
--- a/.github/workflows/check_prs_if_on_staging.yml
+++ b/.github/workflows/check_prs_if_on_staging.yml
@@ -10,9 +10,9 @@ jobs:
    if: github.event.pull_request.base.ref != 'staging' #check if the target branch is not staging
    steps:
      - name: Send message
-        uses: thollander/actions-comment-pull-request@v3.0.1
+        uses: thollander/actions-comment-pull-request@v2.4.3
        with:
-          github-token: ${{ secrets.CHECKIFPRISSTAGING_ACTION_PAT }}
+          GITHUB_TOKEN: ${{ secrets.CHECKIFPRISSTAGING_ACTION_PAT }}
          message: |
                   Thanks for contributing!
--- a/.github/workflows/close_old_issues_and_prs.yml
+++ b/.github/workflows/close_old_issues_and_prs.yml
@@ -14,7 +14,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Mark/Close Stale Issues and Pull Requests 🗑️
-        uses: actions/stale@v10.1.1
+        uses: actions/stale@v9.0.0
        with:
          repo-token: ${{ secrets.STALE_ACTION_PAT }}
          days-before-stale: 60
--- a/.github/workflows/image_builds.yml
+++ b/.github/workflows/image_builds.yml
@@ -23,11 +23,12 @@ jobs:
          - "postfix-mailcow"
          - "rspamd-mailcow"
          - "sogo-mailcow"
          - "solr-mailcow"
          - "unbound-mailcow"
          - "watchdog-mailcow"
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
      - name: Setup Docker
        run: |
          curl -sSL https://get.docker.com/ | CHANNEL=stable sudo sh
--- a/.github/workflows/pr_to_nightly.yml
+++ b/.github/workflows/pr_to_nightly.yml
@@ -8,11 +8,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run the Action
-        uses: devops-infra/action-pull-request@v1.0.2
+        uses: devops-infra/action-pull-request@v0.5.5
        with:
          github_token: ${{ secrets.PRTONIGHTLY_ACTION_PAT }}
          title: Automatic PR to nightly from ${{ github.event.repository.updated_at}}
--- a/.github/workflows/rebuild_backup_image.yml
+++ b/.github/workflows/rebuild_backup_image.yml
@@ -9,11 +9,9 @@ on:
 jobs:
  docker_image_build:
    runs-on: ubuntu-latest
    permissions:
      packages: write
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
@@ -21,19 +19,17 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-      - name: Login to GHCR
+      - name: Login to Docker Hub
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
-          registry: ghcr.io
+          username: ${{ secrets.BACKUPIMAGEBUILD_ACTION_DOCKERHUB_USERNAME }}
-          username: ${{ github.repository_owner }}
+          password: ${{ secrets.BACKUPIMAGEBUILD_ACTION_DOCKERHUB_TOKEN }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          file: data/Dockerfiles/backup/Dockerfile
          push: true
-          tags: ghcr.io/mailcow/backup:latest
+          tags: mailcow/backup:latest
--- a/.github/workflows/update_postscreen_access_list.yml
+++ b/.github/workflows/update_postscreen_access_list.yml
@@ -15,14 +15,14 @@ jobs:
   runs-on: ubuntu-latest
   steps:
    - name: Checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@v4
    - name: Generate postscreen_access.cidr
      run: |
          bash helper-scripts/update_postscreen_whitelist.sh
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@v7
+      uses: peter-evans/create-pull-request@v6
      with:
        token: ${{ secrets.mailcow_action_Update_postscreen_access_cidr_pat }}
        commit-message: update postscreen_access.cidr
--- a/.gitignore
+++ b/.gitignore
@@ -23,7 +23,6 @@ data/conf/dovecot/sni.conf
 data/conf/dovecot/sogo-sso.conf
 data/conf/dovecot/sogo_trusted_ip.conf
 data/conf/dovecot/sql
 data/conf/dovecot/conf.d/fts.conf
 data/conf/nextcloud-*.bak
 data/conf/nginx/*.active
 data/conf/nginx/*.bak
@@ -45,12 +44,8 @@ data/conf/rspamd/local.d/*
 data/conf/rspamd/override.d/*
 data/conf/sogo/custom-theme.js
 data/conf/sogo/plist_ldap
 data/conf/sogo/plist_ldap.sh
 data/conf/sogo/sieve.creds
-data/conf/sogo/cron.creds
+data/conf/sogo/sogo-full.svg
 data/conf/sogo/custom-fulllogo.svg
 data/conf/sogo/custom-shortlogo.svg
 data/conf/sogo/custom-fulllogo.png
 data/gitea/
 data/gogs/
 data/hooks/dovecot/*
@@ -75,4 +70,3 @@ refresh_images.sh
 update_diffs/
 create_cold_standby.sh
 !data/conf/nginx/mailcow_auth.conf
 data/conf/postfix/postfix-tlspol
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,56 +1,33 @@
-# Contribution Guidelines
+# Contribution Guidelines (Last modified on 18th December 2023)
 **_Last modified on 12th November 2025_**
 First of all, thank you for wanting to provide a bugfix or a new feature for the mailcow community, it's because of your help that the project can continue to grow!
-As we want to keep mailcow's development structured we setup these Guidelines which helps you to create your issue/pull request accordingly.
+## Pull Requests (Last modified on 18th December 2023)
 **PLEASE NOTE, THAT WE WILL CLOSE ISSUES/PULL REQUESTS IF THEY DON'T FULFILL OUR WRITTEN GUIDELINES WRITTEN INSIDE THIS DOCUMENT**. So please check this guidelines before you propose a Issue/Pull Request.
 ## Topics
 - [Pull Requests](#pull-requests)
 - [Issue Reporting](#issue-reporting)
    - [Guidelines](#issue-reporting-guidelines)
    - [Issue Report Guide](#issue-report-guide)
 ## Pull Requests
 **_Last modified on 15th August 2024_**
 However, please note the following regarding pull requests:
 1. **ALWAYS** create your PR using the staging branch of your locally cloned mailcow instance, as the pull request will end up in said staging branch of mailcow once approved. Ideally, you should simply create a new branch for your pull request that is named after the type of your PR (e.g. `feat/` for function updates or `fix/` for bug fixes) and the actual content (e.g. `sogo-6.0.0` for an update from SOGo to version 6 or `html-escape` for a fix that includes escaping HTML in mailcow).
-2. **ALWAYS** report/request issues/features in the english language, even though mailcow is a german based company. This is done to allow other GitHub users to reply to your issues/requests too which did not speak german or other languages besides english.
+2. Please **keep** this pull request branch **clean** and free of commits that have nothing to do with the changes you have made (e.g. commits from other users from other branches). *If you make changes to the `update.sh` script or other scripts that trigger a commit, there is usually a developer mode for clean working in this case.
-3. Please **keep** this pull request branch **clean** and free of commits that have nothing to do with the changes you have made (e.g. commits from other users from other branches). *If you make changes to the `update.sh` script or other scripts that trigger a commit, there is usually a developer mode for clean working in this case.*
+3. **Test your changes before you commit them as a pull request.** <ins>If possible</ins>, write a small **test log** or demonstrate the functionality with a **screenshot or GIF**. *We will of course also test your pull request ourselves, but proof from you will save us the question of whether you have tested your own changes yourself.*
-4. **Test your changes before you commit them as a pull request.** <ins>If possible</ins>, write a small **test log** or demonstrate the functionality with a **screenshot or GIF**. *We will of course also test your pull request ourselves, but proof from you will save us the question of whether you have tested your own changes yourself.*
+4. Please **ALWAYS** create the actual pull request against the staging branch and **NEVER** directly against the master branch. *If you forget to do this, our moobot will remind you to switch the branch to staging.*
-5. **Please use** the pull request template we provide once creating a pull request. *HINT: During editing you encounter comments which looks like: `<!-- CONTENT -->`. These can be removed or kept, as they will not rendered later on GitHub! Please only create actual content without the said comments.* 
+5. Wait for a merge commit: It may happen that we do not accept your pull request immediately or sometimes not at all for various reasons. Please do not be disappointed if this is the case. We always endeavor to incorporate any meaningful changes from the community into the mailcow project.
-6. Please **ALWAYS** create the actual pull request against the staging branch and **NEVER** directly against the master branch. *If you forget to do this, our moobot will remind you to switch the branch to staging.*
+6. If you are planning larger and therefore more complex pull requests, it would be advisable to first announce this in a separate issue and then start implementing it after the idea has been accepted in order to avoid unnecessary frustration and effort!
 7. Wait for a merge commit: It may happen that we do not accept your pull request immediately or sometimes not at all for various reasons. Please do not be disappointed if this is the case. We always endeavor to incorporate any meaningful changes from the community into the mailcow project.
 8. If you are planning larger and therefore more complex pull requests, it would be advisable to first announce this in a separate issue and then start implementing it after the idea has been accepted in order to avoid unnecessary frustration and effort!
 9. If your PR requires a Docker image rebuild (changes to Dockerfiles or files in data/Dockerfiles/), update the image tag in docker-compose.yml. Use the base-image versioning (e.g. ghcr.io/mailcow/sogo:5.12.4 → :5.12.5 for version bumps; append a letter for patch fixes, e.g. :5.12.4a). Follow this scheme.
 ---
-## Issue Reporting
+## Issue Reporting (Last modified on 18th December 2023)
 **_Last modified on 12th November 2025_**
 If you plan to report a issue within mailcow please read and understand the following rules:
 ### Security disclosures / Security-related fixes
 - Security vulnerabilities and security fixes must always be reported confidentially first to the contact address specified in SECURITY.md before they are integrated, published, or publicly disclosed in issues/PRs. Please wait for a response from the specified contact to ensure coordinated and responsible disclosure.
 ### Issue Reporting Guidelines
 1. **ONLY** use the issue tracker for bug reports or improvement requests and NOT for support questions. For support questions you can either contact the [mailcow community on Telegram](https://docs.mailcow.email/#community-support-and-chat) or the mailcow team directly in exchange for a [support fee](https://docs.mailcow.email/#commercial-support).
 2. **ONLY** report an error if you have the **necessary know-how (at least the basics)** for the administration of an e-mail server and the usage of Docker. mailcow is a complex and fully-fledged e-mail server including groupware components on a Docker basement and it requires a bit of technical know-how for debugging and operating.
-3. **ALWAYS** report/request issues/features in the english language, even though mailcow is a german based company. This is done to allow other GitHub users to reply to your issues/requests too which did not speak german or other languages besides english.
+3. **ONLY** report bugs that are contained in the latest mailcow release series. *The definition of the latest release series includes the last major patch (e.g. 2023-12) and all minor patches (revisions) below it (e.g. 2023-12a, b, c etc.).* New issue reports published starting from January 1, 2024 must meet this criterion, as versions below the latest releases are no longer supported by us.
-4. **ONLY** report bugs that are contained in the latest mailcow release series. *The definition of the latest release series includes the last major patch (e.g. 2023-12) and all minor patches (revisions) below it (e.g. 2023-12a, b, c etc.).* New issue reports published starting from January 1, 2024 must meet this criterion, as versions below the latest releases are no longer supported by us.
+4. When reporting a problem, please be as detailed as possible and include even the smallest changes to your mailcow installation. Simply fill out the corresponding bug report form in detail and accurately to minimize possible questions.
-5. When reporting a problem, please be as detailed as possible and include even the smallest changes to your mailcow installation. Simply fill out the corresponding bug report form in detail and accurately to minimize possible questions.
+5. **Before you open an issue/feature request**, please first check whether a similar request already exists in the mailcow tracker on GitHub. If so, please include yourself in this request.
-6. **Before you open an issue/feature request**, please first check whether a similar request already exists in the mailcow tracker on GitHub. If so, please include yourself in this request.
+6. When you create a issue/feature request: Please note that the creation does <ins>**not guarantee an instant implementation or fix by the mailcow team or the community**</ins>.
-7. When you create a issue/feature request: Please note that the creation does <ins>**not guarantee an instant implementation or fix by the mailcow team or the community**</ins>.
+7. Please **ALWAYS** anonymize any sensitive information in your bug report or feature request before submitting it.
 8. Please **ALWAYS** anonymize any sensitive information in your bug report or feature request before submitting it.
-### Issue Report Guide
+### Quick guide to reporting problems:
 1. Read your logs; follow them to see what the reason for your problem is.
 2. Follow the leads given to you in your logfiles and start investigating.
 3. Restarting the troubled service or the whole stack to see if the problem persists.
--- a/README.md
+++ b/README.md
@@ -13,22 +13,6 @@ You can also [get a SAL](https://www.servercow.de/mailcow?lang=en#sal) which is
 Or just spread the word: moo.
 ## Many thanks to our GitHub Sponsors ❤️
 A big thank you to everyone supporting us on GitHub Sponsors—your contributions mean the world to us! Special thanks to the following amazing supporters:
 ### 100$/Month Sponsors
  <a href="https://www.colba.net/" target=_blank><img
    src="https://avatars.githubusercontent.com/u/204464723" height="58"
  /></a>
  <a href="https://www.maehdros.com/" target=_blank><img
    src="https://avatars.githubusercontent.com/u/173894712" height="58"
  /></a>
 ### 50$/Month Sponsors
  <a href="https://github.com/vnukhr" target=_blank><img
    src="https://avatars.githubusercontent.com/u/7805987?s=52&v=4" height="58"
  /></a>
 ## Info, documentation and support
 Please see [the official documentation](https://docs.mailcow.email/) for installation and support instructions. 🐄
--- a/_modules/scripts/core.sh
+++ b/_modules/scripts/core.sh
@@ -1,230 +0,0 @@
 #!/usr/bin/env bash
 # _modules/scripts/core.sh
 # THIS SCRIPT IS DESIGNED TO BE RUNNING BY MAILCOW SCRIPTS ONLY!
 # DO NOT, AGAIN, NOT TRY TO RUN THIS SCRIPT STANDALONE!!!!!!
 # ANSI color for red errors
 RED='\e[31m'
 GREEN='\e[32m'
 YELLOW='\e[33m'
 BLUE='\e[34m'
 MAGENTA='\e[35m'
 LIGHT_RED='\e[91m'
 LIGHT_GREEN='\e[92m'
 NC='\e[0m'
 caller="${BASH_SOURCE[1]##*/}"
 get_installed_tools(){
    for bin in openssl curl docker git awk sha1sum grep cut jq; do
        if [[ -z $(command -v ${bin}) ]]; then
          echo "Error: Cannot find command '${bin}'. Cannot proceed."
          echo "Solution: Please review system requirements and install requirements. Then, re-run the script."
          echo "See System Requirements: https://docs.mailcow.email/getstarted/install/"
          echo "Exiting..."
          exit 1
        fi
    done
    if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo -e "${LIGHT_RED}BusyBox grep detected, please install gnu grep, \"apk add --no-cache --upgrade grep\"${NC}"; exit 1; fi
    # This will also cover sort
    if cp --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo -e "${LIGHT_RED}BusyBox cp detected, please install coreutils, \"apk add --no-cache --upgrade coreutils\"${NC}"; exit 1; fi
    if sed --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo -e "${LIGHT_RED}BusyBox sed detected, please install gnu sed, \"apk add --no-cache --upgrade sed\"${NC}"; exit 1; fi
 }
 get_docker_version(){
    # Check Docker Version (need at least 24.X)
    docker_version=$(docker version --format '{{.Server.Version}}' | cut -d '.' -f 1)
 }
 get_compose_type(){
  if docker compose > /dev/null 2>&1; then
    if docker compose version --short | grep -e "^[2-9]\." -e "^v[2-9]\." -e "^[1-9][0-9]\." -e "^v[1-9][0-9]\." > /dev/null 2>&1; then
      COMPOSE_VERSION=native
      COMPOSE_COMMAND="docker compose"
      if [[ "$caller" == "update.sh" ]]; then
        sed -i 's/^DOCKER_COMPOSE_VERSION=.*/DOCKER_COMPOSE_VERSION=native/' "$SCRIPT_DIR/mailcow.conf"
      fi
      echo -e "\e[33mFound Docker Compose Plugin (native).\e[0m"
      echo -e "\e[33mSetting the DOCKER_COMPOSE_VERSION Variable to native\e[0m"
      sleep 2
      echo -e "\e[33mNotice: You'll have to update this Compose Version via your Package Manager manually!\e[0m"
    else
      echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m"
      echo -e "\e[31mPlease update/install it manually regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
      exit 1
    fi
  elif docker-compose > /dev/null 2>&1; then
  if ! [[ $(alias docker-compose 2> /dev/null) ]] ; then
    if docker-compose version --short | grep -e "^[2-9]\." -e "^[1-9][0-9]\." > /dev/null 2>&1; then
      COMPOSE_VERSION=standalone
      COMPOSE_COMMAND="docker-compose"
      if [[ "$caller" == "update.sh" ]]; then
        sed -i 's/^DOCKER_COMPOSE_VERSION=.*/DOCKER_COMPOSE_VERSION=standalone/' "$SCRIPT_DIR/mailcow.conf"
      fi
      echo -e "\e[33mFound Docker Compose Standalone.\e[0m"
      echo -e "\e[33mSetting the DOCKER_COMPOSE_VERSION Variable to standalone\e[0m"
      sleep 2
      echo -e "\e[33mNotice: For an automatic update of docker-compose please use the update_compose.sh scripts located at the helper-scripts folder.\e[0m"
    else
      echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m"
      echo -e "\e[31mPlease update/install manually regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
      exit 1
    fi
  fi
  else
    echo -e "\e[31mCannot find Docker Compose.\e[0m"
    echo -e "\e[31mPlease install it regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
    exit 1
  fi
 }
 detect_bad_asn() {
  echo -e "\e[33mDetecting if your IP is listed on Spamhaus Bad ASN List...\e[0m"
  response=$(curl --connect-timeout 15 --max-time 30 -s -o /dev/null -w "%{http_code}" "https://asn-check.mailcow.email")
  if [ "$response" -eq 503 ]; then
    if [ -z "$SPAMHAUS_DQS_KEY" ]; then
      echo -e "\e[33mYour server's public IP uses an AS that is blocked by Spamhaus to use their DNS public blocklists for Postfix.\e[0m"
      echo -e "\e[33mmailcow did not detected a value for the variable SPAMHAUS_DQS_KEY inside mailcow.conf!\e[0m"
      sleep 2
      echo ""
      echo -e "\e[33mTo use the Spamhaus DNS Blocklists again, you will need to create a FREE account for their Data Query Service (DQS) at: https://www.spamhaus.com/free-trial/sign-up-for-a-free-data-query-service-account\e[0m"
      echo -e "\e[33mOnce done, enter your DQS API key in mailcow.conf and mailcow will do the rest for you!\e[0m"
      echo ""
      sleep 2
    else
      echo -e "\e[33mYour server's public IP uses an AS that is blocked by Spamhaus to use their DNS public blocklists for Postfix.\e[0m"
      echo -e "\e[32mmailcow detected a Value for the variable SPAMHAUS_DQS_KEY inside mailcow.conf. Postfix will use DQS with the given API key...\e[0m"
    fi
  elif [ "$response" -eq 200 ]; then
    echo -e "\e[33mCheck completed! Your IP is \e[32mclean\e[0m"
  elif [ "$response" -eq 429 ]; then
    echo -e "\e[33mCheck completed! \e[31mYour IP seems to be rate limited on the ASN Check service... please try again later!\e[0m"
  else
    echo -e "\e[31mCheck failed! \e[0mMaybe a DNS or Network problem?\e[0m"
  fi
 }
 check_online_status() {
  CHECK_ONLINE_DOMAINS=('https://github.com' 'https://hub.docker.com')
  for domain in "${CHECK_ONLINE_DOMAINS[@]}"; do
    if timeout 6 curl --head --silent --output /dev/null ${domain}; then
      return 0
    fi
  done
  return 1
 }
 prefetch_images() {
  [[ -z ${BRANCH} ]] && { echo -e "\e[33m\nUnknown branch...\e[0m"; exit 1; }
  git fetch origin #${BRANCH}
  while read image; do
    RET_C=0
    until docker pull "${image}"; do
      RET_C=$((RET_C + 1))
      echo -e "\e[33m\nError pulling $image, retrying...\e[0m"
      [ ${RET_C} -gt 3 ] && { echo -e "\e[31m\nToo many failed retries, exiting\e[0m"; exit 1; }
      sleep 1
    done
  done < <(git show "origin/${BRANCH}:docker-compose.yml" | grep "image:" | awk '{ gsub("image:","", $3); print $2 }')
 }
 docker_garbage() {
  SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../.." && pwd )"
  IMGS_TO_DELETE=()
  declare -A IMAGES_INFO
  COMPOSE_IMAGES=($(grep -oP "image: \K(ghcr\.io/)?mailcow.+" "${SCRIPT_DIR}/docker-compose.yml"))
  for existing_image in $(docker images --format "{{.ID}}:{{.Repository}}:{{.Tag}}" | grep -E '(mailcow/|ghcr\.io/mailcow/)'); do
      ID=$(echo "$existing_image" | cut -d ':' -f 1)
      REPOSITORY=$(echo "$existing_image" | cut -d ':' -f 2)
      TAG=$(echo "$existing_image" | cut -d ':' -f 3)
      if [[ "$REPOSITORY" == "mailcow/backup" || "$REPOSITORY" == "ghcr.io/mailcow/backup" ]]; then
          if [[ "$TAG" != "<none>" ]]; then
              continue
          fi
      fi
      if [[ " ${COMPOSE_IMAGES[@]} " =~ " ${REPOSITORY}:${TAG} " ]]; then
          continue
      else
          IMGS_TO_DELETE+=("$ID")
          IMAGES_INFO["$ID"]="$REPOSITORY:$TAG"
      fi
  done
  if [[ ! -z ${IMGS_TO_DELETE[*]} ]]; then
      echo "The following unused mailcow images were found:"
      for id in "${IMGS_TO_DELETE[@]}"; do
          echo "    ${IMAGES_INFO[$id]} ($id)"
      done
      if [ -z "$FORCE" ]; then
          read -r -p "Do you want to delete them to free up some space? [y/N] " response
          if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
              docker rmi ${IMGS_TO_DELETE[*]}
          else
              echo "OK, skipped."
          fi
      else
          echo "Running in forced mode! Force removing old mailcow images..."
          docker rmi ${IMGS_TO_DELETE[*]}
      fi
      echo -e "\e[32mFurther cleanup...\e[0m"
      echo "If you want to cleanup further garbage collected by Docker, please make sure all containers are up and running before cleaning your system by executing \"docker system prune\""
  fi
 }
 in_array() {
  local e match="$1"
  shift
  for e; do [[ "$e" == "$match" ]] && return 0; done
  return 1
 }
 detect_major_update() {
  if [ ${BRANCH} == "master" ]; then
    # Array with major versions
    # Add major versions here
    MAJOR_VERSIONS=(
      "2025-02"
      "2025-03"
      "2025-09"
    )
    current_version=""
    if [[ -f "${SCRIPT_DIR}/data/web/inc/app_info.inc.php" ]]; then
      current_version=$(grep 'MAILCOW_GIT_VERSION' ${SCRIPT_DIR}/data/web/inc/app_info.inc.php | sed -E 's/.*MAILCOW_GIT_VERSION="([^"]+)".*/\1/')
    fi
    if [[ -z "$current_version" ]]; then
      return 1
    fi
    release_url="https://github.com/mailcow/mailcow-dockerized/releases/tag"
    updates_to_apply=()
    for version in "${MAJOR_VERSIONS[@]}"; do
      if [[ "$current_version" < "$version" ]]; then
        updates_to_apply+=("$version")
      fi
    done
    if [[ ${#updates_to_apply[@]} -gt 0 ]]; then
      echo -e "\e[33m\nMAJOR UPDATES to be applied:\e[0m"
      for update in "${updates_to_apply[@]}"; do
        echo "$update - $release_url/$update"
      done
      echo -e "\nPlease read the release notes before proceeding."
      read -p "Do you want to proceed with the update? [y/n] " response
      if [[ "${response}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
        echo "Proceeding with the update..."
      else
        echo "Update canceled. Exiting."
        exit 1
      fi
    fi
  fi
 }
--- a/_modules/scripts/ipv6_controller.sh
+++ b/_modules/scripts/ipv6_controller.sh
@@ -1,272 +0,0 @@
 #!/usr/bin/env bash
 # _modules/scripts/ipv6_controller.sh
 # THIS SCRIPT IS DESIGNED TO BE RUNNING BY MAILCOW SCRIPTS ONLY!
 # DO NOT, AGAIN, NOT TRY TO RUN THIS SCRIPT STANDALONE!!!!!!
 # 1) Check if the host supports IPv6
 get_ipv6_support() {
  # ---- helper: probe external IPv6 connectivity without DNS ----
  _probe_ipv6_connectivity() {
    # Use literal, always-on IPv6 echo responders (no DNS required)
    local PROBE_IPS=("2001:4860:4860::8888" "2606:4700:4700::1111")
    local ip rc=1
    for ip in "${PROBE_IPS[@]}"; do
      if command -v ping6 &>/dev/null; then
        ping6 -c1 -W2 "$ip" &>/dev/null || ping6 -c1 -w2 "$ip" &>/dev/null
        rc=$?
      elif command -v ping &>/dev/null; then
        ping -6 -c1 -W2 "$ip" &>/dev/null || ping -6 -c1 -w2 "$ip" &>/dev/null
        rc=$?
      else
        rc=1
      fi
      [[ $rc -eq 0 ]] && return 0
    done
    return 1
  }
  if [[ ! -f /proc/net/if_inet6 ]] || grep -qs '^1' /proc/sys/net/ipv6/conf/all/disable_ipv6 2>/dev/null; then
    DETECTED_IPV6=false
    echo -e "${YELLOW}IPv6 not detected on host – ${LIGHT_RED}IPv6 is administratively disabled${YELLOW}.${NC}"
    return
  fi
  if ip -6 route show default 2>/dev/null | grep -qE '^default'; then
    echo -e "${YELLOW}Default IPv6 route found – testing external IPv6 connectivity...${NC}"
    if _probe_ipv6_connectivity; then
      DETECTED_IPV6=true
      echo -e "IPv6 detected on host – ${LIGHT_GREEN}leaving IPv6 support enabled${YELLOW}.${NC}"
    else
      DETECTED_IPV6=false
      echo -e "${YELLOW}Default IPv6 route present but external IPv6 connectivity failed – ${LIGHT_RED}disabling IPv6 support${YELLOW}.${NC}"
    fi
    return
  fi
  if ip -6 addr show scope global 2>/dev/null | grep -q 'inet6'; then
    DETECTED_IPV6=false
    echo -e "${YELLOW}Global IPv6 address present but no default route – ${LIGHT_RED}disabling IPv6 support${YELLOW}.${NC}"
    return
  fi
  if ip -6 addr show scope link 2>/dev/null | grep -q 'inet6'; then
    echo -e "${YELLOW}Only link-local IPv6 addresses found – testing external IPv6 connectivity...${NC}"
    if _probe_ipv6_connectivity; then
      DETECTED_IPV6=true
      echo -e "External IPv6 connectivity available – ${LIGHT_GREEN}leaving IPv6 support enabled${YELLOW}.${NC}"
    else
      DETECTED_IPV6=false
      echo -e "${YELLOW}Only link-local IPv6 present and no external connectivity – ${LIGHT_RED}disabling IPv6 support${YELLOW}.${NC}"
    fi
    return
  fi
  DETECTED_IPV6=false
  echo -e "${YELLOW}IPv6 not detected on host – ${LIGHT_RED}disabling IPv6 support${YELLOW}.${NC}"
 }
 # 2) Ensure Docker daemon.json has (or create) the required IPv6 settings
 docker_daemon_edit(){
  DOCKER_DAEMON_CONFIG="/etc/docker/daemon.json"
  DOCKER_MAJOR=$(docker version --format '{{.Server.Version}}' 2>/dev/null | cut -d. -f1)
  MISSING=()
  _has_kv() { grep -Eq "\"$1\"[[:space:]]*:[[:space:]]*$2" "$DOCKER_DAEMON_CONFIG" 2>/dev/null; }
  if [[ -f "$DOCKER_DAEMON_CONFIG" ]]; then
    # reject empty or whitespace-only file immediately
    if [[ ! -s "$DOCKER_DAEMON_CONFIG" ]] || ! grep -Eq '[{}]' "$DOCKER_DAEMON_CONFIG"; then
      echo -e "${RED}ERROR: $DOCKER_DAEMON_CONFIG exists but is empty or contains no JSON braces – please initialize it with valid JSON (e.g. {}).${NC}"
      exit 1
    fi
    # Validate JSON if jq is present
    if command -v jq &>/dev/null && ! jq empty "$DOCKER_DAEMON_CONFIG" &>/dev/null; then
      echo -e "${RED}ERROR: Invalid JSON in $DOCKER_DAEMON_CONFIG – please correct manually.${NC}"
      exit 1
    fi
    # Gather missing keys
    ! _has_kv ipv6 true && MISSING+=("ipv6: true")
    # For Docker < 28, keep requiring fixed-cidr-v6 (default bridge needs it on old engines)
    if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 28 ]]; then
      ! grep -Eq '"fixed-cidr-v6"[[:space:]]*:[[:space:]]*".+"' "$DOCKER_DAEMON_CONFIG" \
                                && MISSING+=('fixed-cidr-v6: "fd00:dead:beef:c0::/80"')
    fi
    # For Docker < 27, ip6tables needed and was tied to experimental in older releases
    if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 27 ]]; then
      _has_kv ipv6 true && ! _has_kv ip6tables true && MISSING+=("ip6tables: true")
      ! _has_kv experimental true && MISSING+=("experimental: true")
    fi
    # Fix if needed
    if ((${#MISSING[@]}>0)); then
      echo -e "${MAGENTA}Your daemon.json is missing: ${YELLOW}${MISSING[*]}${NC}"
      if [[ -n "$FORCE" ]]; then
        ans=Y
      else
        read -p "Would you like to update $DOCKER_DAEMON_CONFIG now? [Y/n] " ans
        ans=${ans:-Y}
      fi
      if [[ $ans =~ ^[Yy]$ ]]; then
        cp "$DOCKER_DAEMON_CONFIG" "${DOCKER_DAEMON_CONFIG}.bak"
        if command -v jq &>/dev/null; then
          TMP=$(mktemp)
          # Base filter: ensure ipv6 = true
          JQ_FILTER='.ipv6 = true'
          # Add fixed-cidr-v6 only for Docker < 28
          if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 28 ]]; then
            JQ_FILTER+=' | .["fixed-cidr-v6"] = (.["fixed-cidr-v6"] // "fd00:dead:beef:c0::/80")'
          fi
          # Add ip6tables/experimental only for Docker < 27
          if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 27 ]]; then
            JQ_FILTER+=' | .ip6tables = true | .experimental = true'
          fi
          jq "$JQ_FILTER" "$DOCKER_DAEMON_CONFIG" >"$TMP" && mv "$TMP" "$DOCKER_DAEMON_CONFIG"
          echo -e "${LIGHT_GREEN}daemon.json updated. Restarting Docker...${NC}"
          (command -v systemctl &>/dev/null && systemctl restart docker) || service docker restart
          echo -e "${YELLOW}Docker restarted.${NC}"
        else
          echo -e "${RED}Please install jq or manually update daemon.json and restart Docker.${NC}"
          exit 1
        fi
      else
        echo -e "${YELLOW}User declined Docker update – skipping Docker daemon configuration.${NC}"
        echo -e "${YELLOW}IPv6 will be disabled for mailcow.${NC}"
        echo ""
        echo -e "${YELLOW}If you change your mind later, please insert these changes manually to $DOCKER_DAEMON_CONFIG:${NC}"
        echo "${MISSING[*]}"
        echo ""
        return 1
      fi
    fi
  else
    # Create new daemon.json if missing
    if [[ -n "$FORCE" ]]; then
      ans=Y
    else
      read -p "$DOCKER_DAEMON_CONFIG not found. Create it with IPv6 settings? [Y/n] " ans
      ans=${ans:-Y}
    fi
    if [[ $ans =~ ^[Yy]$ ]]; then
      mkdir -p "$(dirname "$DOCKER_DAEMON_CONFIG")"
      if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 27 ]]; then
        cat > "$DOCKER_DAEMON_CONFIG" <<EOF
 {
  "ipv6": true,
  "fixed-cidr-v6": "fd00:dead:beef:c0::/80",
  "ip6tables": true,
  "experimental": true
 }
 EOF
      elif [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 28 ]]; then
        cat > "$DOCKER_DAEMON_CONFIG" <<EOF
 {
  "ipv6": true,
  "fixed-cidr-v6": "fd00:dead:beef:c0::/80"
 }
 EOF
      else
        # Docker 28+: ipv6 works without fixed-cidr-v6
        cat > "$DOCKER_DAEMON_CONFIG" <<EOF
 {
  "ipv6": true
 }
 EOF
      fi
      echo -e "${GREEN}Created $DOCKER_DAEMON_CONFIG with IPv6 settings.${NC}"
      echo "Restarting Docker..."
      (command -v systemctl &>/dev/null && systemctl restart docker) || service docker restart
      echo "Docker restarted."
    else
      echo -e "${YELLOW}User declined to create daemon.json – skipping Docker daemon configuration.${NC}"
      echo -e "${YELLOW}IPv6 will be disabled for mailcow.${NC}"
      echo ""
      echo -e "${YELLOW}If you change your mind later, please create $DOCKER_DAEMON_CONFIG with these settings:${NC}"
      if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 27 ]]; then
        echo '  "ipv6": true,'
        echo '  "fixed-cidr-v6": "fd00:dead:beef:c0::/80",'
        echo '  "ip6tables": true,'
        echo '  "experimental": true'
      elif [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 28 ]]; then
        echo '  "ipv6": true,'
        echo '  "fixed-cidr-v6": "fd00:dead:beef:c0::/80"'
      else
        echo '  "ipv6": true'
      fi
      echo ""
      return 1
    fi
  fi
 }
 # 3) Main wrapper for generate_config.sh and update.sh
 configure_ipv6() {
  # detect manual override if mailcow.conf is present
  if [[ -n "$MAILCOW_CONF" && -f "$MAILCOW_CONF" ]] && grep -q '^ENABLE_IPV6=' "$MAILCOW_CONF"; then
    MANUAL_SETTING=$(grep '^ENABLE_IPV6=' "$MAILCOW_CONF" | cut -d= -f2)
  elif [[ -z "$MAILCOW_CONF" ]] && [[ -n "${ENABLE_IPV6:-}" ]]; then
    MANUAL_SETTING="$ENABLE_IPV6"
  else
    MANUAL_SETTING=""
  fi
  get_ipv6_support
  # if user manually set it, check for mismatch
  if [[ "$DETECTED_IPV6" != "true" ]]; then
    if [[ -n "$MAILCOW_CONF" && -f "$MAILCOW_CONF" ]]; then
      if grep -q '^ENABLE_IPV6=' "$MAILCOW_CONF"; then
        sed -i 's/^ENABLE_IPV6=.*/ENABLE_IPV6=false/' "$MAILCOW_CONF"
      else
        echo "ENABLE_IPV6=false" >> "$MAILCOW_CONF"
      fi
    else
      export IPV6_BOOL=false
    fi
    echo "Skipping Docker IPv6 configuration because host does not support IPv6."
    echo "Make sure to check if your docker daemon.json does not include \"enable_ipv6\": true if you do not want IPv6."
    echo "IPv6 configuration complete: ENABLE_IPV6=false"
    sleep 2
    return
  fi
  if ! docker_daemon_edit; then
    # User declined Docker daemon configuration
    # When called from update.sh, MAILCOW_CONF is set and we modify the existing file
    # When called from generate_config.sh, MAILCOW_CONF is not set and we export IPV6_BOOL
    if [[ -n "$MAILCOW_CONF" && -f "$MAILCOW_CONF" ]]; then
      if grep -q '^ENABLE_IPV6=' "$MAILCOW_CONF"; then
        sed -i 's/^ENABLE_IPV6=.*/ENABLE_IPV6=false/' "$MAILCOW_CONF"
      else
        echo "ENABLE_IPV6=false" >> "$MAILCOW_CONF"
      fi
    else
      export IPV6_BOOL=false
    fi
    echo "IPv6 configuration complete: ENABLE_IPV6=false"
    return 0
  fi
  if [[ -n "$MAILCOW_CONF" && -f "$MAILCOW_CONF" ]]; then
    if grep -q '^ENABLE_IPV6=' "$MAILCOW_CONF"; then
      sed -i 's/^ENABLE_IPV6=.*/ENABLE_IPV6=true/' "$MAILCOW_CONF"
    else
      echo "ENABLE_IPV6=true" >> "$MAILCOW_CONF"
    fi
  else
    export IPV6_BOOL=true
  fi
  echo "IPv6 configuration complete: ENABLE_IPV6=true"
 }
--- a/_modules/scripts/migrate_options.sh
+++ b/_modules/scripts/migrate_options.sh
@@ -1,96 +0,0 @@
 #!/usr/bin/env bash
 # _modules/scripts/migrate_options.sh
 # THIS SCRIPT IS DESIGNED TO BE RUNNING BY MAILCOW SCRIPTS ONLY!
 # DO NOT, AGAIN, NOT TRY TO RUN THIS SCRIPT STANDALONE!!!!!!
 migrate_config_options() {
  sed -i --follow-symlinks '$a\' mailcow.conf
  KEYS=(
    SOLR_HEAP
    SKIP_SOLR
    SOLR_PORT
    FLATCURVE_EXPERIMENTAL
    DISABLE_IPv6
    ACME_CONTACT
  )
  for key in "${KEYS[@]}"; do
    if grep -q "${key}" mailcow.conf; then
      case "${key}" in
        SOLR_HEAP)
          echo "Removing ${key} in mailcow.conf"
          sed -i '/# Solr heap size in MB\b/d' mailcow.conf
          sed -i '/# Solr is a prone to run\b/d' mailcow.conf
          sed -i '/SOLR_HEAP\b/d' mailcow.conf
          ;;
        SKIP_SOLR)
          echo "Removing ${key} in mailcow.conf"
          sed -i '/\bSkip Solr on low-memory\b/d' mailcow.conf
          sed -i '/\bSolr is disabled by default\b/d' mailcow.conf
          sed -i '/\bDisable Solr or\b/d' mailcow.conf
          sed -i '/\bSKIP_SOLR\b/d' mailcow.conf
          ;;
        SOLR_PORT)
          echo "Removing ${key} in mailcow.conf"
          sed -i '/\bSOLR_PORT\b/d' mailcow.conf
          ;;
        FLATCURVE_EXPERIMENTAL)
          echo "Removing ${key} in mailcow.conf"
          sed -i '/\bFLATCURVE_EXPERIMENTAL\b/d' mailcow.conf
          ;;
        DISABLE_IPv6)
          echo "Migrating ${key} to ENABLE_IPv6 in mailcow.conf"
          local old=$(grep '^DISABLE_IPv6=' "mailcow.conf" | cut -d'=' -f2)
          local new
          if [[ "$old" == "y" ]]; then
            new="false"
          else
            new="true"
          fi
          sed -i '/^DISABLE_IPv6=/d' "mailcow.conf"
          echo "ENABLE_IPV6=$new" >> "mailcow.conf"
          ;;
        ACME_CONTACT)
          echo "Deleting obsoleted ${key} in mailcow.conf"
          sed -i '/^# Lets Encrypt registration contact information/d' mailcow.conf
          sed -i '/^# Optional: Leave empty for none/d' mailcow.conf
          sed -i '/^# This value is only used on first order!/d' mailcow.conf
          sed -i '/^# Setting it at a later point will require the following steps:/d' mailcow.conf
          sed -i '/^# https:\/\/docs.mailcow.email\/troubleshooting\/debug-reset_tls\//d' mailcow.conf
          sed -i '/^ACME_CONTACT=.*/d' mailcow.conf
          sed -i '/^#ACME_CONTACT=.*/d' mailcow.conf
          ;;
      esac
    fi
  done
  solr_volume=$(docker volume ls -qf name=^${COMPOSE_PROJECT_NAME}_solr-vol-1)
  if [[ -n $solr_volume ]]; then
    echo -e "\e[34mSolr has been replaced within mailcow since 2025-01.\nThe volume $solr_volume is unused.\e[0m"
    sleep 1
    if [ ! "$FORCE" ]; then
      read -r -p "Remove $solr_volume? [y/N] " response
      if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
        echo -e "\e[33mRemoving $solr_volume...\e[0m"
        docker volume rm $solr_volume || echo -e "\e[31mFailed to remove. Remove it manually!\e[0m"
        echo -e "\e[32mSuccessfully removed $solr_volume!\e[0m"
      else
        echo -e "Not removing $solr_volume. Run \`docker volume rm $solr_volume\` manually if needed."
      fi
    else
      echo -e "\e[33mForce removing $solr_volume...\e[0m"
      docker volume rm $solr_volume || echo -e "\e[31mFailed to remove. Remove it manually!\e[0m"
      echo -e "\e[32mSuccessfully removed $solr_volume!\e[0m"
    fi
  fi
  # Delete old fts.conf before forced switch to flatcurve to ensure update is working properly
  FTS_CONF_PATH="${SCRIPT_DIR}/data/conf/dovecot/conf.d/fts.conf"
  if [[ -f "$FTS_CONF_PATH" ]]; then
    if grep -q "Autogenerated by mailcow" "$FTS_CONF_PATH"; then
      rm -rf $FTS_CONF_PATH
    fi
  fi
 }
--- a/_modules/scripts/new_options.sh
+++ b/_modules/scripts/new_options.sh
@@ -1,300 +0,0 @@
 #!/usr/bin/env bash
 # _modules/scripts/new_options.sh
 # THIS SCRIPT IS DESIGNED TO BE RUNNING BY MAILCOW SCRIPTS ONLY!
 # DO NOT, AGAIN, NOT TRY TO RUN THIS SCRIPT STANDALONE!!!!!!
 adapt_new_options() {
  CONFIG_ARRAY=(
  "AUTODISCOVER_SAN"
  "SKIP_LETS_ENCRYPT"
  "SKIP_SOGO"
  "USE_WATCHDOG"
  "WATCHDOG_NOTIFY_EMAIL"
  "WATCHDOG_NOTIFY_WEBHOOK"
  "WATCHDOG_NOTIFY_WEBHOOK_BODY"
  "WATCHDOG_NOTIFY_BAN"
  "WATCHDOG_NOTIFY_START"
  "WATCHDOG_EXTERNAL_CHECKS"
  "WATCHDOG_SUBJECT"
  "SKIP_CLAMD"
  "SKIP_OLEFY"
  "SKIP_IP_CHECK"
  "ADDITIONAL_SAN"
  "DOVEADM_PORT"
  "IPV4_NETWORK"
  "IPV6_NETWORK"
  "LOG_LINES"
  "SNAT_TO_SOURCE"
  "SNAT6_TO_SOURCE"
  "COMPOSE_PROJECT_NAME"
  "DOCKER_COMPOSE_VERSION"
  "SQL_PORT"
  "API_KEY"
  "API_KEY_READ_ONLY"
  "API_ALLOW_FROM"
  "MAILDIR_GC_TIME"
  "MAILDIR_SUB"
  "ACL_ANYONE"
  "FTS_HEAP"
  "FTS_PROCS"
  "SKIP_FTS"
  "ENABLE_SSL_SNI"
  "ALLOW_ADMIN_EMAIL_LOGIN"
  "SKIP_HTTP_VERIFICATION"
  "SOGO_EXPIRE_SESSION"
  "SOGO_URL_ENCRYPTION_KEY"
  "REDIS_PORT"
  "REDISPASS"
  "DOVECOT_MASTER_USER"
  "DOVECOT_MASTER_PASS"
  "MAILCOW_PASS_SCHEME"
  "ADDITIONAL_SERVER_NAMES"
  "WATCHDOG_VERBOSE"
  "WEBAUTHN_ONLY_TRUSTED_VENDORS"
  "SPAMHAUS_DQS_KEY"
  "SKIP_UNBOUND_HEALTHCHECK"
  "DISABLE_NETFILTER_ISOLATION_RULE"
  "HTTP_REDIRECT"
  "ENABLE_IPV6"
  )
  sed -i --follow-symlinks '$a\' mailcow.conf
  for option in ${CONFIG_ARRAY[@]}; do
    if grep -q "${option}" mailcow.conf; then
      continue
    fi
    echo "Adding new option \"${option}\" to mailcow.conf"
    case "${option}" in
        AUTODISCOVER_SAN)
            echo '# Obtain certificates for autodiscover.* and autoconfig.* domains.' >> mailcow.conf
            echo '# This can be useful to switch off in case you are in a scenario where a reverse proxy already handles those.' >> mailcow.conf
            echo '# There are mixed scenarios where ports 80,443 are occupied and you do not want to share certs' >> mailcow.conf
            echo '# between services. So acme-mailcow obtains for maildomains and all web-things get handled' >> mailcow.conf
            echo '# in the reverse proxy.' >> mailcow.conf
            echo 'AUTODISCOVER_SAN=y' >> mailcow.conf
            ;;
        DOCKER_COMPOSE_VERSION)
            echo "# Used Docker Compose version" >> mailcow.conf
            echo "# Switch here between native (compose plugin) and standalone" >> mailcow.conf
            echo "# For more informations take a look at the mailcow docs regarding the configuration options." >> mailcow.conf
            echo "# Normally this should be untouched but if you decided to use either of those you can switch it manually here." >> mailcow.conf
            echo "# Please be aware that at least one of those variants should be installed on your machine or mailcow will fail." >> mailcow.conf
            echo "" >> mailcow.conf
            echo "DOCKER_COMPOSE_VERSION=${DOCKER_COMPOSE_VERSION}" >> mailcow.conf
            ;;
        DOVEADM_PORT)
            echo "DOVEADM_PORT=127.0.0.1:19991" >> mailcow.conf
            ;;
        LOG_LINES)
            echo '# Max log lines per service to keep in Redis logs' >> mailcow.conf
            echo "LOG_LINES=9999" >> mailcow.conf
            ;;
        IPV4_NETWORK)
            echo '# Internal IPv4 /24 subnet, format n.n.n. (expands to n.n.n.0/24)' >> mailcow.conf
            echo "IPV4_NETWORK=172.22.1" >> mailcow.conf
            ;;
        IPV6_NETWORK)
            echo '# Internal IPv6 subnet in fc00::/7' >> mailcow.conf
            echo "IPV6_NETWORK=fd4d:6169:6c63:6f77::/64" >> mailcow.conf
            ;;
        SQL_PORT)
            echo '# Bind SQL to 127.0.0.1 on port 13306' >> mailcow.conf
            echo "SQL_PORT=127.0.0.1:13306" >> mailcow.conf
            ;;
        API_KEY)
            echo '# Create or override API key for web UI' >> mailcow.conf
            echo "#API_KEY=" >> mailcow.conf
            ;;
        API_KEY_READ_ONLY)
            echo '# Create or override read-only API key for web UI' >> mailcow.conf
            echo "#API_KEY_READ_ONLY=" >> mailcow.conf
            ;;
        API_ALLOW_FROM)
            echo '# Must be set for API_KEY to be active' >> mailcow.conf
            echo '# IPs only, no networks (networks can be set via UI)' >> mailcow.conf
            echo "#API_ALLOW_FROM=" >> mailcow.conf
            ;;
        SNAT_TO_SOURCE)
            echo '# Use this IPv4 for outgoing connections (SNAT)' >> mailcow.conf
            echo "#SNAT_TO_SOURCE=" >> mailcow.conf
            ;;
        SNAT6_TO_SOURCE)
            echo '# Use this IPv6 for outgoing connections (SNAT)' >> mailcow.conf
            echo "#SNAT6_TO_SOURCE=" >> mailcow.conf
            ;;
        MAILDIR_GC_TIME)
            echo '# Garbage collector cleanup' >> mailcow.conf
            echo '# Deleted domains and mailboxes are moved to /var/vmail/_garbage/timestamp_sanitizedstring' >> mailcow.conf
            echo '# How long should objects remain in the garbage until they are being deleted? (value in minutes)' >> mailcow.conf
            echo '# Check interval is hourly' >> mailcow.conf
            echo 'MAILDIR_GC_TIME=1440' >> mailcow.conf
            ;;
        ACL_ANYONE)
            echo '# Set this to "allow" to enable the anyone pseudo user. Disabled by default.' >> mailcow.conf
            echo '# When enabled, ACL can be created, that apply to "All authenticated users"' >> mailcow.conf
            echo '# This should probably only be activated on mail hosts, that are used exclusively by one organisation.' >> mailcow.conf
            echo '# Otherwise a user might share data with too many other users.' >> mailcow.conf
            echo 'ACL_ANYONE=disallow' >> mailcow.conf
            ;;
        FTS_HEAP)
            echo '# Dovecot Indexing (FTS) Process maximum heap size in MB, there is no recommendation, please see Dovecot docs.' >> mailcow.conf
            echo '# Flatcurve is used as FTS Engine. It is supposed to be pretty efficient in CPU and RAM consumption.' >> mailcow.conf
            echo '# Please always monitor your Resource consumption!' >> mailcow.conf
            echo "FTS_HEAP=128" >> mailcow.conf
            ;;
        SKIP_FTS)
            echo '# Skip FTS (Fulltext Search) for Dovecot on low-memory, low-threaded systems or if you simply want to disable it.' >> mailcow.conf
            echo "# Dovecot inside mailcow use Flatcurve as FTS Backend." >> mailcow.conf
            echo "SKIP_FTS=y" >> mailcow.conf
            ;;
        FTS_PROCS)
            echo '# Controls how many processes the Dovecot indexing process can spawn at max.' >> mailcow.conf
            echo '# Too many indexing processes can use a lot of CPU and Disk I/O' >> mailcow.conf
            echo '# Please visit: https://doc.dovecot.org/configuration_manual/service_configuration/#indexer-worker for more informations' >> mailcow.conf
            echo "FTS_PROCS=1" >> mailcow.conf
            ;;
        ENABLE_SSL_SNI)
            echo '# Create seperate certificates for all domains - y/n' >> mailcow.conf
            echo '# this will allow adding more than 100 domains, but some email clients will not be able to connect with alternative hostnames' >> mailcow.conf
            echo '# see https://wiki.dovecot.org/SSL/SNIClientSupport' >> mailcow.conf
            echo "ENABLE_SSL_SNI=n" >> mailcow.conf
            ;;
        SKIP_SOGO)
            echo '# Skip SOGo: Will disable SOGo integration and therefore webmail, DAV protocols and ActiveSync support (experimental, unsupported, not fully implemented) - y/n' >> mailcow.conf
            echo "SKIP_SOGO=n" >> mailcow.conf
            ;;
        MAILDIR_SUB)
            echo '# MAILDIR_SUB defines a path in a users virtual home to keep the maildir in. Leave empty for updated setups.' >> mailcow.conf
            echo "#MAILDIR_SUB=Maildir" >> mailcow.conf
            echo "MAILDIR_SUB=" >> mailcow.conf
            ;;
        WATCHDOG_NOTIFY_WEBHOOK)
            echo '# Send notifications to a webhook URL that receives a POST request with the content type "application/json".' >> mailcow.conf
            echo '# You can use this to send notifications to services like Discord, Slack and others.' >> mailcow.conf
            echo '#WATCHDOG_NOTIFY_WEBHOOK=https://discord.com/api/webhooks/XXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' >> mailcow.conf
            ;;
        WATCHDOG_NOTIFY_WEBHOOK_BODY)
            echo '# JSON body included in the webhook POST request. Needs to be in single quotes.' >> mailcow.conf
            echo '# Following variables are available: SUBJECT, BODY' >> mailcow.conf
            WEBHOOK_BODY='{"username": "mailcow Watchdog", "content": "**${SUBJECT}**\n${BODY}"}'
            echo "#WATCHDOG_NOTIFY_WEBHOOK_BODY='${WEBHOOK_BODY}'" >> mailcow.conf
            ;;
        WATCHDOG_NOTIFY_BAN)
            echo '# Notify about banned IP. Includes whois lookup.' >> mailcow.conf
            echo "WATCHDOG_NOTIFY_BAN=y" >> mailcow.conf
            ;;
        WATCHDOG_NOTIFY_START)
            echo '# Send a notification when the watchdog is started.' >> mailcow.conf
            echo "WATCHDOG_NOTIFY_START=y" >> mailcow.conf
            ;;
        WATCHDOG_SUBJECT)
            echo '# Subject for watchdog mails. Defaults to "Watchdog ALERT" followed by the error message.' >> mailcow.conf
            echo "#WATCHDOG_SUBJECT=" >> mailcow.conf
            ;;
        WATCHDOG_EXTERNAL_CHECKS)
            echo '# Checks if mailcow is an open relay. Requires a SAL. More checks will follow.' >> mailcow.conf
            echo '# No data is collected. Opt-in and anonymous.' >> mailcow.conf
            echo '# Will only work with unmodified mailcow setups.' >> mailcow.conf
            echo "WATCHDOG_EXTERNAL_CHECKS=n" >> mailcow.conf
            ;;
        SOGO_EXPIRE_SESSION)
            echo '# SOGo session timeout in minutes' >> mailcow.conf
            echo "SOGO_EXPIRE_SESSION=480" >> mailcow.conf
            ;;
        REDIS_PORT)
            echo "REDIS_PORT=127.0.0.1:7654" >> mailcow.conf
            ;;
        DOVECOT_MASTER_USER)
            echo '# DOVECOT_MASTER_USER and _PASS must _both_ be provided. No special chars.' >> mailcow.conf
            echo '# Empty by default to auto-generate master user and password on start.' >> mailcow.conf
            echo '# User expands to DOVECOT_MASTER_USER@mailcow.local' >> mailcow.conf
            echo '# LEAVE EMPTY IF UNSURE' >> mailcow.conf
            echo "DOVECOT_MASTER_USER=" >> mailcow.conf
            ;;
        DOVECOT_MASTER_PASS)
            echo '# LEAVE EMPTY IF UNSURE' >> mailcow.conf
            echo "DOVECOT_MASTER_PASS=" >> mailcow.conf
            ;;
        MAILCOW_PASS_SCHEME)
            echo '# Password hash algorithm' >> mailcow.conf
            echo '# Only certain password hash algorithm are supported. For a fully list of supported schemes,' >> mailcow.conf
            echo '# see https://docs.mailcow.email/models/model-passwd/' >> mailcow.conf
            echo "MAILCOW_PASS_SCHEME=BLF-CRYPT" >> mailcow.conf
            ;;
        ADDITIONAL_SERVER_NAMES)
            echo '# Additional server names for mailcow UI' >> mailcow.conf
            echo '#' >> mailcow.conf
            echo '# Specify alternative addresses for the mailcow UI to respond to' >> mailcow.conf
            echo '# This is useful when you set mail.* as ADDITIONAL_SAN and want to make sure mail.maildomain.com will always point to the mailcow UI.' >> mailcow.conf
            echo '# If the server name does not match a known site, Nginx decides by best-guess and may redirect users to the wrong web root.' >> mailcow.conf
            echo '# You can understand this as server_name directive in Nginx.' >> mailcow.conf
            echo '# Comma separated list without spaces! Example: ADDITIONAL_SERVER_NAMES=a.b.c,d.e.f' >> mailcow.conf
            echo 'ADDITIONAL_SERVER_NAMES=' >> mailcow.conf
            ;;
        WEBAUTHN_ONLY_TRUSTED_VENDORS)
            echo "# WebAuthn device manufacturer verification" >> mailcow.conf
            echo '# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed' >> mailcow.conf
            echo '# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates' >> mailcow.conf
            echo 'WEBAUTHN_ONLY_TRUSTED_VENDORS=n' >> mailcow.conf
            ;;
        SPAMHAUS_DQS_KEY)
            echo "# Spamhaus Data Query Service Key" >> mailcow.conf
            echo '# Optional: Leave empty for none' >> mailcow.conf
            echo '# Enter your key here if you are using a blocked ASN (OVH, AWS, Cloudflare e.g) for the unregistered Spamhaus Blocklist.' >> mailcow.conf
            echo '# If empty, it will completely disable Spamhaus blocklists if it detects that you are running on a server using a blocked AS.' >> mailcow.conf
            echo '# Otherwise it will work as usual.' >> mailcow.conf
            echo 'SPAMHAUS_DQS_KEY=' >> mailcow.conf
            ;;
        WATCHDOG_VERBOSE)
            echo '# Enable watchdog verbose logging' >> mailcow.conf
            echo 'WATCHDOG_VERBOSE=n' >> mailcow.conf
            ;;
        SKIP_UNBOUND_HEALTHCHECK)
            echo '# Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!) - y/n' >> mailcow.conf
            echo 'SKIP_UNBOUND_HEALTHCHECK=n' >> mailcow.conf
            ;;
        DISABLE_NETFILTER_ISOLATION_RULE)
            echo '# Prevent netfilter from setting an iptables/nftables rule to isolate the mailcow docker network - y/n' >> mailcow.conf
            echo '# CAUTION: Disabling this may expose container ports to other neighbors on the same subnet, even if the ports are bound to localhost' >> mailcow.conf
            echo 'DISABLE_NETFILTER_ISOLATION_RULE=n' >> mailcow.conf
            ;;
        HTTP_REDIRECT)
            echo '# Redirect HTTP connections to HTTPS - y/n' >> mailcow.conf
            echo 'HTTP_REDIRECT=n' >> mailcow.conf
            ;;
        ENABLE_IPV6)
            echo '# IPv6 Controller Section' >> mailcow.conf
            echo '# This variable controls the usage of IPv6 within mailcow.' >> mailcow.conf
            echo '# Can either be true or false | Defaults to true' >> mailcow.conf
            echo '# WARNING: MAKE SURE TO PROPERLY CONFIGURE IPv6 ON YOUR HOST FIRST BEFORE ENABLING THIS AS FAULTY CONFIGURATIONS CAN LEAD TO OPEN RELAYS!' >> mailcow.conf
            echo '# A COMPLETE DOCKER STACK REBUILD (compose down && compose up -d) IS NEEDED TO APPLY THIS.' >> mailcow.conf
            echo ENABLE_IPV6=${IPV6_BOOL} >> mailcow.conf
            ;;
        SKIP_CLAMD)
            echo '# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n' >> mailcow.conf
            echo 'SKIP_CLAMD=n' >> mailcow.conf
            ;;
        SKIP_OLEFY)
            echo '# Skip Olefy (olefy-mailcow) anti-virus for Office documents (Rspamd will auto-detect a missing Olefy container) - y/n' >> mailcow.conf
            echo 'SKIP_OLEFY=n' >> mailcow.conf
            ;;
        REDISPASS)
            echo "REDISPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2>/dev/null | head -c 28)" >> mailcow.conf
            ;;
        SOGO_URL_ENCRYPTION_KEY)
            echo '# SOGo URL encryption key (exactly 16 characters, limited to A–Z, a–z, 0–9)' >> mailcow.conf
            echo '# This key is used to encrypt email addresses within SOGo URLs' >> mailcow.conf
            echo "SOGO_URL_ENCRYPTION_KEY=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2>/dev/null | head -c 16)" >> mailcow.conf
            ;;
        *)
            echo "${option}=" >> mailcow.conf
            ;;
    esac
  done
 }
--- a/data/Dockerfiles/acme/Dockerfile
+++ b/data/Dockerfiles/acme/Dockerfile
@@ -1,7 +1,8 @@
-FROM alpine:3.21
+FROM alpine:3.18
-LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
+LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
 ARG PIP_BREAK_SYSTEM_PACKAGES=1
 RUN apk upgrade --no-cache \
  && apk add --update --no-cache \
  bash \
@@ -14,7 +15,9 @@ RUN apk upgrade --no-cache \
  tini \
  tzdata \
  python3 \
-  acme-tiny
+  py3-pip \
  && pip3 install --upgrade pip \
  && pip3 install acme-tiny
 COPY acme.sh /srv/acme.sh
 COPY functions.sh /srv/functions.sh
--- a/data/Dockerfiles/acme/acme.sh
+++ b/data/Dockerfiles/acme/acme.sh
@@ -4,9 +4,9 @@ exec 5>&1
 # Do not attempt to write to slave
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  export REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
+  export REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
 else
-  export REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
+  export REDIS_CMDLINE="redis-cli -h redis -p 6379"
 fi
 until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
@@ -33,10 +33,6 @@ if [[ "${ONLY_MAILCOW_HOSTNAME}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
  ONLY_MAILCOW_HOSTNAME=y
 fi
 if [[ "${AUTODISCOVER_SAN}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
  AUTODISCOVER_SAN=y
 fi
 # Request individual certificate for every domain
 if [[ "${ENABLE_SSL_SNI}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
  ENABLE_SSL_SNI=y
@@ -117,13 +113,13 @@ fi
 chmod 600 ${ACME_BASE}/key.pem
 log_f "Waiting for database..."
-while ! /usr/bin/mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent > /dev/null; do
+while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent > /dev/null; do
  sleep 2
 done
 log_f "Database OK"
 log_f "Waiting for Nginx..."
-until $(curl --output /dev/null --silent --head --fail http://nginx.${COMPOSE_PROJECT_NAME}_mailcow-network:8081); do
+until $(curl --output /dev/null --silent --head --fail http://nginx:8081); do
  sleep 2
 done
 log_f "Nginx OK"
@@ -137,8 +133,8 @@ log_f "Resolver OK"
 # Waiting for domain table
 log_f "Waiting for domain table..."
 while [[ -z ${DOMAIN_TABLE} ]]; do
-  curl --silent http://nginx.${COMPOSE_PROJECT_NAME}_mailcow-network/ >/dev/null 2>&1
+  curl --silent http://nginx/ >/dev/null 2>&1
-  DOMAIN_TABLE=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'domain'" -Bs)
+  DOMAIN_TABLE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'domain'" -Bs)
  [[ -z ${DOMAIN_TABLE} ]] && sleep 10
 done
 log_f "OK" no_date
@@ -159,6 +155,18 @@ while true; do
  fi
  if [[ ! -f ${ACME_BASE}/acme/account.pem ]]; then
    log_f "Generating missing Lets Encrypt account key..."
    if [[ ! -z ${ACME_CONTACT} ]]; then
      if ! verify_email "${ACME_CONTACT}"; then
        log_f "Invalid email address, will not start registration!"
        sleep 365d
        exec $(readlink -f "$0")
      else
        ACME_CONTACT_PARAMETER="--contact mailto:${ACME_CONTACT}"
        log_f "Valid email address, using ${ACME_CONTACT} for registration"
      fi
    else
      ACME_CONTACT_PARAMETER=""
    fi
    openssl genrsa 4096 > ${ACME_BASE}/acme/account.pem
  else
    log_f "Using existing Lets Encrypt account key ${ACME_BASE}/acme/account.pem"
@@ -203,11 +211,7 @@ while true; do
      ADDITIONAL_SAN_ARR+=($i)
    fi
  done
-
+  ADDITIONAL_WC_ARR+=('autodiscover' 'autoconfig')
  if [[ ${AUTODISCOVER_SAN} == "y" ]]; then
  # Fetch certs for autoconfig and autodiscover subdomains
  ADDITIONAL_WC_ARR+=('autodiscover' 'autoconfig' 'mta-sts')
  fi
  if [[ ${SKIP_IP_CHECK} != "y" ]]; then
  # Start IP detection
@@ -219,7 +223,7 @@ while true; do
  #########################################
  # IP and webroot challenge verification #
-  SQL_DOMAINS=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 and active=1" -Bs)
+  SQL_DOMAINS=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 and active=1" -Bs)
  if [[ ! $? -eq 0 ]]; then
    log_f "Failed to read SQL domains, retrying in 1 minute..."
    sleep 1m
@@ -287,7 +291,7 @@ while true; do
    VALIDATED_CERTIFICATES+=("${CERT_NAME}")
    # obtain server certificate if required
-    DOMAINS=${SERVER_SAN_VALIDATED[@]} /srv/obtain-certificate.sh rsa
+    ACME_CONTACT_PARAMETER=${ACME_CONTACT_PARAMETER} DOMAINS=${SERVER_SAN_VALIDATED[@]} /srv/obtain-certificate.sh rsa
    RETURN="$?"
    if [[ "$RETURN" == "0" ]]; then # 0 = cert created successfully
      CERT_AMOUNT_CHANGED=1
--- a/data/Dockerfiles/acme/obtain-certificate.sh
+++ b/data/Dockerfiles/acme/obtain-certificate.sh
@@ -93,8 +93,8 @@ until dig letsencrypt.org +time=3 +tries=1 @unbound > /dev/null; do
  sleep 2
 done
 log_f "Resolver OK"
-log_f "Using command acme-tiny ${DIRECTORY_URL} --account-key ${ACME_BASE}/acme/account.pem --disable-check --csr ${CSR} --acme-dir /var/www/acme/"
+log_f "Using command acme-tiny ${DIRECTORY_URL} ${ACME_CONTACT_PARAMETER} --account-key ${ACME_BASE}/acme/account.pem --disable-check --csr ${CSR} --acme-dir /var/www/acme/"
-ACME_RESPONSE=$(acme-tiny ${DIRECTORY_URL} \
+ACME_RESPONSE=$(acme-tiny ${DIRECTORY_URL} ${ACME_CONTACT_PARAMETER} \
  --account-key ${ACME_BASE}/acme/account.pem \
  --disable-check \
  --csr ${CSR} \
@@ -124,7 +124,7 @@ case "$SUCCESS" in
    ;;
  *) # non-zero is non-fun
    log_f "Failed to obtain certificate ${CERT} for domains '${CERT_DOMAINS[*]}'"
-    redis-cli -h redis -a ${REDISPASS} --no-auth-warning SET ACME_FAIL_TIME "$(date +%s)"
+    redis-cli -h redis SET ACME_FAIL_TIME "$(date +%s)"
    exit 100${SUCCESS}
    ;;
 esac
--- a/data/Dockerfiles/acme/reload-configurations.sh
+++ b/data/Dockerfiles/acme/reload-configurations.sh
@@ -2,32 +2,32 @@
 # Reading container IDs
 # Wrapping as array to ensure trimmed content when calling $NGINX etc.
-NGINX=($(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"nginx-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
+NGINX=($(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"nginx-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
-DOVECOT=($(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"dovecot-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
+DOVECOT=($(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"dovecot-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
-POSTFIX=($(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"postfix-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
+POSTFIX=($(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"postfix-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
 reload_nginx(){
  echo "Reloading Nginx..."
-  NGINX_RELOAD_RET=$(curl -X POST --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${NGINX}/exec -d '{"cmd":"reload", "task":"nginx"}' --silent -H 'Content-type: application/json' | jq -r .type)
+  NGINX_RELOAD_RET=$(curl -X POST --insecure https://dockerapi/containers/${NGINX}/exec -d '{"cmd":"reload", "task":"nginx"}' --silent -H 'Content-type: application/json' | jq -r .type)
  [[ ${NGINX_RELOAD_RET} != 'success' ]] && { echo "Could not reload Nginx, restarting container..."; restart_container ${NGINX} ; }
 }
 reload_dovecot(){
  echo "Reloading Dovecot..."
-  DOVECOT_RELOAD_RET=$(curl -X POST --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${DOVECOT}/exec -d '{"cmd":"reload", "task":"dovecot"}' --silent -H 'Content-type: application/json' | jq -r .type)
+  DOVECOT_RELOAD_RET=$(curl -X POST --insecure https://dockerapi/containers/${DOVECOT}/exec -d '{"cmd":"reload", "task":"dovecot"}' --silent -H 'Content-type: application/json' | jq -r .type)
  [[ ${DOVECOT_RELOAD_RET} != 'success' ]] && { echo "Could not reload Dovecot, restarting container..."; restart_container ${DOVECOT} ; }
 }
 reload_postfix(){
  echo "Reloading Postfix..."
-  POSTFIX_RELOAD_RET=$(curl -X POST --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${POSTFIX}/exec -d '{"cmd":"reload", "task":"postfix"}' --silent -H 'Content-type: application/json' | jq -r .type)
+  POSTFIX_RELOAD_RET=$(curl -X POST --insecure https://dockerapi/containers/${POSTFIX}/exec -d '{"cmd":"reload", "task":"postfix"}' --silent -H 'Content-type: application/json' | jq -r .type)
  [[ ${POSTFIX_RELOAD_RET} != 'success' ]] && { echo "Could not reload Postfix, restarting container..."; restart_container ${POSTFIX} ; }
 }
 restart_container(){
  for container in $*; do
    echo "Restarting ${container}..."
-    C_REST_OUT=$(curl -X POST --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${container}/restart --silent | jq -r '.msg')
+    C_REST_OUT=$(curl -X POST --insecure https://dockerapi/containers/${container}/restart --silent | jq -r '.msg')
    echo "${C_REST_OUT}"
  done
 }
--- a/data/Dockerfiles/backup/Dockerfile
+++ b/data/Dockerfiles/backup/Dockerfile
@@ -1,3 +1,3 @@
-FROM debian:trixie-slim
+FROM debian:bullseye-slim
-RUN apt update && apt install pigz zstd -y --no-install-recommends
+RUN apt update && apt install pigz
--- a/data/Dockerfiles/clamd/Dockerfile
+++ b/data/Dockerfiles/clamd/Dockerfile
@@ -1,99 +1,14 @@
-FROM alpine:3.21 AS builder
+FROM alpine:3.19
-WORKDIR /src
+LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
 ENV CLAMD_VERSION=1.4.2
 RUN apk upgrade --no-cache \
  && apk add --update --no-cache \
-    g++ \
+  rsync \
-    gcc \
+  clamav \
-    gdb \
+  bind-tools \
-    make \
+  bash \
-    cmake \
+  tini
    py3-pytest \
    python3 \
    valgrind \
    bzip2-dev \
    check-dev \
    curl-dev \
    json-c-dev \
    libmilter-dev \
    libxml2-dev \
    linux-headers \
    ncurses-dev \
    openssl-dev \
    pcre2-dev \
    zlib-dev \
    cargo \
    rust
 RUN wget -P /src https://www.clamav.net/downloads/production/clamav-${CLAMD_VERSION}.tar.gz \
  && tar xzfv /src/clamav-${CLAMD_VERSION}.tar.gz \
  && cd /src/clamav-${CLAMD_VERSION} \
  && cmake . \
  -D CMAKE_BUILD_TYPE="Release"                                                       \
  -D CMAKE_INSTALL_PREFIX="/usr"                                                      \
  -D CMAKE_INSTALL_LIBDIR="/usr/lib"                                                  \
  -D APP_CONFIG_DIRECTORY="/etc/clamav"                                               \
  -D DATABASE_DIRECTORY="/var/lib/clamav"                                             \
  -D ENABLE_CLAMONACC=OFF                                                             \
  -D ENABLE_EXAMPLES=OFF                                                              \
  -D ENABLE_MILTER=ON                                                                 \
  -D ENABLE_MAN_PAGES=OFF                                                             \
  -D ENABLE_STATIC_LIB=OFF                                                            \
  -D ENABLE_JSON_SHARED=ON                                                            \ 
  && cmake --build . \
  && make DESTDIR="/clamav" -j$(($(nproc) - 1)) install \
  && rm -r "/clamav/usr/lib/pkgconfig/" \
  && sed -e "s|^\(Example\)|\# \1|" \
    -e "s|.*\(LocalSocket\) .*|\1 /tmp/clamd.sock|" \
    -e "s|.*\(TCPSocket\) .*|\1 3310|" \
    -e "s|.*\(TCPAddr\) .*|#\1 0.0.0.0|" \
    -e "s|.*\(User\) .*|\1 clamav|" \
    -e "s|^\#\(LogFile\) .*|\1 /var/log/clamav/clamd.log|" \
    -e "s|^\#\(LogTime\).*|\1 yes|" \
    "/clamav/etc/clamav/clamd.conf.sample" > "/clamav/etc/clamav/clamd.conf" \
  && sed -e "s|^\(Example\)|\# \1|" \
    -e "s|.*\(DatabaseOwner\) .*|\1 clamav|" \
    -e "s|^\#\(UpdateLogFile\) .*|\1 /var/log/clamav/freshclam.log|" \
    -e "s|^\#\(NotifyClamd\).*|\1 /etc/clamav/clamd.conf|" \
    -e "s|^\#\(ScriptedUpdates\).*|\1 yes|" \
    "/clamav/etc/clamav/freshclam.conf.sample" > "/clamav/etc/clamav/freshclam.conf" \
  && sed -e "s|^\(Example\)|\# \1|" \
  -e "s|.*\(MilterSocket\) .*|\1 inet:7357|" \
  -e "s|.*\(User\) .*|\1 clamav|" \
  -e "s|^\#\(LogFile\) .*|\1 /var/log/clamav/milter.log|" \
  -e "s|^\#\(LogTime\).*|\1 yes|" \
  -e "s|.*\(\ClamdSocket\) .*|\1 unix:/tmp/clamd.sock|" \
  "/clamav/etc/clamav/clamav-milter.conf.sample" > "/clamav/etc/clamav/clamav-milter.conf" || exit 1
 FROM alpine:3.21
 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 RUN apk upgrade --no-cache \
  && apk add --update --no-cache \
    tzdata \
    rsync \
    bind-tools \
    bash \
    tini \
    json-c \
    libbz2 \
    libcurl \
    libmilter \
    libxml2 \
    ncurses-libs \
    pcre2 \
    zlib \
    libgcc \
  && addgroup -S "clamav" && \
    adduser -D -G "clamav" -h "/var/lib/clamav" -s "/bin/false" -S "clamav" && \
    install -d -m 755 -g "clamav" -o "clamav" "/var/log/clamav" && \
    chown -R clamav:clamav /var/lib/clamav
 COPY --from=builder "/clamav" "/"
 # init
 COPY clamd.sh /clamd.sh
--- a/data/Dockerfiles/clamd/clamd.sh
+++ b/data/Dockerfiles/clamd/clamd.sh
@@ -8,7 +8,7 @@ fi
 # Cleaning up garbage
 echo "Cleaning up tmp files..."
-rm -rf /var/lib/clamav/tmp.*
+rm -rf /var/lib/clamav/clamav-*.tmp
 # Prepare whitelist
@@ -91,7 +91,6 @@ done
 ) &
 BACKGROUND_TASKS+=($!)
 echo "$(clamd -V) is starting... please wait a moment."
 nice -n10 clamd &
 BACKGROUND_TASKS+=($!)
--- a/data/Dockerfiles/dockerapi/Dockerfile
+++ b/data/Dockerfiles/dockerapi/Dockerfile
@@ -1,6 +1,6 @@
-FROM alpine:3.21
+FROM alpine:3.19
-LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
+LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
 ARG PIP_BREAK_SYSTEM_PACKAGES=1
 WORKDIR /app
@@ -24,4 +24,4 @@ COPY main.py /app/main.py
 COPY modules/ /app/modules/
 ENTRYPOINT ["/bin/sh", "/app/docker-entrypoint.sh"]
-CMD ["python", "main.py"]
+CMD exec python main.py
--- a/data/Dockerfiles/dockerapi/main.py
+++ b/data/Dockerfiles/dockerapi/main.py
@@ -34,9 +34,9 @@ async def lifespan(app: FastAPI):
  # Init redis client
  if os.environ['REDIS_SLAVEOF_IP'] != "":
-    redis_client = redis = await aioredis.from_url(f"redis://{os.environ['REDIS_SLAVEOF_IP']}:{os.environ['REDIS_SLAVEOF_PORT']}/0", password=os.environ['REDISPASS'])
+    redis_client = redis = await aioredis.from_url(f"redis://{os.environ['REDIS_SLAVEOF_IP']}:{os.environ['REDIS_SLAVEOF_PORT']}/0")
  else:
-    redis_client = redis = await aioredis.from_url("redis://redis-mailcow:6379/0", password=os.environ['REDISPASS'])
+    redis_client = redis = await aioredis.from_url("redis://redis-mailcow:6379/0")
  # Init docker clients
  sync_docker_client = docker.DockerClient(base_url='unix://var/run/docker.sock', version='auto')
@@ -130,7 +130,7 @@ async def get_containers():
 async def post_containers(container_id : str, post_action : str, request: Request):
  global dockerapi
-  try:
+  try : 
    request_json = await request.json()
  except Exception as err:
    request_json = {}
@@ -241,9 +241,9 @@ async def handle_pubsub_messages(channel: aioredis.client.PubSub):
              else:
                dockerapi.logger.error("api call: missing container_name, post_action or request")
            else:
-              dockerapi.logger.error("Unknown PubSub received - %s" % json.dumps(data_json))
+              dockerapi.logger.error("Unknwon PubSub recieved - %s" % json.dumps(data_json))
          else:
-            dockerapi.logger.error("Unknown PubSub received - %s" % json.dumps(data_json))
+            dockerapi.logger.error("Unknwon PubSub recieved - %s" % json.dumps(data_json))
        await asyncio.sleep(0.0)
    except asyncio.TimeoutError:
--- a/data/Dockerfiles/dockerapi/modules/DockerApi.py
+++ b/data/Dockerfiles/dockerapi/modules/DockerApi.py
@@ -342,30 +342,6 @@ class DockerApi:
          cmd = ["/bin/bash", "-c", cmd_vmail]
        maildir_cleanup = container.exec_run(cmd, user='vmail')
        return self.exec_run_handler('generic', maildir_cleanup)
  # api call: container_post - post_action: exec - cmd: maildir - task: move
  def container_post__exec__maildir__move(self, request_json, **kwargs):
    if 'container_id' in kwargs:
      filters = {"id": kwargs['container_id']}
    elif 'container_name' in kwargs:
      filters = {"name": kwargs['container_name']}
    if 'old_maildir' in request_json and 'new_maildir' in request_json:
      for container in self.sync_docker_client.containers.list(filters=filters):
        vmail_name = request_json['old_maildir'].replace("'", "'\\''")
        new_vmail_name = request_json['new_maildir'].replace("'", "'\\''")
        cmd_vmail = f"if [[ -d '/var/vmail/{vmail_name}' ]]; then /bin/mv '/var/vmail/{vmail_name}' '/var/vmail/{new_vmail_name}'; fi"
        index_name = request_json['old_maildir'].split("/")
        new_index_name = request_json['new_maildir'].split("/")
        if len(index_name) > 1 and len(new_index_name) > 1:
          index_name = index_name[1].replace("'", "'\\''") + "@" + index_name[0].replace("'", "'\\''")
          new_index_name = new_index_name[1].replace("'", "'\\''") + "@" + new_index_name[0].replace("'", "'\\''")
          cmd_vmail_index = f"if [[ -d '/var/vmail_index/{index_name}' ]]; then /bin/mv '/var/vmail_index/{index_name}' '/var/vmail_index/{new_index_name}_index'; fi"
          cmd = ["/bin/bash", "-c", cmd_vmail + " && " + cmd_vmail_index]
        else:
          cmd = ["/bin/bash", "-c", cmd_vmail]
        maildir_move = container.exec_run(cmd, user='vmail')
        return self.exec_run_handler('generic', maildir_move)
  # api call: container_post - post_action: exec - cmd: rspamd - task: worker_password
  def container_post__exec__rspamd__worker_password(self, request_json, **kwargs):
    if 'container_id' in kwargs:
@@ -382,8 +358,8 @@ class DockerApi:
        for line in cmd_response.split("\n"):
          if '$2$' in line:
            hash = line.strip()
-            hash_out = re.search(r'\$2\$.+$', hash).group(0)
+            hash_out = re.search('\$2\$.+$', hash).group(0)
-            rspamd_passphrase_hash = re.sub(r'[^0-9a-zA-Z\$]+', '', hash_out.rstrip())
+            rspamd_passphrase_hash = re.sub('[^0-9a-zA-Z\$]+', '', hash_out.rstrip())
            rspamd_password_filename = "/etc/rspamd/override.d/worker-controller-password.inc"
            cmd = '''/bin/echo 'enable_password = "%s";' > %s && cat %s''' % (rspamd_passphrase_hash, rspamd_password_filename, rspamd_password_filename)
            cmd_response = self.exec_cmd_container(container, cmd, user="_rspamd")
@@ -398,121 +374,6 @@ class DockerApi:
          self.logger.error('failed changing Rspamd password')
          res = { 'type': 'danger', 'msg': 'command did not complete' }
          return Response(content=json.dumps(res, indent=4), media_type="application/json")
  # api call: container_post - post_action: exec - cmd: sogo - task: rename
  def container_post__exec__sogo__rename_user(self, request_json, **kwargs):
    if 'container_id' in kwargs:
      filters = {"id": kwargs['container_id']}
    elif 'container_name' in kwargs:
      filters = {"name": kwargs['container_name']}
    if 'old_username' in request_json and 'new_username' in request_json:
      for container in self.sync_docker_client.containers.list(filters=filters):
        old_username = request_json['old_username'].replace("'", "'\\''")
        new_username = request_json['new_username'].replace("'", "'\\''")
        sogo_return = container.exec_run(["/bin/bash", "-c", f"sogo-tool rename-user '{old_username}' '{new_username}'"], user='sogo')
        return self.exec_run_handler('generic', sogo_return)
  # api call: container_post - post_action: exec - cmd: doveadm - task: get_acl
  def container_post__exec__doveadm__get_acl(self, request_json, **kwargs):
    if 'container_id' in kwargs:
      filters = {"id": kwargs['container_id']}
    elif 'container_name' in kwargs:
      filters = {"name": kwargs['container_name']}
    for container in self.sync_docker_client.containers.list(filters=filters):
      id = request_json['id'].replace("'", "'\\''")
      shared_folders = container.exec_run(["/bin/bash", "-c", f"doveadm mailbox list -u '{id}'"])
      shared_folders = shared_folders.output.decode('utf-8')
      shared_folders = shared_folders.splitlines()
      formatted_acls = []
      mailbox_seen = []
      for shared_folder in shared_folders:
        if "Shared" not in shared_folder:
          mailbox = shared_folder.replace("'", "'\\''")
          if mailbox in mailbox_seen:
            continue
          acls = container.exec_run(["/bin/bash", "-c", f"doveadm acl get -u '{id}' '{mailbox}'"])
          acls = acls.output.decode('utf-8').strip().splitlines()
          if len(acls) >= 2:
            for acl in acls[1:]:
              user_id, rights = acl.split(maxsplit=1)
              user_id = user_id.split('=')[1]
              mailbox_seen.append(mailbox)
              formatted_acls.append({ 'user': id, 'id': user_id, 'mailbox': mailbox, 'rights': rights.split() })
        elif "Shared" in shared_folder and "/" in shared_folder:
          shared_folder = shared_folder.split("/")
          if len(shared_folder) < 3:
            continue
          user = shared_folder[1].replace("'", "'\\''")
          mailbox = '/'.join(shared_folder[2:]).replace("'", "'\\''")
          if mailbox in mailbox_seen:
            continue
          acls = container.exec_run(["/bin/bash", "-c", f"doveadm acl get -u '{user}' '{mailbox}'"])
          acls = acls.output.decode('utf-8').strip().splitlines()
          if len(acls) >= 2:
            for acl in acls[1:]:
              user_id, rights = acl.split(maxsplit=1)
              user_id = user_id.split('=')[1].replace("'", "'\\''")
              if user_id == id and mailbox not in mailbox_seen:
                mailbox_seen.append(mailbox)
                formatted_acls.append({ 'user': user, 'id': id, 'mailbox': mailbox, 'rights': rights.split() })
      return Response(content=json.dumps(formatted_acls, indent=4), media_type="application/json")
  # api call: container_post - post_action: exec - cmd: doveadm - task: delete_acl
  def container_post__exec__doveadm__delete_acl(self, request_json, **kwargs):
    if 'container_id' in kwargs:
      filters = {"id": kwargs['container_id']}
    elif 'container_name' in kwargs:
      filters = {"name": kwargs['container_name']}
    for container in self.sync_docker_client.containers.list(filters=filters):
      user = request_json['user'].replace("'", "'\\''")
      mailbox = request_json['mailbox'].replace("'", "'\\''")
      id = request_json['id'].replace("'", "'\\''")
      if user and mailbox and id:
        acl_delete_return = container.exec_run(["/bin/bash", "-c", f"doveadm acl delete -u '{user}' '{mailbox}' 'user={id}'"])
        return self.exec_run_handler('generic', acl_delete_return)
  # api call: container_post - post_action: exec - cmd: doveadm - task: set_acl
  def container_post__exec__doveadm__set_acl(self, request_json, **kwargs):
    if 'container_id' in kwargs:
      filters = {"id": kwargs['container_id']}
    elif 'container_name' in kwargs:
      filters = {"name": kwargs['container_name']}
    for container in self.sync_docker_client.containers.list(filters=filters):
      user = request_json['user'].replace("'", "'\\''")
      mailbox = request_json['mailbox'].replace("'", "'\\''")
      id = request_json['id'].replace("'", "'\\''")
      rights = ""
      available_rights = [
        "admin",
        "create",
        "delete",
        "expunge",
        "insert",
        "lookup",
        "post",
        "read",
        "write",
        "write-deleted",
        "write-seen"
      ]
      for right in request_json['rights']:
        right = right.replace("'", "'\\''").lower()
        if right in available_rights:
          rights += right + " "
      if user and mailbox and id and rights:
        acl_set_return = container.exec_run(["/bin/bash", "-c", f"doveadm acl set -u '{user}' '{mailbox}' 'user={id}' {rights}"])
        return self.exec_run_handler('generic', acl_set_return)
  # Collect host stats
  async def get_host_stats(self, wait=5):
--- a/data/Dockerfiles/dovecot/Dockerfile
+++ b/data/Dockerfiles/dovecot/Dockerfile
@@ -1,12 +1,10 @@
-FROM alpine:3.21
+FROM alpine:3.19
-
+LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
 # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
-ARG GOSU_VERSION=1.17
+ARG GOSU_VERSION=1.16
 ENV LC_ALL C
 ENV LANG=C.UTF-8
 ENV LC_ALL=C.UTF-8
 # Add groups and users before installing Dovecot to not break compatibility
 RUN addgroup -g 5000 vmail \
@@ -25,7 +23,6 @@ RUN addgroup -g 5000 vmail \
  envsubst \
  ca-certificates \
  curl \
  coreutils \
  jq \
  lua \
  lua-cjson \
@@ -68,8 +65,8 @@ RUN addgroup -g 5000 vmail \
  perl-package-stash-xs \
  perl-par-packer \
  perl-parse-recdescent \
-  perl-lockfile-simple \
+  perl-lockfile-simple --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community/ \
-  libproc2 \
+  libproc \
  perl-readonly \
  perl-regexp-common \
  perl-sys-meminfo \
@@ -109,12 +106,14 @@ RUN addgroup -g 5000 vmail \
  dovecot-submissiond \
  dovecot-pigeonhole-plugin \
  dovecot-pop3d \
-  dovecot-fts-flatcurve \
+  dovecot-fts-solr \
  && arch=$(arch | sed s/aarch64/arm64/ | sed s/x86_64/amd64/) \
  && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$arch" \
  && chmod +x /usr/local/bin/gosu \
  && gosu nobody true
 #RUN cpan LockFile::Simple
 COPY trim_logs.sh /usr/local/bin/trim_logs.sh
 COPY clean_q_aged.sh /usr/local/bin/clean_q_aged.sh
 COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
@@ -133,7 +132,6 @@ COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
 COPY quarantine_notify.py /usr/local/bin/quarantine_notify.py
 COPY quota_notify.py /usr/local/bin/quota_notify.py
 COPY repl_health.sh /usr/local/bin/repl_health.sh
 COPY optimize-fts.sh /usr/local/bin/optimize-fts.sh
 ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
+CMD exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
--- a/data/Dockerfiles/dovecot/clean_q_aged.sh
+++ b/data/Dockerfiles/dovecot/clean_q_aged.sh
@@ -2,7 +2,7 @@
 source /source_env.sh
-MAX_AGE=$(redis-cli --raw -h redis-mailcow -a ${REDISPASS} --no-auth-warning GET Q_MAX_AGE)
+MAX_AGE=$(redis-cli --raw -h redis-mailcow GET Q_MAX_AGE)
 if [[ -z ${MAX_AGE} ]]; then
  echo "Max age for quarantine items not defined"
@@ -15,6 +15,6 @@ if ! [[ ${MAX_AGE} =~ ${NUM_REGEXP} ]] ; then
  exit 1
 fi
-TO_DELETE=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT COUNT(id) FROM quarantine WHERE created < NOW() - INTERVAL ${MAX_AGE//[!0-9]/} DAY" -BN)
+TO_DELETE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT COUNT(id) FROM quarantine WHERE created < NOW() - INTERVAL ${MAX_AGE//[!0-9]/} DAY" -BN)
-mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DELETE FROM quarantine WHERE created < NOW() - INTERVAL ${MAX_AGE//[!0-9]/} DAY"
+mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DELETE FROM quarantine WHERE created < NOW() - INTERVAL ${MAX_AGE//[!0-9]/} DAY"
 echo "Deleted ${TO_DELETE} items from quarantine table (max age is ${MAX_AGE//[!0-9]/} days)"
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -2,7 +2,7 @@
 set -e
 # Wait for MySQL to warm-up
-while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
+while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
  echo "Waiting for database to come up..."
  sleep 2
 done
@@ -14,9 +14,9 @@ done
 # Do not attempt to write to slave
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
+  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
+  REDIS_CMDLINE="redis-cli -h redis -p 6379"
 fi
 until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
@@ -29,7 +29,6 @@ ${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
 # Create missing directories
 [[ ! -d /etc/dovecot/sql/ ]] && mkdir -p /etc/dovecot/sql/
 [[ ! -d /etc/dovecot/auth/ ]] && mkdir -p /etc/dovecot/auth/
 [[ ! -d /etc/dovecot/conf.d/ ]] && mkdir -p /etc/dovecot/conf.d/
 [[ ! -d /var/vmail/_garbage ]] && mkdir -p /var/vmail/_garbage
 [[ ! -d /var/vmail/sieve ]] && mkdir -p /var/vmail/sieve
 [[ ! -d /etc/sogo ]] && mkdir -p /etc/sogo
@@ -110,16 +109,14 @@ EOF
 echo -n ${ACL_ANYONE} > /etc/dovecot/acl_anyone
-if [[ "${SKIP_FTS}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+if [[ "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-echo -e "\e[33mDetecting SKIP_FTS=y... not enabling Flatcurve (FTS) then...\e[0m"
+echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify listescape replication' > /etc/dovecot/mail_plugins
 echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify listescape replication lazy_expunge' > /etc/dovecot/mail_plugins
 echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify listescape replication mail_log' > /etc/dovecot/mail_plugins_imap
 echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
 else
-echo -e "\e[32mDetecting SKIP_FTS=n... enabling Flatcurve (FTS)\e[0m"
+echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify fts fts_solr listescape replication' > /etc/dovecot/mail_plugins
-echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify fts fts_flatcurve listescape replication lazy_expunge' > /etc/dovecot/mail_plugins
+echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify mail_log fts fts_solr listescape replication' > /etc/dovecot/mail_plugins_imap
-echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify mail_log fts fts_flatcurve listescape replication' > /etc/dovecot/mail_plugins_imap
+echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl fts fts_solr notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
 echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl fts fts_flatcurve notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
 fi
 chmod 644 /etc/dovecot/mail_plugins /etc/dovecot/mail_plugins_imap /etc/dovecot/mail_plugins_lmtp /templates/quarantine.tpl
@@ -131,7 +128,6 @@ user_query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format
 iterate_query = SELECT username FROM mailbox WHERE active = '1' OR active = '2';
 EOF
 # Migrate old sieve_after file
 [[ -f /etc/dovecot/sieve_after ]] && mv /etc/dovecot/sieve_after /etc/dovecot/global_sieve_after
 # Create global sieve scripts
@@ -208,13 +204,10 @@ cat <<EOF > /etc/dovecot/sogo-sso.conf
 # Autogenerated by mailcow
 passdb {
  driver = static
-  args = allow_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS}
+  args = allow_real_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS}
 }
 EOF
 # Creating additional creds file for SOGo notify crons (calendars, etc) (dummy user, sso password)
 echo -n ${RAND_USER}@mailcow.local:${RAND_PASS} > /etc/sogo/cron.creds
 if [[ "${MASTER}" =~ ^([nN][oO]|[nN])+$ ]]; then
  # Toggling MASTER will result in a rebuild of containers, so the quota script will be recreated
  cat <<'EOF' > /usr/local/bin/quota_notify.py
@@ -232,14 +225,6 @@ mail_replica = tcp:${MAILCOW_REPLICA_IP}:${DOVEADM_REPLICA_PORT}
 EOF
 fi
 # Setting variables for indexer-worker inside fts.conf automatically according to mailcow.conf settings
 if [[ "${SKIP_FTS}" =~ ^([nN][oO]|[nN])+$ ]]; then
  echo -e "\e[94mConfiguring FTS Settings...\e[0m"
  echo -e "\e[94mSetting FTS Memory Limit (per process) to ${FTS_HEAP} MB\e[0m"
  sed -i "s/vsz_limit\s*=\s*[0-9]*\s*MB*/vsz_limit=${FTS_HEAP} MB/" /etc/dovecot/conf.d/fts.conf
  echo -e "\e[94mSetting FTS Process Limit to ${FTS_PROCS}\e[0m"
  sed -i "s/process_limit\s*=\s*[0-9]*/process_limit=${FTS_PROCS}/" /etc/dovecot/conf.d/fts.conf
 fi
 # 401 is user dovecot
 if [[ ! -s /mail_crypt/ecprivkey.pem || ! -s /mail_crypt/ecpubkey.pem ]]; then
@@ -250,23 +235,20 @@ else
 	chown 401 /mail_crypt/ecprivkey.pem /mail_crypt/ecpubkey.pem
 fi
 # Fix OpenSSL 3.X TLS1.0, 1.1 support (https://community.mailcow.email/d/4062-hi-all/20)
 if grep -qE 'ssl_min_protocol\s*=\s*(TLSv1|TLSv1\.1)\s*$' /etc/dovecot/dovecot.conf /etc/dovecot/extra.conf; then
    sed -i '/\[openssl_init\]/a ssl_conf = ssl_configuration' /etc/ssl/openssl.cnf
    echo "[ssl_configuration]" >> /etc/ssl/openssl.cnf
    echo "system_default = tls_system_default" >> /etc/ssl/openssl.cnf
    echo "[tls_system_default]" >> /etc/ssl/openssl.cnf
    echo "MinProtocol = TLSv1" >> /etc/ssl/openssl.cnf
    echo "CipherString = DEFAULT@SECLEVEL=0" >> /etc/ssl/openssl.cnf
 fi
 # Compile sieve scripts
 sievec /var/vmail/sieve/global_sieve_before.sieve
 sievec /var/vmail/sieve/global_sieve_after.sieve
 sievec /usr/lib/dovecot/sieve/report-spam.sieve
 sievec /usr/lib/dovecot/sieve/report-ham.sieve
 for file in /var/vmail/*/*/sieve/*.sieve ; do
  if [[ "$file" == "/var/vmail/*/*/sieve/*.sieve" ]]; then
    continue
  fi
  sievec "$file" "$(dirname "$file")/../.dovecot.svbin"
  chown vmail:vmail "$(dirname "$file")/../.dovecot.svbin"
 done
 # Fix permissions
 chown root:root /etc/dovecot/sql/*.conf
 chown root:dovecot /etc/dovecot/sql/dovecot-dict-sql-sieve* /etc/dovecot/sql/dovecot-dict-sql-quota* /etc/dovecot/auth/passwd-verify.lua
@@ -287,8 +269,7 @@ chmod +x /usr/lib/dovecot/sieve/rspamd-pipe-ham \
  /usr/local/bin/maildir_gc.sh \
  /usr/local/sbin/stop-supervisor.sh \
  /usr/local/bin/quota_notify.py \
-  /usr/local/bin/repl_health.sh \
+  /usr/local/bin/repl_health.sh
  /usr/local/bin/optimize-fts.sh
 # Prepare environment file for cronjobs
 printenv | sed 's/^\(.*\)$/export \1/g' > /source_env.sh
@@ -298,15 +279,15 @@ printenv | sed 's/^\(.*\)$/export \1/g' > /source_env.sh
 # Clean stopped imapsync jobs
 rm -f /tmp/imapsync_busy.lock
-IMAPSYNC_TABLE=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'imapsync'" -Bs)
+IMAPSYNC_TABLE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'imapsync'" -Bs)
-[[ ! -z ${IMAPSYNC_TABLE} ]] && mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "UPDATE imapsync SET is_running='0'"
+[[ ! -z ${IMAPSYNC_TABLE} ]] && mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "UPDATE imapsync SET is_running='0'"
 # Envsubst maildir_gc
 echo "$(envsubst < /usr/local/bin/maildir_gc.sh)" > /usr/local/bin/maildir_gc.sh
 # GUID generation
 while [[ ${VERSIONS_OK} != 'OK' ]]; do
-  if [[ ! -z $(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = \"${DBNAME}\" AND TABLE_NAME = 'versions'") ]]; then
+  if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = \"${DBNAME}\" AND TABLE_NAME = 'versions'") ]]; then
    VERSIONS_OK=OK
  else
    echo "Waiting for versions table to be created..."
@@ -317,11 +298,11 @@ PUBKEY_MCRYPT=$(doveconf -P 2> /dev/null | grep -i mail_crypt_global_public_key
 if [ -f ${PUBKEY_MCRYPT} ]; then
  GUID=$(cat <(echo ${MAILCOW_HOSTNAME}) /mail_crypt/ecpubkey.pem | sha256sum | cut -d ' ' -f1 | tr -cd "[a-fA-F0-9.:/] ")
  if [ ${#GUID} -eq 64 ]; then
-    mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
+    mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
 REPLACE INTO versions (application, version) VALUES ("GUID", "${GUID}");
 EOF
  else
-    mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
+    mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
 REPLACE INTO versions (application, version) VALUES ("GUID", "INVALID");
 EOF
  fi
--- a/data/Dockerfiles/dovecot/imapsync_runner.pl
+++ b/data/Dockerfiles/dovecot/imapsync_runner.pl
@@ -132,8 +132,8 @@ while ($row = $sth->fetchrow_arrayref()) {
  "--tmpdir", "/tmp",
  "--nofoldersizes",
  "--addheader",
-  ($timeout1 le "0" ? () : ('--timeout1', $timeout1)),
+  ($timeout1 gt "0" ? () : ('--timeout1', $timeout1)),
-  ($timeout2 le "0" ? () : ('--timeout2', $timeout2)),
+  ($timeout2 gt "0" ? () : ('--timeout2', $timeout2)),
  ($exclude eq "" ? () : ("--exclude", $exclude)),
  ($subfolder2 eq "" ? () : ('--subfolder2', $subfolder2)),
  ($maxage eq "0" ? () : ('--maxage', $maxage)),
--- a/data/Dockerfiles/dovecot/optimize-fts.sh
+++ b/data/Dockerfiles/dovecot/optimize-fts.sh
@@ -1,7 +0,0 @@
 #!/bin/bash
 if [[ "${SKIP_FTS}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
    exit 0
 else
    doveadm fts optimize -A
 fi
--- a/data/Dockerfiles/dovecot/quarantine_notify.py
+++ b/data/Dockerfiles/dovecot/quarantine_notify.py
@@ -8,8 +8,7 @@ from email.mime.multipart import MIMEMultipart
 from email.mime.text import MIMEText
 from email.utils import COMMASPACE, formatdate
 import jinja2
-from jinja2 import TemplateError
+from jinja2 import Template
 from jinja2.sandbox import SandboxedEnvironment
 import json
 import redis
 import time
@@ -32,7 +31,7 @@ try:
  while True:
    try:
-      r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0, password=os.environ['REDISPASS'])
+      r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0)
      r.ping()
    except Exception as ex:
      print('%s - trying again...'  % (ex))
@@ -76,27 +75,22 @@ try:
  def notify_rcpt(rcpt, msg_count, quarantine_acl, category):
    if category == "add_header": category = "add header"
-    meta_query = query_mysql('SELECT `qhash`, id, subject, score, sender, created, action FROM quarantine WHERE notified = 0 AND rcpt = "%s" AND score < %f AND (action = "%s" OR "all" = "%s")' % (rcpt, max_score, category, category))
+    meta_query = query_mysql('SELECT SHA2(CONCAT(id, qid), 256) AS qhash, id, subject, score, sender, created, action FROM quarantine WHERE notified = 0 AND rcpt = "%s" AND score < %f AND (action = "%s" OR "all" = "%s")' % (rcpt, max_score, category, category))
    print("%s: %d of %d messages qualify for notification" % (rcpt, len(meta_query), msg_count))
    if len(meta_query) == 0:
      return
    msg_count = len(meta_query)
    env = SandboxedEnvironment()
    if r.get('Q_HTML'):
-        try:
+      try:
-            template = env.from_string(r.get('Q_HTML'))
+        template = Template(r.get('Q_HTML'))
-        except Exception:
+      except:
-            print("Error: Cannot parse quarantine template, falling back to default template.")
+        print("Error: Cannot parse quarantine template, falling back to default template.")
            with open('/templates/quarantine.tpl') as file_:
                template = env.from_string(file_.read())
    else:
        with open('/templates/quarantine.tpl') as file_:
-            template = env.from_string(file_.read())
+          template = Template(file_.read())
-    try:
+    else:
-        html = template.render(meta=meta_query, username=rcpt, counter=msg_count, hostname=mailcow_hostname, quarantine_acl=quarantine_acl)
+      with open('/templates/quarantine.tpl') as file_:
-    except (jinja2.exceptions.SecurityError, TemplateError) as ex:
+        template = Template(file_.read())
-        print(f"SecurityError or TemplateError in template rendering: {ex}")
+    html = template.render(meta=meta_query, username=rcpt, counter=msg_count, hostname=mailcow_hostname, quarantine_acl=quarantine_acl)
        return
    text = html2text.html2text(html)
    count = 0
    while count < 15:
--- a/data/Dockerfiles/dovecot/quota_notify.py
+++ b/data/Dockerfiles/dovecot/quota_notify.py
@@ -6,7 +6,7 @@ from email.mime.multipart import MIMEMultipart
 from email.mime.text import MIMEText
 from email.utils import COMMASPACE, formatdate
 import jinja2
-from jinja2.sandbox import SandboxedEnvironment
+from jinja2 import Template
 import redis
 import time
 import json
@@ -23,7 +23,7 @@ else:
 while True:
  try:
-    r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0, username='quota_notify', password='')
+    r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0)
    r.ping()
  except Exception as ex:
    print('%s - trying again...'  % (ex))
@@ -33,24 +33,16 @@ while True:
 if r.get('QW_HTML'):
  try:
-    env = SandboxedEnvironment()
+    template = Template(r.get('QW_HTML'))
-    template = env.from_string(r.get('QW_HTML'))
+  except:
-  except Exception:
+    print("Error: Cannot parse quarantine template, falling back to default template.")
    print("Error: Cannot parse quota template, falling back to default template.")
    with open('/templates/quota.tpl') as file_:
-      env = SandboxedEnvironment()
+      template = Template(file_.read())
      template = env.from_string(file_.read())
 else:
  with open('/templates/quota.tpl') as file_:
-    env = SandboxedEnvironment()
+    template = Template(file_.read())
    template = env.from_string(file_.read())
 try:
  html = template.render(username=username, percent=percent)
 except (jinja2.exceptions.SecurityError, jinja2.TemplateError) as ex:
  print(f"SecurityError or TemplateError in template rendering: {ex}")
  sys.exit(1)
 html = template.render(username=username, percent=percent)
 text = html2text.html2text(html)
 try:
--- a/data/Dockerfiles/dovecot/repl_health.sh
+++ b/data/Dockerfiles/dovecot/repl_health.sh
@@ -4,9 +4,9 @@ source /source_env.sh
 # Do not attempt to write to slave
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
+  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
+  REDIS_CMDLINE="redis-cli -h redis -p 6379"
 fi
 # Is replication active?
--- a/data/Dockerfiles/dovecot/rspamd-pipe-ham
+++ b/data/Dockerfiles/dovecot/rspamd-pipe-ham
@@ -3,8 +3,8 @@ FILE=/tmp/mail$$
 cat > $FILE
 trap "/bin/rm -f $FILE" 0 1 2 3 13 15
-cat ${FILE} | /usr/bin/curl -H "Flag: 11" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/fuzzydel
+cat ${FILE} | /usr/bin/curl -H "Flag: 11" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/fuzzydel
-cat ${FILE} | /usr/bin/curl -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/learnham
+cat ${FILE} | /usr/bin/curl -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/learnham
-cat ${FILE} | /usr/bin/curl -H "Flag: 13" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/fuzzyadd
+cat ${FILE} | /usr/bin/curl -H "Flag: 13" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/fuzzyadd
 exit 0
--- a/data/Dockerfiles/dovecot/rspamd-pipe-spam
+++ b/data/Dockerfiles/dovecot/rspamd-pipe-spam
@@ -3,8 +3,8 @@ FILE=/tmp/mail$$
 cat > $FILE
 trap "/bin/rm -f $FILE" 0 1 2 3 13 15
-cat ${FILE} | /usr/bin/curl -H "Flag: 13" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/fuzzydel
+cat ${FILE} | /usr/bin/curl -H "Flag: 13" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/fuzzydel
-cat ${FILE} | /usr/bin/curl -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/learnspam
+cat ${FILE} | /usr/bin/curl -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/learnspam
-cat ${FILE} | /usr/bin/curl -H "Flag: 11" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/fuzzyadd
+cat ${FILE} | /usr/bin/curl -H "Flag: 11" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/fuzzyadd
 exit 0
--- a/data/Dockerfiles/dovecot/sa-rules.sh
+++ b/data/Dockerfiles/dovecot/sa-rules.sh
@@ -11,25 +11,21 @@ else
 fi
 # Deploy
-if curl --connect-timeout 15 --retry 5 --max-time 30 https://www.spamassassin.heinlein-support.de/$(dig txt 1.4.3.spamassassin.heinlein-support.de +short | tr -d '"' | tr -dc '0-9').tar.gz --output /tmp/sa-rules-heinlein.tar.gz; then
+curl --connect-timeout 15 --retry 10 --max-time 30 http://www.spamassassin.heinlein-support.de/$(dig txt 1.4.3.spamassassin.heinlein-support.de +short | tr -d '"' | tr -dc '0-9').tar.gz --output /tmp/sa-rules-heinlein.tar.gz
-  if gzip -t /tmp/sa-rules-heinlein.tar.gz; then
+if gzip -t /tmp/sa-rules-heinlein.tar.gz; then
-    tar xfvz /tmp/sa-rules-heinlein.tar.gz -C /tmp/sa-rules-heinlein
+  tar xfvz /tmp/sa-rules-heinlein.tar.gz -C /tmp/sa-rules-heinlein
-    cat /tmp/sa-rules-heinlein/*cf > /etc/rspamd/custom/sa-rules
+  cat /tmp/sa-rules-heinlein/*cf > /etc/rspamd/custom/sa-rules
  fi
 else
  echo "Failed to download SA rules. Exiting."
  exit 0 # Must be 0 otherwise dovecot would not start at all
 fi
 sed -i -e 's/\([^\\]\)\$\([^\/]\)/\1\\$\2/g' /etc/rspamd/custom/sa-rules
 if [[ "$(cat /etc/rspamd/custom/sa-rules | md5sum | cut -d' ' -f1)" != "${HASH_SA_RULES}" ]]; then
  CONTAINER_NAME=rspamd-mailcow
-  CONTAINER_ID=$(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | \
+  CONTAINER_ID=$(curl --silent --insecure https://dockerapi/containers/json | \
    jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | \
    jq -rc "select( .name | tostring | contains(\"${CONTAINER_NAME}\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id")
  if [[ ! -z ${CONTAINER_ID} ]]; then
-    curl --silent --insecure -XPOST --connect-timeout 15 --max-time 120 https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/restart
+    curl --silent --insecure -XPOST --connect-timeout 15 --max-time 120 https://dockerapi/containers/${CONTAINER_ID}/restart
  fi
 fi
--- a/data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf
+++ b/data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf
@@ -7,7 +7,6 @@ options {
  use_fqdn(no);
  owner("root"); group("adm"); perm(0640);
  stats(freq(0));
  keep_timestamp(no);
  bad_hostname("^gconfd$");
 };
 source s_dgram {
@@ -20,7 +19,6 @@ destination d_redis_ui_log {
    host("`REDIS_SLAVEOF_IP`")
    persist-name("redis1")
    port(`REDIS_SLAVEOF_PORT`)
    auth("`REDISPASS`")
    command("LPUSH" "DOVECOT_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -29,7 +27,6 @@ destination d_redis_f2b_channel {
    host("`REDIS_SLAVEOF_IP`")
    persist-name("redis2")
    port(`REDIS_SLAVEOF_PORT`)
    auth("`REDISPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
@@ -38,13 +35,8 @@ filter f_replica {
  not match("User has no mail_replica in userdb" value("MESSAGE"));
  not match("Error: sync: Unknown user in remote" value("MESSAGE"));
 };
 filter f_dovecot_auth_try {
  not match("- trying the next passdb" value("MESSAGE")) and
  not match("- trying the next userdb" value("MESSAGE"));
 };
 log {
  source(s_dgram);
  filter(f_dovecot_auth_try);
  filter(f_replica);
  destination(d_stdout);
  filter(f_mail);
--- a/data/Dockerfiles/dovecot/syslog-ng.conf
+++ b/data/Dockerfiles/dovecot/syslog-ng.conf
@@ -7,7 +7,6 @@ options {
  use_fqdn(no);
  owner("root"); group("adm"); perm(0640);
  stats(freq(0));
  keep_timestamp(no);
  bad_hostname("^gconfd$");
 };
 source s_dgram {
@@ -20,7 +19,6 @@ destination d_redis_ui_log {
    host("redis-mailcow")
    persist-name("redis1")
    port(6379)
    auth("`REDISPASS`")
    command("LPUSH" "DOVECOT_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -29,7 +27,6 @@ destination d_redis_f2b_channel {
    host("redis-mailcow")
    persist-name("redis2")
    port(6379)
    auth("`REDISPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
@@ -38,13 +35,8 @@ filter f_replica {
  not match("User has no mail_replica in userdb" value("MESSAGE"));
  not match("Error: sync: Unknown user in remote" value("MESSAGE"));
 };
 filter f_dovecot_auth_try {
  not match("- trying the next passdb" value("MESSAGE")) and
  not match("- trying the next userdb" value("MESSAGE"));
 };
 log {
  source(s_dgram);
  filter(f_dovecot_auth_try);
  filter(f_replica);
  destination(d_stdout);
  filter(f_mail);
--- a/data/Dockerfiles/dovecot/trim_logs.sh
+++ b/data/Dockerfiles/dovecot/trim_logs.sh
@@ -10,9 +10,9 @@ catch_non_zero() {
 source /source_env.sh
 # Do not attempt to write to slave
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
+  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
+  REDIS_CMDLINE="redis-cli -h redis -p 6379"
 fi
 catch_non_zero "${REDIS_CMDLINE} LTRIM ACME_LOG 0 ${LOG_LINES}"
 catch_non_zero "${REDIS_CMDLINE} LTRIM POSTFIX_MAILLOG 0 ${LOG_LINES}"
--- a/data/Dockerfiles/netfilter/Dockerfile
+++ b/data/Dockerfiles/netfilter/Dockerfile
@@ -1,6 +1,5 @@
-FROM alpine:3.21
+FROM alpine:3.19
-
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 WORKDIR /app
--- a/data/Dockerfiles/netfilter/docker-entrypoint.sh
+++ b/data/Dockerfiles/netfilter/docker-entrypoint.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
-backend=nftables
+backend=iptables
 nft list table ip filter &>/dev/null
 nftables_found=$?
--- a/data/Dockerfiles/netfilter/main.py
+++ b/data/Dockerfiles/netfilter/main.py
@@ -1,7 +1,5 @@
 #!/usr/bin/env python3
 DEBUG = False
 import re
 import os
 import sys
@@ -22,13 +20,10 @@ from modules.Logger import Logger
 from modules.IPTables import IPTables
 from modules.NFTables import NFTables
 def logdebug(msg):
  if DEBUG:
    logger.logInfo("DEBUG: %s" % msg)
-# Globals
+# globals
 WHITELIST = []
-BLACKLIST = []
+BLACKLIST= []
 bans = {}
 quit_now = False
 exit_code = 0
@@ -38,10 +33,12 @@ r = None
 pubsub = None
 clear_before_quit = False
 def refreshF2boptions():
  global f2boptions
  global quit_now
  global exit_code
  f2boptions = {}
  if not r.get('F2B_OPTIONS'):
@@ -55,9 +52,8 @@ def refreshF2boptions():
  else:
    try:
      f2boptions = json.loads(r.get('F2B_OPTIONS'))
-    except ValueError as e:
+    except ValueError:
-      logger.logCrit(
+      logger.logCrit('Error loading F2B options: F2B_OPTIONS is not json')
        'Error loading F2B options: F2B_OPTIONS is not json. Exception: %s' % e)
      quit_now = True
      exit_code = 2
@@ -65,15 +61,15 @@ def refreshF2boptions():
  r.set('F2B_OPTIONS', json.dumps(f2boptions, ensure_ascii=False))
 def verifyF2boptions(f2boptions):
-  verifyF2boption(f2boptions, 'ban_time', 1800)
+  verifyF2boption(f2boptions,'ban_time', 1800)
-  verifyF2boption(f2boptions, 'max_ban_time', 10000)
+  verifyF2boption(f2boptions,'max_ban_time', 10000)
-  verifyF2boption(f2boptions, 'ban_time_increment', True)
+  verifyF2boption(f2boptions,'ban_time_increment', True)
-  verifyF2boption(f2boptions, 'max_attempts', 10)
+  verifyF2boption(f2boptions,'max_attempts', 10)
-  verifyF2boption(f2boptions, 'retry_window', 600)
+  verifyF2boption(f2boptions,'retry_window', 600)
-  verifyF2boption(f2boptions, 'netban_ipv4', 32)
+  verifyF2boption(f2boptions,'netban_ipv4', 32)
-  verifyF2boption(f2boptions, 'netban_ipv6', 128)
+  verifyF2boption(f2boptions,'netban_ipv6', 128)
-  verifyF2boption(f2boptions, 'banlist_id', str(uuid.uuid4()))
+  verifyF2boption(f2boptions,'banlist_id', str(uuid.uuid4()))
-  verifyF2boption(f2boptions, 'manage_external', 0)
+  verifyF2boption(f2boptions,'manage_external', 0)
 def verifyF2boption(f2boptions, f2boption, f2bdefault):
  f2boptions[f2boption] = f2boptions[f2boption] if f2boption in f2boptions and f2boptions[f2boption] is not None else f2bdefault
@@ -84,15 +80,16 @@ def refreshF2bregex():
  global exit_code
  if not r.get('F2B_REGEX'):
    f2bregex = {}
-    f2bregex[1] = r'mailcow UI: Invalid password for .+ by ([0-9a-f\.:]+)'
+    f2bregex[1] = 'mailcow UI: Invalid password for .+ by ([0-9a-f\.:]+)'
-    f2bregex[2] = r'Rspamd UI: Invalid password by ([0-9a-f\.:]+)'
+    f2bregex[2] = 'Rspamd UI: Invalid password by ([0-9a-f\.:]+)'
-    f2bregex[3] = r'warning: .*\[([0-9a-f\.:]+)\]: SASL .+ authentication failed: (?!.*Connection lost to authentication server).+'
+    f2bregex[3] = 'warning: .*\[([0-9a-f\.:]+)\]: SASL .+ authentication failed: (?!.*Connection lost to authentication server).+'
-    f2bregex[4] = r'warning: non-SMTP command from .*\[([0-9a-f\.:]+)]:.+'
+    f2bregex[4] = 'warning: non-SMTP command from .*\[([0-9a-f\.:]+)]:.+'
-    f2bregex[5] = r'NOQUEUE: reject: RCPT from \[([0-9a-f\.:]+)].+Protocol error.+'
+    f2bregex[5] = 'NOQUEUE: reject: RCPT from \[([0-9a-f\.:]+)].+Protocol error.+'
-    f2bregex[6] = r'\w+\([^,]+,([0-9a-f\.:]+),<[^>]+>\): Password mismatch \(SHA1 of given password: [a-f0-9]+\)'
+    f2bregex[6] = '-login: Disconnected.+ \(auth failed, .+\): user=.*, method=.+, rip=([0-9a-f\.:]+),'
-    f2bregex[7] = r'\w+\([^,]+,([0-9a-f\.:]+),<[^>]+>\): unknown user \(SHA1 of given password: [a-f0-9]+\)'
+    f2bregex[7] = '-login: Aborted login.+ \(auth failed .+\): user=.+, rip=([0-9a-f\.:]+), lip.+'
-    f2bregex[8] = r'SOGo.+ Login from \'([0-9a-f\.:]+)\' for user .+ might not have worked'
+    f2bregex[8] = '-login: Aborted login.+ \(tried to use disallowed .+\): user=.+, rip=([0-9a-f\.:]+), lip.+'
-    f2bregex[9] = r'([0-9a-f\.:]+) \"GET \/SOGo\/.* HTTP.+\" 403 .+'
+    f2bregex[9] = 'SOGo.+ Login from \'([0-9a-f\.:]+)\' for user .+ might not have worked'
    f2bregex[10] = '([0-9a-f\.:]+) \"GET \/SOGo\/.* HTTP.+\" 403 .+'
    r.set('F2B_REGEX', json.dumps(f2bregex, ensure_ascii=False))
  else:
    try:
@@ -115,93 +112,76 @@ def get_ip(address):
 def ban(address):
  global f2boptions
  global lock
-  logdebug("ban() called with address=%s" % address)
+
  refreshF2boptions()
  BAN_TIME = int(f2boptions['ban_time'])
  BAN_TIME_INCREMENT = bool(f2boptions['ban_time_increment'])
  MAX_ATTEMPTS = int(f2boptions['max_attempts'])
  RETRY_WINDOW = int(f2boptions['retry_window'])
  NETBAN_IPV4 = '/' + str(f2boptions['netban_ipv4'])
  NETBAN_IPV6 = '/' + str(f2boptions['netban_ipv6'])
  ip = get_ip(address)
-  if not ip:
+  if not ip: return
    logdebug("No valid IP -- skipping ban()")
    return
  address = str(ip)
  self_network = ipaddress.ip_network(address)
  with lock:
    temp_whitelist = set(WHITELIST)
-    logdebug("Checking if %s overlaps with any WHITELIST entries" % self_network)
+  if temp_whitelist:
-    if temp_whitelist:
+    for wl_key in temp_whitelist:
-      for wl_key in temp_whitelist:
+      wl_net = ipaddress.ip_network(wl_key, False)
-        wl_net = ipaddress.ip_network(wl_key, False)
+      if wl_net.overlaps(self_network):
-        logdebug("Checking overlap between %s and %s" % (self_network, wl_net))
+        logger.logInfo('Address %s is whitelisted by rule %s' % (self_network, wl_net))
-        if wl_net.overlaps(self_network):
+        return
          logger.logInfo(
            'Address %s is allowlisted by rule %s' % (self_network, wl_net))
          return
-  net = ipaddress.ip_network(
+  net = ipaddress.ip_network((address + (NETBAN_IPV4 if type(ip) is ipaddress.IPv4Address else NETBAN_IPV6)), strict=False)
    (address + (NETBAN_IPV4 if type(ip) is ipaddress.IPv4Address else NETBAN_IPV6)), strict=False)
  net = str(net)
  logdebug("Ban net: %s" % net)
  if not net in bans:
    bans[net] = {'attempts': 0, 'last_attempt': 0, 'ban_counter': 0}
    logdebug("Initing new ban counter for %s" % net)
  current_attempt = time.time()
  logdebug("Current attempt ts=%s, previous: %s, retry_window: %s" %
           (current_attempt, bans[net]['last_attempt'], RETRY_WINDOW))
  if current_attempt - bans[net]['last_attempt'] > RETRY_WINDOW:
    bans[net]['attempts'] = 0
    logdebug("Ban counter for %s reset as window expired" % net)
  bans[net]['attempts'] += 1
  bans[net]['last_attempt'] = current_attempt
  logdebug("%s attempts now %d" % (net, bans[net]['attempts']))
  if bans[net]['attempts'] >= MAX_ATTEMPTS:
    cur_time = int(round(time.time()))
-    NET_BAN_TIME = calcNetBanTime(bans[net]['ban_counter'])
+    NET_BAN_TIME = BAN_TIME if not BAN_TIME_INCREMENT else BAN_TIME * 2 ** bans[net]['ban_counter']
    logger.logCrit('Banning %s for %d minutes' % (net, NET_BAN_TIME / 60 ))
    if type(ip) is ipaddress.IPv4Address and int(f2boptions['manage_external']) != 1:
      with lock:
        logdebug("Calling tables.banIPv4(%s)" % net)
        tables.banIPv4(net)
    elif int(f2boptions['manage_external']) != 1:
      with lock:
        logdebug("Calling tables.banIPv6(%s)" % net)
        tables.banIPv6(net)
    logdebug("Updating F2B_ACTIVE_BANS[%s]=%d" %
              (net, cur_time + NET_BAN_TIME))
    r.hset('F2B_ACTIVE_BANS', '%s' % net, cur_time + NET_BAN_TIME)
  else:
-    logger.logWarn('%d more attempts in the next %d seconds until %s is banned' % (
+    logger.logWarn('%d more attempts in the next %d seconds until %s is banned' % (MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net))
      MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net))
 def unban(net):
  global lock
-  logdebug("Calling unban() with net=%s" % net)
+
  if not net in bans:
-    logger.logInfo(
+   logger.logInfo('%s is not banned, skipping unban and deleting from queue (if any)' % net)
-      '%s is not banned, skipping unban and deleting from queue (if any)' % net)
+   r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
-    r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
+   return
-    return
+
  logger.logInfo('Unbanning %s' % net)
  if type(ipaddress.ip_network(net)) is ipaddress.IPv4Network:
    with lock:
      logdebug("Calling tables.unbanIPv4(%s)" % net)
      tables.unbanIPv4(net)
  else:
    with lock:
      logdebug("Calling tables.unbanIPv6(%s)" % net)
      tables.unbanIPv6(net)
  r.hdel('F2B_ACTIVE_BANS', '%s' % net)
  r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
  if net in bans:
    logdebug("Unban for %s, setting attempts=0, ban_counter+=1" % net)
    bans[net]['attempts'] = 0
    bans[net]['ban_counter'] += 1
@@ -227,19 +207,17 @@ def permBan(net, unban=False):
  if is_unbanned:
    r.hdel('F2B_PERM_BANS', '%s' % net)
-    logger.logCrit('Removed host/network %s from denylist' % net)
+    logger.logCrit('Removed host/network %s from blacklist' % net)
  elif is_banned:
    r.hset('F2B_PERM_BANS', '%s' % net, int(round(time.time())))
-    logger.logCrit('Added host/network %s to denylist' % net)
+    logger.logCrit('Added host/network %s to blacklist' % net)
 def clear():
  global lock
  logger.logInfo('Clearing all bans')
  for net in bans.copy():
    logdebug("Unbanning net: %s" % net)
    unban(net)
  with lock:
    logdebug("Clearing IPv4/IPv6 table")
    tables.clearIPv4Table()
    tables.clearIPv6Table()
    try:
@@ -299,36 +277,23 @@ def snat6(snat_target):
      tables.snat6(snat_target, os.getenv('IPV6_NETWORK', 'fd4d:6169:6c63:6f77::/64'))
 def autopurge():
  global f2boptions
  logdebug("autopurge thread started")
  while not quit_now:
    logdebug("autopurge tick")
    time.sleep(10)
    refreshF2boptions()
    BAN_TIME = int(f2boptions['ban_time'])
    MAX_BAN_TIME = int(f2boptions['max_ban_time'])
    BAN_TIME_INCREMENT = bool(f2boptions['ban_time_increment'])
    MAX_ATTEMPTS = int(f2boptions['max_attempts'])
    QUEUE_UNBAN = r.hgetall('F2B_QUEUE_UNBAN')
    logdebug("QUEUE_UNBAN: %s" % QUEUE_UNBAN)
    if QUEUE_UNBAN:
      for net in QUEUE_UNBAN:
        logdebug("Autopurge: unbanning queued net: %s" % net)
        unban(str(net))
-    # Only check expiry for actively banned IPs:
+    for net in bans.copy():
-    active_bans = r.hgetall('F2B_ACTIVE_BANS')
+      if bans[net]['attempts'] >= MAX_ATTEMPTS:
-    now = time.time()
+        NET_BAN_TIME = BAN_TIME if not BAN_TIME_INCREMENT else BAN_TIME * 2 ** bans[net]['ban_counter']
-    for net_str, expire_str in active_bans.items():
+        TIME_SINCE_LAST_ATTEMPT = time.time() - bans[net]['last_attempt']
-      logdebug("Checking ban expiry for (actively banned): %s" % net_str)
+        if TIME_SINCE_LAST_ATTEMPT > NET_BAN_TIME or TIME_SINCE_LAST_ATTEMPT > MAX_BAN_TIME:
-      # Defensive: always process if timer missing or expired
+          unban(net)
      try:
        expire = float(expire_str)
      except Exception:
        logdebug("Invalid expire time for %s; unbanning" % net_str)
        unban(net_str)
        continue
      time_left = expire - now
      logdebug("Time left for %s: %.1f seconds" % (net_str, time_left))
      if time_left <= 0:
        logdebug("Ban expired for %s" % net_str)
        unban(net_str)
 def mailcowChainOrder():
  global lock
@@ -341,16 +306,6 @@ def mailcowChainOrder():
      if quit_now: return
      quit_now, exit_code = tables.checkIPv6ChainOrder()
 def calcNetBanTime(ban_counter):
  global f2boptions
  BAN_TIME = int(f2boptions['ban_time'])
  MAX_BAN_TIME = int(f2boptions['max_ban_time'])
  BAN_TIME_INCREMENT = bool(f2boptions['ban_time_increment'])
  NET_BAN_TIME = BAN_TIME if not BAN_TIME_INCREMENT else BAN_TIME * 2 ** ban_counter
  NET_BAN_TIME = max([BAN_TIME, min([NET_BAN_TIME, MAX_BAN_TIME])])
  return NET_BAN_TIME
 def isIpNetwork(address):
  try:
    ipaddress.ip_network(address, False)
@@ -398,7 +353,7 @@ def whitelistUpdate():
    with lock:
      if Counter(new_whitelist) != Counter(WHITELIST):
        WHITELIST = new_whitelist
-        logger.logInfo('Allowlist was changed, it has %s entries' % len(WHITELIST))
+        logger.logInfo('Whitelist was changed, it has %s entries' % len(WHITELIST))
    time.sleep(60.0 - ((time.time() - start_time) % 60.0))
 def blacklistUpdate():
@@ -414,7 +369,7 @@ def blacklistUpdate():
      addban = set(new_blacklist).difference(BLACKLIST)
      delban = set(BLACKLIST).difference(new_blacklist)
      BLACKLIST = new_blacklist
-      logger.logInfo('Denylist was changed, it has %s entries' % len(BLACKLIST))
+      logger.logInfo('Blacklist was changed, it has %s entries' % len(BLACKLIST))
      if addban:
        for net in addban:
          permBan(net=net)
@@ -425,43 +380,42 @@ def blacklistUpdate():
 def sigterm_quit(signum, frame):
  global clear_before_quit
  logdebug("SIGTERM received, setting clear_before_quit to True and exiting")
  clear_before_quit = True
  sys.exit(exit_code)
-def before_quit():
+def berfore_quit():
  logdebug("before_quit called, clear_before_quit=%s" % clear_before_quit)
  if clear_before_quit:
    clear()
  if pubsub is not None:
    pubsub.unsubscribe()
 if __name__ == '__main__':
-  logger = Logger()
+  atexit.register(berfore_quit)
  logdebug("Sys.argv: %s" % sys.argv)
  atexit.register(before_quit)
  signal.signal(signal.SIGTERM, sigterm_quit)
  # init Logger
  logger = Logger()
  # init backend
  backend = sys.argv[1]
  logdebug("Backend: %s" % backend)
  if backend == "nftables":
    logger.logInfo('Using NFTables backend')
    tables = NFTables(chain_name, logger)
  else:
    logger.logInfo('Using IPTables backend')
    logger.logWarn(
        "DEPRECATION: iptables-legacy is deprecated and will be removed in future releases. "
        "Please switch to nftables on your host to ensure complete compatibility."
    )
    time.sleep(5)
    tables = IPTables(chain_name, logger)
  # In case a previous session was killed without cleanup
  clear()
  # Reinit MAILCOW chain
  # Is called before threads start, no locking
  logger.logInfo("Initializing mailcow netfilter chain")
  tables.initChainIPv4()
  tables.initChainIPv6()
-  if os.getenv("DISABLE_NETFILTER_ISOLATION_RULE", "").lower() in ("y", "yes"):
+  if os.getenv("DISABLE_NETFILTER_ISOLATION_RULE").lower() in ("y", "yes"):
    logger.logInfo(f"Skipping {chain_name} isolation")
  else:
    logger.logInfo(f"Setting {chain_name} isolation")
@@ -472,28 +426,23 @@ if __name__ == '__main__':
    try:
      redis_slaveof_ip = os.getenv('REDIS_SLAVEOF_IP', '')
      redis_slaveof_port = os.getenv('REDIS_SLAVEOF_PORT', '')
      logdebug(
        "Connecting redis (SLAVEOF_IP:%s, PORT:%s)" % (redis_slaveof_ip, redis_slaveof_port))
      if "".__eq__(redis_slaveof_ip):
-        r = redis.StrictRedis(
+        r = redis.StrictRedis(host=os.getenv('IPV4_NETWORK', '172.22.1') + '.249', decode_responses=True, port=6379, db=0)
          host=os.getenv('IPV4_NETWORK', '172.22.1') + '.249', decode_responses=True, port=6379, db=0, password=os.environ['REDISPASS'])
      else:
-        r = redis.StrictRedis(
+        r = redis.StrictRedis(host=redis_slaveof_ip, decode_responses=True, port=redis_slaveof_port, db=0)
          host=redis_slaveof_ip, decode_responses=True, port=redis_slaveof_port, db=0, password=os.environ['REDISPASS'])
      r.ping()
      pubsub = r.pubsub()
    except Exception as ex:
-      logdebug(
+      print('%s - trying again in 3 seconds'  % (ex))
        'Redis connection failed: %s - trying again in 3 seconds' % (ex))
      time.sleep(3)
    else:
      break
  logger.set_redis(r)
  logdebug("Redis connection established, setting up F2B keys")
  # rename fail2ban to netfilter
  if r.exists('F2B_LOG'):
    logdebug("Renaming F2B_LOG to NETFILTER_LOG")
    r.rename('F2B_LOG', 'NETFILTER_LOG')
  # clear bans in redis
  r.delete('F2B_ACTIVE_BANS')
  r.delete('F2B_PERM_BANS')
@@ -508,7 +457,7 @@ if __name__ == '__main__':
      snat_ip = os.getenv('SNAT_TO_SOURCE')
      snat_ipo = ipaddress.ip_address(snat_ip)
      if type(snat_ipo) is ipaddress.IPv4Address:
-        snat4_thread = Thread(target=snat4, args=(snat_ip,))
+        snat4_thread = Thread(target=snat4,args=(snat_ip,))
        snat4_thread.daemon = True
        snat4_thread.start()
    except ValueError:
@@ -544,5 +493,4 @@ if __name__ == '__main__':
  while not quit_now:
    time.sleep(0.5)
  logdebug("Exiting with code %s" % exit_code)
  sys.exit(exit_code)
--- a/data/Dockerfiles/netfilter/modules/Logger.py
+++ b/data/Dockerfiles/netfilter/modules/Logger.py
@@ -1,6 +1,5 @@
 import time
 import json
 import datetime
 class Logger:
  def __init__(self):
@@ -9,28 +8,14 @@ class Logger:
  def set_redis(self, redis):
    self.r = redis
  def _format_timestamp(self):
    # Local time with milliseconds
    return datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
  def log(self, priority, message):
-    # build redis-friendly dict
+    tolog = {}
-    tolog = {
+    tolog['time'] = int(round(time.time()))
-      'time': int(round(time.time())),  # keep raw timestamp for Redis
+    tolog['priority'] = priority
-      'priority': priority,
+    tolog['message'] = message
      'message': message
    }
    # print human-readable message with timestamp
    ts = self._format_timestamp()
    print(f"{ts} {priority.upper()}: {message}", flush=True)
    # also push JSON to Redis if connected
    if self.r is not None:
-      try:
+      self.r.lpush('NETFILTER_LOG', json.dumps(tolog, ensure_ascii=False))
-        self.r.lpush('NETFILTER_LOG', json.dumps(tolog, ensure_ascii=False))
+    print(message)
      except Exception as ex:
        print(f'{ts} WARN: Failed logging to redis: {ex}', flush=True)
  def logWarn(self, message):
    self.log('warn', message)
--- a/data/Dockerfiles/netfilter/modules/NFTables.py
+++ b/data/Dockerfiles/netfilter/modules/NFTables.py
@@ -41,7 +41,6 @@ class NFTables:
        exit_code = 2
      if chain_position > 0:
        chain_position += 1
        self.logger.logCrit(f'MAILCOW target is in position {chain_position} in the {filter_table} {chain} table, restarting container to fix it...')
        err = True
        exit_code = 2
@@ -310,8 +309,8 @@ class NFTables:
      rule_handle = rule["handle"]
      break
-    dest_net = ipaddress.ip_network(source_address, strict=False)
+    dest_net = ipaddress.ip_network(source_address)
-    target_net = ipaddress.ip_network(snat_target, strict=False)
+    target_net = ipaddress.ip_network(snat_target)
    if rule_found:
      saddr_ip = rule["expr"][0]["match"]["right"]["prefix"]["addr"]
@@ -322,9 +321,9 @@ class NFTables:
      target_ip = rule["expr"][3]["snat"]["addr"]
-      saddr_net = ipaddress.ip_network(saddr_ip + '/' + str(saddr_len), strict=False)
+      saddr_net = ipaddress.ip_network(saddr_ip + '/' + str(saddr_len))
-      daddr_net = ipaddress.ip_network(daddr_ip + '/' + str(daddr_len), strict=False)
+      daddr_net = ipaddress.ip_network(daddr_ip + '/' + str(daddr_len))
-      current_target_net = ipaddress.ip_network(target_ip, strict=False)
+      current_target_net = ipaddress.ip_network(target_ip)
      match = all((
                dest_net == saddr_net,
@@ -418,7 +417,7 @@ class NFTables:
    json_command = self.get_base_dict()
    expr_opt = []
-    ipaddr_net = ipaddress.ip_network(ipaddr, strict=False)
+    ipaddr_net = ipaddress.ip_network(ipaddr)
    right_dict = {'prefix': {'addr': str(ipaddr_net.network_address), 'len': int(ipaddr_net.prefixlen) } }
    left_dict = {'payload': {'protocol': _family, 'field': 'saddr'} }
@@ -452,8 +451,6 @@ class NFTables:
          continue
        rule = _object["rule"]["expr"][0]["match"]
        if not "payload" in rule["left"]:
          continue
        left_opt = rule["left"]["payload"]
        if not left_opt["protocol"] == _family:
          continue
@@ -469,7 +466,7 @@ class NFTables:
        current_rule_net = ipaddress.ip_network(current_rule_ip)
        # ip to ban
-        candidate_net = ipaddress.ip_network(ipaddr, strict=False)
+        candidate_net = ipaddress.ip_network(ipaddr)
        if current_rule_net == candidate_net:
          rule_handle = _object["rule"]["handle"]
--- a/data/Dockerfiles/nginx/Dockerfile
+++ b/data/Dockerfiles/nginx/Dockerfile
@@ -1,18 +0,0 @@
 FROM nginx:alpine
 LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 ENV PIP_BREAK_SYSTEM_PACKAGES=1
 RUN apk add --no-cache nginx \
  python3 \
  py3-pip && \
  pip install --upgrade pip && \
  pip install Jinja2
 RUN mkdir -p /etc/nginx/includes
 COPY ./bootstrap.py /
 COPY ./docker-entrypoint.sh /
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["nginx", "-g", "daemon off;"]
--- a/data/Dockerfiles/nginx/bootstrap.py
+++ b/data/Dockerfiles/nginx/bootstrap.py
@@ -1,100 +0,0 @@
 import os
 import subprocess
 from jinja2 import Environment, FileSystemLoader
 def includes_conf(env, template_vars):
  server_name = "server_name.active"
  listen_plain = "listen_plain.active"
  listen_ssl = "listen_ssl.active"
  server_name_config = f"server_name {template_vars['MAILCOW_HOSTNAME']} autodiscover.* autoconfig.* {' '.join(template_vars['ADDITIONAL_SERVER_NAMES'])};"
  listen_plain_config = f"listen {template_vars['HTTP_PORT']};"
  listen_ssl_config = f"listen {template_vars['HTTPS_PORT']};"
  if template_vars['ENABLE_IPV6']:
    listen_plain_config += f"\nlisten [::]:{template_vars['HTTP_PORT']};"
    listen_ssl_config += f"\nlisten [::]:{template_vars['HTTPS_PORT']} ssl;"
  listen_ssl_config += "\nhttp2 on;"
  with open(f"/etc/nginx/conf.d/{server_name}", "w") as f:
    f.write(server_name_config)
  with open(f"/etc/nginx/conf.d/{listen_plain}", "w") as f:
    f.write(listen_plain_config)
  with open(f"/etc/nginx/conf.d/{listen_ssl}", "w") as f:
    f.write(listen_ssl_config)
 def sites_default_conf(env, template_vars):
  config_name = "sites-default.conf"
  template = env.get_template(f"{config_name}.j2")
  config = template.render(template_vars)
  with open(f"/etc/nginx/includes/{config_name}", "w") as f:
    f.write(config)
 def nginx_conf(env, template_vars):
  config_name = "nginx.conf"
  template = env.get_template(f"{config_name}.j2")
  config = template.render(template_vars)
  with open(f"/etc/nginx/{config_name}", "w") as f:
    f.write(config)
 def prepare_template_vars():
  ipv4_network = os.getenv("IPV4_NETWORK", "172.22.1")
  additional_server_names = os.getenv("ADDITIONAL_SERVER_NAMES", "")
  trusted_proxies = os.getenv("TRUSTED_PROXIES", "")
  template_vars = {
    'IPV4_NETWORK': ipv4_network,
    'TRUSTED_PROXIES': [item.strip() for item in trusted_proxies.split(",") if item.strip()],
    'SKIP_RSPAMD': os.getenv("SKIP_RSPAMD", "n").lower() in ("y", "yes"),
    'SKIP_SOGO': os.getenv("SKIP_SOGO", "n").lower() in ("y", "yes"),
    'NGINX_USE_PROXY_PROTOCOL': os.getenv("NGINX_USE_PROXY_PROTOCOL", "n").lower() in ("y", "yes"),
    'MAILCOW_HOSTNAME': os.getenv("MAILCOW_HOSTNAME", ""),
    'ADDITIONAL_SERVER_NAMES': [item.strip() for item in additional_server_names.split(",") if item.strip()],
    'HTTP_PORT': os.getenv("HTTP_PORT", "80"),
    'HTTPS_PORT': os.getenv("HTTPS_PORT", "443"),
    'SOGOHOST': os.getenv("SOGOHOST", ipv4_network + ".248"),
    'RSPAMDHOST': os.getenv("RSPAMDHOST", "rspamd-mailcow"),
    'PHPFPMHOST': os.getenv("PHPFPMHOST", "php-fpm-mailcow"),
    'ENABLE_IPV6': os.getenv("ENABLE_IPV6", "true").lower() != "false",
    'HTTP_REDIRECT': os.getenv("HTTP_REDIRECT", "n").lower() in ("y", "yes"),
  }
  ssl_dir = '/etc/ssl/mail/'
  template_vars['valid_cert_dirs'] = []
  for d in os.listdir(ssl_dir):
    full_path = os.path.join(ssl_dir, d)
    if not os.path.isdir(full_path):
      continue
    cert_path = os.path.join(full_path, 'cert.pem')
    key_path = os.path.join(full_path, 'key.pem')
    domains_path = os.path.join(full_path, 'domains')
    if os.path.isfile(cert_path) and os.path.isfile(key_path) and os.path.isfile(domains_path):
      with open(domains_path, 'r') as file:
        domains = file.read().strip()
      domains_list = domains.split()
      if domains_list and template_vars["MAILCOW_HOSTNAME"] not in domains_list:
        template_vars['valid_cert_dirs'].append({
          'cert_path': full_path + '/',
          'domains': domains
        })
  return template_vars
 def main():
  env = Environment(loader=FileSystemLoader('./etc/nginx/conf.d/templates'))
  # Render config
  print("Render config")
  template_vars = prepare_template_vars()
  sites_default_conf(env, template_vars)
  nginx_conf(env, template_vars)
  includes_conf(env, template_vars)
 if __name__ == "__main__":
  main()
--- a/data/Dockerfiles/nginx/docker-entrypoint.sh
+++ b/data/Dockerfiles/nginx/docker-entrypoint.sh
@@ -1,26 +0,0 @@
 #!/bin/sh
 PHPFPMHOST=${PHPFPMHOST:-"php-fpm-mailcow"}
 SOGOHOST=${SOGOHOST:-"$IPV4_NETWORK.248"}
 RSPAMDHOST=${RSPAMDHOST:-"rspamd-mailcow"}
 until ping ${PHPFPMHOST} -c1 > /dev/null; do
  echo "Waiting for PHP..."
  sleep 1
 done
 if ! printf "%s\n" "${SKIP_SOGO}" | grep -E '^([yY][eE][sS]|[yY])+$' >/dev/null; then
  until ping ${SOGOHOST} -c1 > /dev/null; do
    echo "Waiting for SOGo..."
    sleep 1
  done
 fi
 if ! printf "%s\n" "${SKIP_RSPAMD}" | grep -E '^([yY][eE][sS]|[yY])+$' >/dev/null; then
  until ping ${RSPAMDHOST} -c1 > /dev/null; do
    echo "Waiting for Rspamd..."
    sleep 1
  done
 fi
 python3 /bootstrap.py
 exec "$@"
--- a/data/Dockerfiles/olefy/Dockerfile
+++ b/data/Dockerfiles/olefy/Dockerfile
@@ -1,6 +1,5 @@
-FROM alpine:3.21
+FROM alpine:3.19
-
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 ARG PIP_BREAK_SYSTEM_PACKAGES=1
 WORKDIR /app
--- a/data/Dockerfiles/olefy/olefy.py
+++ b/data/Dockerfiles/olefy/olefy.py
@@ -32,13 +32,6 @@ import time
 import magic
 import re
 skip_olefy = os.getenv('SKIP_OLEFY', '')
 if skip_olefy.lower() in ['yes', 'y']:
    print("SKIP_OLEFY=y, skipping Olefy...")
    time.sleep(365 * 24 * 60 * 60)
    sys.exit(0)
 # merge variables from /etc/olefy.conf and the defaults
 olefy_listen_addr_string = os.getenv('OLEFY_BINDADDRESS', '127.0.0.1,::1')
 olefy_listen_port = int(os.getenv('OLEFY_BINDPORT', '10050'))
--- a/data/Dockerfiles/phpfpm/Dockerfile
+++ b/data/Dockerfiles/phpfpm/Dockerfile
@@ -1,19 +1,18 @@
-FROM php:8.2-fpm-alpine3.21
+FROM php:8.2-fpm-alpine3.18
-
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 # renovate: datasource=github-tags depName=krakjoe/apcu versioning=semver-coerced extractVersion=^v(?<version>.*)$
-ARG APCU_PECL_VERSION=5.1.27
+ARG APCU_PECL_VERSION=5.1.23
 # renovate: datasource=github-tags depName=Imagick/imagick versioning=semver-coerced extractVersion=(?<version>.*)$
-ARG IMAGICK_PECL_VERSION=3.8.0
+ARG IMAGICK_PECL_VERSION=3.7.0
 # renovate: datasource=github-tags depName=php/pecl-mail-mailparse versioning=semver-coerced extractVersion=^v(?<version>.*)$
-ARG MAILPARSE_PECL_VERSION=3.1.9
+ARG MAILPARSE_PECL_VERSION=3.1.6
 # renovate: datasource=github-tags depName=php-memcached-dev/php-memcached versioning=semver-coerced extractVersion=^v(?<version>.*)$
-ARG MEMCACHED_PECL_VERSION=3.3.0
+ARG MEMCACHED_PECL_VERSION=3.2.0
 # renovate: datasource=github-tags depName=phpredis/phpredis versioning=semver-coerced extractVersion=(?<version>.*)$
-ARG REDIS_PECL_VERSION=6.2.0
+ARG REDIS_PECL_VERSION=6.0.2
 # renovate: datasource=github-tags depName=composer/composer versioning=semver-coerced extractVersion=(?<version>.*)$
-ARG COMPOSER_VERSION=2.8.6
+ARG COMPOSER_VERSION=2.6.6
 RUN apk add -U --no-cache autoconf \
  aspell-dev \
@@ -77,7 +76,7 @@ RUN apk add -U --no-cache autoconf \
    --with-webp \
    --with-xpm \
    --with-avif \
-  && docker-php-ext-install -j 4 exif gd gettext intl ldap opcache pcntl pdo pdo_mysql pspell soap sockets zip bcmath gmp \
+  && docker-php-ext-install -j 4 exif gd gettext intl ldap opcache pcntl pdo pdo_mysql pspell soap sockets sysvsem zip bcmath gmp \
  && docker-php-ext-configure imap --with-imap --with-imap-ssl \
  && docker-php-ext-install -j 4 imap \
  && curl --silent --show-error https://getcomposer.org/installer | php -- --version=${COMPOSER_VERSION} \
--- a/data/Dockerfiles/phpfpm/docker-entrypoint.sh
+++ b/data/Dockerfiles/phpfpm/docker-entrypoint.sh
@@ -3,37 +3,27 @@
 function array_by_comma { local IFS=","; echo "$*"; }
 # Wait for containers
-while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
+while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
  echo "Waiting for SQL..."
  sleep 2
 done
 # Do not attempt to write to slave
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_HOST=$REDIS_SLAVEOF_IP
+  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
  REDIS_PORT=$REDIS_SLAVEOF_PORT
 else
-  REDIS_HOST="redis"
+  REDIS_CMDLINE="redis-cli -h redis -p 6379"
  REDIS_PORT="6379"
 fi
 REDIS_CMDLINE="redis-cli -h ${REDIS_HOST} -p ${REDIS_PORT} -a ${REDISPASS} --no-auth-warning"
 until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
  echo "Waiting for Redis..."
  sleep 2
 done
 # Set redis session store
 echo -n '
 session.save_handler = redis
 session.save_path = "tcp://'${REDIS_HOST}':'${REDIS_PORT}'?auth='${REDISPASS}'"
 ' > /usr/local/etc/php/conf.d/session_store.ini
 # Check mysql_upgrade (master and slave)
 CONTAINER_ID=
 until [[ ! -z "${CONTAINER_ID}" ]] && [[ "${CONTAINER_ID}" =~ ^[[:alnum:]]*$ ]]; do
-  CONTAINER_ID=$(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" 2> /dev/null | jq -rc "select( .name | tostring | contains(\"mysql-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" 2> /dev/null)
+  CONTAINER_ID=$(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" 2> /dev/null | jq -rc "select( .name | tostring | contains(\"mysql-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" 2> /dev/null)
  echo "Could not get mysql-mailcow container id... trying again"
  sleep 2
 done
 echo "MySQL @ ${CONTAINER_ID}"
@@ -44,7 +34,7 @@ until [[ ${SQL_UPGRADE_STATUS} == 'success' ]]; do
    echo "Tried to upgrade MySQL and failed, giving up after ${SQL_LOOP_C} retries and starting container (oops, not good)"
    break
  fi
-  SQL_FULL_UPGRADE_RETURN=$(curl --silent --insecure -XPOST https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/exec -d '{"cmd":"system", "task":"mysql_upgrade"}' --silent -H 'Content-type: application/json')
+  SQL_FULL_UPGRADE_RETURN=$(curl --silent --insecure -XPOST https://dockerapi/containers/${CONTAINER_ID}/exec -d '{"cmd":"system", "task":"mysql_upgrade"}' --silent -H 'Content-type: application/json')
  SQL_UPGRADE_STATUS=$(echo ${SQL_FULL_UPGRADE_RETURN} | jq -r .type)
  SQL_LOOP_C=$((SQL_LOOP_C+1))
  echo "SQL upgrade iteration #${SQL_LOOP_C}"
@@ -53,7 +43,7 @@ until [[ ${SQL_UPGRADE_STATUS} == 'success' ]]; do
    echo "MySQL applied an upgrade, debug output:"
    echo ${SQL_FULL_UPGRADE_RETURN}
    sleep 3
-    while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
+    while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
      echo "Waiting for SQL to return, please wait"
      sleep 2
    done
@@ -69,21 +59,21 @@ done
 # doing post-installation stuff, if SQL was upgraded (master and slave)
 if [ ${SQL_CHANGED} -eq 1 ]; then
-  POSTFIX=$(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" 2> /dev/null | jq -rc "select( .name | tostring | contains(\"postfix-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" 2> /dev/null)
+  POSTFIX=$(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" 2> /dev/null | jq -rc "select( .name | tostring | contains(\"postfix-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" 2> /dev/null)
  if [[ -z "${POSTFIX}" ]] || ! [[ "${POSTFIX}" =~ ^[[:alnum:]]*$ ]]; then
    echo "Could not determine Postfix container ID, skipping Postfix restart."
  else
    echo "Restarting Postfix"
-    curl -X POST --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${POSTFIX}/restart | jq -r '.msg'
+    curl -X POST --silent --insecure https://dockerapi/containers/${POSTFIX}/restart | jq -r '.msg'
    echo "Sleeping 5 seconds..."
    sleep 5
  fi
 fi
 # Check mysql tz import (master and slave)
-TZ_CHECK=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT CONVERT_TZ('2019-11-02 23:33:00','Europe/Berlin','UTC') AS time;" -BN 2> /dev/null)
+TZ_CHECK=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT CONVERT_TZ('2019-11-02 23:33:00','Europe/Berlin','UTC') AS time;" -BN 2> /dev/null)
 if [[ -z ${TZ_CHECK} ]] || [[ "${TZ_CHECK}" == "NULL" ]]; then
-  SQL_FULL_TZINFO_IMPORT_RETURN=$(curl --silent --insecure -XPOST https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/exec -d '{"cmd":"system", "task":"mysql_tzinfo_to_sql"}' --silent -H 'Content-type: application/json')
+  SQL_FULL_TZINFO_IMPORT_RETURN=$(curl --silent --insecure -XPOST https://dockerapi/containers/${CONTAINER_ID}/exec -d '{"cmd":"system", "task":"mysql_tzinfo_to_sql"}' --silent -H 'Content-type: application/json')
  echo "MySQL mysql_tzinfo_to_sql - debug output:"
  echo ${SQL_FULL_TZINFO_IMPORT_RETURN}
 fi
@@ -120,11 +110,11 @@ if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
  while read line
  do
    DOMAIN_ARR+=("$line")
-  done < <(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain" -Bs)
+  done < <(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain" -Bs)
  while read line
  do
    DOMAIN_ARR+=("$line")
-  done < <(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT alias_domain FROM alias_domain" -Bs)
+  done < <(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT alias_domain FROM alias_domain" -Bs)
  if [[ ! -z ${DOMAIN_ARR} ]]; then
  for domain in "${DOMAIN_ARR[@]}"; do
@@ -146,13 +136,13 @@ if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
    VALIDATED_IPS=$(array_by_comma ${VALIDATED_API_ALLOW_FROM_ARR[*]})
    if [[ ! -z ${VALIDATED_IPS} ]]; then
      if [[ ${API_KEY} != "invalid" ]] && [[ ! -z ${API_KEY} ]]; then
-        mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
+        mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
 DELETE FROM api WHERE access = 'rw';
 INSERT INTO api (api_key, active, allow_from, access) VALUES ("${API_KEY}", "1", "${VALIDATED_IPS}", "rw");
 EOF
      fi
      if [[ ${API_KEY_READ_ONLY} != "invalid" ]] && [[ ! -z ${API_KEY_READ_ONLY} ]]; then
-        mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
+        mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
 DELETE FROM api WHERE access = 'ro';
 INSERT INTO api (api_key, active, allow_from, access) VALUES ("${API_KEY_READ_ONLY}", "1", "${VALIDATED_IPS}", "ro");
 EOF
@@ -161,13 +151,13 @@ EOF
  fi
  # Create events (master only, STATUS for event on slave will be SLAVESIDE_DISABLED)
-  mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
+  mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
 DROP EVENT IF EXISTS clean_spamalias;
 DELIMITER //
 CREATE EVENT clean_spamalias
 ON SCHEDULE EVERY 1 DAY DO
 BEGIN
-  DELETE FROM spamalias WHERE validity < UNIX_TIMESTAMP() AND permanent = 0;
+  DELETE FROM spamalias WHERE validity < UNIX_TIMESTAMP();
 END;
 //
 DELIMITER ;
@@ -214,6 +204,17 @@ chown -R 82:82 /web/templates/cache
 # Clear cache
 find /web/templates/cache/* -not -name '.gitkeep' -delete
 # list client ca of all domains for
 CA_LIST="/etc/nginx/conf.d/client_cas.crt"
 # Clear the output file
 > "$CA_LIST"
 # Execute the query and append each value to the output file
 mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT ssl_client_ca FROM domain;" | while read -r ca; do
    echo "$ca" >> "$CA_LIST"
 done
 echo "SSL client CAs have been appended to $CA_LIST"
 # Run hooks
 for file in /hooks/*; do
  if [ -x "${file}" ]; then
--- a/data/Dockerfiles/postfix-tlspol/Dockerfile
+++ b/data/Dockerfiles/postfix-tlspol/Dockerfile
@@ -1,50 +0,0 @@
 FROM golang:1.25-bookworm AS builder
 WORKDIR /src
 ENV CGO_ENABLED=0 \
    GO111MODULE=on \
 		NOOPT=1 \
    VERSION=1.8.22
 RUN git clone --branch v${VERSION} https://github.com/Zuplu/postfix-tlspol && \
    cd /src/postfix-tlspol && \
    scripts/build.sh build-only
 FROM debian:bookworm-slim
 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
 ARG DEBIAN_FRONTEND=noninteractive
 ENV LC_ALL=C
 RUN apt-get update && apt-get install -y --no-install-recommends \
 	ca-certificates \
 	dirmngr \
  	dnsutils \
 	iputils-ping \
 	sudo \
 	supervisor \
 	redis-tools \
 	syslog-ng \
 	syslog-ng-core \
 	syslog-ng-mod-redis \
  	tzdata \
 	&& rm -rf /var/lib/apt/lists/* \
 	&& touch /etc/default/locale
 COPY supervisord.conf /etc/supervisor/supervisord.conf
 COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
 COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
 COPY postfix-tlspol.sh /opt/postfix-tlspol.sh
 COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 COPY --from=builder /src/postfix-tlspol/build/postfix-tlspol /usr/local/bin/postfix-tlspol
 RUN chmod +x /opt/postfix-tlspol.sh \
  /usr/local/sbin/stop-supervisor.sh \
  /docker-entrypoint.sh
 RUN rm -rf /tmp/* /var/tmp/*
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
--- a/data/Dockerfiles/postfix-tlspol/docker-entrypoint.sh
+++ b/data/Dockerfiles/postfix-tlspol/docker-entrypoint.sh
@@ -1,7 +0,0 @@
 #!/bin/bash
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
  cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
 fi
 exec "$@"
--- a/data/Dockerfiles/postfix-tlspol/postfix-tlspol.sh
+++ b/data/Dockerfiles/postfix-tlspol/postfix-tlspol.sh
@@ -1,52 +0,0 @@
 #!/bin/bash
 LOGLVL=info
 if [ ${DEV_MODE} != "n" ]; then
  echo -e "\e[31mEnabling debug mode\e[0m"
  set -x
  LOGLVL=debug
 fi
 [[ ! -d /etc/postfix-tlspol ]] && mkdir -p /etc/postfix-tlspol
 [[ ! -d /var/lib/postfix-tlspol ]] && mkdir -p /var/lib/postfix-tlspol
 until dig +short mailcow.email > /dev/null; do
  echo "Waiting for DNS..."
  sleep 1
 done
 # Do not attempt to write to slave
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
  export REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
 else
  export REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
 fi
 until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
  echo "Waiting for Redis..."
  sleep 2
 done
 echo "Waiting for Postfix..."
 until ping postfix -c1 > /dev/null; do
  sleep 1
 done
 echo "Postfix OK"
 cat <<EOF > /etc/postfix-tlspol/config.yaml
 server:
  address: 0.0.0.0:8642
  log-level: ${LOGLVL}
  prefetch: true
  cache-file: /var/lib/postfix-tlspol/cache.db
 dns:
  # must support DNSSEC
  address: 127.0.0.11:53
 EOF
 /usr/local/bin/postfix-tlspol -config /etc/postfix-tlspol/config.yaml
--- a/data/Dockerfiles/postfix-tlspol/stop-supervisor.sh
+++ b/data/Dockerfiles/postfix-tlspol/stop-supervisor.sh
@@ -1,8 +0,0 @@
 #!/bin/bash
 printf "READY\n";
 while read line; do
  echo "Processing Event: $line" >&2;
  kill -3 $(cat "/var/run/supervisord.pid")
 done < /dev/stdin
--- a/data/Dockerfiles/postfix-tlspol/supervisord.conf
+++ b/data/Dockerfiles/postfix-tlspol/supervisord.conf
@@ -1,25 +0,0 @@
 [supervisord]
 pidfile=/var/run/supervisord.pid
 nodaemon=true
 user=root
 [program:syslog-ng]
 command=/usr/sbin/syslog-ng --foreground  --no-caps
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autostart=true
 [program:postfix-tlspol]
 startsecs=10
 autorestart=true
 command=/opt/postfix-tlspol.sh
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 [eventlistener:processes]
 command=/usr/local/sbin/stop-supervisor.sh
 events=PROCESS_STATE_STOPPED, PROCESS_STATE_EXITED, PROCESS_STATE_FATAL
--- a/data/Dockerfiles/postfix-tlspol/syslog-ng-redis_slave.conf
+++ b/data/Dockerfiles/postfix-tlspol/syslog-ng-redis_slave.conf
@@ -1,45 +0,0 @@
@version: 3.38
@include "scl.conf"
 options {
  chain_hostnames(off);
  flush_lines(0);
  use_dns(no);
  dns_cache(no);
  use_fqdn(no);
  owner("root"); group("adm"); perm(0640);
  stats_freq(0);
  bad_hostname("^gconfd$");
 };
 source s_src {
  unix-stream("/dev/log");
  internal();
 };
 destination d_stdout { pipe("/dev/stdout"); };
 destination d_redis_ui_log {
  redis(
    host("`REDIS_SLAVEOF_IP`")
    persist-name("redis1")
    port(`REDIS_SLAVEOF_PORT`)
    auth("`REDISPASS`")
    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
 filter f_mail { facility(mail); };
 # start
 # overriding warnings are still displayed when the entrypoint runs its initial check
 # warnings logged by postfix-mailcow to syslog are hidden to reduce repeating msgs
 # Some other warnings are ignored
 filter f_ignore {
  not match("overriding earlier entry" value("MESSAGE"));
  not match("TLS SNI from checks.mailcow.email" value("MESSAGE"));
  not match("no SASL support" value("MESSAGE"));
  not facility (local0, local1, local2, local3, local4, local5, local6, local7);
 };
 # end
 log {
  source(s_src);
  filter(f_ignore);
  destination(d_stdout);
  filter(f_mail);
  destination(d_redis_ui_log);
 };
--- a/data/Dockerfiles/postfix-tlspol/syslog-ng.conf
+++ b/data/Dockerfiles/postfix-tlspol/syslog-ng.conf
@@ -1,45 +0,0 @@
@version: 3.38
@include "scl.conf"
 options {
  chain_hostnames(off);
  flush_lines(0);
  use_dns(no);
  dns_cache(no);
  use_fqdn(no);
  owner("root"); group("adm"); perm(0640);
  stats_freq(0);
  bad_hostname("^gconfd$");
 };
 source s_src {
  unix-stream("/dev/log");
  internal();
 };
 destination d_stdout { pipe("/dev/stdout"); };
 destination d_redis_ui_log {
  redis(
    host("redis-mailcow")
    persist-name("redis1")
    port(6379)
    auth("`REDISPASS`")
    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
 filter f_mail { facility(mail); };
 # start
 # overriding warnings are still displayed when the entrypoint runs its initial check
 # warnings logged by postfix-mailcow to syslog are hidden to reduce repeating msgs
 # Some other warnings are ignored
 filter f_ignore {
  not match("overriding earlier entry" value("MESSAGE"));
  not match("TLS SNI from checks.mailcow.email" value("MESSAGE"));
  not match("no SASL support" value("MESSAGE"));
  not facility (local0, local1, local2, local3, local4, local5, local6, local7);
 };
 # end
 log {
  source(s_src);
  filter(f_ignore);
  destination(d_stdout);
  filter(f_mail);
  destination(d_redis_ui_log);
 };
--- a/data/Dockerfiles/postfix/Dockerfile
+++ b/data/Dockerfiles/postfix/Dockerfile
@@ -1,9 +1,8 @@
-FROM debian:bookworm-slim
+FROM debian:bullseye-slim
-
+LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
 ARG DEBIAN_FRONTEND=noninteractive
-ENV LC_ALL=C
+ENV LC_ALL C
 RUN dpkg-divert --local --rename --add /sbin/initctl \
 	&& ln -sf /bin/true /sbin/initctl \
@@ -60,4 +59,4 @@ EXPOSE 588
 ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
+CMD exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
--- a/data/Dockerfiles/postfix/docker-entrypoint.sh
+++ b/data/Dockerfiles/postfix/docker-entrypoint.sh
@@ -12,15 +12,4 @@ if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
  cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
 fi
 # Fix OpenSSL 3.X TLS1.0, 1.1 support (https://community.mailcow.email/d/4062-hi-all/20)
 if grep -qE '\!SSLv2|\!SSLv3|>=TLSv1(\.[0-1])?$' /opt/postfix/conf/main.cf /opt/postfix/conf/extra.cf; then
    sed -i '/\[openssl_init\]/a ssl_conf = ssl_configuration' /etc/ssl/openssl.cnf
    echo "[ssl_configuration]" >> /etc/ssl/openssl.cnf
    echo "system_default = tls_system_default" >> /etc/ssl/openssl.cnf
    echo "[tls_system_default]" >> /etc/ssl/openssl.cnf
    echo "MinProtocol = TLSv1" >> /etc/ssl/openssl.cnf
    echo "CipherString = DEFAULT@SECLEVEL=0" >> /etc/ssl/openssl.cnf
 fi  
 exec "$@"
--- a/data/Dockerfiles/postfix/postfix.sh
+++ b/data/Dockerfiles/postfix/postfix.sh
@@ -5,7 +5,7 @@ trap "postfix stop" EXIT
 [[ ! -d /opt/postfix/conf/sql/ ]] && mkdir -p /opt/postfix/conf/sql/
 # Wait for MySQL to warm-up
-while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
+while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
  echo "Waiting for database to come up..."
  sleep 2
 done
@@ -390,7 +390,7 @@ hosts = unix:/var/run/mysqld/mysqld.sock
 dbname = ${DBNAME}
 query = SELECT goto FROM spamalias
  WHERE address='%s'
-    AND (validity >= UNIX_TIMESTAMP() OR permanent != 0)
+    AND validity >= UNIX_TIMESTAMP()
 EOF
 if [ ! -f /opt/postfix/conf/dns_blocklists.cf ]; then
@@ -403,6 +403,7 @@ postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
  list.dnswl.org=127.0.[0..255].1*-4
  list.dnswl.org=127.0.[0..255].2*-6
  list.dnswl.org=127.0.[0..255].3*-8
  ix.dnsbl.manitu.net*2
  bl.spamcop.net*2
  bl.suomispam.net*2
  hostkarma.junkemailfilter.com=127.0.0.2*3
@@ -414,12 +415,14 @@ postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
  b.barracudacentral.org=127.0.0.2*7
  bl.mailspike.net=127.0.0.2*5
  bl.mailspike.net=127.0.0.[10;11;12]*4
  dnsbl.sorbs.net=127.0.0.10*8
  dnsbl.sorbs.net=127.0.0.5*6
  dnsbl.sorbs.net=127.0.0.7*3
  dnsbl.sorbs.net=127.0.0.8*2
  dnsbl.sorbs.net=127.0.0.6*2
  dnsbl.sorbs.net=127.0.0.9*2
 EOF
 fi
 # Remove discontinued DNSBLs from existing dns_blocklists.cf
 sed -i '/ix\.dnsbl\.manitu\.net\*2/d' /opt/postfix/conf/dns_blocklists.cf # Nixspam
 DNSBL_CONFIG=$(grep -v '^#' /opt/postfix/conf/dns_blocklists.cf | grep '\S')
 if [ ! -z "$DNSBL_CONFIG" ]; then
@@ -510,11 +513,6 @@ chgrp -R postdrop /var/spool/postfix/public
 chgrp -R postdrop /var/spool/postfix/maildrop
 postfix set-permissions
 # Checking if there is a leftover of a crashed postfix container before starting a new one
 if [ -e /var/spool/postfix/pid/master.pid ]; then
  rm -rf /var/spool/postfix/pid/master.pid
 fi
 # Check Postfix configuration
 postconf -c /opt/postfix/conf > /dev/null
--- a/data/Dockerfiles/postfix/supervisord.conf
+++ b/data/Dockerfiles/postfix/supervisord.conf
@@ -18,7 +18,6 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autorestart=true
 startsecs=10
 [eventlistener:processes]
 command=/usr/local/sbin/stop-supervisor.sh
--- a/data/Dockerfiles/postfix/syslog-ng-redis_slave.conf
+++ b/data/Dockerfiles/postfix/syslog-ng-redis_slave.conf
@@ -1,4 +1,4 @@
-@version: 3.38
+@version: 3.28
@include "scl.conf"
 options {
  chain_hostnames(off);
@@ -20,7 +20,6 @@ destination d_redis_ui_log {
    host("`REDIS_SLAVEOF_IP`")
    persist-name("redis1")
    port(`REDIS_SLAVEOF_PORT`)
    auth("`REDISPASS`")
    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -29,7 +28,6 @@ destination d_redis_f2b_channel {
    host("`REDIS_SLAVEOF_IP`")
    persist-name("redis2")
    port(`REDIS_SLAVEOF_PORT`)
    auth("`REDISPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
--- a/data/Dockerfiles/postfix/syslog-ng.conf
+++ b/data/Dockerfiles/postfix/syslog-ng.conf
@@ -1,4 +1,4 @@
-@version: 3.38
+@version: 3.28
@include "scl.conf"
 options {
  chain_hostnames(off);
@@ -20,7 +20,6 @@ destination d_redis_ui_log {
    host("redis-mailcow")
    persist-name("redis1")
    port(6379)
    auth("`REDISPASS`")
    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -29,7 +28,6 @@ destination d_redis_f2b_channel {
    host("redis-mailcow")
    persist-name("redis2")
    port(6379)
    auth("`REDISPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
--- a/data/Dockerfiles/rspamd/Dockerfile
+++ b/data/Dockerfiles/rspamd/Dockerfile
@@ -1,10 +1,9 @@
 FROM debian:bookworm-slim
-LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 ARG DEBIAN_FRONTEND=noninteractive
 ARG RSPAMD_VER=rspamd_3.13.2-1~8bf602278
 ARG CODENAME=bookworm
-ENV LC_ALL=C
+ENV LC_ALL C
 RUN apt-get update && apt-get install -y --no-install-recommends \
  tzdata \
@@ -13,15 +12,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
  apt-transport-https \
  dnsutils \
  netcat-traditional \
-  wget \
+  && apt-key adv --fetch-keys https://rspamd.com/apt-stable/gpg.key \
-  redis-tools \
+  && echo "deb https://rspamd.com/apt-stable/ $CODENAME main" > /etc/apt/sources.list.d/rspamd.list \
-  procps \
+  && apt-get update \
-  nano \
+  && apt-get --no-install-recommends -y install rspamd redis-tools procps nano \
-  lua-cjson \
+  && rm -rf /var/lib/apt/lists/* \
  && arch=$(arch | sed s/aarch64/arm64/ | sed s/x86_64/amd64/) \
  && wget -P /tmp https://rspamd.com/apt-stable/pool/main/r/rspamd/${RSPAMD_VER}~${CODENAME}_${arch}.deb\
  && apt install -y /tmp/${RSPAMD_VER}~${CODENAME}_${arch}.deb \
  && rm -rf /var/lib/apt/lists/* /tmp/*\
  && apt-get autoremove --purge \
  && apt-get clean \
  && mkdir -p /run/rspamd \
@@ -30,6 +25,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
  && sed -i 's/#analysis_keyword_table > 0/analysis_cat_table.macro_exist == "M"/g' /usr/share/rspamd/lualib/lua_scanners/oletools.lua
 COPY settings.conf /etc/rspamd/settings.conf
 COPY metadata_exporter.lua /usr/share/rspamd/plugins/metadata_exporter.lua
 COPY set_worker_password.sh /set_worker_password.sh
 COPY docker-entrypoint.sh /docker-entrypoint.sh
--- a/data/Dockerfiles/rspamd/docker-entrypoint.sh
+++ b/data/Dockerfiles/rspamd/docker-entrypoint.sh
@@ -56,52 +56,27 @@ if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
  cat <<EOF > /etc/rspamd/local.d/redis.conf
 read_servers = "redis:6379";
 write_servers = "${REDIS_SLAVEOF_IP}:${REDIS_SLAVEOF_PORT}";
 password = "${REDISPASS}";
 timeout = 10;
 EOF
-  until [[ $(redis-cli -h redis-mailcow -a ${REDISPASS} --no-auth-warning PING) == "PONG" ]]; do
+  until [[ $(redis-cli -h redis-mailcow PING) == "PONG" ]]; do
    echo "Waiting for Redis @redis-mailcow..."
    sleep 2
  done
-  until [[ $(redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning PING) == "PONG" ]]; do
+  until [[ $(redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} PING) == "PONG" ]]; do
    echo "Waiting for Redis @${REDIS_SLAVEOF_IP}..."
    sleep 2
  done
-  redis-cli -h redis-mailcow -a ${REDISPASS} --no-auth-warning SLAVEOF ${REDIS_SLAVEOF_IP} ${REDIS_SLAVEOF_PORT}
+  redis-cli -h redis-mailcow SLAVEOF ${REDIS_SLAVEOF_IP} ${REDIS_SLAVEOF_PORT}
 else
  cat <<EOF > /etc/rspamd/local.d/redis.conf
 servers = "redis:6379";
 password = "${REDISPASS}";
 timeout = 10;
 EOF
-  until [[ $(redis-cli -h redis-mailcow -a ${REDISPASS} --no-auth-warning PING) == "PONG" ]]; do
+  until [[ $(redis-cli -h redis-mailcow PING) == "PONG" ]]; do
    echo "Waiting for Redis slave..."
    sleep 2
  done
-  redis-cli -h redis-mailcow -a ${REDISPASS} --no-auth-warning SLAVEOF NO ONE
+  redis-cli -h redis-mailcow SLAVEOF NO ONE
 fi
 if [[ "${SKIP_OLEFY}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
  if [[ -f /etc/rspamd/local.d/external_services.conf ]]; then
    rm /etc/rspamd/local.d/external_services.conf
  fi
 else
  if [[ ! -f /etc/rspamd/local.d/external_services.conf ]]; then
    cat <<EOF > /etc/rspamd/local.d/external_services.conf
 oletools {
  # default olefy settings
  servers = "olefy:10055";
  # needs to be set explicitly for Rspamd < 1.9.5
  scan_mime_parts = true;
  # mime-part regex matching in content-type or filename
  # block all macros
  extended = true;
  max_size = 3145728;
  timeout = 20.0;
  retransmits = 1;
 }
 EOF
  fi
 fi
 # Provide additional lua modules
@@ -149,190 +124,4 @@ for file in /hooks/*; do
  fi
 done
 # If DQS KEY is set in mailcow.conf add Spamhaus DQS RBLs
 if [[ ! -z ${SPAMHAUS_DQS_KEY} ]]; then
    cat <<EOF > /etc/rspamd/custom/dqs-rbl.conf
  # Autogenerated by mailcow. DO NOT TOUCH!
    spamhaus {
        rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
        from = false;
    }
    spamhaus_from {
        from = true;
        received = false;
        rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
        returncodes {
          SPAMHAUS_ZEN = [ "127.0.0.2", "127.0.0.3", "127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7", "127.0.0.9", "127.0.0.10", "127.0.0.11" ];
        }
    }
    spamhaus_authbl_received {
        # Check if the sender client is listed in AuthBL (AuthBL is *not* part of ZEN)
        rbl = "${SPAMHAUS_DQS_KEY}.authbl.dq.spamhaus.net";
        from = false;
        received = true;
        ipv6 = true;
        returncodes {
          SH_AUTHBL_RECEIVED = "127.0.0.20"
        }
    }
    spamhaus_dbl {
        # Add checks on the HELO string
        rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
        helo = true;
        rdns = true;
        dkim = true;
        disable_monitoring = true;
        returncodes {
            RBL_DBL_SPAM = "127.0.1.2";
            RBL_DBL_PHISH = "127.0.1.4";
            RBL_DBL_MALWARE = "127.0.1.5";
            RBL_DBL_BOTNET = "127.0.1.6";
            RBL_DBL_ABUSED_SPAM = "127.0.1.102";
            RBL_DBL_ABUSED_PHISH = "127.0.1.104";
            RBL_DBL_ABUSED_MALWARE = "127.0.1.105";
            RBL_DBL_ABUSED_BOTNET = "127.0.1.106";
            RBL_DBL_DONT_QUERY_IPS = "127.0.1.255";
        }
    }
    spamhaus_dbl_fullurls {
        ignore_defaults = true;
        no_ip = true;
        rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
        selector = 'urls:get_host'
        disable_monitoring = true;
        returncodes {
            DBLABUSED_SPAM_FULLURLS = "127.0.1.102";
            DBLABUSED_PHISH_FULLURLS = "127.0.1.104";
            DBLABUSED_MALWARE_FULLURLS = "127.0.1.105";
            DBLABUSED_BOTNET_FULLURLS = "127.0.1.106";
        }
    }
    spamhaus_zrd {
        # Add checks on the HELO string also for DQS
        rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
        helo = true;
        rdns = true;
        dkim = true;
        disable_monitoring = true;
        returncodes {
            RBL_ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
            RBL_ZRD_FRESH_DOMAIN = [
              "127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"
            ];
            RBL_ZRD_DONT_QUERY_IPS = "127.0.2.255";
        }
    }
    "SPAMHAUS_ZEN_URIBL" {
      enabled = true;
      rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
      resolve_ip = true;
      checks = ['urls'];
      replyto = true;
      emails = true;
      ipv4 = true;
      ipv6 = true;
      emails_domainonly = true;
      returncodes {
        URIBL_SBL = "127.0.0.2";
        URIBL_SBL_CSS = "127.0.0.3";
        URIBL_XBL = ["127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"];
        URIBL_PBL = ["127.0.0.10", "127.0.0.11"];
        URIBL_DROP = "127.0.0.9";
      }
    }
    SH_EMAIL_DBL {
      ignore_defaults = true;
      replyto = true;
      emails_domainonly = true;
      disable_monitoring = true;
      rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
      returncodes = {
        SH_EMAIL_DBL = [
          "127.0.1.2",
          "127.0.1.4",
          "127.0.1.5",
          "127.0.1.6"
        ];
        SH_EMAIL_DBL_ABUSED = [
          "127.0.1.102",
          "127.0.1.104",
          "127.0.1.105",
          "127.0.1.106"
        ];
        SH_EMAIL_DBL_DONT_QUERY_IPS = [ "127.0.1.255" ];
      }
    }
    SH_EMAIL_ZRD {
      ignore_defaults = true;
      replyto = true;
      emails_domainonly = true;
      disable_monitoring = true;
      rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
      returncodes = {
        SH_EMAIL_ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
        SH_EMAIL_ZRD_FRESH_DOMAIN = [
          "127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"
        ];
        SH_EMAIL_ZRD_DONT_QUERY_IPS = [ "127.0.2.255" ];
      }
    }
    "DBL" {
        # override the defaults for DBL defined in modules.d/rbl.conf
        rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
        disable_monitoring = true;
    }
    "ZRD" {
        ignore_defaults = true;
        rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
        no_ip = true;
        dkim = true;
        emails = true;
        emails_domainonly = true;
        urls = true;
        returncodes = {
            ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
            ZRD_FRESH_DOMAIN = ["127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"];
        }
    }
    spamhaus_sbl_url {
        ignore_defaults = true
        rbl = "${SPAMHAUS_DQS_KEY}.sbl.dq.spamhaus.net";
        checks = ['urls'];
        disable_monitoring = true;
        returncodes {
            SPAMHAUS_SBL_URL = "127.0.0.2";
        }
    }
    SH_HBL_EMAIL {
      ignore_defaults = true;
      rbl = "_email.${SPAMHAUS_DQS_KEY}.hbl.dq.spamhaus.net";
      emails_domainonly = false;
      selector = "from('smtp').lower;from('mime').lower";
      ignore_whitelist = true;
      checks = ['emails', 'replyto'];
      hash = "sha1";
      returncodes = {
        SH_HBL_EMAIL = [
          "127.0.3.2"
        ];
      }
    }
    spamhaus_dqs_hbl {
      symbol = "HBL_FILE_UNKNOWN";
      rbl = "_file.${SPAMHAUS_DQS_KEY}.hbl.dq.spamhaus.net.";
      selector = "attachments('rbase32', 'sha256')";
      ignore_whitelist = true;
      ignore_defaults = true;
      returncodes {
        SH_HBL_FILE_MALICIOUS = "127.0.3.10";
        SH_HBL_FILE_SUSPICIOUS = "127.0.3.15";
      }
    }
 EOF
 else
  rm -rf /etc/rspamd/custom/dqs-rbl.conf
 fi
 exec "$@"
--- a/data/Dockerfiles/rspamd/metadata_exporter.lua
+++ b/data/Dockerfiles/rspamd/metadata_exporter.lua
@@ -0,0 +1,632 @@
 --[[
 Copyright (c) 2016, Andrew Lewis <nerf@judo.za.org>
 Copyright (c) 2016, Vsevolod Stakhov <vsevolod@highsecure.ru>
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 ]]--
 if confighelp then
  return
 end
 -- A plugin that pushes metadata (or whole messages) to external services
 local redis_params
 local lua_util = require "lua_util"
 local rspamd_http = require "rspamd_http"
 local rspamd_util = require "rspamd_util"
 local rspamd_logger = require "rspamd_logger"
 local ucl = require "ucl"
 local E = {}
 local N = 'metadata_exporter'
 local settings = {
  pusher_enabled = {},
  pusher_format = {},
  pusher_select = {},
  mime_type = 'text/plain',
  defer = false,
  mail_from = '',
  mail_to = 'postmaster@localhost',
  helo = 'rspamd',
  email_template = [[From: "Rspamd" <$mail_from>
 To: $mail_to
 Subject: Spam alert
 Date: $date
 MIME-Version: 1.0
 Message-ID: <$our_message_id>
 Content-type: text/plain; charset=utf-8
 Content-Transfer-Encoding: 8bit
 Authenticated username: $user
 IP: $ip
 Queue ID: $qid
 SMTP FROM: $from
 SMTP RCPT: $rcpt
 MIME From: $header_from
 MIME To: $header_to
 MIME Date: $header_date
 Subject: $header_subject
 Message-ID: $message_id
 Action: $action
 Score: $score
 Symbols: $symbols]],
 }
 local function get_general_metadata(task, flatten, no_content)
  local r = {}
  local ip = task:get_from_ip()
  if ip and ip:is_valid() then
    r.ip = tostring(ip)
  else
    r.ip = 'unknown'
  end
  r.user = task:get_user() or 'unknown'
  r.qid = task:get_queue_id() or 'unknown'
  r.subject = task:get_subject() or 'unknown'
  r.action = task:get_metric_action('default')
  local s = task:get_metric_score('default')[1]
  r.score = flatten and string.format('%.2f', s) or s
  local fuzzy = task:get_mempool():get_variable("fuzzy_hashes", "fstrings")
  if fuzzy and #fuzzy > 0 then
    local fz = {}
    for _,h in ipairs(fuzzy) do
      table.insert(fz, h)
    end
    if not flatten then
      r.fuzzy = fz
    else
      r.fuzzy = table.concat(fz, ', ')
    end
  else
    r.fuzzy = 'unknown'
  end
  local rcpt = task:get_recipients('smtp')
  if rcpt then
    local l = {}
    for _, a in ipairs(rcpt) do
      table.insert(l, a['addr'])
    end
    if not flatten then
      r.rcpt = l
    else
      r.rcpt = table.concat(l, ', ')
    end
  else
    r.rcpt = 'unknown'
  end
  local from = task:get_from('smtp')
  if ((from or E)[1] or E).addr then
    r.from = from[1].addr
  else
    r.from = 'unknown'
  end
  local syminf = task:get_symbols_all()
  if flatten then
    local l = {}
    for _, sym in ipairs(syminf) do
      local txt
      if sym.options then
        local topt = table.concat(sym.options, ', ')
        txt = sym.name .. '(' .. string.format('%.2f', sym.score) .. ')' .. ' [' .. topt .. ']'
      else
        txt = sym.name .. '(' .. string.format('%.2f', sym.score) .. ')'
      end
      table.insert(l, txt)
    end
    r.symbols = table.concat(l, '\n\t')
  else
    r.symbols = syminf
  end
  local function process_header(name)
    local hdr = task:get_header_full(name)
    if hdr then
      local l = {}
      for _, h in ipairs(hdr) do
        table.insert(l, h.decoded)
      end
      if not flatten then
        return l
      else
        return table.concat(l, '\n')
      end
    else
      return 'unknown'
    end
  end
  if not no_content then
    r.header_from = process_header('from')
    r.header_to = process_header('to')
    r.header_subject = process_header('subject')
    r.header_date = process_header('date')
    r.message_id = task:get_message_id()
  end
  return r
 end
 local formatters = {
  default = function(task)
    return task:get_content(), {}
  end,
  email_alert = function(task, rule, extra)
    local meta = get_general_metadata(task, true)
    local display_emails = {}
    local mail_targets = {}
    meta.mail_from = rule.mail_from or settings.mail_from
    local mail_rcpt = rule.mail_to or settings.mail_to
    if type(mail_rcpt) ~= 'table' then
      table.insert(display_emails, string.format('<%s>', mail_rcpt))
      table.insert(mail_targets, mail_rcpt)
    else
      for _, e in ipairs(mail_rcpt) do
        table.insert(display_emails, string.format('<%s>', e))
        table.insert(mail_targets, mail_rcpt)
      end
    end
    if rule.email_alert_sender then
      local x = task:get_from('smtp')
      if x and string.len(x[1].addr) > 0 then
        table.insert(mail_targets, x)
        table.insert(display_emails, string.format('<%s>', x[1].addr))
      end
    end
    if rule.email_alert_user then
      local x = task:get_user()
      if x then
        table.insert(mail_targets, x)
        table.insert(display_emails, string.format('<%s>', x))
      end
    end
    if rule.email_alert_recipients then
      local x = task:get_recipients('smtp')
      if x then
        for _, e in ipairs(x) do
          if string.len(e.addr) > 0 then
            table.insert(mail_targets, e.addr)
            table.insert(display_emails, string.format('<%s>', e.addr))
          end
        end
      end
    end
    meta.mail_to = table.concat(display_emails, ', ')
    meta.our_message_id = rspamd_util.random_hex(12) .. '@rspamd'
    meta.date = rspamd_util.time_to_string(rspamd_util.get_time())
    return lua_util.template(rule.email_template or settings.email_template, meta), { mail_targets = mail_targets}
  end,
  json = function(task)
    return ucl.to_format(get_general_metadata(task), 'json-compact')
  end
 }
 local function is_spam(action)
  return (action == 'reject' or action == 'add header' or action == 'rewrite subject')
 end
 local selectors = {
  default = function(task)
    return true
  end,
  is_spam = function(task)
    local action = task:get_metric_action('default')
    return is_spam(action)
  end,
  is_spam_authed = function(task)
    if not task:get_user() then
      return false
    end
    local action = task:get_metric_action('default')
    return is_spam(action)
  end,
  is_reject = function(task)
    local action = task:get_metric_action('default')
    return (action == 'reject')
  end,
  is_reject_authed = function(task)
    if not task:get_user() then
      return false
    end
    local action = task:get_metric_action('default')
    return (action == 'reject')
  end,
 }
 local function maybe_defer(task, rule)
  if rule.defer then
    rspamd_logger.warnx(task, 'deferring message')
    task:set_pre_result('soft reject', 'deferred', N)
  end
 end
 local pushers = {
  redis_pubsub = function(task, formatted, rule)
    local _,ret,upstream
    local function redis_pub_cb(err)
      if err then
        rspamd_logger.errx(task, 'got error %s when publishing on server %s',
            err, upstream:get_addr())
        return maybe_defer(task, rule)
      end
      return true
    end
    ret,_,upstream = rspamd_redis_make_request(task,
      redis_params, -- connect params
      nil, -- hash key
      true, -- is write
      redis_pub_cb, --callback
      'PUBLISH', -- command
      {rule.channel, formatted} -- arguments
    )
    if not ret then
      rspamd_logger.errx(task, 'error connecting to redis')
      maybe_defer(task, rule)
    end
  end,
  http = function(task, formatted, rule)
    local function http_callback(err, code)
      if err then
        rspamd_logger.errx(task, 'got error %s in http callback', err)
        return maybe_defer(task, rule)
      end
      if code ~= 200 then
        rspamd_logger.errx(task, 'got unexpected http status: %s', code)
        return maybe_defer(task, rule)
      end
      return true
    end
    local hdrs = {}
    if rule.meta_headers then
      local gm = get_general_metadata(task, false, true)
      local pfx = rule.meta_header_prefix or 'X-Rspamd-'
      for k, v in pairs(gm) do
        if type(v) == 'table' then
          hdrs[pfx .. k] = ucl.to_format(v, 'json-compact')
        else
          hdrs[pfx .. k] = v
        end
      end
    end
    rspamd_http.request({
      task=task,
      url=rule.url,
      body=formatted,
      callback=http_callback,
      mime_type=rule.mime_type or settings.mime_type,
      headers=hdrs,
    })
  end,
  send_mail = function(task, formatted, rule, extra)
    local lua_smtp = require "lua_smtp"
    local function sendmail_cb(ret, err)
      if not ret then
        rspamd_logger.errx(task, 'SMTP export error: %s', err)
        maybe_defer(task, rule)
      end
    end
    lua_smtp.sendmail({
      task = task,
      host = rule.smtp,
      port = rule.smtp_port or settings.smtp_port or 25,
      from = rule.mail_from or settings.mail_from,
      recipients = extra.mail_targets or rule.mail_to or settings.mail_to,
      helo = rule.helo or settings.helo,
      timeout = rule.timeout or settings.timeout,
    }, formatted, sendmail_cb)
  end,
 }
 local opts = rspamd_config:get_all_opt(N)
 if not opts then return end
 local process_settings = {
  select = function(val)
    selectors.custom = assert(load(val))()
  end,
  format = function(val)
    formatters.custom = assert(load(val))()
  end,
  push = function(val)
    pushers.custom = assert(load(val))()
  end,
  custom_push = function(val)
    if type(val) == 'table' then
      for k, v in pairs(val) do
        pushers[k] = assert(load(v))()
      end
    end
  end,
  custom_select = function(val)
    if type(val) == 'table' then
      for k, v in pairs(val) do
        selectors[k] = assert(load(v))()
      end
    end
  end,
  custom_format = function(val)
    if type(val) == 'table' then
      for k, v in pairs(val) do
        formatters[k] = assert(load(v))()
      end
    end
  end,
  pusher_enabled = function(val)
    if type(val) == 'string' then
      if pushers[val] then
        settings.pusher_enabled[val] = true
      else
        rspamd_logger.errx(rspamd_config, 'Pusher type: %s is invalid', val)
      end
    elseif type(val) == 'table' then
      for _, v in ipairs(val) do
        if pushers[v] then
          settings.pusher_enabled[v] = true
        else
          rspamd_logger.errx(rspamd_config, 'Pusher type: %s is invalid', val)
        end
      end
    end
  end,
 }
 for k, v in pairs(opts) do
  local f = process_settings[k]
  if f then
    f(opts[k])
  else
    settings[k] = v
  end
 end
 if type(settings.rules) ~= 'table' then
  -- Legacy config
  settings.rules = {}
  if not next(settings.pusher_enabled) then
    if pushers.custom then
      rspamd_logger.infox(rspamd_config, 'Custom pusher implicitly enabled')
      settings.pusher_enabled.custom = true
    else
      -- Check legacy options
      if settings.url then
        rspamd_logger.warnx(rspamd_config, 'HTTP pusher implicitly enabled')
        settings.pusher_enabled.http = true
      end
      if settings.channel then
        rspamd_logger.warnx(rspamd_config, 'Redis Pubsub pusher implicitly enabled')
        settings.pusher_enabled.redis_pubsub = true
      end
      if settings.smtp and settings.mail_to then
        rspamd_logger.warnx(rspamd_config, 'SMTP pusher implicitly enabled')
        settings.pusher_enabled.send_mail = true
      end
    end
  end
  if not next(settings.pusher_enabled) then
    rspamd_logger.errx(rspamd_config, 'No push backend enabled')
    return
  end
  if settings.formatter then
    settings.format = formatters[settings.formatter]
    if not settings.format then
      rspamd_logger.errx(rspamd_config, 'No such formatter: %s', settings.formatter)
      return
    end
  end
  if settings.selector then
    settings.select = selectors[settings.selector]
    if not settings.select then
      rspamd_logger.errx(rspamd_config, 'No such selector: %s', settings.selector)
      return
    end
  end
  for k in pairs(settings.pusher_enabled) do
    local formatter = settings.pusher_format[k]
    local selector = settings.pusher_select[k]
    if not formatter then
      settings.pusher_format[k] = settings.formatter or 'default'
      rspamd_logger.infox(rspamd_config, 'Using default formatter for %s pusher', k)
    else
      if not formatters[formatter] then
        rspamd_logger.errx(rspamd_config, 'No such formatter: %s - disabling %s', formatter, k)
        settings.pusher_enabled.k = nil
      end
    end
    if not selector then
      settings.pusher_select[k] = settings.selector or 'default'
      rspamd_logger.infox(rspamd_config, 'Using default selector for %s pusher', k)
    else
      if not selectors[selector] then
        rspamd_logger.errx(rspamd_config, 'No such selector: %s - disabling %s', selector, k)
        settings.pusher_enabled.k = nil
      end
    end
  end
  if settings.pusher_enabled.redis_pubsub then
    redis_params = rspamd_parse_redis_server(N)
    if not redis_params then
      rspamd_logger.errx(rspamd_config, 'No redis servers are specified')
      settings.pusher_enabled.redis_pubsub = nil
    else
      local r = {}
      r.backend = 'redis_pubsub'
      r.channel = settings.channel
      r.defer = settings.defer
      r.selector = settings.pusher_select.redis_pubsub
      r.formatter = settings.pusher_format.redis_pubsub
      settings.rules[r.backend:upper()] = r
    end
  end
  if settings.pusher_enabled.http then
    if not settings.url then
      rspamd_logger.errx(rspamd_config, 'No URL is specified')
      settings.pusher_enabled.http = nil
    else
      local r = {}
      r.backend = 'http'
      r.url = settings.url
      r.mime_type = settings.mime_type
      r.defer = settings.defer
      r.selector = settings.pusher_select.http
      r.formatter = settings.pusher_format.http
      settings.rules[r.backend:upper()] = r
    end
  end
  if settings.pusher_enabled.send_mail then
    if not (settings.mail_to and settings.smtp) then
      rspamd_logger.errx(rspamd_config, 'No mail_to and/or smtp setting is specified')
      settings.pusher_enabled.send_mail = nil
    else
      local r = {}
      r.backend = 'send_mail'
      r.mail_to = settings.mail_to
      r.mail_from = settings.mail_from
      r.helo = settings.hello
      r.smtp = settings.smtp
      r.smtp_port = settings.smtp_port
      r.email_template = settings.email_template
      r.defer = settings.defer
      r.selector = settings.pusher_select.send_mail
      r.formatter = settings.pusher_format.send_mail
      settings.rules[r.backend:upper()] = r
    end
  end
  if not next(settings.pusher_enabled) then
    rspamd_logger.errx(rspamd_config, 'No push backend enabled')
    return
  end
 elseif not next(settings.rules) then
  lua_util.debugm(N, rspamd_config, 'No rules enabled')
  return
 end
 if not settings.rules or not next(settings.rules) then
  rspamd_logger.errx(rspamd_config, 'No rules enabled')
  return
 end
 local backend_required_elements = {
  http = {
    'url',
  },
  smtp = {
    'mail_to',
    'smtp',
  },
  redis_pubsub = {
    'channel',
  },
 }
 local check_element = {
  selector = function(k, v)
    if not selectors[v] then
      rspamd_logger.errx(rspamd_config, 'Rule %s has invalid selector %s', k, v)
      return false
    else
      return true
    end
  end,
  formatter = function(k, v)
    if not formatters[v] then
      rspamd_logger.errx(rspamd_config, 'Rule %s has invalid formatter %s', k, v)
      return false
    else
      return true
    end
  end,
 }
 local backend_check = {
  default = function(k, rule)
    local reqset = backend_required_elements[rule.backend]
    if reqset then
      for _, e in ipairs(reqset) do
        if not rule[e] then
          rspamd_logger.errx(rspamd_config, 'Rule %s misses required setting %s', k, e)
          settings.rules[k] = nil
        end
      end
    end
    for sett, v in pairs(rule) do
      local f = check_element[sett]
      if f then
        if not f(sett, v) then
          settings.rules[k] = nil
        end
      end
    end
  end,
 }
 backend_check.redis_pubsub = function(k, rule)
  if not redis_params then
    redis_params = rspamd_parse_redis_server(N)
  end
  if not redis_params then
    rspamd_logger.errx(rspamd_config, 'No redis servers are specified')
    settings.rules[k] = nil
  else
    backend_check.default(k, rule)
  end
 end
 setmetatable(backend_check, {
  __index = function()
    return backend_check.default
  end,
 })
 for k, v in pairs(settings.rules) do
  if type(v) == 'table' then
    local backend = v.backend
    if not backend then
      rspamd_logger.errx(rspamd_config, 'Rule %s has no backend', k)
      settings.rules[k] = nil
    elseif not pushers[backend] then
      rspamd_logger.errx(rspamd_config, 'Rule %s has invalid backend %s', k, backend)
      settings.rules[k] = nil
    else
      local f = backend_check[backend]
      f(k, v)
    end
  else
    rspamd_logger.errx(rspamd_config, 'Rule %s has bad type: %s', k, type(v))
    settings.rules[k] = nil
  end
 end
 local function gen_exporter(rule)
  return function (task)
    if task:has_flag('skip') then return end
    local selector = rule.selector or 'default'
    local selected = selectors[selector](task)
    if selected then
      lua_util.debugm(N, task, 'Message selected for processing')
      local formatter = rule.formatter or 'default'
      local formatted, extra = formatters[formatter](task, rule)
      if formatted then
        pushers[rule.backend](task, formatted, rule, extra)
      else
        lua_util.debugm(N, task, 'Formatter [%s] returned non-truthy value [%s]', formatter, formatted)
      end
    else
      lua_util.debugm(N, task, 'Selector [%s] returned non-truthy value [%s]', selector, selected)
    end
  end
 end
 if not next(settings.rules) then
  rspamd_logger.errx(rspamd_config, 'No rules enabled')
  lua_util.disable_module(N, "config")
 end
 for k, r in pairs(settings.rules) do
  rspamd_config:register_symbol({
    name = 'EXPORT_METADATA_' .. k,
    type = 'idempotent',
    callback = gen_exporter(r),
    priority = 10,
    flags = 'empty,explicit_disable,ignore_passthrough',
  })
 end
--- a/data/Dockerfiles/sogo/Dockerfile
+++ b/data/Dockerfiles/sogo/Dockerfile
@@ -1,13 +1,12 @@
 FROM debian:bookworm-slim
-
+LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
 ARG DEBIAN_FRONTEND=noninteractive
 ARG DEBIAN_VERSION=bookworm
-ARG SOGO_DEBIAN_REPOSITORY=https://packagingv2.sogo.nu/sogo-nightly-debian/
+ARG SOGO_DEBIAN_REPOSITORY=http://www.axis.cz/linux/debian
 # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
 ARG GOSU_VERSION=1.17
-ENV LC_ALL=C
+ENV LC_ALL C
 # Prerequisites
 RUN echo "Building from repository $SOGO_DEBIAN_REPOSITORY" \
@@ -33,13 +32,13 @@ RUN echo "Building from repository $SOGO_DEBIAN_REPOSITORY" \
  && gosu nobody true \
  && mkdir /usr/share/doc/sogo \
  && touch /usr/share/doc/sogo/empty.sh \
-  && wget -O- https://keys.openpgp.org/vks/v1/by-fingerprint/74FFC6D72B925A34B5D356BDF8A27B36A6E2EAE9 | gpg --dearmor | apt-key add - \
+  && apt-key adv --keyserver keys.openpgp.org --recv-key 74FFC6D72B925A34B5D356BDF8A27B36A6E2EAE9 \
-  && echo "deb [trusted=yes] ${SOGO_DEBIAN_REPOSITORY} ${DEBIAN_VERSION} main" > /etc/apt/sources.list.d/sogo.list \
+  && echo "deb [trusted=yes] ${SOGO_DEBIAN_REPOSITORY} ${DEBIAN_VERSION} sogo-v5" > /etc/apt/sources.list.d/sogo.list \
  && apt-get update && apt-get install -y --no-install-recommends \
    sogo \
    sogo-activesync \
  && apt-get autoclean \
-  && rm -rf /var/lib/apt/lists/* \
+  && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/sogo.list \
  && touch /etc/default/locale
 COPY ./bootstrap-sogo.sh /bootstrap-sogo.sh
@@ -47,7 +46,6 @@ COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
 COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
 COPY supervisord.conf /etc/supervisor/supervisord.conf
 COPY acl.diff /acl.diff
 COPY navMailcowBtns.diff /navMailcowBtns.diff
 COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
 COPY docker-entrypoint.sh /
@@ -56,4 +54,4 @@ RUN chmod +x /bootstrap-sogo.sh \
 ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
+CMD exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
--- a/data/Dockerfiles/sogo/bootstrap-sogo.sh
+++ b/data/Dockerfiles/sogo/bootstrap-sogo.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # Wait for MySQL to warm-up
-while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
+while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
  echo "Waiting for database to come up..."
  sleep 2
 done
@@ -14,20 +14,16 @@ do
 done
 # Wait for updated schema
-DBV_NOW=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions WHERE application = 'db_schema';" -BN)
+DBV_NOW=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions WHERE application = 'db_schema';" -BN)
 DBV_NEW=$(grep -oE '\$db_version = .*;' init_db.inc.php | sed 's/$db_version = //g;s/;//g' | cut -d \" -f2)
 while [[ "${DBV_NOW}" != "${DBV_NEW}" ]]; do
  echo "Waiting for schema update..."
-  DBV_NOW=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions WHERE application = 'db_schema';" -BN)
+  DBV_NOW=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions WHERE application = 'db_schema';" -BN)
  DBV_NEW=$(grep -oE '\$db_version = .*;' init_db.inc.php | sed 's/$db_version = //g;s/;//g' | cut -d \" -f2)
  sleep 5
 done
 echo "DB schema is ${DBV_NOW}"
 if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
  mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TRIGGER IF EXISTS sogo_update_password"
 fi
 # cat /dev/urandom seems to hang here occasionally and is not recommended anyway, better use openssl
 RAND_PASS=$(openssl rand -base64 16 | tr -dc _A-Z-a-z-0-9)
@@ -50,8 +46,6 @@ cat <<EOF > /var/lib/sogo/GNUstep/Defaults/sogod.plist
    <string>YES</string>
    <key>SOGoEncryptionKey</key>
    <string>${RAND_PASS}</string>
    <key>OCSAdminURL</key>
    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_admin</string>
    <key>OCSCacheFolderURL</key>
    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_cache_folder</string>
    <key>OCSEMailAlarmsFolderURL</key>
@@ -113,10 +107,10 @@ while read -r line gal
                </dict>" >> /var/lib/sogo/GNUstep/Defaults/sogod.plist
  # Generate alternative LDAP authentication dict, when SQL authentication fails
  # This will nevertheless read attributes from LDAP
-  /etc/sogo/plist_ldap.sh ${line} ${gal} >> /var/lib/sogo/GNUstep/Defaults/sogod.plist
+  line=${line} envsubst < /etc/sogo/plist_ldap >> /var/lib/sogo/GNUstep/Defaults/sogod.plist
  echo "            </array>
        </dict>" >> /var/lib/sogo/GNUstep/Defaults/sogod.plist
-done < <(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain, CASE gal WHEN '1' THEN 'YES' ELSE 'NO' END AS gal FROM domain;" -B -N)
+done < <(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain, CASE gal WHEN '1' THEN 'YES' ELSE 'NO' END AS gal FROM domain;" -B -N)
 # Generate footer
 echo '    </dict>
@@ -140,12 +134,8 @@ chmod 600 /var/lib/sogo/GNUstep/Defaults/sogod.plist
 #  fi
 #fi
-if patch -R -sfN --dry-run /usr/lib/GNUstep/SOGo/Templates/UIxTopnavToolbar.wox < /navMailcowBtns.diff > /dev/null; then
+# Copy logo, if any
-  patch -R /usr/lib/GNUstep/SOGo/Templates/UIxTopnavToolbar.wox < /navMailcowBtns.diff;
+[[ -f /etc/sogo/sogo-full.svg ]] && cp /etc/sogo/sogo-full.svg /usr/lib/GNUstep/SOGo/WebServerResources/img/sogo-full.svg
 fi
 # Rename custom logo, if any
 [[ -f /etc/sogo/sogo-full.svg ]] && mv /etc/sogo/sogo-full.svg /etc/sogo/custom-fulllogo.svg
 # Rsync web content
 echo "Syncing web content with named volume"
--- a/data/Dockerfiles/sogo/docker-entrypoint.sh
+++ b/data/Dockerfiles/sogo/docker-entrypoint.sh
@@ -10,8 +10,6 @@ if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
  cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
 fi
 echo "$TZ" > /etc/timezone
 # Run hooks
 for file in /hooks/*; do
  if [ -x "${file}" ]; then
--- a/data/Dockerfiles/sogo/navMailcowBtns.diff
+++ b/data/Dockerfiles/sogo/navMailcowBtns.diff
@@ -1,15 +0,0 @@
 60,65d58
 <                var:ng-click="navButtonClick"
 <                ng-href="/user">
 <       <md-icon>build</md-icon>
 <       <md-tooltip>mailcow <var:string label:value="Preferences"/></md-tooltip>
 <     </md-button>
 <     <md-button class="md-icon-button"
 83c76
 <                onclick="mc_logout();"
 ---
 >                ng-show="::activeUser.path.logoff.length"
 85c78
 <                ng-href="#">
 ---
 >                ng-href="{{::activeUser.path.logoff}}">
--- a/data/Dockerfiles/sogo/syslog-ng-redis_slave.conf
+++ b/data/Dockerfiles/sogo/syslog-ng-redis_slave.conf
@@ -1,4 +1,4 @@
-@version: 3.38
+@version: 3.28
@include "scl.conf"
 options {
  chain_hostnames(off);
@@ -22,7 +22,6 @@ destination d_redis_ui_log {
    host("`REDIS_SLAVEOF_IP`")
    persist-name("redis1")
    port(`REDIS_SLAVEOF_PORT`)
    auth("`REDISPASS`")
    command("LPUSH" "SOGO_LOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -31,7 +30,6 @@ destination d_redis_f2b_channel {
    host("`REDIS_SLAVEOF_IP`")
    persist-name("redis2")
    port(`REDIS_SLAVEOF_PORT`)
    auth("`REDISPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
--- a/data/Dockerfiles/sogo/syslog-ng.conf
+++ b/data/Dockerfiles/sogo/syslog-ng.conf
@@ -1,4 +1,4 @@
-@version: 3.38
+@version: 3.28
@include "scl.conf"
 options {
  chain_hostnames(off);
@@ -22,7 +22,6 @@ destination d_redis_ui_log {
    host("redis-mailcow")
    persist-name("redis1")
    port(6379)
    auth("`REDISPASS`")
    command("LPUSH" "SOGO_LOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -31,7 +30,6 @@ destination d_redis_f2b_channel {
    host("redis-mailcow")
    persist-name("redis2")
    port(6379)
    auth("`REDISPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
--- a/data/Dockerfiles/solr/Dockerfile
+++ b/data/Dockerfiles/solr/Dockerfile
@@ -0,0 +1,32 @@
 FROM solr:7.7-slim
 LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 USER root
 # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=(?<version>.*)$
 ARG GOSU_VERSION=1.17
 COPY solr.sh /
 COPY solr-config-7.7.0.xml /
 COPY solr-schema-7.7.0.xml /
 RUN dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
  && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
  && chmod +x /usr/local/bin/gosu \
  && gosu nobody true \
  && apt-get update && apt-get install -y --no-install-recommends \
  tzdata \
  curl \
  bash \
  zip \
  && apt-get autoclean \
  && rm -rf /var/lib/apt/lists/* \
  && chmod +x /solr.sh \
  && sync \
  && bash /solr.sh --bootstrap
 RUN zip -q -d /opt/solr/server/lib/ext/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
 RUN apt remove zip -y  
 CMD ["/solr.sh"]
--- a/data/Dockerfiles/solr/solr-config-7.7.0.xml
+++ b/data/Dockerfiles/solr/solr-config-7.7.0.xml
@@ -0,0 +1,289 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <!-- This is the default config with stuff non-essential to Dovecot removed. -->
 <config>
  <!-- Controls what version of Lucene various components of Solr
       adhere to.  Generally, you want to use the latest version to
       get all bug fixes and improvements. It is highly recommended
       that you fully re-index after changing this setting as it can
       affect both how text is indexed and queried.
  -->
  <luceneMatchVersion>7.7.0</luceneMatchVersion>
  <!-- A 'dir' option by itself adds any files found in the directory
       to the classpath, this is useful for including all jars in a
       directory.
       When a 'regex' is specified in addition to a 'dir', only the
       files in that directory which completely match the regex
       (anchored on both ends) will be included.
       If a 'dir' option (with or without a regex) is used and nothing
       is found that matches, a warning will be logged.
       The examples below can be used to load some solr-contribs along
       with their external dependencies.
    -->
  <lib dir="${solr.install.dir:../../../..}/contrib/extraction/lib" regex=".*\.jar" />
  <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-cell-\d.*\.jar" />
  <lib dir="${solr.install.dir:../../../..}/contrib/clustering/lib/" regex=".*\.jar" />
  <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-clustering-\d.*\.jar" />
  <lib dir="${solr.install.dir:../../../..}/contrib/langid/lib/" regex=".*\.jar" />
  <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-langid-\d.*\.jar" />
  <lib dir="${solr.install.dir:../../../..}/contrib/velocity/lib" regex=".*\.jar" />
  <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-velocity-\d.*\.jar" />
  <!-- Data Directory
       Used to specify an alternate directory to hold all index data
       other than the default ./data under the Solr home.  If
       replication is in use, this should match the replication
       configuration.
    -->
  <dataDir>${solr.data.dir:}</dataDir>
  <!-- The default high-performance update handler -->
  <updateHandler class="solr.DirectUpdateHandler2">
    <!-- Enables a transaction log, used for real-time get, durability, and
         and solr cloud replica recovery.  The log can grow as big as
         uncommitted changes to the index, so use of a hard autoCommit
         is recommended (see below).
         "dir" - the target directory for transaction logs, defaults to the
                solr data directory.
         "numVersionBuckets" - sets the number of buckets used to keep
                track of max version values when checking for re-ordered
                updates; increase this value to reduce the cost of
                synchronizing access to version buckets during high-volume
                indexing, this requires 8 bytes (long) * numVersionBuckets
                of heap space per Solr core.
    -->
    <updateLog>
      <str name="dir">${solr.ulog.dir:}</str>
      <int name="numVersionBuckets">${solr.ulog.numVersionBuckets:65536}</int>
    </updateLog>
    <!-- AutoCommit
         Perform a hard commit automatically under certain conditions.
         Instead of enabling autoCommit, consider using "commitWithin"
         when adding documents.
         http://wiki.apache.org/solr/UpdateXmlMessages
         maxDocs - Maximum number of documents to add since the last
                   commit before automatically triggering a new commit.
         maxTime - Maximum amount of time in ms that is allowed to pass
                   since a document was added before automatically
                   triggering a new commit.
         openSearcher - if false, the commit causes recent index changes
           to be flushed to stable storage, but does not cause a new
           searcher to be opened to make those changes visible.
         If the updateLog is enabled, then it's highly recommended to
         have some sort of hard autoCommit to limit the log size.
      -->
    <autoCommit>
      <maxTime>${solr.autoCommit.maxTime:15000}</maxTime>
      <openSearcher>false</openSearcher>
    </autoCommit>
    <!-- softAutoCommit is like autoCommit except it causes a
         'soft' commit which only ensures that changes are visible
         but does not ensure that data is synced to disk.  This is
         faster and more near-realtime friendly than a hard commit.
      -->
    <autoSoftCommit>
      <maxTime>${solr.autoSoftCommit.maxTime:-1}</maxTime>
    </autoSoftCommit>
    <!-- Update Related Event Listeners
         Various IndexWriter related events can trigger Listeners to
         take actions.
         postCommit - fired after every commit or optimize command
         postOptimize - fired after every optimize command
      -->
  </updateHandler>
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       Query section - these settings control query time things like caches
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <query>
    <!-- Solr Internal Query Caches
         There are two implementations of cache available for Solr,
         LRUCache, based on a synchronized LinkedHashMap, and
         FastLRUCache, based on a ConcurrentHashMap.
         FastLRUCache has faster gets and slower puts in single
         threaded operation and thus is generally faster than LRUCache
         when the hit ratio of the cache is high (> 75%), and may be
         faster under other scenarios on multi-cpu systems.
    -->
    <!-- Filter Cache
         Cache used by SolrIndexSearcher for filters (DocSets),
         unordered sets of *all* documents that match a query.  When a
         new searcher is opened, its caches may be prepopulated or
         "autowarmed" using data from caches in the old searcher.
         autowarmCount is the number of items to prepopulate.  For
         LRUCache, the autowarmed items will be the most recently
         accessed items.
         Parameters:
           class - the SolrCache implementation LRUCache or
               (LRUCache or FastLRUCache)
           size - the maximum number of entries in the cache
           initialSize - the initial capacity (number of entries) of
               the cache.  (see java.util.HashMap)
           autowarmCount - the number of entries to prepopulate from
               and old cache.
           maxRamMB - the maximum amount of RAM (in MB) that this cache is allowed
                      to occupy. Note that when this option is specified, the size
                      and initialSize parameters are ignored.
      -->
    <filterCache class="solr.FastLRUCache"
                 size="512"
                 initialSize="512"
                 autowarmCount="0"/>
    <!-- Query Result Cache
         Caches results of searches - ordered lists of document ids
         (DocList) based on a query, a sort, and the range of documents requested.
         Additional supported parameter by LRUCache:
            maxRamMB - the maximum amount of RAM (in MB) that this cache is allowed
                       to occupy
      -->
    <queryResultCache class="solr.LRUCache"
                      size="512"
                      initialSize="512"
                      autowarmCount="0"/>
    <!-- Document Cache
         Caches Lucene Document objects (the stored fields for each
         document).  Since Lucene internal document ids are transient,
         this cache will not be autowarmed.
      -->
    <documentCache class="solr.LRUCache"
                   size="512"
                   initialSize="512"
                   autowarmCount="0"/>
    <!-- custom cache currently used by block join -->
    <cache name="perSegFilter"
           class="solr.search.LRUCache"
           size="10"
           initialSize="0"
           autowarmCount="10"
           regenerator="solr.NoOpRegenerator" />
    <!-- Lazy Field Loading
         If true, stored fields that are not requested will be loaded
         lazily.  This can result in a significant speed improvement
         if the usual case is to not load all stored fields,
         especially if the skipped fields are large compressed text
         fields.
    -->
    <enableLazyFieldLoading>true</enableLazyFieldLoading>
    <!-- Result Window Size
         An optimization for use with the queryResultCache.  When a search
         is requested, a superset of the requested number of document ids
         are collected.  For example, if a search for a particular query
         requests matching documents 10 through 19, and queryWindowSize is 50,
         then documents 0 through 49 will be collected and cached.  Any further
         requests in that range can be satisfied via the cache.
      -->
    <queryResultWindowSize>20</queryResultWindowSize>
    <!-- Maximum number of documents to cache for any entry in the
         queryResultCache.
      -->
    <queryResultMaxDocsCached>200</queryResultMaxDocsCached>
    <!-- Use Cold Searcher
         If a search request comes in and there is no current
         registered searcher, then immediately register the still
         warming searcher and use it.  If "false" then all requests
         will block until the first searcher is done warming.
      -->
    <useColdSearcher>false</useColdSearcher>
  </query>
  <!-- Request Dispatcher
       This section contains instructions for how the SolrDispatchFilter
       should behave when processing requests for this SolrCore.
    -->
  <requestDispatcher>
    <httpCaching never304="true" />
  </requestDispatcher>
  <!-- Request Handlers
       http://wiki.apache.org/solr/SolrRequestHandler
       Incoming queries will be dispatched to a specific handler by name
       based on the path specified in the request.
       If a Request Handler is declared with startup="lazy", then it will
       not be initialized until the first request that uses it.
    -->
  <!-- SearchHandler
       http://wiki.apache.org/solr/SearchHandler
       For processing Search Queries, the primary Request Handler
       provided with Solr is "SearchHandler" It delegates to a sequent
       of SearchComponents (see below) and supports distributed
       queries across multiple shards
    -->
  <requestHandler name="/select" class="solr.SearchHandler">
    <!-- default values for query parameters can be specified, these
         will be overridden by parameters in the request
      -->
    <lst name="defaults">
      <str name="echoParams">explicit</str>
      <int name="rows">10</int>
    </lst>
  </requestHandler>
  <initParams path="/update/**,/select">
    <lst name="defaults">
      <str name="df">_text_</str>
    </lst>
  </initParams>
  <!-- Response Writers
       http://wiki.apache.org/solr/QueryResponseWriter
       Request responses will be written using the writer specified by
       the 'wt' request parameter matching the name of a registered
       writer.
       The "default" writer is the default and will be used if 'wt' is
       not specified in the request.
    -->
  <queryResponseWriter name="xml"
                       default="true"
                       class="solr.XMLResponseWriter" />
 </config>
--- a/data/Dockerfiles/solr/solr-schema-7.7.0.xml
+++ b/data/Dockerfiles/solr/solr-schema-7.7.0.xml
@@ -0,0 +1,49 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <schema name="dovecot-fts" version="2.0">
  <fieldType name="string" class="solr.StrField" omitNorms="true" sortMissingLast="true"/>
  <fieldType name="long" class="solr.LongPointField" positionIncrementGap="0"/>
  <fieldType name="boolean" class="solr.BoolField" sortMissingLast="true"/>
  <fieldType name="text" class="solr.TextField" autoGeneratePhraseQueries="true" positionIncrementGap="100">
    <analyzer type="index">
      <tokenizer class="solr.StandardTokenizerFactory"/>
      <filter class="solr.EdgeNGramFilterFactory" minGramSize="3" maxGramSize="20"/>
      <filter class="solr.StopFilterFactory" words="stopwords.txt" ignoreCase="true"/>
      <filter class="solr.WordDelimiterGraphFilterFactory" catenateNumbers="1" generateNumberParts="1" splitOnCaseChange="1" generateWordParts="1" splitOnNumerics="1" catenateAll="1" catenateWords="1"/>
      <filter class="solr.FlattenGraphFilterFactory"/>
      <filter class="solr.LowerCaseFilterFactory"/>
      <filter class="solr.KeywordMarkerFilterFactory" protected="protwords.txt"/>
      <filter class="solr.PorterStemFilterFactory"/>
    </analyzer>
    <analyzer type="query">
      <tokenizer class="solr.StandardTokenizerFactory"/>
      <filter class="solr.SynonymGraphFilterFactory" expand="true" ignoreCase="true" synonyms="synonyms.txt"/>
      <filter class="solr.FlattenGraphFilterFactory"/>
      <filter class="solr.StopFilterFactory" words="stopwords.txt" ignoreCase="true"/>
      <filter class="solr.WordDelimiterGraphFilterFactory" catenateNumbers="1" generateNumberParts="1" splitOnCaseChange="1" generateWordParts="1" splitOnNumerics="1" catenateAll="1" catenateWords="1"/>
      <filter class="solr.LowerCaseFilterFactory"/>
      <filter class="solr.KeywordMarkerFilterFactory" protected="protwords.txt"/>
      <filter class="solr.PorterStemFilterFactory"/>
    </analyzer>
  </fieldType>
  <field name="id" type="string" indexed="true" required="true" stored="true"/>
  <field name="uid" type="long" indexed="true" required="true" stored="true"/>
  <field name="box" type="string" indexed="true" required="true" stored="true"/>
  <field name="user" type="string" indexed="true" required="true" stored="true"/>
  <field name="hdr" type="text" indexed="true" stored="false"/>
  <field name="body" type="text" indexed="true" stored="false"/>
  <field name="from" type="text" indexed="true" stored="false"/>
  <field name="to" type="text" indexed="true" stored="false"/>
  <field name="cc" type="text" indexed="true" stored="false"/>
  <field name="bcc" type="text" indexed="true" stored="false"/>
  <field name="subject" type="text" indexed="true" stored="false"/>
  <!-- Used by Solr internally: -->
  <field name="_version_" type="long" indexed="true" stored="true"/>
  <uniqueKey>id</uniqueKey>
 </schema>
--- a/data/Dockerfiles/solr/solr.sh
+++ b/data/Dockerfiles/solr/solr.sh
@@ -0,0 +1,61 @@
 #!/bin/bash
 if [[ "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
  echo "SKIP_SOLR=y, skipping Solr..."
  sleep 365d
  exit 0
 fi
 MEM_TOTAL=$(awk '/MemTotal/ {print $2}' /proc/meminfo)
 if [[ "${1}" != "--bootstrap" ]]; then
  if [ ${MEM_TOTAL} -lt "2097152" ]; then
    echo "System memory less than 2 GB, skipping Solr..."
    sleep 365d
    exit 0
  fi
 fi
 set -e
 # run the optional initdb
 . /opt/docker-solr/scripts/run-initdb
 # fixing volume permission
 [[ -d /opt/solr/server/solr/dovecot-fts/data ]] && chown -R solr:solr /opt/solr/server/solr/dovecot-fts/data
 if [[ "${1}" != "--bootstrap" ]]; then
  sed -i '/SOLR_HEAP=/c\SOLR_HEAP="'${SOLR_HEAP:-1024}'m"' /opt/solr/bin/solr.in.sh
 else
  sed -i '/SOLR_HEAP=/c\SOLR_HEAP="256m"' /opt/solr/bin/solr.in.sh
 fi
 if [[ "${1}" == "--bootstrap" ]]; then
  echo "Creating initial configuration"
  echo "Modifying default config set"
  cp /solr-config-7.7.0.xml /opt/solr/server/solr/configsets/_default/conf/solrconfig.xml
  cp /solr-schema-7.7.0.xml /opt/solr/server/solr/configsets/_default/conf/schema.xml
  rm /opt/solr/server/solr/configsets/_default/conf/managed-schema
  echo "Starting local Solr instance to setup configuration"
  gosu solr start-local-solr
  echo "Creating core \"dovecot-fts\""
  gosu solr /opt/solr/bin/solr create -c "dovecot-fts"
  # See https://github.com/docker-solr/docker-solr/issues/27
  echo "Checking core"
  while ! wget -O - 'http://localhost:8983/solr/admin/cores?action=STATUS' | grep -q instanceDir; do
    echo "Could not find any cores, waiting..."
    sleep 3
  done
  echo "Created core \"dovecot-fts\""
  echo "Stopping local Solr"
  gosu solr stop-local-solr
  exit 0
 fi
 exec gosu solr solr-foreground
--- a/data/Dockerfiles/unbound/Dockerfile
+++ b/data/Dockerfiles/unbound/Dockerfile
@@ -1,36 +1,30 @@
-FROM alpine:3.21
+FROM alpine:3.18
-LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
+LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
 RUN apk add --update --no-cache \
 	curl \
 	bind-tools \
-	coreutils \
+	netcat-openbsd \
 	unbound \
 	bash \
 	openssl \
 	drill \
 	tzdata \
 	syslog-ng \
 	supervisor \
 	&& curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache \
 	&& chown root:unbound /etc/unbound \
-    && adduser unbound tty \
+  && adduser unbound tty \
 	&& chmod 775 /etc/unbound
 EXPOSE 53/udp 53/tcp
 COPY docker-entrypoint.sh /docker-entrypoint.sh
-# healthcheck (dig, ping)
+# healthcheck (nslookup)
 COPY healthcheck.sh /healthcheck.sh
 COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
 COPY supervisord.conf /etc/supervisor/supervisord.conf
 COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
 RUN chmod +x /healthcheck.sh
-HEALTHCHECK --interval=30s --timeout=10s \
+HEALTHCHECK --interval=5s --timeout=30s CMD [ "/healthcheck.sh" ]
  CMD sh -c '[ -f /tmp/healthcheck_status ] && [ "$(cat /tmp/healthcheck_status)" -eq 0 ] || exit 1'
 ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
+
 CMD ["/usr/sbin/unbound"]
--- a/data/Dockerfiles/unbound/healthcheck.sh
+++ b/data/Dockerfiles/unbound/healthcheck.sh
@@ -1,102 +1,99 @@
 #!/bin/bash
-STATUS_FILE="/tmp/healthcheck_status"
+# Skip Unbound (DNS Resolver) Healthchecks (NOT Recommended!)
-RUNS=0
+if [[ "${SKIP_UNBOUND_HEALTHCHECK}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
    SKIP_UNBOUND_HEALTHCHECK=y
 fi
-# Declare log function for logfile to stdout
+# Declare log function for logfile inside container
-function log_to_stdout() {
+function log_to_file() {
-echo "$(date +"%Y-%m-%d %H:%M:%S"): $1"
+    echo "$(date +"%Y-%m-%d %H:%M:%S"): $1" > /var/log/healthcheck.log
 }
 # General Ping function to check general pingability
 function check_ping() {
-declare -a ipstoping=("1.1.1.1" "8.8.8.8" "9.9.9.9")
+    declare -a ipstoping=("1.1.1.1" "8.8.8.8" "9.9.9.9")
 local fail_tolerance=1
 local failures=0
-for ip in "${ipstoping[@]}" ; do
+    for ip in "${ipstoping[@]}" ; do
-    success=false
+            ping -q -c 3 -w 5 "$ip"
-    for ((i=1; i<=3; i++)); do
+            if [ $? -ne 0 ]; then
-        ping -q -c 3 -w 5 "$ip" > /dev/null
+                log_to_file "Healthcheck: Couldn't ping $ip for 5 seconds... Gave up!"
-        if [ $? -eq 0 ]; then
+                log_to_file "Please check your internet connection or firewall rules to fix this error, because a simple ping test should always go through from the unbound container!"
-            success=true
+                return 1
-            break
+            fi
        else
            log_to_stdout "Healthcheck: Failed to ping $ip on attempt $i. Trying again..."
        fi
    done
-    if [ "$success" = false ]; then
+    log_to_file "Healthcheck: Ping Checks WORKING properly!"
-        log_to_stdout "Healthcheck: Couldn't ping $ip after 3 attempts. Marking this IP as failed."
+    return 0
        ((failures++))
    fi
 done
 if [ $failures -gt $fail_tolerance ]; then
    log_to_stdout "Healthcheck: Too many ping failures ($fail_tolerance failures allowed, you got $failures failures), marking Healthcheck as unhealthy..."
    return 1
 fi
 return 0
 }
 # General DNS Resolve Check against Unbound Resolver himself
 function check_dns() {
-declare -a domains=("fuzzy.mailcow.email" "github.com" "hub.docker.com")
+    declare -a domains=("mailcow.email" "github.com" "hub.docker.com")
 local fail_tolerance=1
 local failures=0
-for domain in "${domains[@]}" ; do
+    for domain in "${domains[@]}" ; do
-    success=false
+        for ((i=1; i<=3; i++)); do
-    for ((i=1; i<=3; i++)); do
+            dig +short +timeout=2 +tries=1 "$domain" @127.0.0.1 > /dev/null
-        dig_output=$(dig +short +timeout=2 +tries=1 "$domain" @127.0.0.1 2>/dev/null)
+        if [ $? -ne 0 ]; then
-        dig_rc=$?
+            log_to_file "Healthcheck: DNS Resolution Failed on $i attempt! Trying again..."
-
+            if [ $i -eq 3 ]; then
-        if [ $dig_rc -ne 0 ] || [ -z "$dig_output" ]; then
+                log_to_file "Healthcheck: DNS Resolution not possible after $i attempts... Gave up!"
-            log_to_stdout "Healthcheck: DNS Resolution Failed on attempt $i for $domain! Trying again..."
+                log_to_file "Maybe check your outbound firewall, as it needs to resolve DNS over TCP AND UDP!"
-        else
+                return 1
-            success=true
+            fi
            break
        fi
        done
    done
-    if [ "$success" = false ]; then
+    log_to_file "Healthcheck: DNS Resolver WORKING properly!"
-        log_to_stdout "Healthcheck: DNS Resolution not possible after 3 attempts for $domain... Gave up!"
+    return 0
        ((failures++))
    fi
 done
 if [ $failures -gt $fail_tolerance ]; then
    log_to_stdout "Healthcheck: Too many DNS failures ($fail_tolerance failures allowed, you got $failures failures), marking Healthcheck as unhealthy..."
    return 1
 fi
 return 0
 }
-while true; do
+# Simple Netcat Check to connect to common webports
 function check_netcat() {
    declare -a domains=("mailcow.email" "github.com" "hub.docker.com")
    declare -a ports=("80" "443")
-    if [[ ${SKIP_UNBOUND_HEALTHCHECK} == "y" ]]; then
+    for domain in "${domains[@]}" ; do
-    log_to_stdout "Healthcheck: ALL CHECKS WERE SKIPPED! Unbound is healthy!"
+        for port in "${ports[@]}" ; do
-    echo "0" > $STATUS_FILE
+            nc -z -w 2 $domain $port
-    sleep 365d
+            if [ $? -ne 0 ]; then
-    fi
+                log_to_file "Healthcheck: Could not reach $domain on Port $port... Gave up!"
                log_to_file "Please check your internet connection or firewall rules to fix this error."
                return 1
            fi
        done
    done
-    # run checks, if check is not returning 0 (return value if check is ok), healthcheck will exit with 1 (marked in docker as unhealthy)
+    log_to_file "Healthcheck: Netcat Checks WORKING properly!"
-    check_ping
+    return 0
    PING_STATUS=$?
-    check_dns
+}
    DNS_STATUS=$?
-    if [ $PING_STATUS -ne 0 ] || [ $DNS_STATUS -ne 0 ]; then
+if [[ ${SKIP_UNBOUND_HEALTHCHECK} == "y" ]]; then
-        echo "1" > $STATUS_FILE
+    log_to_file "Healthcheck: ALL CHECKS WERE SKIPPED! Unbound is healthy!"
    exit 0
 fi
-    else
+# run checks, if check is not returning 0 (return value if check is ok), healthcheck will exit with 1 (marked in docker as unhealthy)
-        echo "0" > $STATUS_FILE
+check_ping
    fi
-    sleep 30
+if [ $? -ne 0 ]; then
    exit 1
 fi
-done
+check_dns
 if [ $? -ne 0 ]; then
    exit 1
 fi
 check_netcat
 if [ $? -ne 0 ]; then
    exit 1
 fi
 log_to_file "Healthcheck: ALL CHECKS WERE SUCCESSFUL! Unbound is healthy!"
 exit 0
--- a/data/Dockerfiles/unbound/stop-supervisor.sh
+++ b/data/Dockerfiles/unbound/stop-supervisor.sh
@@ -1,10 +0,0 @@
 #!/bin/bash
 printf "READY\n";
 while read line; do
  echo "Processing Event: $line" >&2;
  kill -3 $(cat "/var/run/supervisord.pid")
 done < /dev/stdin
 rm -rf /tmp/healthcheck_status
--- a/data/Dockerfiles/unbound/supervisord.conf
+++ b/data/Dockerfiles/unbound/supervisord.conf
@@ -1,32 +0,0 @@
 [supervisord]
 nodaemon=true
 user=root
 pidfile=/var/run/supervisord.pid
 [program:syslog-ng]
 command=/usr/sbin/syslog-ng --foreground --no-caps
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autostart=true
 [program:unbound]
 command=/usr/sbin/unbound
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autorestart=true
 [program:unbound-healthcheck]
 command=/bin/bash /healthcheck.sh
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autorestart=true
 [eventlistener:processes]
 command=/usr/local/sbin/stop-supervisor.sh
 events=PROCESS_STATE_STOPPED, PROCESS_STATE_EXITED, PROCESS_STATE_FATAL
--- a/data/Dockerfiles/unbound/syslog-ng.conf
+++ b/data/Dockerfiles/unbound/syslog-ng.conf
@@ -1,21 +0,0 @@
@version: 4.5
@include "scl.conf"
 options {
  chain_hostnames(off);
  flush_lines(0);
  use_dns(no);
  use_fqdn(no);
  owner("root"); group("adm"); perm(0640);
  stats(freq(0));
  keep_timestamp(no);
  bad_hostname("^gconfd$");
 };
 source s_dgram {
  unix-dgram("/dev/log");
  internal();
 };
 destination d_stdout { pipe("/dev/stdout"); };
 log {
  source(s_dgram);
  destination(d_stdout);
 };
--- a/data/Dockerfiles/watchdog/Dockerfile
+++ b/data/Dockerfiles/watchdog/Dockerfile
@@ -1,6 +1,5 @@
-FROM alpine:3.21
+FROM alpine:3.18
-
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 # Installation
 RUN apk add --update \
@@ -16,6 +15,7 @@ RUN apk add --update \
  fcgi \
  openssl \
  nagios-plugins-mysql \
  nagios-plugins-dns \
  nagios-plugins-disk \
  bind-tools \
  redis \
@@ -31,11 +31,9 @@ RUN apk add --update \
  tzdata \
  whois \
  && curl https://raw.githubusercontent.com/mludvig/smtp-cli/v3.10/smtp-cli -o /smtp-cli \
-  && chmod +x smtp-cli \
+  && chmod +x smtp-cli
  && mkdir /usr/lib/mailcow
 COPY watchdog.sh /watchdog.sh
 COPY check_mysql_slavestatus.sh /usr/lib/nagios/plugins/check_mysql_slavestatus.sh
 COPY check_dns.sh /usr/lib/mailcow/check_dns.sh
-CMD ["/watchdog.sh"]
+CMD /watchdog.sh
--- a/data/Dockerfiles/watchdog/check_dns.sh
+++ b/data/Dockerfiles/watchdog/check_dns.sh
@@ -1,39 +0,0 @@
 #!/bin/sh
 while getopts "H:s:" opt; do
  case "$opt" in
    H) HOST="$OPTARG" ;;
    s) SERVER="$OPTARG" ;;
    *) echo "Usage: $0 -H host -s server"; exit 3 ;;
  esac
 done
 if [ -z "$SERVER" ]; then
  echo "No DNS Server provided"
  exit 3
 fi
 if [ -z "$HOST" ]; then
  echo "No host to test provided"
  exit 3
 fi
 # run dig and measure the time it takes to run
 START_TIME=$(date +%s%3N)
 dig_output=$(dig +short +timeout=2 +tries=1 "$HOST" @"$SERVER" 2>/dev/null)
 dig_rc=$?
 dig_output_ips=$(echo "$dig_output" | grep -E '^[0-9.]+$' | sort | paste -sd ',' -)
 END_TIME=$(date +%s%3N)
 ELAPSED_TIME=$((END_TIME - START_TIME))
 # validate and perform nagios like output and exit codes
 if [ $dig_rc -ne 0 ] || [ -z "$dig_output" ]; then
  echo "Domain $HOST was not found by the server"
  exit 2
 elif [ $dig_rc -eq 0 ]; then
  echo "DNS OK: $ELAPSED_TIME ms response time. $HOST returns $dig_output_ips"
  exit 0
 else
  echo "Unknown error"
  exit 3
 fi
--- a/data/Dockerfiles/watchdog/check_mysql_slavestatus.sh
+++ b/data/Dockerfiles/watchdog/check_mysql_slavestatus.sh
@@ -49,7 +49,7 @@
 # 2013101601 Optical clean up                                           #
 # 2013101602 Rewrite help output                                        #
 # 2013101700 Handle Slave IO in 'Connecting' state                      #
-# 2013101701 Minor changes in output, handling UNKNOWN situations now   #
+# 2013101701 Minor changes in output, handling UNKWNON situations now   #
 # 2013101702 Exit CRITICAL when Slave IO in Connecting state            #
 # 2013123000 Slave_SQL_Running also matched Slave_SQL_Running_State     #
 # 2015011600 Added 'moving' check to catch possible connection issues   #
@@ -132,9 +132,9 @@ fi
 # Connect to the DB server and store output in vars
 if [[ -n $socket ]]; then 
-  ConnectionResult=$(mariadb --skip-ssl ${optfile} ${socket} ${user} -e "show slave ${connection} status\G" 2>&1)
+  ConnectionResult=$(mysql ${optfile} ${socket} ${user} -e "show slave ${connection} status\G" 2>&1)
 else
-  ConnectionResult=$(mariadb --skip-ssl ${optfile} ${host} ${port} ${user} -e "show slave ${connection} status\G" 2>&1)
+  ConnectionResult=$(mysql ${optfile} ${host} ${port} ${user} -e "show slave ${connection} status\G" 2>&1)
 fi
 if [ -z "`echo "${ConnectionResult}" |grep Slave_IO_State`" ]; then
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -1,10 +1,5 @@
 #!/bin/bash
 if [ "${DEV_MODE}" != "n" ]; then
  echo -e "\e[31mEnabled Debug Mode\e[0m"
  set -x
 fi
 trap "exit" INT TERM
 trap "kill 0" EXIT
@@ -38,16 +33,16 @@ if [[ ! -p /tmp/com_pipe ]]; then
 fi
 # Wait for containers
-while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
+while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
  echo "Waiting for SQL..."
  sleep 2
 done
 # Do not attempt to write to slave
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
+  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
+  REDIS_CMDLINE="redis-cli -h redis -p 6379"
 fi
 until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
@@ -174,12 +169,8 @@ function notify_error() {
      return 1
    fi
    # Escape subject and body (https://stackoverflow.com/a/2705678)
    ESCAPED_SUBJECT=$(echo ${SUBJECT} | sed -e 's/[\/&]/\\&/g')
    ESCAPED_BODY=$(echo ${BODY} | sed -e 's/[\/&]/\\&/g')
    # Replace subject and body placeholders
-    WEBHOOK_BODY=$(echo ${WATCHDOG_NOTIFY_WEBHOOK_BODY} | sed -e "s/\$SUBJECT\|\${SUBJECT}/$ESCAPED_SUBJECT/g" -e "s/\$BODY\|\${BODY}/$ESCAPED_BODY/g")
+    WEBHOOK_BODY=$(echo ${WATCHDOG_NOTIFY_WEBHOOK_BODY} | sed "s/\$SUBJECT\|\${SUBJECT}/$SUBJECT/g" | sed "s/\$BODY\|\${BODY}/$BODY/g")
    # POST to webhook
    curl -X POST -H "Content-Type: application/json" ${CURL_VERBOSE} -d "${WEBHOOK_BODY}" ${WATCHDOG_NOTIFY_WEBHOOK}
@@ -200,12 +191,12 @@ get_container_ip() {
    else
      sleep 0.5
      # get long container id for exact match
-      CONTAINER_ID=($(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring == \"${1}\") | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id"))
+      CONTAINER_ID=($(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring == \"${1}\") | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id"))
      # returned id can have multiple elements (if scaled), shuffle for random test
      CONTAINER_ID=($(printf "%s\n" "${CONTAINER_ID[@]}" | shuf))
      if [[ ! -z ${CONTAINER_ID} ]]; then
        for matched_container in "${CONTAINER_ID[@]}"; do
-          CONTAINER_IPS=($(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${matched_container}/json | jq -r '.NetworkSettings.Networks[].IPAddress'))
+          CONTAINER_IPS=($(curl --silent --insecure https://dockerapi/containers/${matched_container}/json | jq -r '.NetworkSettings.Networks[].IPAddress'))
          for ip_match in "${CONTAINER_IPS[@]}"; do
            # grep will do nothing if one of these vars is empty
            [[ -z ${ip_match} ]] && continue
@@ -239,7 +230,7 @@ external_checks() {
  diff_c=0
  THRESHOLD=${EXTERNAL_CHECKS_THRESHOLD}
  # Reduce error count by 2 after restarting an unhealthy container
-  GUID=$(mariadb --skip-ssl -u${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions WHERE application = 'GUID'" -BN)
+  GUID=$(mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions WHERE application = 'GUID'" -BN)
  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
  while [ ${err_count} -lt ${THRESHOLD} ]; do
    err_c_cur=${err_count}
@@ -302,7 +293,7 @@ unbound_checks() {
    touch /tmp/unbound-mailcow; echo "$(tail -50 /tmp/unbound-mailcow)" > /tmp/unbound-mailcow
    host_ip=$(get_container_ip unbound-mailcow)
    err_c_cur=${err_count}
-    /usr/lib/mailcow/check_dns.sh -s ${host_ip} -H stackoverflow.com 2>> /tmp/unbound-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_dns -s ${host_ip} -H stackoverflow.com 2>> /tmp/unbound-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
    DNSSEC=$(dig com +dnssec | egrep 'flags:.+ad')
    if [[ -z ${DNSSEC} ]]; then
      echo "DNSSEC failure" 2>> /tmp/unbound-mailcow 1>&2
@@ -335,7 +326,7 @@ redis_checks() {
    touch /tmp/redis-mailcow; echo "$(tail -50 /tmp/redis-mailcow)" > /tmp/redis-mailcow
    host_ip=$(get_container_ip redis-mailcow)
    err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_tcp -4 -H redis-mailcow -p 6379 -E -s "AUTH ${REDISPASS}\nPING\n" -q "QUIT" -e "PONG" 2>> /tmp/redis-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_tcp -4 -H redis-mailcow -p 6379 -E -s "PING\n" -q "QUIT" -e "PONG" 2>> /tmp/redis-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
    progress "Redis" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
@@ -450,31 +441,6 @@ postfix_checks() {
  return 1
 }
 postfix-tlspol_checks() {
  err_count=0
  diff_c=0
  THRESHOLD=${POSTFIX_TLSPOL_THRESHOLD}
  # Reduce error count by 2 after restarting an unhealthy container
  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
  while [ ${err_count} -lt ${THRESHOLD} ]; do
    touch /tmp/postfix-tlspol-mailcow; echo "$(tail -50 /tmp/postfix-tlspol-mailcow)" > /tmp/postfix-tlspol-mailcow
    host_ip=$(get_container_ip postfix-tlspol-mailcow)
    err_c_cur=${err_count}
    /usr/lib/nagios/plugins/check_tcp -4 -H ${host_ip} -p 8642 2>> /tmp/postfix-tlspol-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
    progress "Postfix TLS Policy companion" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
    if [[ $? == 10 ]]; then
      diff_c=0
      sleep 1
    else
      diff_c=0
      sleep $(( ( RANDOM % 60 ) + 20 ))
    fi
  done
  return 1
 }
 clamd_checks() {
  err_count=0
  diff_c=0
@@ -533,12 +499,12 @@ dovecot_repl_checks() {
  err_count=0
  diff_c=0
  THRESHOLD=${DOVECOT_REPL_THRESHOLD}
-  D_REPL_STATUS=$(redis-cli -h redis -a ${REDISPASS} --no-auth-warning -r GET DOVECOT_REPL_HEALTH)
+  D_REPL_STATUS=$(redis-cli -h redis -r GET DOVECOT_REPL_HEALTH)
  # Reduce error count by 2 after restarting an unhealthy container
  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
  while [ ${err_count} -lt ${THRESHOLD} ]; do
    err_c_cur=${err_count}
-    D_REPL_STATUS=$(redis-cli --raw -h redis -a ${REDISPASS} --no-auth-warning GET DOVECOT_REPL_HEALTH)
+    D_REPL_STATUS=$(redis-cli --raw -h redis GET DOVECOT_REPL_HEALTH)
    if [[ "${D_REPL_STATUS}" != "1" ]]; then
      err_count=$(( ${err_count} + 1 ))
    fi
@@ -608,19 +574,19 @@ ratelimit_checks() {
  err_count=0
  diff_c=0
  THRESHOLD=${RATELIMIT_THRESHOLD}
-  RL_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} --no-auth-warning LRANGE RL_LOG 0 0 | jq .qid)
+  RL_LOG_STATUS=$(redis-cli -h redis LRANGE RL_LOG 0 0 | jq .qid)
  # Reduce error count by 2 after restarting an unhealthy container
  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
  while [ ${err_count} -lt ${THRESHOLD} ]; do
    err_c_cur=${err_count}
    RL_LOG_STATUS_PREV=${RL_LOG_STATUS}
-    RL_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} --no-auth-warning LRANGE RL_LOG 0 0 | jq .qid)
+    RL_LOG_STATUS=$(redis-cli -h redis LRANGE RL_LOG 0 0 | jq .qid)
    if [[ ${RL_LOG_STATUS_PREV} != ${RL_LOG_STATUS} ]]; then
      err_count=$(( ${err_count} + 1 ))
      echo 'Last 10 applied ratelimits (may overlap with previous reports).' > /tmp/ratelimit
      echo 'Full ratelimit buckets can be emptied by deleting the ratelimit hash from within mailcow UI (see /debug -> Protocols -> Ratelimit):' >> /tmp/ratelimit
      echo >> /tmp/ratelimit
-      redis-cli --raw -h redis -a ${REDISPASS} --no-auth-warning LRANGE RL_LOG 0 10 | jq . >> /tmp/ratelimit
+      redis-cli --raw -h redis LRANGE RL_LOG 0 10 | jq . >> /tmp/ratelimit
    fi
    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
@@ -703,7 +669,7 @@ acme_checks() {
  err_count=0
  diff_c=0
  THRESHOLD=${ACME_THRESHOLD}
-  ACME_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} --no-auth-warning GET ACME_FAIL_TIME)
+  ACME_LOG_STATUS=$(redis-cli -h redis GET ACME_FAIL_TIME)
  if [[ -z "${ACME_LOG_STATUS}" ]]; then
    ${REDIS_CMDLINE} SET ACME_FAIL_TIME 0
    ACME_LOG_STATUS=0
@@ -715,7 +681,7 @@ acme_checks() {
    ACME_LOG_STATUS_PREV=${ACME_LOG_STATUS}
    ACME_LC=0
    until [[ ! -z ${ACME_LOG_STATUS} ]] || [ ${ACME_LC} -ge 3 ]; do
-      ACME_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} --no-auth-warning GET ACME_FAIL_TIME 2> /dev/null)
+      ACME_LOG_STATUS=$(redis-cli -h redis GET ACME_FAIL_TIME 2> /dev/null)
      sleep 3
      ACME_LC=$((ACME_LC+1))
    done
@@ -750,7 +716,7 @@ rspamd_checks() {
 From: watchdog@localhost
 Empty
-' | usr/bin/curl --max-time 10 -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/scan | jq -rc .default.required_score | sed 's/\..*//' )
+' | usr/bin/curl --max-time 10 -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/scan | jq -rc .default.required_score | sed 's/\..*//' )
    if [[ ${SCORE} -ne 9999 ]]; then
      echo "Rspamd settings check failed, score returned: ${SCORE}" 2>> /tmp/rspamd-mailcow 1>&2
      err_count=$(( ${err_count} + 1))
@@ -952,18 +918,6 @@ PID=$!
 echo "Spawned mailq_checks with PID ${PID}"
 BACKGROUND_TASKS+=(${PID})
 (
 while true; do
  if ! postfix-tlspol_checks; then
    log_msg "Postfix TLS Policy hit error limit"
    echo postfix-tlspol-mailcow > /tmp/com_pipe
  fi
 done
 ) &
 PID=$!
 echo "Spawned postfix-tlspol_checks with PID ${PID}"
 BACKGROUND_TASKS+=(${PID})
 (
 while true; do
  if ! dovecot_checks; then
@@ -1036,7 +990,6 @@ PID=$!
 echo "Spawned cert_checks with PID ${PID}"
 BACKGROUND_TASKS+=(${PID})
 if [[ "${SKIP_OLEFY}" =~ ^([nN][oO]|[nN])+$ ]]; then
 (
 while true; do
  if ! olefy_checks; then
@@ -1048,7 +1001,6 @@ done
 PID=$!
 echo "Spawned olefy_checks with PID ${PID}"
 BACKGROUND_TASKS+=(${PID})
 fi
 (
 while true; do
@@ -1143,12 +1095,12 @@ while true; do
  elif [[ ${com_pipe_answer} =~ .+-mailcow ]]; then
    kill -STOP ${BACKGROUND_TASKS[*]}
    sleep 10
-    CONTAINER_ID=$(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"${com_pipe_answer}\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id")
+    CONTAINER_ID=$(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"${com_pipe_answer}\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id")
    if [[ ! -z ${CONTAINER_ID} ]]; then
      if [[ "${com_pipe_answer}" == "php-fpm-mailcow" ]]; then
-        HAS_INITDB=$(curl --silent --insecure -XPOST https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/top | jq '.msg.Processes[] | contains(["php -c /usr/local/etc/php -f /web/inc/init_db.inc.php"])' | grep true)
+        HAS_INITDB=$(curl --silent --insecure -XPOST https://dockerapi/containers/${CONTAINER_ID}/top | jq '.msg.Processes[] | contains(["php -c /usr/local/etc/php -f /web/inc/init_db.inc.php"])' | grep true)
      fi
-      S_RUNNING=$(($(date +%s) - $(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/json | jq .State.StartedAt | xargs -n1 date +%s -d)))
+      S_RUNNING=$(($(date +%s) - $(curl --silent --insecure https://dockerapi/containers/${CONTAINER_ID}/json | jq .State.StartedAt | xargs -n1 date +%s -d)))
      if [ ${S_RUNNING} -lt 360 ]; then
        log_msg "Container is running for less than 360 seconds, skipping action..."
      elif [[ ! -z ${HAS_INITDB} ]]; then
@@ -1156,7 +1108,7 @@ while true; do
        sleep 60
      else
        log_msg "Sending restart command to ${CONTAINER_ID}..."
-        curl --silent --insecure -XPOST https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/restart
+        curl --silent --insecure -XPOST https://dockerapi/containers/${CONTAINER_ID}/restart
        notify_error "${com_pipe_answer}"
        log_msg "Wait for restarted container to settle and continue watching..."
        sleep 35
--- a/data/assets/nextcloud/nextcloud.conf
+++ b/data/assets/nextcloud/nextcloud.conf
@@ -0,0 +1,130 @@
 map $http_x_forwarded_proto $client_req_scheme_nc {
     default $scheme;
     https https;
 }
 server {
  include /etc/nginx/conf.d/listen_ssl.active;
  include /etc/nginx/conf.d/listen_plain.active;
  include /etc/nginx/mime.types;
  charset utf-8;
  override_charset on;
  ssl_certificate /etc/ssl/mail/cert.pem;
  ssl_certificate_key /etc/ssl/mail/key.pem;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
  ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 1d;
  ssl_session_tickets off;
  add_header Referrer-Policy "no-referrer" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header X-Download-Options "noopen" always;
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-Permitted-Cross-Domain-Policies "none" always;
  add_header X-Robots-Tag "noindex, nofollow" always;
  add_header X-XSS-Protection "1; mode=block" always;
  fastcgi_hide_header X-Powered-By;
  server_name NC_SUBD;
  root /web/nextcloud/;
  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }
  location = /.well-known/carddav {
    return 301 $client_req_scheme_nc://$host/remote.php/dav;
  }
  location = /.well-known/caldav {
    return 301 $client_req_scheme_nc://$host/remote.php/dav;
  }
  location = /.well-known/webfinger {
    return 301 $client_req_scheme_nc://$host/index.php/.well-known/webfinger;
  }
  location = /.well-known/nodeinfo {
    return 301 $client_req_scheme_nc://$host/index.php/.well-known/nodeinfo;
  }
  location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /web;
  }
  fastcgi_buffers 64 4K;
  gzip on;
  gzip_vary on;
  gzip_comp_level 4;
  gzip_min_length 256;
  gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
  gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
  set_real_ip_from fc00::/7;
  set_real_ip_from 10.0.0.0/8;
  set_real_ip_from 172.16.0.0/12;
  set_real_ip_from 192.168.0.0/16;
  real_ip_header X-Forwarded-For;
  real_ip_recursive on;
  location / {
    rewrite ^ /index.php$uri;
  }
  location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
    deny all;
  }
  location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
    deny all;
  }
  location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+)\.php(?:$|\/) {
    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_param HTTPS on;
    # Avoid sending the security headers twice
    fastcgi_param modHeadersAvailable true;
    # Enable pretty urls
    fastcgi_param front_controller_active true;
    fastcgi_pass phpfpm:9002;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
    client_max_body_size 0;
    fastcgi_read_timeout 1200;
  }
  location ~ ^\/(?:updater|ocs-provider)(?:$|\/) {
    try_files $uri/ =404;
    index index.php;
  }
  location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
    try_files $uri /index.php$request_uri;
    add_header Cache-Control "public, max-age=15778463";
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;
    access_log off;
  }
  location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
    try_files $uri /index.php$request_uri;
    access_log off;
  }
 }
--- a/data/assets/nextcloud/occ
+++ b/data/assets/nextcloud/occ
@@ -0,0 +1,2 @@
 #!/bin/bash
 docker exec -it -u www-data $(docker ps -f name=php-fpm-mailcow -q) php /web/nextcloud/occ ${@}
--- a/data/assets/ssl-example/dhparams.pem
+++ b/data/assets/ssl-example/dhparams.pem
@@ -1,8 +1,8 @@
 -----BEGIN DH PARAMETERS-----
-MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+MIIBCAKCAQEA9iHB0CRDhV8wfBgqnmvuJpl0fzL3qL75R4ZvQHlfMNLrxuIz2x9D
-+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+9zcDhPcBTVzV5Ay0AAkke4wP6r6wDQqXqBP4Y8IOkYAyLh3jM40jfHQzQt+5JdQl
-87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+ond3kiscBsFOch/vMfSLMu3lAb0YhPNTvrxhMz7LcVAWYl82swASupdiKR+MgaQr
-YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+XsugpmDKsHW60VmIM9B7K9Y+rNHwvMWkmISd0KxA8oOy1WJvsVEissMALZDE3c4w
-7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+2xHmO2lXxgEx3aez28736t4m/KW3g9Zr31a1M0KusmfY//fGkPk4NUrLBOS2xrgp
-ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+Y/rG1qSBdcVyerM0Ki93qCyHKYu4ene0OwIBAg==
 -----END DH PARAMETERS-----
--- a/data/assets/templates/pw_reset_html.tpl
+++ b/data/assets/templates/pw_reset_html.tpl
@@ -1,29 +0,0 @@
 <html>
  <head>
  <meta name="x-apple-disable-message-reformatting" />
  <style>
  body {
    font-family: Helvetica, Arial, Sans-Serif;
  }
  /* mobile devices */
  @media all and (max-width: 480px) {
    .mob {
      display: none;
    }    
  }
  </style>
  </head>
  <body>
 Hello {{username2}},<br><br>
 Somebody requested a new password for the {{hostname}} account associated with {{username}}.<br>
 <small>Date of the password reset request: {{date}}</small><br><br>
 You can reset your password by clicking the link below:<br>
 <a href="{{link}}">{{link}}</a><br><br>
 The link will be valid for the next {{token_lifetime}} minutes.<br><br>
 If you did not request a new password, please ignore this email.<br>
  </body>
 </html>
--- a/data/assets/templates/pw_reset_text.tpl
+++ b/data/assets/templates/pw_reset_text.tpl
@@ -1,11 +0,0 @@
 Hello {{username2}},
 Somebody requested a new password for the {{hostname}} account associated with {{username}}.
 Date of the password reset request: {{date}}
 You can reset your password by clicking the link below:
 {{link}}
 The link will be valid for the next {{token_lifetime}} minutes.
 If you did not request a new password, please ignore this email.
--- a/data/conf/dovecot/auth/mailcowauth.php
+++ b/data/conf/dovecot/auth/mailcowauth.php
@@ -22,25 +22,6 @@ if (file_exists('../../../web/inc/vars.local.inc.php')) {
 }
 require_once '../../../web/inc/lib/vendor/autoload.php';
 // Init Redis
 $redis = new Redis();
 try {
  if (!empty(getenv('REDIS_SLAVEOF_IP'))) {
    $redis->connect(getenv('REDIS_SLAVEOF_IP'), getenv('REDIS_SLAVEOF_PORT'));
  }
  else {
    $redis->connect('redis-mailcow', 6379);
  }
  $redis->auth(getenv("REDISPASS"));
 }
 catch (Exception $e) {
  error_log("MAILCOWAUTH: " . $e . PHP_EOL);
  http_response_code(500); // Internal Server Error
  echo json_encode($return);
  exit;
 }
 // Init database
 $dsn = $database_type . ":unix_socket=" . $database_sock . ";dbname=" . $database_name;
 $opt = [
@@ -63,49 +44,28 @@ require_once 'functions.inc.php';
 require_once 'functions.auth.inc.php';
 require_once 'sessions.inc.php';
 require_once 'functions.mailbox.inc.php';
-require_once 'functions.ratelimit.inc.php';
+
-require_once 'functions.acl.inc.php';
+// Init provider
 $iam_provider = identity_provider('init');
-$isSOGoRequest = $post['real_rip'] == getenv('IPV4_NETWORK') . '.248';
+$protocol = $post['protocol'];
-$result = false;
+if ($post['real_rip'] == getenv('IPV4_NETWORK') . '.248') {
-if ($isSOGoRequest) {
+  $protocol = null;
  // This is a SOGo Auth request. First check for SSO password.
  $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
  if ($sogo_sso_pass === $post['password']){
    error_log('MAILCOWAUTH: SOGo SSO auth for user ' . $post['username']);
    set_sasl_log($post['username'], $post['real_rip'], "SOGO");
    $result = true;
  }
 }
 $result = user_login($post['username'], $post['password'], $protocol, array('is_internal' => true));
 if ($result === false){
-  // If it's a SOGo Request, don't check for protocol access
+  $result = apppass_login($post['username'], $post['password'], $protocol, array(
  $service = ($isSOGoRequest) ? false : array($post['service'] => true);
  $result = apppass_login($post['username'], $post['password'], $service, array(
    'is_internal' => true,
    'remote_addr' => $post['real_rip']
  ));
  if ($result) {
    error_log('MAILCOWAUTH: App auth for user ' . $post['username'] . " with service " . $post['service'] . " from IP " . $post['real_rip']);
    set_sasl_log($post['username'], $post['real_rip'], $post['service']);
  }
 }
 if ($result === false){
  // Init Identity Provider
  $iam_provider = identity_provider('init');
  $iam_settings = identity_provider('get');
  $result = user_login($post['username'], $post['password'], array('is_internal' => true, 'service' => $post['service']));
  if ($result) {
    error_log('MAILCOWAUTH: User auth for user ' . $post['username'] . " with service " . $post['service'] . " from IP " . $post['real_rip']);
    set_sasl_log($post['username'], $post['real_rip'], $post['service']);
  }
 }
 if ($result) {
  http_response_code(200); // OK
  $return['success'] = true;
 } else {
-  error_log("MAILCOWAUTH: Login failed for user " . $post['username'] . " with service " . $post['service'] . " from IP " . $post['real_rip']);
+  error_log("MAILCOWAUTH: Login failed for user " . $post['username']);
  http_response_code(401); // Unauthorized
 }
--- a/data/conf/dovecot/auth/passwd-verify.lua
+++ b/data/conf/dovecot/auth/passwd-verify.lua
@@ -3,17 +3,18 @@ function auth_password_verify(request, password)
    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
  end
-  local json = require "cjson"
+  json = require "cjson"
-  local ltn12 = require "ltn12"
+  ltn12 = require "ltn12"
-  local https = require "ssl.https"
+  https = require "ssl.https"
-  https.TIMEOUT = 30
+  https.TIMEOUT = 5
  local req = {
    username = request.user,
    password = password,
    real_rip = request.real_rip,
-    service = request.service
+    protocol = {}
  }
  req.protocol[request.service] = true
  local req_json = json.encode(req)
  local res = {} 
@@ -28,24 +29,8 @@ function auth_password_verify(request, password)
    sink = ltn12.sink.table(res),
    insecure = true
  }
-
+  local api_response = json.decode(table.concat(res))
-  -- Returning PASSDB_RESULT_PASSWORD_MISMATCH will reset the user's auth cache entry.
+  if api_response.success == true then
  -- Returning PASSDB_RESULT_INTERNAL_FAILURE keeps the existing cache entry,
  -- even if the TTL has expired. Useful to avoid cache eviction during backend issues.
  if c ~= 200 and c ~= 401 then
    dovecot.i_info("HTTP request failed with " .. c .. " for user " .. request.user)
    return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Upstream error"
  end
  local response_str = table.concat(res)
  local is_response_valid, response_json = pcall(json.decode, response_str)
  if not is_response_valid then
    dovecot.i_info("Invalid JSON received: " .. response_str)
    return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Invalid response format"
  end
  if response_json.success == true then
    return dovecot.auth.PASSDB_RESULT_OK, ""
  end
--- a/data/conf/dovecot/conf.d/fts.conf
+++ b/data/conf/dovecot/conf.d/fts.conf
@@ -1,37 +0,0 @@
 # mailcow FTS Flatcurve Settings, change them as you like.
 plugin {
    fts_autoindex = yes
    fts_autoindex_exclude = \Junk
    fts_autoindex_exclude2 = \Trash
    # Tweak this setting if you only want to ensure big and frequent folders are indexed, not all.
    fts_autoindex_max_recent_msgs = 20
    fts = flatcurve
    # Maximum term length can be set via the 'maxlen' argument (maxlen is
    # specified in bytes, not number of UTF-8 characters)
    fts_tokenizer_email_address = maxlen=100
    fts_tokenizer_generic = algorithm=simple maxlen=30
    # These are not flatcurve settings, but required for Dovecot FTS. See
    # Dovecot FTS Configuration link above for further information.
    fts_languages = en es de
    fts_tokenizers = generic email-address
    # OPTIONAL: Recommended default FTS core configuration
    fts_filters = normalizer-icu snowball stopwords
    fts_filters_en = lowercase snowball english-possessive stopwords
    fts_index_timeout = 300s
 }
 ### THIS PART WILL BE CHANGED BY MODIFYING mailcow.conf AUTOMATICALLY DURING RUNTIME! ###
 service indexer-worker {
  # Max amount of simultaniously running indexer jobs.
  process_limit=1
  # Max amount of RAM used by EACH indexer process.
  vsz_limit=128 MB
 }
 ### THIS PART WILL BE CHANGED BY MODIFYING mailcow.conf AUTOMATICALLY DURING RUNTIME! ###
--- a/data/conf/dovecot/dovecot.conf
+++ b/data/conf/dovecot/dovecot.conf
@@ -10,7 +10,6 @@
 auth_mechanisms = plain login
 #mail_debug = yes
 #auth_debug = yes
 #log_debug = category=fts-flatcurve # Activate Logging for Flatcurve FTS Searchings
 log_path = syslog
 disable_plaintext_auth = yes
 # Uncomment on NFS share
@@ -53,7 +52,7 @@ mail_shared_explicit_inbox = yes
 mail_prefetch_count = 30
 passdb {
  driver = lua
-  args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes cache_key=%s:%u:%w
+  args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes
  result_success = return-ok
  result_failure = continue
  result_internalfail = continue
@@ -125,7 +124,6 @@ service managesieve-login {
 }
 service imap-login {
  service_count = 1
  process_min_avail = 2
  process_limit = 10000
  vsz_limit = 1G
  user = dovenull
@@ -141,7 +139,6 @@ service imap-login {
 }
 service pop3-login {
  service_count = 1
  process_min_avail = 1
  vsz_limit = 1G
  inet_listener pop3_haproxy {
    port = 10110
@@ -197,6 +194,9 @@ plugin {
  acl_shared_dict = file:/var/vmail/shared-mailboxes.db
  acl = vfile
  acl_user = %u
  fts = solr
  fts_autoindex = yes
  fts_solr = url=http://solr:8983/solr/dovecot-fts/
  quota = dict:Userquota::proxy::sqlquota
  quota_rule2 = Trash:storage=+100%%
  sieve = /var/vmail/sieve/%u.sieve
@@ -276,11 +276,10 @@ service stats {
  }
 }
 imap_max_line_length = 2 M
-auth_cache_verify_password_with_worker = yes
+#auth_cache_verify_password_with_worker = yes
-auth_cache_negative_ttl = 60s
+#auth_cache_negative_ttl = 0
-auth_cache_ttl = 300s
+#auth_cache_ttl = 30 s
-auth_cache_size = 10M
+#auth_cache_size = 2 M
 auth_verbose_passwords = sha1:6
 service replicator {
  process_min_avail = 1
 }
@@ -304,8 +303,8 @@ replication_dsync_parameters = -d -l 30 -U -n INBOX
 !include_try /etc/dovecot/sni.conf
 !include_try /etc/dovecot/sogo_trusted_ip.conf
 !include_try /etc/dovecot/extra.conf
 !include_try /etc/dovecot/sogo-sso.conf
 !include_try /etc/dovecot/shared_namespace.conf
 !include_try /etc/dovecot/conf.d/fts.conf
 # </Includes>
 default_client_limit = 10400
 default_vsz_limit = 1024 M
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
FreddleSpl0it	75eb1c42d5	[Web] add mTLS Authentication	2024-02-13 11:17:49 +01:00
FreddleSpl0it	a794c1ba6c	[Web] fix idp mailbox login	2024-02-05 17:15:36 +01:00
DerLinkman	b001097c54	dovecot: corrected dockerfile inside nightly	2024-02-05 15:57:44 +01:00
FreddleSpl0it	9e0d82e117	fix functions.inc.php, update sogo and dovecot nightly image	2024-02-05 15:22:02 +01:00
Geert Hauwaerts	6d6152a341	Fixed SQL query for retrieving SSO users.	2024-02-05 12:49:51 +01:00
FreddleSpl0it	9521a50dfb	[Web] add log messages to verify-sso function	2024-02-05 12:49:50 +01:00
FreddleSpl0it	24c4ea6f9e	[Web] add missing file to autodiscover.php	2024-02-05 12:49:50 +01:00
DerLinkman	95ee29dd6d	Updated Dovecot Image to use OpenSSL 3.0 fix	2024-02-05 12:49:42 +01:00
FreddleSpl0it	ca99280e5a	[Web] add configurable client scopes for generic-oidc	2024-02-05 12:49:12 +01:00
FreddleSpl0it	73fdf31144	[Web] dont rtrim generic-oidc urls	2024-02-05 12:49:12 +01:00
DerLinkman	a65f55d499	Update Dovecot to reuse lz4 compression	2024-02-05 12:48:57 +01:00
DerLinkman	a070a18f81	Use dedicated nightly images on nightly branch + updates of images itself	2024-02-05 12:48:16 +01:00
FreddleSpl0it	423211f317	fix keycloak mailpassword flow	2024-02-05 12:47:38 +01:00
Mirko Ceroni	39a3e58de6	Update sogo-auth.php	2024-02-05 12:47:38 +01:00
Mirko Ceroni	c792f6c172	Update sogo-auth.php initialize db before validating credentials	2024-02-05 12:47:38 +01:00
FreddleSpl0it	3a65da8a87	Fixes #5408	2024-02-05 12:47:37 +01:00
FreddleSpl0it	c92f3fea17	[Web] add missing break	2024-02-05 12:47:35 +01:00
FreddleSpl0it	4d9c10e4f7	[Web] fix user protocol badges	2024-02-05 12:47:02 +01:00
FreddleSpl0it	4f79d013d0	[Dovecot] remove passwd-verify.lua generation	2024-02-05 12:46:33 +01:00
DerLinkman	43ba5dfd09	Clamd using Alpine Packages instead self compile	2024-02-05 12:46:06 +01:00
DerLinkman	59ca84d6ff	Rebased Dovecot on Alpine + fixed logging	2024-02-05 12:45:15 +01:00
DerLinkman	7664eb6fb9	Small fixes for CLAMD Health Check	2024-02-05 12:42:51 +01:00
DerLinkman	be9db39a64	Added missing Labels to Dockerfiles	2024-02-05 12:40:19 +01:00
DerLinkman	2463405dfd	Optimized Build Process for Dovecot	2024-02-05 12:40:18 +01:00
DerLinkman	ddc0070d3a	Changed Dovecot Base to Bullseye again (Self compile)	2024-02-05 12:40:04 +01:00
DerLinkman	fbc8fb7ecb	Optimized CLAMAV Builds to match exact version instead of Repo	2024-02-05 12:39:14 +01:00
DerLinkman	ff8f4c31c5	Switched to Alpine Edge (for IMAPSYNC Deps)	2024-02-05 12:38:27 +01:00
DerLinkman	b556c2c9dd	Rebased Dovecot on Alpine 3.17 instead Bullseye (ARM64 Support)	2024-02-05 12:37:27 +01:00
DerLinkman	785c36bdf4	Removed Test self compiled SOGo Dockerfile	2024-02-05 12:36:22 +01:00
DerLinkman	d91c4de392	Changed Maintainer to tinc within Dockerfiles	2024-02-05 12:36:21 +01:00
DerLinkman	31783b5086	Updated Clamd Building to be x86 and ARM Compatible	2024-02-05 12:35:27 +01:00
DerLinkman	31a33af141	[Rspamd] Update to 3.6 (Ratelimit fix)	2024-02-05 12:35:10 +01:00
FreddleSpl0it	2725423838	[Web] minor fixes	2024-02-05 12:34:26 +01:00
FreddleSpl0it	b7324e5c25	[SOGo] deny direct login on external users	2024-02-05 12:34:25 +01:00
FreddleSpl0it	da29a7a736	[SOGo] remove sogo_view and triggers	2024-02-05 12:34:25 +01:00
FreddleSpl0it	a0e0dc92eb	[Web] catch update_sogo exceptions	2024-02-05 12:34:12 +01:00
FreddleSpl0it	016c028ec7	[Web] fix malformed_username check	2024-02-05 12:34:12 +01:00
FreddleSpl0it	c744ffd2c8	[Web] remove keycloak sync disabled warning	2024-02-05 12:34:12 +01:00
FreddleSpl0it	adc7d89b57	deny changes on identity provider if it's in use	2024-02-05 12:34:11 +01:00
FreddleSpl0it	2befafa8b1	rework auth - move dovecot sasl log to php	2024-02-05 12:34:11 +01:00
FreddleSpl0it	ce76b3d75f	[Web] allow mailbox authsource to be switchable	2024-02-05 12:34:10 +01:00
FreddleSpl0it	dd1a5d7775	[Web] fix identity-provider settings layout	2024-02-05 12:33:21 +01:00
FreddleSpl0it	e437e2cc5e	[Web] trim CRON_LOG	2024-02-05 12:33:21 +01:00
FreddleSpl0it	f093e3a054	[Web] remove unnecessary if block	2024-02-05 12:33:20 +01:00
FreddleSpl0it	5725ddf197	[Web] add curl timeouts to oidc requests	2024-02-05 12:33:20 +01:00
FreddleSpl0it	4293d184bd	[Web] update lang files	2024-02-05 12:33:20 +01:00
FreddleSpl0it	51ee8ce1a2	[Dovecot] mailcowauth minor fixes	2024-02-05 12:33:19 +01:00
FreddleSpl0it	6fe17c5d34	[Web] improve identity-provider template	2024-02-05 12:33:19 +01:00
FreddleSpl0it	7abf61478a	[Web] improve attribute sync performance & make authsource editable	2024-02-05 12:33:19 +01:00
FreddleSpl0it	4bb02f4bb0	[Web] add crontasks logs	2024-02-05 12:32:01 +01:00
FreddleSpl0it	dce3239809	[Web] add keycloak sync crontask	2024-02-05 12:32:01 +01:00
FreddleSpl0it	36c9e91efa	[Web] handle fatal errors on getAccessToken	2024-02-05 12:32:01 +01:00
FreddleSpl0it	1258ddcdc6	[Web] fix attribute mapping list	2024-02-05 12:32:00 +01:00
FreddleSpl0it	8c8eae965d	[Web] hide auth settings for external users	2024-02-05 12:32:00 +01:00
FreddleSpl0it	1bb9f70b96	[Web] fix bug on mailbox login	2024-02-05 12:32:00 +01:00
FreddleSpl0it	002eef51e1	[Web] update lang.en-gb.json	2024-02-05 12:31:59 +01:00
FreddleSpl0it	5923382831	[Web] update guzzlehttp/psr7	2024-02-05 12:31:59 +01:00
FreddleSpl0it	d4add71b33	[Web] update stevenmaguire/oauth2-keycloak and firebase/php-jwt	2024-02-05 12:31:59 +01:00
FreddleSpl0it	105016b1aa	[Web] add league/oauth2-client	2024-02-05 12:31:58 +01:00
FreddleSpl0it	ae9584ff8b	update gitignore	2024-02-05 12:31:58 +01:00
FreddleSpl0it	c8e18b0fdb	[Web] functions.auth.inc.php corrections	2024-02-05 12:31:58 +01:00
FreddleSpl0it	84c0f1e38b	[Web] remove ropc flow	2024-02-05 12:31:57 +01:00
FreddleSpl0it	00d826edf6	[Web] add "add mailbox_from_template" function	2024-02-05 12:31:57 +01:00
FreddleSpl0it	d2e656107f	[Web] add generic-oidc provider	2024-02-05 12:31:56 +01:00
FreddleSpl0it	821972767c	[Web] add "edit mailbox_from_template" function	2024-02-05 12:31:56 +01:00
FreddleSpl0it	35869d2f67	[Web] revert configurable authsource	2024-02-05 12:31:56 +01:00
FreddleSpl0it	8539d55c75	[Web] rename var for tab-config-identity-provider.twig	2024-02-05 12:31:55 +01:00
FreddleSpl0it	61559f3a66	[Web] add generic-oidc provider	2024-02-05 12:30:44 +01:00
FreddleSpl0it	412d8490d1	[Web] remove sso login alertbox	2024-02-05 12:30:05 +01:00
FreddleSpl0it	a331813790	[Web] move iam sso functions	2024-02-05 12:30:05 +01:00
FreddleSpl0it	9be79cb08e	[Dovecot] group auth files	2024-02-05 12:30:05 +01:00
FreddleSpl0it	73256b49b7	[Web] move /process/login to internal endpoint	2024-02-05 12:30:04 +01:00
FreddleSpl0it	974827cccc	[Web] iam - add switch for direct login flow	2024-02-05 12:30:04 +01:00
FreddleSpl0it	bb461bc0ad	[Dovecot] fix wrong lua syntax	2024-02-05 12:30:04 +01:00
FreddleSpl0it	b331baa123	[Web] add IAM delete button & fix add mbox modal	2024-02-05 12:30:03 +01:00
FreddleSpl0it	cd6f09fb18	[Web] IAM - add delete option & fix test connection	2024-02-05 12:30:03 +01:00
FreddleSpl0it	c7a7f2cd46	[Web] fix iam attribute mapping ui	2024-02-05 12:29:47 +01:00
FreddleSpl0it	a4244897c2	replace ropc flow with keycloak rest api flow	2024-02-05 12:29:47 +01:00
FreddleSpl0it	fb27b54ae3	[Web] rename role mapping to attribute mapping	2024-02-05 12:29:47 +01:00
FreddleSpl0it	b6bf98ed48	new dovecout lua auth - use https	2024-02-05 12:29:46 +01:00
FreddleSpl0it	61960be9c4	[Web] create ratelimit acl on iam mbox creation 2	2024-02-05 12:29:16 +01:00
FreddleSpl0it	590a4e73d4	[Web] create ratelimit acl on iam mbox creation	2024-02-05 12:29:16 +01:00
FreddleSpl0it	c7573752ce	[Web] fix broken sogo-sso	2024-02-05 12:29:15 +01:00
FreddleSpl0it	93d7610ae7	[Web] fix app_pass ignore_access	2024-02-05 12:29:15 +01:00
FreddleSpl0it	edd58e8f98	[Web] keycloak auth functions	2024-02-05 12:28:19 +01:00
FreddleSpl0it	560abc7a94	[Web] add manage identity provider	2024-02-05 12:28:18 +01:00
FreddleSpl0it	f3ed3060b0	[Web] remove u2f lib from prerequisites	2024-02-05 12:24:30 +01:00
FreddleSpl0it	04a423ec6a	[Web] add oauth2-keycloak lib	2024-02-05 12:24:30 +01:00
FreddleSpl0it	f2b78e3232	[Web] remove u2f lib	2024-02-05 12:24:29 +01:00
FreddleSpl0it	0b7e5c9d48	[Web] limit identity_provider function better	2024-02-05 12:24:29 +01:00
FreddleSpl0it	410ff40782	[Web] manage keycloak identity provider	2024-02-05 12:23:02 +01:00
FreddleSpl0it	7218095041	[Web] organize auth functions+api auth w/ dovecot	2024-02-05 12:21:27 +01:00
FreddleSpl0it	4f350d17e5	[Web] update de-de + en-gb lang	2024-02-05 12:06:19 +01:00
FreddleSpl0it	b57ec1323d	[Web] organize user landing	2024-02-05 12:05:20 +01:00
FreddleSpl0it	528077394e	[Web] fix user login history	2024-02-05 11:53:38 +01:00
FreddleSpl0it	7b965a60ed	[Web] add app hide option	2024-02-05 11:53:37 +01:00
FreddleSpl0it	c5dcae471b	[Web] add seperate link for logged in users	2024-02-05 11:53:14 +01:00
FreddleSpl0it	0468af5d79	[Web] few style changes	2024-02-05 11:52:33 +01:00
FreddleSpl0it	768304a32e	[Web] redirect to sogo after failed sogo-auth	2024-02-05 11:52:28 +01:00
`@@ -1,2 +1 @@`
	`github: mailcow`
	`custom: ["https://www.servercow.de/mailcow?lang=en#sal"]`	`custom: ["https://www.servercow.de/mailcow?lang=en#sal"]`
`@@ -1,3 +1,3 @@`
	`FROM debian:trixie-slim`	`FROM debian:bullseye-slim`

	`RUN apt update && apt install pigz zstd -y --no-install-recommends`	`RUN apt update && apt install pigz`
		`@@ -0,0 +1,2 @@`
							`#!/bin/bash`
							`docker exec -it -u www-data $(docker ps -f name=php-fpm-mailcow -q) php /web/nextcloud/occ ${@}`