Merge branch 'staging' into feat/valkey

[Web] Updated lang.zh-cn.json (#6826 )
Co-authored-by: Easton Man <me@eastonman.com>
2026-02-18 23:26:24 +00:00 · 2025-10-10 12:40:41 +02:00 · 2025-10-09 19:54:12 +02:00 · 2025-10-09 19:36:36 +02:00 · 2025-10-09 16:37:05 +02:00 · 2025-10-07 11:41:57 +02:00
138 changed files with 2640 additions and 1387 deletions
--- a/.github/ISSUE_TEMPLATE/Bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/Bug_report.yml
@@ -11,22 +11,35 @@ body:
        required: true
  - type: checkboxes
    attributes:
-      label: I've found a bug and checked that ...
-      description: Prior to placing the issue, please check following:** *(fill out each checkbox with an `X` once done)*
+      label: Checklist prior issue creation
+      description: Prior to creating the issue...
      options:
-      - label: ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
+      - label: I understand that failure to follow below instructions may cause this issue to be closed.
        required: true
-      - label: ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
+      - label: I understand that vague, incomplete or inaccurate information may cause this issue to be closed.
        required: true
-      - label: ... I have understood that answers are voluntary and community-driven, and not commercial support.
+      - label: I understand that this form is intended solely for reporting software bugs and not for support-related inquiries.
        required: true
-      - label: ... I have verified that my issue has not been already answered in the past. I also checked previous [issues](https://github.com/mailcow/mailcow-dockerized/issues).
+      - label: I understand that all responses are voluntary and community-driven, and do not constitute commercial support.
+        required: true
+      - label: I confirm that I have reviewed previous [issues](https://github.com/mailcow/mailcow-dockerized/issues) to ensure this matter has not already been addressed.
+        required: true
+      - label: I confirm that my environment meets all [prerequisite requirements](https://docs.mailcow.email/getstarted/prerequisite-system/) as specified in the official documentation.
        required: true
  - type: textarea
    attributes:
      label: Description
-      description: Please provide a brief description of the bug in 1-2 sentences. If applicable, add screenshots to help explain your problem. Very useful for bugs in mailcow UI.
-      render: plain text
+      description: Please provide a brief description of the bug. If applicable, add screenshots to help explain your problem. (Very useful for bugs in mailcow UI.)
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: "Steps to reproduce:"
+      description: "Please describe the steps to reproduce the bug. Screenshots can be added, if helpful."
+      placeholder: |-
+        1. ...
+        2. ...
+        3. ...
    validations:
      required: true
  - type: textarea
@@ -36,45 +49,36 @@ body:
      render: plain text
    validations:
      required: true
-  - type: textarea
-    attributes:
-      label: "Steps to reproduce:"
-      description: "Please describe the steps to reproduce the bug. Screenshots can be added, if helpful."
-      render: plain text
-      placeholder: |-
-        1. ...
-        2. ...
-        3. ...
-    validations:
-      required: true
  - type: markdown
    attributes:
      value: |
        ## System information
-        ### In this stage we would kindly ask you to attach general system information about your setup.
+        In this stage we would kindly ask you to attach general system information about your setup.
  - type: dropdown
    attributes:
      label: "Which branch are you using?"
-      description: "#### `git rev-parse --abbrev-ref HEAD`"
+      description: "#### Run: `git rev-parse --abbrev-ref HEAD`"
      multiple: false
      options:
-        - master
+        - master (stable)
+        - staging
        - nightly
    validations:
      required: true
  - type: dropdown
    attributes:
      label: "Which architecture are you using?"
-      description: "#### `uname -m`"
+      description: "#### Run: `uname -m`"
      multiple: false
      options:
-        - x86
+        - x86_64
        - ARM64 (aarch64)
    validations:
      required: true
  - type: input
    attributes:
      label: "Operating System:"
+      description: "#### Run: `lsb_release -ds`"
      placeholder: "e.g. Ubuntu 22.04 LTS"
    validations:
      required: true
@@ -93,43 +97,44 @@ body:
  - type: input
    attributes:
      label: "Virtualization technology:"
-      placeholder: "KVM, VMware, Xen, etc - **LXC and OpenVZ are not supported**"
+      description: "LXC and OpenVZ are not supported!"
+      placeholder: "KVM, VMware ESXi, Xen, etc"
    validations:
      required: true
  - type: input
    attributes:
      label: "Docker version:"
-      description: "#### `docker version`"
+      description: "#### Run: `docker version`"
      placeholder: "20.10.21"
    validations:
      required: true
  - type: input
    attributes:
      label: "docker-compose version or docker compose version:"
-      description: "#### `docker-compose version` or `docker compose version`"
+      description: "#### Run: `docker-compose version` or `docker compose version`"
      placeholder: "v2.12.2"
    validations:
      required: true
  - type: input
    attributes:
      label: "mailcow version:"
-      description: "#### ```git describe --tags `git rev-list --tags --max-count=1` ```"
-      placeholder: "2022-08"
+      description: "#### Run: ```git describe --tags `git rev-list --tags --max-count=1` ```"
+      placeholder: "2022-08x"
    validations:
      required: true
  - type: input
    attributes:
      label: "Reverse proxy:"
-      placeholder: "e.g. Nginx/Traefik"
+      placeholder: "e.g. nginx/Traefik, or none"
    validations:
      required: true
  - type: textarea
    attributes:
      label: "Logs of git diff:"
-      description: "#### Output of `git diff origin/master`, any other changes to the code? If so, **please post them**:"
+      description: "#### Output of `git diff origin/master`, any other changes to the code? Sanitize if needed. If so, **please post them**:"
      render: plain text
    validations:
-      required: true
+      required: false
  - type: textarea
    attributes:
      label: "Logs of iptables -L -vn:"
--- a/.github/workflows/close_old_issues_and_prs.yml
+++ b/.github/workflows/close_old_issues_and_prs.yml
@@ -14,7 +14,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Mark/Close Stale Issues and Pull Requests 🗑️
-        uses: actions/stale@v9.1.0
+        uses: actions/stale@v10.1.0
        with:
          repo-token: ${{ secrets.STALE_ACTION_PAT }}
          days-before-stale: 60
--- a/.github/workflows/image_builds.yml
+++ b/.github/workflows/image_builds.yml
@@ -27,7 +27,7 @@ jobs:
          - "watchdog-mailcow"
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - name: Setup Docker
        run: |
          curl -sSL https://get.docker.com/ | CHANNEL=stable sudo sh
--- a/.github/workflows/pr_to_nightly.yml
+++ b/.github/workflows/pr_to_nightly.yml
@@ -8,7 +8,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0
      - name: Run the Action
--- a/.github/workflows/rebuild_backup_image.yml
+++ b/.github/workflows/rebuild_backup_image.yml
@@ -13,7 +13,7 @@ jobs:
      packages: write
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
--- a/.github/workflows/update_postscreen_access_list.yml
+++ b/.github/workflows/update_postscreen_access_list.yml
@@ -15,7 +15,7 @@ jobs:
   runs-on: ubuntu-latest
   steps:
    - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5

    - name: Generate postscreen_access.cidr
      run: |
--- a/README.md
+++ b/README.md
@@ -23,9 +23,6 @@ A big thank you to everyone supporting us on GitHub Sponsors—your contribution
  <a href="https://www.maehdros.com/" target=_blank><img
    src="https://avatars.githubusercontent.com/u/173894712" height="58"
  /></a>
-  <a href="https://macarne.com/" target=_blank><img
-    src="https://avatars.githubusercontent.com/u/149550368?s=200&v=4" height="58"
-  /></a>

 ### 50$/Month Sponsors
  <a href="https://github.com/vnukhr" target=_blank><img
--- a/_modules/scripts/core.sh
+++ b/_modules/scripts/core.sh
@@ -17,7 +17,13 @@ caller="${BASH_SOURCE[1]##*/}"

 get_installed_tools(){
    for bin in openssl curl docker git awk sha1sum grep cut jq; do
-        if [[ -z $(command -v ${bin}) ]]; then echo "Cannot find ${bin}, exiting..."; exit 1; fi
+        if [[ -z $(command -v ${bin}) ]]; then
+          echo "Error: Cannot find command '${bin}'. Cannot proceed."
+          echo "Solution: Please review system requirements and install requirements. Then, re-run the script."
+          echo "See System Requirements: https://docs.mailcow.email/getstarted/install/"
+          echo "Exiting..."
+          exit 1
+        fi
    done

    if grep --help 2>&1 | head -n 1 | grep -q -i "busybox"; then echo -e "${LIGHT_RED}BusyBox grep detected, please install gnu grep, \"apk add --no-cache --upgrade grep\"${NC}"; exit 1; fi
@@ -185,7 +191,7 @@ detect_major_update() {
    MAJOR_VERSIONS=(
      "2025-02"
      "2025-03"
-      "2025-08"
+      "2025-09"
    )

    current_version=""
@@ -221,4 +227,4 @@ detect_major_update() {
      fi
    fi
  fi
-}
+}
--- a/_modules/scripts/ipv6_controller.sh
+++ b/_modules/scripts/ipv6_controller.sh
@@ -5,14 +5,65 @@

 # 1) Check if the host supports IPv6
 get_ipv6_support() {
-  if grep -qs '^1' /proc/sys/net/ipv6/conf/all/disable_ipv6 2>/dev/null \
-    || ! ip -6 route show default &>/dev/null; then
+  # ---- helper: probe external IPv6 connectivity without DNS ----
+  _probe_ipv6_connectivity() {
+    # Use literal, always-on IPv6 echo responders (no DNS required)
+    local PROBE_IPS=("2001:4860:4860::8888" "2606:4700:4700::1111")
+    local ip rc=1
+
+    for ip in "${PROBE_IPS[@]}"; do
+      if command -v ping6 &>/dev/null; then
+        ping6 -c1 -W2 "$ip" &>/dev/null || ping6 -c1 -w2 "$ip" &>/dev/null
+        rc=$?
+      elif command -v ping &>/dev/null; then
+        ping -6 -c1 -W2 "$ip" &>/dev/null || ping -6 -c1 -w2 "$ip" &>/dev/null
+        rc=$?
+      else
+        rc=1
+      fi
+      [[ $rc -eq 0 ]] && return 0
+    done
+    return 1
+  }
+
+  if [[ ! -f /proc/net/if_inet6 ]] || grep -qs '^1' /proc/sys/net/ipv6/conf/all/disable_ipv6 2>/dev/null; then
    DETECTED_IPV6=false
-    echo -e "${YELLOW}IPv6 not detected on host – ${LIGHT_RED}disabling IPv6 support${YELLOW}.${NC}"
-  else
-    DETECTED_IPV6=true
-    echo -e "IPv6 detected on host – ${LIGHT_GREEN}leaving IPv6 support enabled${YELLOW}.${NC}"
+    echo -e "${YELLOW}IPv6 not detected on host – ${LIGHT_RED}IPv6 is administratively disabled${YELLOW}.${NC}"
+    return
  fi
+
+  if ip -6 route show default 2>/dev/null | grep -qE '^default'; then
+    echo -e "${YELLOW}Default IPv6 route found – testing external IPv6 connectivity...${NC}"
+    if _probe_ipv6_connectivity; then
+      DETECTED_IPV6=true
+      echo -e "IPv6 detected on host – ${LIGHT_GREEN}leaving IPv6 support enabled${YELLOW}.${NC}"
+    else
+      DETECTED_IPV6=false
+      echo -e "${YELLOW}Default IPv6 route present but external IPv6 connectivity failed – ${LIGHT_RED}disabling IPv6 support${YELLOW}.${NC}"
+    fi
+    return
+  fi
+
+  if ip -6 addr show scope global 2>/dev/null | grep -q 'inet6'; then
+    DETECTED_IPV6=false
+    echo -e "${YELLOW}Global IPv6 address present but no default route – ${LIGHT_RED}disabling IPv6 support${YELLOW}.${NC}"
+    return
+  fi
+
+  if ip -6 addr show scope link 2>/dev/null | grep -q 'inet6'; then
+    echo -e "${YELLOW}Only link-local IPv6 addresses found – testing external IPv6 connectivity...${NC}"
+    if _probe_ipv6_connectivity; then
+      DETECTED_IPV6=true
+      echo -e "External IPv6 connectivity available – ${LIGHT_GREEN}leaving IPv6 support enabled${YELLOW}.${NC}"
+    else
+      DETECTED_IPV6=false
+      echo -e "${YELLOW}Only link-local IPv6 present and no external connectivity – ${LIGHT_RED}disabling IPv6 support${YELLOW}.${NC}"
+    fi
+    return
+  fi
+
+  DETECTED_IPV6=false
+  echo -e "${YELLOW}IPv6 not detected on host – ${LIGHT_RED}disabling IPv6 support${YELLOW}.${NC}"
 }

 # 2) Ensure Docker daemon.json has (or create) the required IPv6 settings
@@ -21,7 +72,7 @@ docker_daemon_edit(){
  DOCKER_MAJOR=$(docker version --format '{{.Server.Version}}' 2>/dev/null | cut -d. -f1)
  MISSING=()

-  _has_kv() { grep -Eq "\"$1\"\s*:\s*$2" "$DOCKER_DAEMON_CONFIG" 2>/dev/null; }
+  _has_kv() { grep -Eq "\"$1\"[[:space:]]*:[[:space:]]*$2" "$DOCKER_DAEMON_CONFIG" 2>/dev/null; }

  if [[ -f "$DOCKER_DAEMON_CONFIG" ]]; then

@@ -38,12 +89,18 @@ docker_daemon_edit(){
    fi

    # Gather missing keys
-    ! _has_kv ipv6 true       && MISSING+=("ipv6: true")
-    ! grep -Eq '"fixed-cidr-v6"\s*:\s*".+"' "$DOCKER_DAEMON_CONFIG" \
-                              && MISSING+=('fixed-cidr-v6: "fd00:dead:beef:c0::/80"')
-    if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -le 27 ]]; then
+    ! _has_kv ipv6 true && MISSING+=("ipv6: true")
+
+    # For Docker < 28, keep requiring fixed-cidr-v6 (default bridge needs it on old engines)
+    if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 28 ]]; then
+      ! grep -Eq '"fixed-cidr-v6"[[:space:]]*:[[:space:]]*".+"' "$DOCKER_DAEMON_CONFIG" \
+                                && MISSING+=('fixed-cidr-v6: "fd00:dead:beef:c0::/80"')
+    fi
+
+    # For Docker < 27, ip6tables needed and was tied to experimental in older releases
+    if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 27 ]]; then
      _has_kv ipv6 true && ! _has_kv ip6tables true && MISSING+=("ip6tables: true")
-      ! _has_kv experimental true                 && MISSING+=("experimental: true")
+      ! _has_kv experimental true && MISSING+=("experimental: true")
    fi

    # Fix if needed
@@ -60,9 +117,19 @@ docker_daemon_edit(){
        cp "$DOCKER_DAEMON_CONFIG" "${DOCKER_DAEMON_CONFIG}.bak"
        if command -v jq &>/dev/null; then
          TMP=$(mktemp)
-          JQ_FILTER='.ipv6 = true | .["fixed-cidr-v6"] = "fd00:dead:beef:c0::/80"'
-          [[ "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 27 ]] \
-            && JQ_FILTER+=' | .ip6tables = true | .experimental = true'
+          # Base filter: ensure ipv6 = true
+          JQ_FILTER='.ipv6 = true'
+
+          # Add fixed-cidr-v6 only for Docker < 28
+          if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 28 ]]; then
+            JQ_FILTER+=' | .["fixed-cidr-v6"] = (.["fixed-cidr-v6"] // "fd00:dead:beef:c0::/80")'
+          fi
+
+          # Add ip6tables/experimental only for Docker < 27
+          if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 27 ]]; then
+            JQ_FILTER+=' | .ip6tables = true | .experimental = true'
+          fi
+
          jq "$JQ_FILTER" "$DOCKER_DAEMON_CONFIG" >"$TMP" && mv "$TMP" "$DOCKER_DAEMON_CONFIG"
          echo -e "${LIGHT_GREEN}daemon.json updated. Restarting Docker...${NC}"
          (command -v systemctl &>/dev/null && systemctl restart docker) || service docker restart
@@ -88,6 +155,7 @@ docker_daemon_edit(){
    fi

    if [[ $ans =~ ^[Yy]$ ]]; then
+      mkdir -p "$(dirname "$DOCKER_DAEMON_CONFIG")"
      if [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 27 ]]; then
        cat > "$DOCKER_DAEMON_CONFIG" <<EOF
 {
@@ -97,12 +165,19 @@ docker_daemon_edit(){
  "experimental": true
 }
 EOF
-      else
+      elif [[ -n "$DOCKER_MAJOR" && "$DOCKER_MAJOR" -lt 28 ]]; then
        cat > "$DOCKER_DAEMON_CONFIG" <<EOF
 {
  "ipv6": true,
  "fixed-cidr-v6": "fd00:dead:beef:c0::/80"
 }
+EOF
+      else
+        # Docker 28+: ipv6 works without fixed-cidr-v6
+        cat > "$DOCKER_DAEMON_CONFIG" <<EOF
+{
+  "ipv6": true
+}
 EOF
      fi
      echo -e "${GREEN}Created $DOCKER_DAEMON_CONFIG with IPv6 settings.${NC}"
@@ -122,7 +197,7 @@ configure_ipv6() {
  # detect manual override if mailcow.conf is present
  if [[ -n "$MAILCOW_CONF" && -f "$MAILCOW_CONF" ]] && grep -q '^ENABLE_IPV6=' "$MAILCOW_CONF"; then
    MANUAL_SETTING=$(grep '^ENABLE_IPV6=' "$MAILCOW_CONF" | cut -d= -f2)
-  elif [[ -z "$MAILCOW_CONF" ]] && [[ ! -z "${ENABLE_IPV6:-}" ]]; then
+  elif [[ -z "$MAILCOW_CONF" ]] && [[ -n "${ENABLE_IPV6:-}" ]]; then
    MANUAL_SETTING="$ENABLE_IPV6"
  else
    MANUAL_SETTING=""
@@ -131,38 +206,34 @@ configure_ipv6() {
  get_ipv6_support

  # if user manually set it, check for mismatch
-  if [[ -n "$MANUAL_SETTING" ]]; then
-    if [[ "$MANUAL_SETTING" == "false" && "$DETECTED_IPV6" == "true" ]]; then
-      echo -e "${RED}ERROR: You have ENABLE_IPV6=false but your host and Docker support IPv6.${NC}"
-      echo -e "${RED}This can create an open relay. Please set ENABLE_IPV6=true in your mailcow.conf and re-run.${NC}"
-      exit 1
-    elif [[ "$MANUAL_SETTING" == "true" && "$DETECTED_IPV6" == "false" ]]; then
-      echo -e "${RED}ERROR: You have ENABLE_IPV6=true but your host does not support IPv6.${NC}"
-      echo -e "${RED}Please disable or fix your host/Docker IPv6 support, or set ENABLE_IPV6=false.${NC}"
-      exit 1
+  if [[ "$DETECTED_IPV6" != "true" ]]; then
+    if [[ -n "$MAILCOW_CONF" && -f "$MAILCOW_CONF" ]]; then
+      if grep -q '^ENABLE_IPV6=' "$MAILCOW_CONF"; then
+        sed -i 's/^ENABLE_IPV6=.*/ENABLE_IPV6=false/' "$MAILCOW_CONF"
+      else
+        echo "ENABLE_IPV6=false" >> "$MAILCOW_CONF"
+      fi
    else
-      return
+      export IPV6_BOOL=false
    fi
-  fi
-
-  # no manual override: proceed to set or export
-  if [[ "$DETECTED_IPV6" == "true" ]]; then
-    docker_daemon_edit
-  else
    echo "Skipping Docker IPv6 configuration because host does not support IPv6."
+    echo "Make sure to check if your docker daemon.json does not include \"enable_ipv6\": true if you do not want IPv6."
+    echo "IPv6 configuration complete: ENABLE_IPV6=false"
+    sleep 2
+    return
  fi

-  # now write into mailcow.conf or export
+  docker_daemon_edit
+
  if [[ -n "$MAILCOW_CONF" && -f "$MAILCOW_CONF" ]]; then
-    LINE="ENABLE_IPV6=$DETECTED_IPV6"
    if grep -q '^ENABLE_IPV6=' "$MAILCOW_CONF"; then
-      sed -i "s/^ENABLE_IPV6=.*/$LINE/" "$MAILCOW_CONF"
+      sed -i 's/^ENABLE_IPV6=.*/ENABLE_IPV6=true/' "$MAILCOW_CONF"
    else
-      echo "$LINE" >> "$MAILCOW_CONF"
+      echo "ENABLE_IPV6=true" >> "$MAILCOW_CONF"
    fi
  else
-    export IPV6_BOOL="$DETECTED_IPV6"
+    export IPV6_BOOL=true
  fi

-  echo "IPv6 configuration complete: ENABLE_IPV6=$DETECTED_IPV6"
+  echo "IPv6 configuration complete: ENABLE_IPV6=true"
 }
--- a/_modules/scripts/new_options.sh
+++ b/_modules/scripts/new_options.sh
@@ -43,6 +43,7 @@ adapt_new_options() {
  "ALLOW_ADMIN_EMAIL_LOGIN"
  "SKIP_HTTP_VERIFICATION"
  "SOGO_EXPIRE_SESSION"
+  "SOGO_URL_ENCRYPTION_KEY"
  "REDIS_PORT"
  "REDISPASS"
  "DOVECOT_MASTER_USER"
@@ -94,7 +95,6 @@ adapt_new_options() {
            echo '# Max log lines per service to keep in Redis logs' >> mailcow.conf
            echo "LOG_LINES=9999" >> mailcow.conf
            ;;
-        
        IPV4_NETWORK)
            echo '# Internal IPv4 /24 subnet, format n.n.n. (expands to n.n.n.0/24)' >> mailcow.conf
            echo "IPV4_NETWORK=172.22.1" >> mailcow.conf
@@ -276,21 +276,22 @@ adapt_new_options() {
            echo '# A COMPLETE DOCKER STACK REBUILD (compose down && compose up -d) IS NEEDED TO APPLY THIS.' >> mailcow.conf
            echo ENABLE_IPV6=${IPV6_BOOL} >> mailcow.conf
            ;;
-    
        SKIP_CLAMD)
            echo '# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n' >> mailcow.conf
            echo 'SKIP_CLAMD=n' >> mailcow.conf
            ;;
-
        SKIP_OLEFY)
            echo '# Skip Olefy (olefy-mailcow) anti-virus for Office documents (Rspamd will auto-detect a missing Olefy container) - y/n' >> mailcow.conf
            echo 'SKIP_OLEFY=n' >> mailcow.conf
            ;;
-        
        REDISPASS)
            echo "REDISPASS=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2>/dev/null | head -c 28)" >> mailcow.conf
            ;;
-                  
+        SOGO_URL_ENCRYPTION_KEY)
+            echo '# SOGo URL encryption key (exactly 16 characters, limited to A–Z, a–z, 0–9)' >> mailcow.conf
+            echo '# This key is used to encrypt email addresses within SOGo URLs' >> mailcow.conf
+            echo "SOGO_URL_ENCRYPTION_KEY=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2>/dev/null | head -c 16)" >> mailcow.conf
+            ;;
        *)
            echo "${option}=" >> mailcow.conf
            ;;
--- a/data/Dockerfiles/acme/acme.sh
+++ b/data/Dockerfiles/acme/acme.sh
@@ -3,14 +3,14 @@ set -o pipefail
 exec 5>&1

 # Do not attempt to write to slave
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  export REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  export VALKEY_CMDLINE="redis-cli -h ${VALKEY_SLAVEOF_IP} -p ${VALKEY_SLAVEOF_PORT} -a ${VALKEYPASS} --no-auth-warning"
 else
-  export REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
+  export VALKEY_CMDLINE="redis-cli -h valkey-mailcow -p 6379 -a ${VALKEYPASS} --no-auth-warning"
 fi

-until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
-  echo "Waiting for Redis..."
+until [[ $(${VALKEY_CMDLINE} PING) == "PONG" ]]; do
+  echo "Waiting for Valkey..."
  sleep 2
 done

@@ -348,7 +348,7 @@ while true; do
  if [[ -z ${VALIDATED_CERTIFICATES[*]} ]]; then
    log_f "Cannot validate any hostnames, skipping Let's Encrypt for 1 hour."
    log_f "Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently."
-    ${REDIS_CMDLINE} SET ACME_FAIL_TIME "$(date +%s)"
+    ${VALKEY_CMDLINE} SET ACME_FAIL_TIME "$(date +%s)"
    sleep 1h
    exec $(readlink -f "$0")
  fi
@@ -389,7 +389,7 @@ while true; do
      DOVECOT_CERT_SERIAL_NEW="$(echo | openssl s_client -connect dovecot:143 -starttls imap 2>/dev/null | openssl x509 -inform pem -noout -serial | cut -d "=" -f 2)"
      if [[ ${RELOAD_LOOP_C} -gt 3 ]]; then
        log_f "Some services do return old end dates, something went wrong!"
-        ${REDIS_CMDLINE} SET ACME_FAIL_TIME "$(date +%s)"
+        ${VALKEY_CMDLINE} SET ACME_FAIL_TIME "$(date +%s)"
        break;
      fi
    done
@@ -410,7 +410,7 @@ while true; do
      ;;
    *) # non-zero
      log_f "Some errors occurred, retrying in 30 minutes..."
-      ${REDIS_CMDLINE} SET ACME_FAIL_TIME "$(date +%s)"
+      ${VALKEY_CMDLINE} SET ACME_FAIL_TIME "$(date +%s)"
      sleep 30m
      exec $(readlink -f "$0")
      ;;
--- a/data/Dockerfiles/acme/functions.sh
+++ b/data/Dockerfiles/acme/functions.sh
@@ -5,13 +5,13 @@ log_f() {
    echo -n "$(date) - ${1}"
  elif [[ ${2} == "no_date" ]]; then
    echo "${1}"
-  elif [[ ${2} != "redis_only" ]]; then
+  elif [[ ${2} != "valkey_only" ]]; then
    echo "$(date) - ${1}"
  fi
  if [[ ${3} == "b64" ]]; then
-    ${REDIS_CMDLINE} LPUSH ACME_LOG "{\"time\":\"$(date +%s)\",\"message\":\"base64,$(printf '%s' "${MAILCOW_HOSTNAME} - ${1}")\"}" > /dev/null
+    ${VALKEY_CMDLINE} LPUSH ACME_LOG "{\"time\":\"$(date +%s)\",\"message\":\"base64,$(printf '%s' "${MAILCOW_HOSTNAME} - ${1}")\"}" > /dev/null
  else
-    ${REDIS_CMDLINE} LPUSH ACME_LOG "{\"time\":\"$(date +%s)\",\"message\":\"$(printf '%s' "${MAILCOW_HOSTNAME} - ${1}" | \
+    ${VALKEY_CMDLINE} LPUSH ACME_LOG "{\"time\":\"$(date +%s)\",\"message\":\"$(printf '%s' "${MAILCOW_HOSTNAME} - ${1}" | \
      tr '%&;$"[]{}-\r\n' ' ')\"}" > /dev/null
  fi
 }
--- a/data/Dockerfiles/acme/obtain-certificate.sh
+++ b/data/Dockerfiles/acme/obtain-certificate.sh
@@ -101,7 +101,7 @@ ACME_RESPONSE=$(acme-tiny ${DIRECTORY_URL} \
  --acme-dir /var/www/acme/ 2>&1 > /tmp/_cert.pem | tee /dev/fd/5; exit ${PIPESTATUS[0]})
 SUCCESS="$?"
 ACME_RESPONSE_B64=$(echo "${ACME_RESPONSE}" | openssl enc -e -A -base64)
-log_f "${ACME_RESPONSE_B64}" redis_only b64
+log_f "${ACME_RESPONSE_B64}" valkey_only b64
 case "$SUCCESS" in
  0) # cert requested
    log_f "Deploying certificate ${CERT}..."
@@ -124,7 +124,7 @@ case "$SUCCESS" in
    ;;
  *) # non-zero is non-fun
    log_f "Failed to obtain certificate ${CERT} for domains '${CERT_DOMAINS[*]}'"
-    redis-cli -h redis -a ${REDISPASS} --no-auth-warning SET ACME_FAIL_TIME "$(date +%s)"
+    redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning SET ACME_FAIL_TIME "$(date +%s)"
    exit 100${SUCCESS}
    ;;
 esac
--- a/data/Dockerfiles/clamd/clamd.sh
+++ b/data/Dockerfiles/clamd/clamd.sh
@@ -8,7 +8,7 @@ fi

 # Cleaning up garbage
 echo "Cleaning up tmp files..."
-rm -rf /var/lib/clamav/clamav-*.tmp
+rm -rf /var/lib/clamav/tmp.*

 # Prepare whitelist

--- a/data/Dockerfiles/dockerapi/main.py
+++ b/data/Dockerfiles/dockerapi/main.py
@@ -32,21 +32,21 @@ async def lifespan(app: FastAPI):

  logger.info("Init APP")

-  # Init redis client
-  if os.environ['REDIS_SLAVEOF_IP'] != "":
-    redis_client = redis = await aioredis.from_url(f"redis://{os.environ['REDIS_SLAVEOF_IP']}:{os.environ['REDIS_SLAVEOF_PORT']}/0", password=os.environ['REDISPASS'])
+  # Init valkey client
+  if os.environ['VALKEY_SLAVEOF_IP'] != "":
+    valkey_client = valkey = await aioredis.from_url(f"redis://{os.environ['VALKEY_SLAVEOF_IP']}:{os.environ['VALKEY_SLAVEOF_PORT']}/0", password=os.environ['VALKEYPASS'])
  else:
-    redis_client = redis = await aioredis.from_url("redis://redis-mailcow:6379/0", password=os.environ['REDISPASS'])
+    valkey_client = valkey = await aioredis.from_url("redis://valkey-mailcow:6379/0", password=os.environ['VALKEYPASS'])

  # Init docker clients
  sync_docker_client = docker.DockerClient(base_url='unix://var/run/docker.sock', version='auto')
  async_docker_client = aiodocker.Docker(url='unix:///var/run/docker.sock')

-  dockerapi = DockerApi(redis_client, sync_docker_client, async_docker_client, logger)
+  dockerapi = DockerApi(valkey_client, sync_docker_client, async_docker_client, logger)

-  logger.info("Subscribe to redis channel")
-  # Subscribe to redis channel
-  dockerapi.pubsub = redis.pubsub()
+  logger.info("Subscribe to valkey channel")
+  # Subscribe to valkey channel
+  dockerapi.pubsub = valkey.pubsub()
  await dockerapi.pubsub.subscribe("MC_CHANNEL")
  asyncio.create_task(handle_pubsub_messages(dockerapi.pubsub))

@@ -57,9 +57,9 @@ async def lifespan(app: FastAPI):
  dockerapi.sync_docker_client.close()
  await dockerapi.async_docker_client.close()

-  # Close redis
+  # Close valkey
  await dockerapi.pubsub.unsubscribe("MC_CHANNEL")
-  await dockerapi.redis_client.close()
+  await dockerapi.valkey_client.close()

 app = FastAPI(lifespan=lifespan)

@@ -73,11 +73,11 @@ async def get_host_update_stats():
    dockerapi.host_stats_isUpdating = True

  while True:
-    if await dockerapi.redis_client.exists('host_stats'):
+    if await dockerapi.valkey_client.exists('host_stats'):
      break
    await asyncio.sleep(1.5)

-  stats = json.loads(await dockerapi.redis_client.get('host_stats'))
+  stats = json.loads(await dockerapi.valkey_client.get('host_stats'))
  return Response(content=json.dumps(stats, indent=4), media_type="application/json")

@app.get("/containers/{container_id}/json")
@@ -185,11 +185,11 @@ async def post_container_update_stats(container_id : str):
    dockerapi.containerIds_to_update.append(container_id)

  while True:
-    if await dockerapi.redis_client.exists(container_id + '_stats'):
+    if await dockerapi.valkey_client.exists(container_id + '_stats'):
      break
    await asyncio.sleep(1.5)

-  stats = json.loads(await dockerapi.redis_client.get(container_id + '_stats'))
+  stats = json.loads(await dockerapi.valkey_client.get(container_id + '_stats'))
  return Response(content=json.dumps(stats, indent=4), media_type="application/json")


--- a/data/Dockerfiles/dockerapi/modules/DockerApi.py
+++ b/data/Dockerfiles/dockerapi/modules/DockerApi.py
@@ -10,8 +10,8 @@ from datetime import datetime
 from fastapi import FastAPI, Response, Request

 class DockerApi:
-  def __init__(self, redis_client, sync_docker_client, async_docker_client, logger):
-    self.redis_client = redis_client
+  def __init__(self, valkey_client, sync_docker_client, async_docker_client, logger):
+    self.valkey_client = valkey_client
    self.sync_docker_client = sync_docker_client
    self.async_docker_client = async_docker_client
    self.logger = logger
@@ -533,7 +533,7 @@ class DockerApi:
        "architecture": platform.machine()
      }

-      await self.redis_client.set('host_stats', json.dumps(host_stats), ex=10)
+      await self.valkey_client.set('host_stats', json.dumps(host_stats), ex=10)
    except Exception as e:
      res = {
        "type": "danger",
@@ -550,14 +550,14 @@ class DockerApi:
          if container._id == container_id:
            res = await container.stats(stream=False)

-            if await self.redis_client.exists(container_id + '_stats'):
-              stats = json.loads(await self.redis_client.get(container_id + '_stats'))
+            if await self.valkey_client.exists(container_id + '_stats'):
+              stats = json.loads(await self.valkey_client.get(container_id + '_stats'))
            else:
              stats = []
            stats.append(res[0])
            if len(stats) > 3:
              del stats[0]
-            await self.redis_client.set(container_id + '_stats', json.dumps(stats), ex=60)
+            await self.valkey_client.set(container_id + '_stats', json.dumps(stats), ex=60)
      except Exception as e:
        res = {
          "type": "danger",
--- a/data/Dockerfiles/dovecot/Dockerfile
+++ b/data/Dockerfiles/dovecot/Dockerfile
@@ -118,7 +118,7 @@ RUN addgroup -g 5000 vmail \
 COPY trim_logs.sh /usr/local/bin/trim_logs.sh
 COPY clean_q_aged.sh /usr/local/bin/clean_q_aged.sh
 COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
-COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
+COPY syslog-ng-valkey_slave.conf /etc/syslog-ng/syslog-ng-valkey_slave.conf
 COPY imapsync /usr/local/bin/imapsync
 COPY imapsync_runner.pl /usr/local/bin/imapsync_runner.pl
 COPY report-spam.sieve /usr/lib/dovecot/sieve/report-spam.sieve
--- a/data/Dockerfiles/dovecot/clean_q_aged.sh
+++ b/data/Dockerfiles/dovecot/clean_q_aged.sh
@@ -2,7 +2,7 @@

 source /source_env.sh

-MAX_AGE=$(redis-cli --raw -h redis-mailcow -a ${REDISPASS} --no-auth-warning GET Q_MAX_AGE)
+MAX_AGE=$(redis-cli --raw -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning GET Q_MAX_AGE)

 if [[ -z ${MAX_AGE} ]]; then
  echo "Max age for quarantine items not defined"
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -13,18 +13,18 @@ until dig +short mailcow.email > /dev/null; do
 done

 # Do not attempt to write to slave
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  VALKEY_CMDLINE="redis-cli -h ${VALKEY_SLAVEOF_IP} -p ${VALKEY_SLAVEOF_PORT} -a ${VALKEYPASS} --no-auth-warning"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
+  VALKEY_CMDLINE="redis-cli -h valkey-mailcow -p 6379 -a ${VALKEYPASS} --no-auth-warning"
 fi

-until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
-  echo "Waiting for Redis..."
+until [[ $(${VALKEY_CMDLINE} PING) == "PONG" ]]; do
+  echo "Waiting for Valkey..."
  sleep 2
 done

-${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
+${VALKEY_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null

 # Create missing directories
 [[ ! -d /etc/dovecot/sql/ ]] && mkdir -p /etc/dovecot/sql/
@@ -341,8 +341,8 @@ done
 # May be related to something inside Docker, I seriously don't know
 touch /etc/dovecot/auth/passwd-verify.lua

-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  cp /etc/syslog-ng/syslog-ng-valkey_slave.conf /etc/syslog-ng/syslog-ng.conf
 fi

 exec "$@"
--- a/data/Dockerfiles/dovecot/imapsync_runner.pl
+++ b/data/Dockerfiles/dovecot/imapsync_runner.pl
@@ -132,8 +132,8 @@ while ($row = $sth->fetchrow_arrayref()) {
  "--tmpdir", "/tmp",
  "--nofoldersizes",
  "--addheader",
-  ($timeout1 gt "0" ? () : ('--timeout1', $timeout1)),
-  ($timeout2 gt "0" ? () : ('--timeout2', $timeout2)),
+  ($timeout1 le "0" ? () : ('--timeout1', $timeout1)),
+  ($timeout2 le "0" ? () : ('--timeout2', $timeout2)),
  ($exclude eq "" ? () : ("--exclude", $exclude)),
  ($subfolder2 eq "" ? () : ('--subfolder2', $subfolder2)),
  ($maxage eq "0" ? () : ('--maxage', $maxage)),
--- a/data/Dockerfiles/dovecot/quarantine_notify.py
+++ b/data/Dockerfiles/dovecot/quarantine_notify.py
@@ -32,7 +32,7 @@ try:

  while True:
    try:
-      r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0, password=os.environ['REDISPASS'])
+      r = redis.StrictRedis(host='valkey-mailcow', decode_responses=True, port=6379, db=0, password=os.environ['VALKEYPASS'])
      r.ping()
    except Exception as ex:
      print('%s - trying again...'  % (ex))
--- a/data/Dockerfiles/dovecot/quota_notify.py
+++ b/data/Dockerfiles/dovecot/quota_notify.py
@@ -23,7 +23,7 @@ else:

 while True:
  try:
-    r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0, username='quota_notify', password='')
+    r = redis.StrictRedis(host='valkey-mailcow', decode_responses=True, port=6379, db=0, username='quota_notify', password='')
    r.ping()
  except Exception as ex:
    print('%s - trying again...'  % (ex))
--- a/data/Dockerfiles/dovecot/repl_health.sh
+++ b/data/Dockerfiles/dovecot/repl_health.sh
@@ -3,16 +3,16 @@
 source /source_env.sh

 # Do not attempt to write to slave
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  VALKEY_CMDLINE="redis-cli -h ${VALKEY_SLAVEOF_IP} -p ${VALKEY_SLAVEOF_PORT} -a ${VALKEYPASS} --no-auth-warning"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
+  VALKEY_CMDLINE="redis-cli -h valkey-mailcow -p 6379 -a ${VALKEYPASS} --no-auth-warning"
 fi

 # Is replication active?
 # grep on file is less expensive than doveconf
 if [ -n ${MAILCOW_REPLICA_IP} ]; then
-  ${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
+  ${VALKEY_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
  exit
 fi

@@ -22,7 +22,7 @@ FAILED_SYNCS=$(doveadm replicator status | grep "Waiting 'failed' requests" | gr
 # 1 failed job for mailcow.local is expected and healthy
 if [[ "${FAILED_SYNCS}" != 0 ]] && [[ "${FAILED_SYNCS}" != 1 ]]; then
  printf "Dovecot replicator has %d failed jobs\n" "${FAILED_SYNCS}"
-  ${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH "${FAILED_SYNCS}" > /dev/null
+  ${VALKEY_CMDLINE} SET DOVECOT_REPL_HEALTH "${FAILED_SYNCS}" > /dev/null
 else
-  ${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
+  ${VALKEY_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
 fi
--- a/data/Dockerfiles/dovecot/syslog-ng-valkey_slave.conf
+++ b/data/Dockerfiles/dovecot/syslog-ng-valkey_slave.conf
@@ -15,21 +15,21 @@ source s_dgram {
  internal();
 };
 destination d_stdout { pipe("/dev/stdout"); };
-destination d_redis_ui_log {
+destination d_valkey_ui_log {
  redis(
-    host("`REDIS_SLAVEOF_IP`")
-    persist-name("redis1")
-    port(`REDIS_SLAVEOF_PORT`)
-    auth("`REDISPASS`")
+    host("`VALKEY_SLAVEOF_IP`")
+    persist-name("valkey1")
+    port(`VALKEY_SLAVEOF_PORT`)
+    auth("`VALKEYPASS`")
    command("LPUSH" "DOVECOT_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
-destination d_redis_f2b_channel {
+destination d_valkey_f2b_channel {
  redis(
-    host("`REDIS_SLAVEOF_IP`")
-    persist-name("redis2")
-    port(`REDIS_SLAVEOF_PORT`)
-    auth("`REDISPASS`")
+    host("`VALKEY_SLAVEOF_IP`")
+    persist-name("valkey2")
+    port(`VALKEY_SLAVEOF_PORT`)
+    auth("`VALKEYPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
@@ -48,6 +48,6 @@ log {
  filter(f_replica);
  destination(d_stdout);
  filter(f_mail);
-  destination(d_redis_ui_log);
-  destination(d_redis_f2b_channel);
+  destination(d_valkey_ui_log);
+  destination(d_valkey_f2b_channel);
 };
--- a/data/Dockerfiles/dovecot/syslog-ng.conf
+++ b/data/Dockerfiles/dovecot/syslog-ng.conf
@@ -15,21 +15,21 @@ source s_dgram {
  internal();
 };
 destination d_stdout { pipe("/dev/stdout"); };
-destination d_redis_ui_log {
+destination d_valkey_ui_log {
  redis(
-    host("redis-mailcow")
-    persist-name("redis1")
+    host("valkey-mailcow")
+    persist-name("valkey1")
    port(6379)
-    auth("`REDISPASS`")
+    auth("`VALKEYPASS`")
    command("LPUSH" "DOVECOT_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
-destination d_redis_f2b_channel {
+destination d_valkey_f2b_channel {
  redis(
-    host("redis-mailcow")
-    persist-name("redis2")
+    host("valkey-mailcow")
+    persist-name("valkey2")
    port(6379)
-    auth("`REDISPASS`")
+    auth("`VALKEYPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
@@ -48,6 +48,6 @@ log {
  filter(f_replica);
  destination(d_stdout);
  filter(f_mail);
-  destination(d_redis_ui_log);
-  destination(d_redis_f2b_channel);
+  destination(d_valkey_ui_log);
+  destination(d_valkey_f2b_channel);
 };
--- a/data/Dockerfiles/dovecot/trim_logs.sh
+++ b/data/Dockerfiles/dovecot/trim_logs.sh
@@ -9,18 +9,17 @@ catch_non_zero() {
 }
 source /source_env.sh
 # Do not attempt to write to slave
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  VALKEY_CMDLINE="redis-cli -h ${VALKEY_SLAVEOF_IP} -p ${VALKEY_SLAVEOF_PORT} -a ${VALKEYPASS} --no-auth-warning"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
+  VALKEY_CMDLINE="redis-cli -h valkey-mailcow -p 6379 -a ${VALKEYPASS} --no-auth-warning"
 fi
-catch_non_zero "${REDIS_CMDLINE} LTRIM ACME_LOG 0 ${LOG_LINES}"
-catch_non_zero "${REDIS_CMDLINE} LTRIM POSTFIX_MAILLOG 0 ${LOG_LINES}"
-catch_non_zero "${REDIS_CMDLINE} LTRIM DOVECOT_MAILLOG 0 ${LOG_LINES}"
-catch_non_zero "${REDIS_CMDLINE} LTRIM SOGO_LOG 0 ${LOG_LINES}"
-catch_non_zero "${REDIS_CMDLINE} LTRIM NETFILTER_LOG 0 ${LOG_LINES}"
-catch_non_zero "${REDIS_CMDLINE} LTRIM AUTODISCOVER_LOG 0 ${LOG_LINES}"
-catch_non_zero "${REDIS_CMDLINE} LTRIM API_LOG 0 ${LOG_LINES}"
-catch_non_zero "${REDIS_CMDLINE} LTRIM RL_LOG 0 ${LOG_LINES}"
-catch_non_zero "${REDIS_CMDLINE} LTRIM WATCHDOG_LOG 0 ${LOG_LINES}"
-catch_non_zero "${REDIS_CMDLINE} LTRIM CRON_LOG 0 ${LOG_LINES}"
+catch_non_zero "${VALKEY_CMDLINE} LTRIM ACME_LOG 0 ${LOG_LINES}"
+catch_non_zero "${VALKEY_CMDLINE} LTRIM POSTFIX_MAILLOG 0 ${LOG_LINES}"
+catch_non_zero "${VALKEY_CMDLINE} LTRIM DOVECOT_MAILLOG 0 ${LOG_LINES}"
+catch_non_zero "${VALKEY_CMDLINE} LTRIM SOGO_LOG 0 ${LOG_LINES}"
+catch_non_zero "${VALKEY_CMDLINE} LTRIM NETFILTER_LOG 0 ${LOG_LINES}"
+catch_non_zero "${VALKEY_CMDLINE} LTRIM AUTODISCOVER_LOG 0 ${LOG_LINES}"
+catch_non_zero "${VALKEY_CMDLINE} LTRIM API_LOG 0 ${LOG_LINES}"
+catch_non_zero "${VALKEY_CMDLINE} LTRIM RL_LOG 0 ${LOG_LINES}"
+catch_non_zero "${VALKEY_CMDLINE} LTRIM WATCHDOG_LOG 0 ${LOG_LINES}"
--- a/data/Dockerfiles/netfilter/docker-entrypoint.sh
+++ b/data/Dockerfiles/netfilter/docker-entrypoint.sh
@@ -1,6 +1,6 @@
 #!/bin/sh

-backend=iptables
+backend=nftables

 nft list table ip filter &>/dev/null
 nftables_found=$?
--- a/data/Dockerfiles/netfilter/main.py
+++ b/data/Dockerfiles/netfilter/main.py
@@ -44,25 +44,24 @@ def refreshF2boptions():
  global exit_code
  f2boptions = {}

-  if not r.get('F2B_OPTIONS'):
-    f2boptions['ban_time'] = r.get('F2B_BAN_TIME')
-    f2boptions['max_ban_time'] = r.get('F2B_MAX_BAN_TIME')
-    f2boptions['ban_time_increment'] = r.get('F2B_BAN_TIME_INCREMENT')
-    f2boptions['max_attempts'] = r.get('F2B_MAX_ATTEMPTS')
-    f2boptions['retry_window'] = r.get('F2B_RETRY_WINDOW')
-    f2boptions['netban_ipv4'] = r.get('F2B_NETBAN_IPV4')
-    f2boptions['netban_ipv6'] = r.get('F2B_NETBAN_IPV6')
+  if not valkey.get('F2B_OPTIONS'):
+    f2boptions['ban_time'] = valkey.get('F2B_BAN_TIME')
+    f2boptions['max_ban_time'] = valkey.get('F2B_MAX_BAN_TIME')
+    f2boptions['ban_time_increment'] = valkey.get('F2B_BAN_TIME_INCREMENT')
+    f2boptions['max_attempts'] = valkey.get('F2B_MAX_ATTEMPTS')
+    f2boptions['retry_window'] = valkey.get('F2B_RETRY_WINDOW')
+    f2boptions['netban_ipv4'] = valkey.get('F2B_NETBAN_IPV4')
+    f2boptions['netban_ipv6'] = valkey.get('F2B_NETBAN_IPV6')
  else:
    try:
-      f2boptions = json.loads(r.get('F2B_OPTIONS'))
-    except ValueError as e:
-      logger.logCrit(
-        'Error loading F2B options: F2B_OPTIONS is not json. Exception: %s' % e)
+      f2boptions = json.loads(valkey.get('F2B_OPTIONS'))
+    except ValueError:
+      logger.logCrit('Error loading F2B options: F2B_OPTIONS is not json')
      quit_now = True
      exit_code = 2

  verifyF2boptions(f2boptions)
-  r.set('F2B_OPTIONS', json.dumps(f2boptions, ensure_ascii=False))
+  valkey.set('F2B_OPTIONS', json.dumps(f2boptions, ensure_ascii=False))

 def verifyF2boptions(f2boptions):
  verifyF2boption(f2boptions, 'ban_time', 1800)
@@ -82,7 +81,7 @@ def refreshF2bregex():
  global f2bregex
  global quit_now
  global exit_code
-  if not r.get('F2B_REGEX'):
+  if not valkey.get('F2B_REGEX'):
    f2bregex = {}
    f2bregex[1] = r'mailcow UI: Invalid password for .+ by ([0-9a-f\.:]+)'
    f2bregex[2] = r'Rspamd UI: Invalid password by ([0-9a-f\.:]+)'
@@ -93,11 +92,11 @@ def refreshF2bregex():
    f2bregex[7] = r'\w+\([^,]+,([0-9a-f\.:]+),<[^>]+>\): unknown user \(SHA1 of given password: [a-f0-9]+\)'
    f2bregex[8] = r'SOGo.+ Login from \'([0-9a-f\.:]+)\' for user .+ might not have worked'
    f2bregex[9] = r'([0-9a-f\.:]+) \"GET \/SOGo\/.* HTTP.+\" 403 .+'
-    r.set('F2B_REGEX', json.dumps(f2bregex, ensure_ascii=False))
+    valkey.set('F2B_REGEX', json.dumps(f2bregex, ensure_ascii=False))
  else:
    try:
      f2bregex = {}
-      f2bregex = json.loads(r.get('F2B_REGEX'))
+      f2bregex = json.loads(valkey.get('F2B_REGEX'))
    except ValueError:
      logger.logCrit('Error loading F2B options: F2B_REGEX is not json')
      quit_now = True
@@ -176,7 +175,7 @@ def ban(address):

    logdebug("Updating F2B_ACTIVE_BANS[%s]=%d" %
              (net, cur_time + NET_BAN_TIME))
-    r.hset('F2B_ACTIVE_BANS', '%s' % net, cur_time + NET_BAN_TIME)
+    valkey.hset('F2B_ACTIVE_BANS', '%s' % net, cur_time + NET_BAN_TIME)
  else:
    logger.logWarn('%d more attempts in the next %d seconds until %s is banned' % (
      MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net))
@@ -187,7 +186,7 @@ def unban(net):
  if not net in bans:
    logger.logInfo(
      '%s is not banned, skipping unban and deleting from queue (if any)' % net)
-    r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
+    valkey.hdel('F2B_QUEUE_UNBAN', '%s' % net)
    return
  logger.logInfo('Unbanning %s' % net)
  if type(ipaddress.ip_network(net)) is ipaddress.IPv4Network:
@@ -198,8 +197,8 @@ def unban(net):
    with lock:
      logdebug("Calling tables.unbanIPv6(%s)" % net)
      tables.unbanIPv6(net)
-  r.hdel('F2B_ACTIVE_BANS', '%s' % net)
-  r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
+  valkey.hdel('F2B_ACTIVE_BANS', '%s' % net)
+  valkey.hdel('F2B_QUEUE_UNBAN', '%s' % net)
  if net in bans:
    logdebug("Unban for %s, setting attempts=0, ban_counter+=1" % net)
    bans[net]['attempts'] = 0
@@ -226,10 +225,10 @@ def permBan(net, unban=False):


  if is_unbanned:
-    r.hdel('F2B_PERM_BANS', '%s' % net)
+    valkey.hdel('F2B_PERM_BANS', '%s' % net)
    logger.logCrit('Removed host/network %s from denylist' % net)
  elif is_banned:
-    r.hset('F2B_PERM_BANS', '%s' % net, int(round(time.time())))
+    valkey.hset('F2B_PERM_BANS', '%s' % net, int(round(time.time())))
    logger.logCrit('Added host/network %s to denylist' % net)

 def clear():
@@ -244,17 +243,17 @@ def clear():
    tables.clearIPv6Table()
    try:
      if r is not None:
-        r.delete('F2B_ACTIVE_BANS')
-        r.delete('F2B_PERM_BANS')
+        valkey.delete('F2B_ACTIVE_BANS')
+        valkey.delete('F2B_PERM_BANS')
    except Exception as ex:
-      logger.logWarn('Error clearing redis keys F2B_ACTIVE_BANS and F2B_PERM_BANS: %s' % ex)
+      logger.logWarn('Error clearing valkey keys F2B_ACTIVE_BANS and F2B_PERM_BANS: %s' % ex)

 def watch():
  global pubsub
  global quit_now
  global exit_code

-  logger.logInfo('Watching Redis channel F2B_CHANNEL')
+  logger.logInfo('Watching Valkey channel F2B_CHANNEL')
  pubsub.subscribe('F2B_CHANNEL')

  while not quit_now:
@@ -306,7 +305,7 @@ def autopurge():
    time.sleep(10)
    refreshF2boptions()
    MAX_ATTEMPTS = int(f2boptions['max_attempts'])
-    QUEUE_UNBAN = r.hgetall('F2B_QUEUE_UNBAN')
+    QUEUE_UNBAN = valkey.hgetall('F2B_QUEUE_UNBAN')
    logdebug("QUEUE_UNBAN: %s" % QUEUE_UNBAN)
    if QUEUE_UNBAN:
      for net in QUEUE_UNBAN:
@@ -391,7 +390,7 @@ def whitelistUpdate():
  global WHITELIST
  while not quit_now:
    start_time = time.time()
-    list = r.hgetall('F2B_WHITELIST')
+    list = valkey.hgetall('F2B_WHITELIST')
    new_whitelist = []
    if list:
      new_whitelist = genNetworkList(list)
@@ -406,7 +405,7 @@ def blacklistUpdate():
  global BLACKLIST
  while not quit_now:
    start_time = time.time()
-    list = r.hgetall('F2B_BLACKLIST')
+    list = valkey.hgetall('F2B_BLACKLIST')
    new_blacklist = []
    if list:
      new_blacklist = genNetworkList(list)
@@ -449,6 +448,11 @@ if __name__ == '__main__':
    tables = NFTables(chain_name, logger)
  else:
    logger.logInfo('Using IPTables backend')
+    logger.logWarn(
+        "DEPRECATION: iptables-legacy is deprecated and will be removed in future releases. "
+        "Please switch to nftables on your host to ensure complete compatibility."
+    )
+    time.sleep(5)
    tables = IPTables(chain_name, logger)

  clear()
@@ -462,35 +466,35 @@ if __name__ == '__main__':
    logger.logInfo(f"Setting {chain_name} isolation")
    tables.create_mailcow_isolation_rule("br-mailcow", [3306, 6379, 8983, 12345], os.getenv("MAILCOW_REPLICA_IP"))

-  # connect to redis
+  # connect to valkey
  while True:
    try:
-      redis_slaveof_ip = os.getenv('REDIS_SLAVEOF_IP', '')
-      redis_slaveof_port = os.getenv('REDIS_SLAVEOF_PORT', '')
+      valkey_slaveof_ip = os.getenv('VALKEY_SLAVEOF_IP', '')
+      valkey_slaveof_port = os.getenv('VALKEY_SLAVEOF_PORT', '')
      logdebug(
-        "Connecting redis (SLAVEOF_IP:%s, PORT:%s)" % (redis_slaveof_ip, redis_slaveof_port))
-      if "".__eq__(redis_slaveof_ip):
-        r = redis.StrictRedis(
-          host=os.getenv('IPV4_NETWORK', '172.22.1') + '.249', decode_responses=True, port=6379, db=0, password=os.environ['REDISPASS'])
+        "Connecting valkey (SLAVEOF_IP:%s, PORT:%s)" % (valkey_slaveof_ip, valkey_slaveof_port))
+      if "".__eq__(valkey_slaveof_ip):
+        valkey = redis.StrictRedis(
+          host=os.getenv('IPV4_NETWORK', '172.22.1') + '.249', decode_responses=True, port=6379, db=0, password=os.environ['VALKEYPASS'])
      else:
-        r = redis.StrictRedis(
-          host=redis_slaveof_ip, decode_responses=True, port=redis_slaveof_port, db=0, password=os.environ['REDISPASS'])
-      r.ping()
-      pubsub = r.pubsub()
+        valkey = redis.StrictRedis(
+          host=valkey_slaveof_ip, decode_responses=True, port=valkey_slaveof_port, db=0, password=os.environ['VALKEYPASS'])
+      valkey.ping()
+      pubsub = valkey.pubsub()
    except Exception as ex:
      logdebug(
        'Redis connection failed: %s - trying again in 3 seconds' % (ex))
      time.sleep(3)
    else:
      break
-  logger.set_redis(r)
-  logdebug("Redis connection established, setting up F2B keys")
+  logger.set_valkey(valkey)
+  logdebug("Valkey connection established, setting up F2B keys")

-  if r.exists('F2B_LOG'):
+  if valkey.exists('F2B_LOG'):
    logdebug("Renaming F2B_LOG to NETFILTER_LOG")
-    r.rename('F2B_LOG', 'NETFILTER_LOG')
-  r.delete('F2B_ACTIVE_BANS')
-  r.delete('F2B_PERM_BANS')
+    valkey.rename('F2B_LOG', 'NETFILTER_LOG')
+  valkey.delete('F2B_ACTIVE_BANS')
+  valkey.delete('F2B_PERM_BANS')

  refreshF2boptions()

--- a/data/Dockerfiles/netfilter/modules/Logger.py
+++ b/data/Dockerfiles/netfilter/modules/Logger.py
@@ -1,24 +1,36 @@
 import time
 import json
+import datetime

 class Logger:
  def __init__(self):
-    self.r = None
+    self.valkey = None

-  def set_redis(self, redis):
-    self.r = redis
+  def set_valkey(self, valkey):
+    self.valkey = valkey
+
+  def _format_timestamp(self):
+    # Local time with milliseconds
+    return datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")

  def log(self, priority, message):
-    tolog = {}
-    tolog['time'] = int(round(time.time()))
-    tolog['priority'] = priority
-    tolog['message'] = message
-    print(message)
-    if self.r is not None:
+    # build valkey-friendly dict
+    tolog = {
+      'time': int(round(time.time())),  # keep raw timestamp for Valkey
+      'priority': priority,
+      'message': message
+    }
+
+    # print human-readable message with timestamp
+    ts = self._format_timestamp()
+    print(f"{ts} {priority.upper()}: {message}", flush=True)
+
+    # also push JSON to Redis if connected
+    if self.valkey is not None:
      try:
-        self.r.lpush('NETFILTER_LOG', json.dumps(tolog, ensure_ascii=False))
+        self.valkey.lpush('NETFILTER_LOG', json.dumps(tolog, ensure_ascii=False))
      except Exception as ex:
-        print('Failed logging to redis: %s'  % (ex))
+        print(f'{ts} WARN: Failed logging to valkey: {ex}', flush=True)

  def logWarn(self, message):
    self.log('warn', message)
@@ -27,4 +39,4 @@ class Logger:
    self.log('crit', message)

  def logInfo(self, message):
-    self.log('info', message)
+    self.log('info', message)
--- a/data/Dockerfiles/nginx/bootstrap.py
+++ b/data/Dockerfiles/nginx/bootstrap.py
@@ -10,7 +10,7 @@ def includes_conf(env, template_vars):
  server_name_config = f"server_name {template_vars['MAILCOW_HOSTNAME']} autodiscover.* autoconfig.* {' '.join(template_vars['ADDITIONAL_SERVER_NAMES'])};"
  listen_plain_config = f"listen {template_vars['HTTP_PORT']};"
  listen_ssl_config = f"listen {template_vars['HTTPS_PORT']};"
-  if not template_vars['ENABLE_IPV6']:
+  if template_vars['ENABLE_IPV6']:
    listen_plain_config += f"\nlisten [::]:{template_vars['HTTP_PORT']};"
    listen_ssl_config += f"\nlisten [::]:{template_vars['HTTPS_PORT']} ssl;"
  listen_ssl_config += "\nhttp2 on;"
--- a/data/Dockerfiles/phpfpm/docker-entrypoint.sh
+++ b/data/Dockerfiles/phpfpm/docker-entrypoint.sh
@@ -9,24 +9,24 @@ while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u
 done

 # Do not attempt to write to slave
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_HOST=$REDIS_SLAVEOF_IP
-  REDIS_PORT=$REDIS_SLAVEOF_PORT
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  VALKEY_HOST=$VALKEY_SLAVEOF_IP
+  VALKEY_PORT=$VALKEY_SLAVEOF_PORT
 else
-  REDIS_HOST="redis"
-  REDIS_PORT="6379"
+  VALKEY_HOST="valkey-mailcow"
+  VALKEY_PORT="6379"
 fi
-REDIS_CMDLINE="redis-cli -h ${REDIS_HOST} -p ${REDIS_PORT} -a ${REDISPASS} --no-auth-warning"
+VALKEY_CMDLINE="redis-cli -h ${VALKEY_HOST} -p ${VALKEY_PORT} -a ${VALKEYPASS} --no-auth-warning"

-until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
-  echo "Waiting for Redis..."
+until [[ $(${VALKEY_CMDLINE} PING) == "PONG" ]]; do
+  echo "Waiting for Valkey..."
  sleep 2
 done

-# Set redis session store
+# Set valkey session store
 echo -n '
 session.save_handler = redis
-session.save_path = "tcp://'${REDIS_HOST}':'${REDIS_PORT}'?auth='${REDISPASS}'"
+session.save_path = "tcp://'${VALKEY_HOST}':'${VALKEY_PORT}'?auth='${VALKEYPASS}'"
 ' > /usr/local/etc/php/conf.d/session_store.ini

 # Check mysql_upgrade (master and slave)
@@ -91,22 +91,22 @@ fi
 if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
  echo "We are master, preparing..."
  # Set a default release format
-  if [[ -z $(${REDIS_CMDLINE} --raw GET Q_RELEASE_FORMAT) ]]; then
-    ${REDIS_CMDLINE} --raw SET Q_RELEASE_FORMAT raw
+  if [[ -z $(${VALKEY_CMDLINE} --raw GET Q_RELEASE_FORMAT) ]]; then
+    ${VALKEY_CMDLINE} --raw SET Q_RELEASE_FORMAT raw
  fi

  # Set max age of q items - if unset
-  if [[ -z $(${REDIS_CMDLINE} --raw GET Q_MAX_AGE) ]]; then
-    ${REDIS_CMDLINE} --raw SET Q_MAX_AGE 365
+  if [[ -z $(${VALKEY_CMDLINE} --raw GET Q_MAX_AGE) ]]; then
+    ${VALKEY_CMDLINE} --raw SET Q_MAX_AGE 365
  fi

  # Set default password policy - if unset
-  if [[ -z $(${REDIS_CMDLINE} --raw HGET PASSWD_POLICY length) ]]; then
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY length 6
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY chars 0
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY special_chars 0
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY lowerupper 0
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY numbers 0
+  if [[ -z $(${VALKEY_CMDLINE} --raw HGET PASSWD_POLICY length) ]]; then
+    ${VALKEY_CMDLINE} --raw HSET PASSWD_POLICY length 6
+    ${VALKEY_CMDLINE} --raw HSET PASSWD_POLICY chars 0
+    ${VALKEY_CMDLINE} --raw HSET PASSWD_POLICY special_chars 0
+    ${VALKEY_CMDLINE} --raw HSET PASSWD_POLICY lowerupper 0
+    ${VALKEY_CMDLINE} --raw HSET PASSWD_POLICY numbers 0
  fi

  # Trigger db init
@@ -114,9 +114,9 @@ if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
  php -c /usr/local/etc/php -f /web/inc/init_db.inc.php

  # Recreating domain map
-  echo "Rebuilding domain map in Redis..."
+  echo "Rebuilding domain map in Valkey..."
  declare -a DOMAIN_ARR
-    ${REDIS_CMDLINE} DEL DOMAIN_MAP > /dev/null
+    ${VALKEY_CMDLINE} DEL DOMAIN_MAP > /dev/null
  while read line
  do
    DOMAIN_ARR+=("$line")
@@ -128,7 +128,7 @@ if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then

  if [[ ! -z ${DOMAIN_ARR} ]]; then
  for domain in "${DOMAIN_ARR[@]}"; do
-    ${REDIS_CMDLINE} HSET DOMAIN_MAP ${domain} 1 > /dev/null
+    ${VALKEY_CMDLINE} HSET DOMAIN_MAP ${domain} 1 > /dev/null
  done
  fi

--- a/data/Dockerfiles/postfix-tlspol/Dockerfile
+++ b/data/Dockerfiles/postfix-tlspol/Dockerfile
@@ -3,6 +3,7 @@ WORKDIR /src

 ENV CGO_ENABLED=0 \
    GO111MODULE=on \
+		NOOPT=1 \
    VERSION=1.8.14

 RUN git clone --branch v${VERSION} https://github.com/Zuplu/postfix-tlspol && \
@@ -33,7 +34,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \

 COPY supervisord.conf /etc/supervisor/supervisord.conf
 COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
-COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
+COPY syslog-ng-valkey_slave.conf /etc/syslog-ng/syslog-ng-valkey_slave.conf
 COPY postfix-tlspol.sh /opt/postfix-tlspol.sh
 COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
 COPY docker-entrypoint.sh /docker-entrypoint.sh
--- a/data/Dockerfiles/postfix-tlspol/docker-entrypoint.sh
+++ b/data/Dockerfiles/postfix-tlspol/docker-entrypoint.sh
@@ -1,7 +1,7 @@
 #!/bin/bash

-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  cp /etc/syslog-ng/syslog-ng-valkey_slave.conf /etc/syslog-ng/syslog-ng.conf
 fi

 exec "$@"
--- a/data/Dockerfiles/postfix-tlspol/postfix-tlspol.sh
+++ b/data/Dockerfiles/postfix-tlspol/postfix-tlspol.sh
@@ -17,14 +17,14 @@ until dig +short mailcow.email > /dev/null; do
 done

 # Do not attempt to write to slave
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  export REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  export VALKEY_CMDLINE="redis-cli -h ${VALKEY_SLAVEOF_IP} -p ${VALKEY_SLAVEOF_PORT} -a ${VALKEYPASS} --no-auth-warning"
 else
-  export REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
+  export VALKEY_CMDLINE="redis-cli -h valkey -p 6379 -a ${VALKEYPASS} --no-auth-warning"
 fi

-until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
-  echo "Waiting for Redis..."
+until [[ $(${VALKEY_CMDLINE} PING) == "PONG" ]]; do
+  echo "Waiting for Valkey..."
  sleep 2
 done

--- a/data/Dockerfiles/postfix-tlspol/syslog-ng-valkey_slave.conf
+++ b/data/Dockerfiles/postfix-tlspol/syslog-ng-valkey_slave.conf
@@ -15,12 +15,12 @@ source s_src {
  internal();
 };
 destination d_stdout { pipe("/dev/stdout"); };
-destination d_redis_ui_log {
+destination d_valkey_ui_log {
  redis(
-    host("`REDIS_SLAVEOF_IP`")
-    persist-name("redis1")
-    port(`REDIS_SLAVEOF_PORT`)
-    auth("`REDISPASS`")
+    host("`VALKEY_SLAVEOF_IP`")
+    persist-name("valkey1")
+    port(`VALKEY_SLAVEOF_PORT`)
+    auth("`VALKEYPASS`")
    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -41,5 +41,5 @@ log {
  filter(f_ignore);
  destination(d_stdout);
  filter(f_mail);
-  destination(d_redis_ui_log);
+  destination(d_valkey_ui_log);
 };
--- a/data/Dockerfiles/postfix-tlspol/syslog-ng.conf
+++ b/data/Dockerfiles/postfix-tlspol/syslog-ng.conf
@@ -15,12 +15,12 @@ source s_src {
  internal();
 };
 destination d_stdout { pipe("/dev/stdout"); };
-destination d_redis_ui_log {
+destination d_valkey_ui_log {
  redis(
-    host("redis-mailcow")
-    persist-name("redis1")
+    host("valkey-mailcow")
+    persist-name("valkey1")
    port(6379)
-    auth("`REDISPASS`")
+    auth("`VALKEYPASS`")
    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -41,5 +41,5 @@ log {
  filter(f_ignore);
  destination(d_stdout);
  filter(f_mail);
-  destination(d_redis_ui_log);
+  destination(d_valkey_ui_log);
 };
--- a/data/Dockerfiles/postfix/Dockerfile
+++ b/data/Dockerfiles/postfix/Dockerfile
@@ -41,7 +41,7 @@ RUN groupadd -g 102 postfix \

 COPY supervisord.conf /etc/supervisor/supervisord.conf
 COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
-COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
+COPY syslog-ng-valkey_slave.conf /etc/syslog-ng/syslog-ng-valkey_slave.conf
 COPY postfix.sh /opt/postfix.sh
 COPY rspamd-pipe-ham /usr/local/bin/rspamd-pipe-ham
 COPY rspamd-pipe-spam /usr/local/bin/rspamd-pipe-spam
--- a/data/Dockerfiles/postfix/docker-entrypoint.sh
+++ b/data/Dockerfiles/postfix/docker-entrypoint.sh
@@ -8,8 +8,8 @@ for file in /hooks/*; do
  fi
 done

-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  cp /etc/syslog-ng/syslog-ng-valkey_slave.conf /etc/syslog-ng/syslog-ng.conf
 fi

 # Fix OpenSSL 3.X TLS1.0, 1.1 support (https://community.mailcow.email/d/4062-hi-all/20)
@@ -21,6 +21,6 @@ if grep -qE '\!SSLv2|\!SSLv3|>=TLSv1(\.[0-1])?$' /opt/postfix/conf/main.cf /opt/
    echo "[tls_system_default]" >> /etc/ssl/openssl.cnf
    echo "MinProtocol = TLSv1" >> /etc/ssl/openssl.cnf
    echo "CipherString = DEFAULT@SECLEVEL=0" >> /etc/ssl/openssl.cnf
-fi  
+fi

 exec "$@"
--- a/data/Dockerfiles/postfix/syslog-ng-valkey_slave.conf
+++ b/data/Dockerfiles/postfix/syslog-ng-valkey_slave.conf
@@ -15,21 +15,21 @@ source s_src {
  internal();
 };
 destination d_stdout { pipe("/dev/stdout"); };
-destination d_redis_ui_log {
+destination d_valkey_ui_log {
  redis(
-    host("`REDIS_SLAVEOF_IP`")
-    persist-name("redis1")
-    port(`REDIS_SLAVEOF_PORT`)
-    auth("`REDISPASS`")
+    host("`VALKEY_SLAVEOF_IP`")
+    persist-name("valkey1")
+    port(`VALKEY_SLAVEOF_PORT`)
+    auth("`VALKEYPASS`")
    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
-destination d_redis_f2b_channel {
+destination d_valkey_f2b_channel {
  redis(
-    host("`REDIS_SLAVEOF_IP`")
-    persist-name("redis2")
-    port(`REDIS_SLAVEOF_PORT`)
-    auth("`REDISPASS`")
+    host("`VALKEY_SLAVEOF_IP`")
+    persist-name("valkey2")
+    port(`VALKEY_SLAVEOF_PORT`)
+    auth("`VALKEYPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
@@ -50,6 +50,6 @@ log {
  filter(f_ignore);
  destination(d_stdout);
  filter(f_mail);
-  destination(d_redis_ui_log);
-  destination(d_redis_f2b_channel);
+  destination(d_valkey_ui_log);
+  destination(d_valkey_f2b_channel);
 };
--- a/data/Dockerfiles/postfix/syslog-ng.conf
+++ b/data/Dockerfiles/postfix/syslog-ng.conf
@@ -15,21 +15,21 @@ source s_src {
  internal();
 };
 destination d_stdout { pipe("/dev/stdout"); };
-destination d_redis_ui_log {
+destination d_valkey_ui_log {
  redis(
-    host("redis-mailcow")
-    persist-name("redis1")
+    host("valkey-mailcow")
+    persist-name("valkey1")
    port(6379)
-    auth("`REDISPASS`")
+    auth("`VALKEYPASS`")
    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
-destination d_redis_f2b_channel {
+destination d_valkey_f2b_channel {
  redis(
-    host("redis-mailcow")
-    persist-name("redis2")
+    host("valkey-mailcow")
+    persist-name("valkey2")
    port(6379)
-    auth("`REDISPASS`")
+    auth("`VALKEYPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
@@ -50,6 +50,6 @@ log {
  filter(f_ignore);
  destination(d_stdout);
  filter(f_mail);
-  destination(d_redis_ui_log);
-  destination(d_redis_f2b_channel);
+  destination(d_valkey_ui_log);
+  destination(d_valkey_f2b_channel);
 };
--- a/data/Dockerfiles/rspamd/docker-entrypoint.sh
+++ b/data/Dockerfiles/rspamd/docker-entrypoint.sh
@@ -52,33 +52,33 @@ if [[ ! -z ${RSPAMD_V6} ]]; then
  echo ${RSPAMD_V6}/128 >> /etc/rspamd/custom/rspamd_trusted.map
 fi

-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
  cat <<EOF > /etc/rspamd/local.d/redis.conf
-read_servers = "redis:6379";
-write_servers = "${REDIS_SLAVEOF_IP}:${REDIS_SLAVEOF_PORT}";
-password = "${REDISPASS}";
+read_servers = "valkey-mailcow:6379";
+write_servers = "${VALKEY_SLAVEOF_IP}:${VALKEY_SLAVEOF_PORT}";
+password = "${VALKEYPASS}";
 timeout = 10;
 EOF
-  until [[ $(redis-cli -h redis-mailcow -a ${REDISPASS} --no-auth-warning PING) == "PONG" ]]; do
-    echo "Waiting for Redis @redis-mailcow..."
+  until [[ $(redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning PING) == "PONG" ]]; do
+    echo "Waiting for Valkey @valkey-mailcow..."
    sleep 2
  done
-  until [[ $(redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning PING) == "PONG" ]]; do
-    echo "Waiting for Redis @${REDIS_SLAVEOF_IP}..."
+  until [[ $(redis-cli -h ${VALKEY_SLAVEOF_IP} -p ${VALKEY_SLAVEOF_PORT} -a ${VALKEYPASS} --no-auth-warning PING) == "PONG" ]]; do
+    echo "Waiting for Valkey @${VALKEY_SLAVEOF_IP}..."
    sleep 2
  done
-  redis-cli -h redis-mailcow -a ${REDISPASS} --no-auth-warning SLAVEOF ${REDIS_SLAVEOF_IP} ${REDIS_SLAVEOF_PORT}
+  redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning SLAVEOF ${VALKEY_SLAVEOF_IP} ${VALKEY_SLAVEOF_PORT}
 else
  cat <<EOF > /etc/rspamd/local.d/redis.conf
-servers = "redis:6379";
-password = "${REDISPASS}";
+servers = "valkey-mailcow:6379";
+password = "${VALKEYPASS}";
 timeout = 10;
 EOF
-  until [[ $(redis-cli -h redis-mailcow -a ${REDISPASS} --no-auth-warning PING) == "PONG" ]]; do
-    echo "Waiting for Redis slave..."
+  until [[ $(redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning PING) == "PONG" ]]; do
+    echo "Waiting for Valkey slave..."
    sleep 2
  done
-  redis-cli -h redis-mailcow -a ${REDISPASS} --no-auth-warning SLAVEOF NO ONE
+  redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning SLAVEOF NO ONE
 fi

 if [[ "${SKIP_OLEFY}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
@@ -86,7 +86,8 @@ if [[ "${SKIP_OLEFY}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
    rm /etc/rspamd/local.d/external_services.conf
  fi
 else
-  cat <<EOF > /etc/rspamd/local.d/external_services.conf
+  if [[ ! -f /etc/rspamd/local.d/external_services.conf ]]; then
+    cat <<EOF > /etc/rspamd/local.d/external_services.conf
 oletools {
  # default olefy settings
  servers = "olefy:10055";
@@ -100,6 +101,7 @@ oletools {
  retransmits = 1;
 }
 EOF
+  fi
 fi

 # Provide additional lua modules
--- a/data/Dockerfiles/sogo/Dockerfile
+++ b/data/Dockerfiles/sogo/Dockerfile
@@ -44,7 +44,7 @@ RUN echo "Building from repository $SOGO_DEBIAN_REPOSITORY" \

 COPY ./bootstrap-sogo.sh /bootstrap-sogo.sh
 COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
-COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
+COPY syslog-ng-valkey_slave.conf /etc/syslog-ng/syslog-ng-valkey_slave.conf
 COPY supervisord.conf /etc/supervisor/supervisord.conf
 COPY acl.diff /acl.diff
 COPY navMailcowBtns.diff /navMailcowBtns.diff
--- a/data/Dockerfiles/sogo/bootstrap-sogo.sh
+++ b/data/Dockerfiles/sogo/bootstrap-sogo.sh
@@ -24,6 +24,10 @@ while [[ "${DBV_NOW}" != "${DBV_NEW}" ]]; do
 done
 echo "DB schema is ${DBV_NOW}"

+if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+  mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TRIGGER IF EXISTS sogo_update_password"
+fi
+
 # cat /dev/urandom seems to hang here occasionally and is not recommended anyway, better use openssl
 RAND_PASS=$(openssl rand -base64 16 | tr -dc _A-Z-a-z-0-9)

@@ -46,6 +50,10 @@ cat <<EOF > /var/lib/sogo/GNUstep/Defaults/sogod.plist
    <string>YES</string>
    <key>SOGoEncryptionKey</key>
    <string>${RAND_PASS}</string>
+    <key>SOGoURLEncryptionEnabled</key>
+    <string>YES</string>
+    <key>SOGoURLEncryptionPassphrase</key>
+    <string>${SOGO_URL_ENCRYPTION_KEY}</string>
    <key>OCSAdminURL</key>
    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_admin</string>
    <key>OCSCacheFolderURL</key>
--- a/data/Dockerfiles/sogo/docker-entrypoint.sh
+++ b/data/Dockerfiles/sogo/docker-entrypoint.sh
@@ -6,8 +6,8 @@ if [[ "${SKIP_SOGO}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
  exit 0
 fi

-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  cp /etc/syslog-ng/syslog-ng-valkey_slave.conf /etc/syslog-ng/syslog-ng.conf
 fi

 echo "$TZ" > /etc/timezone
--- a/data/Dockerfiles/sogo/syslog-ng-valkey_slave.conf
+++ b/data/Dockerfiles/sogo/syslog-ng-valkey_slave.conf
@@ -17,28 +17,28 @@ source s_sogo {
  pipe("/dev/sogo_log" owner(sogo) group(sogo));
 };
 destination d_stdout { pipe("/dev/stdout"); };
-destination d_redis_ui_log {
+destination d_valkey_ui_log {
  redis(
-    host("`REDIS_SLAVEOF_IP`")
-    persist-name("redis1")
-    port(`REDIS_SLAVEOF_PORT`)
-    auth("`REDISPASS`")
+    host("`VALKEY_SLAVEOF_IP`")
+    persist-name("valkey1")
+    port(`VALKEY_SLAVEOF_PORT`)
+    auth("`VALKEYPASS`")
    command("LPUSH" "SOGO_LOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
-destination d_redis_f2b_channel {
+destination d_valkey_f2b_channel {
  redis(
-    host("`REDIS_SLAVEOF_IP`")
-    persist-name("redis2")
-    port(`REDIS_SLAVEOF_PORT`)
-    auth("`REDISPASS`")
+    host("`VALKEY_SLAVEOF_IP`")
+    persist-name("valkey2")
+    port(`VALKEY_SLAVEOF_PORT`)
+    auth("`VALKEYPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
 log {
  source(s_sogo);
-  destination(d_redis_ui_log);
-  destination(d_redis_f2b_channel);
+  destination(d_valkey_ui_log);
+  destination(d_valkey_f2b_channel);
 };
 log {
  source(s_sogo);
--- a/data/Dockerfiles/sogo/syslog-ng.conf
+++ b/data/Dockerfiles/sogo/syslog-ng.conf
@@ -17,28 +17,28 @@ source s_sogo {
  pipe("/dev/sogo_log" owner(sogo) group(sogo));
 };
 destination d_stdout { pipe("/dev/stdout"); };
-destination d_redis_ui_log {
+destination d_valkey_ui_log {
  redis(
-    host("redis-mailcow")
-    persist-name("redis1")
+    host("valkey-mailcow")
+    persist-name("valkey1")
    port(6379)
-    auth("`REDISPASS`")
+    auth("`VALKEYPASS`")
    command("LPUSH" "SOGO_LOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
-destination d_redis_f2b_channel {
+destination d_valkey_f2b_channel {
  redis(
-    host("redis-mailcow")
-    persist-name("redis2")
+    host("valkey-mailcow")
+    persist-name("valkey2")
    port(6379)
-    auth("`REDISPASS`")
+    auth("`VALKEYPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
 log {
  source(s_sogo);
-  destination(d_redis_ui_log);
-  destination(d_redis_f2b_channel);
+  destination(d_valkey_ui_log);
+  destination(d_valkey_f2b_channel);
 };
 log {
  source(s_sogo);
--- a/data/Dockerfiles/valkeymigrator/Dockerfile
+++ b/data/Dockerfiles/valkeymigrator/Dockerfile
@@ -0,0 +1,8 @@
+FROM python:3.13.2-alpine3.21
+
+WORKDIR /app
+
+COPY migrate.py /app/migrate.py
+RUN pip install --no-cache-dir redis
+
+CMD ["python", "/app/migrate.py"]
--- a/data/Dockerfiles/valkeymigrator/migrate.py
+++ b/data/Dockerfiles/valkeymigrator/migrate.py
@@ -0,0 +1,78 @@
+import subprocess
+import redis
+import time
+import os
+
+# Container names
+SOURCE_CONTAINER = "redis-old-mailcow"
+DEST_CONTAINER = "valkey-mailcow"
+VALKEYPASS = os.getenv("VALKEYPASS")
+
+
+def migrate_redis():
+    src_redis = redis.StrictRedis(host=SOURCE_CONTAINER, port=6379, db=0, password=VALKEYPASS, decode_responses=False)
+    dest_redis = redis.StrictRedis(host=DEST_CONTAINER, port=6379, db=0, password=VALKEYPASS, decode_responses=False)
+
+    cursor = 0
+    batch_size = 100
+    migrated_count = 0
+
+    print("Starting migration...")
+
+    while True:
+        cursor, keys = src_redis.scan(cursor=cursor, match="*", count=batch_size)
+        keys_to_migrate = [key for key in keys if not key.startswith(b"PHPREDIS_SESSION:")]
+
+        for key in keys_to_migrate:
+            key_type = src_redis.type(key)
+            print(f"Import {key} of type {key_type}")
+
+            if key_type == b"string":
+                value = src_redis.get(key)
+                dest_redis.set(key, value)
+
+            elif key_type == b"hash":
+                value = src_redis.hgetall(key)
+                dest_redis.hset(key, mapping=value)
+
+            elif key_type == b"list":
+                value = src_redis.lrange(key, 0, -1)
+                for v in value:
+                    dest_redis.rpush(key, v)
+
+            elif key_type == b"set":
+                value = src_redis.smembers(key)
+                for v in value:
+                    dest_redis.sadd(key, v)
+
+            elif key_type == b"zset":
+                value = src_redis.zrange(key, 0, -1, withscores=True)
+                for v, score in value:
+                    dest_redis.zadd(key, {v: score})
+
+            # Preserve TTL if exists
+            ttl = src_redis.ttl(key)
+            if ttl > 0:
+                dest_redis.expire(key, ttl)
+
+            migrated_count += 1
+
+        if cursor == 0:
+            break  # No more keys to scan
+
+    print(f"Migration completed! {migrated_count} keys migrated.")
+
+    print("Forcing Valkey to save data...")
+    try:
+        dest_redis.save()  # Immediate RDB save (blocking)
+        dest_redis.bgrewriteaof()  # Rewrites the AOF file in the background
+        print("Data successfully saved to disk.")
+    except Exception as e:
+        print(f"Failed to save data: {e}")
+
+# Main script execution
+if __name__ == "__main__":
+    try:
+        migrate_redis()
+    finally:
+        pass
--- a/data/Dockerfiles/watchdog/Dockerfile
+++ b/data/Dockerfiles/watchdog/Dockerfile
@@ -16,7 +16,6 @@ RUN apk add --update \
  fcgi \
  openssl \
  nagios-plugins-mysql \
-  nagios-plugins-dns \
  nagios-plugins-disk \
  bind-tools \
  redis \
@@ -32,9 +31,11 @@ RUN apk add --update \
  tzdata \
  whois \
  && curl https://raw.githubusercontent.com/mludvig/smtp-cli/v3.10/smtp-cli -o /smtp-cli \
-  && chmod +x smtp-cli
+  && chmod +x smtp-cli \
+  && mkdir /usr/lib/mailcow

 COPY watchdog.sh /watchdog.sh
 COPY check_mysql_slavestatus.sh /usr/lib/nagios/plugins/check_mysql_slavestatus.sh
+COPY check_dns.sh /usr/lib/mailcow/check_dns.sh

 CMD ["/watchdog.sh"]
--- a/data/Dockerfiles/watchdog/check_dns.sh
+++ b/data/Dockerfiles/watchdog/check_dns.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+while getopts "H:s:" opt; do
+  case "$opt" in
+    H) HOST="$OPTARG" ;;
+    s) SERVER="$OPTARG" ;;
+    *) echo "Usage: $0 -H host -s server"; exit 3 ;;
+  esac
+done
+
+if [ -z "$SERVER" ]; then
+  echo "No DNS Server provided"
+  exit 3
+fi
+
+if [ -z "$HOST" ]; then
+  echo "No host to test provided"
+  exit 3
+fi
+
+# run dig and measure the time it takes to run
+START_TIME=$(date +%s%3N)
+dig_output=$(dig +short +timeout=2 +tries=1 "$HOST" @"$SERVER" 2>/dev/null)
+dig_rc=$?
+dig_output_ips=$(echo "$dig_output" | grep -E '^[0-9.]+$' | sort | paste -sd ',' -)
+END_TIME=$(date +%s%3N)
+ELAPSED_TIME=$((END_TIME - START_TIME))
+
+# validate and perform nagios like output and exit codes
+if [ $dig_rc -ne 0 ] || [ -z "$dig_output" ]; then
+  echo "Domain $HOST was not found by the server"
+  exit 2
+elif [ $dig_rc -eq 0 ]; then
+  echo "DNS OK: $ELAPSED_TIME ms response time. $HOST returns $dig_output_ips"
+  exit 0
+else
+  echo "Unknown error"
+  exit 3
+fi
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -1,5 +1,10 @@
 #!/bin/bash

+if [ "${DEV_MODE}" != "n" ]; then
+  echo -e "\e[31mEnabled Debug Mode\e[0m"
+  set -x
+fi
+
 trap "exit" INT TERM
 trap "kill 0" EXIT

@@ -39,18 +44,18 @@ while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u
 done

 # Do not attempt to write to slave
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  VALKEY_CMDLINE="redis-cli -h ${VALKEY_SLAVEOF_IP} -p ${VALKEY_SLAVEOF_PORT} -a ${VALKEYPASS} --no-auth-warning"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
+  VALKEY_CMDLINE="redis-cli -h valkey-mailcow -p 6379 -a ${VALKEYPASS} --no-auth-warning"
 fi

-until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
-  echo "Waiting for Redis..."
+until [[ $(${VALKEY_CMDLINE} PING) == "PONG" ]]; do
+  echo "Waiting for Valkey..."
  sleep 2
 done

-${REDIS_CMDLINE} DEL F2B_RES > /dev/null
+${VALKEY_CMDLINE} DEL F2B_RES > /dev/null

 # Common functions
 get_ipv6(){
@@ -85,15 +90,15 @@ progress() {
  [[ ${CURRENT} -gt ${TOTAL} ]] && return
  [[ ${CURRENT} -lt 0 ]] && CURRENT=0
  PERCENT=$(( 200 * ${CURRENT} / ${TOTAL} % 2 + 100 * ${CURRENT} / ${TOTAL} ))
-  ${REDIS_CMDLINE} LPUSH WATCHDOG_LOG "{\"time\":\"$(date +%s)\",\"service\":\"${SERVICE}\",\"lvl\":\"${PERCENT}\",\"hpnow\":\"${CURRENT}\",\"hptotal\":\"${TOTAL}\",\"hpdiff\":\"${DIFF}\"}" > /dev/null
-  log_msg "${SERVICE} health level: ${PERCENT}% (${CURRENT}/${TOTAL}), health trend: ${DIFF}" no_redis
+  ${VALKEY_CMDLINE} LPUSH WATCHDOG_LOG "{\"time\":\"$(date +%s)\",\"service\":\"${SERVICE}\",\"lvl\":\"${PERCENT}\",\"hpnow\":\"${CURRENT}\",\"hptotal\":\"${TOTAL}\",\"hpdiff\":\"${DIFF}\"}" > /dev/null
+  log_msg "${SERVICE} health level: ${PERCENT}% (${CURRENT}/${TOTAL}), health trend: ${DIFF}" no_valkey
  # Return 10 to indicate a dead service
  [ ${CURRENT} -le 0 ] && return 10
 }

 log_msg() {
-  if [[ ${2} != "no_redis" ]]; then
-    ${REDIS_CMDLINE} LPUSH WATCHDOG_LOG "{\"time\":\"$(date +%s)\",\"message\":\"$(printf '%s' "${1}" | \
+  if [[ ${2} != "no_valkey" ]]; then
+    ${VALKEY_CMDLINE} LPUSH WATCHDOG_LOG "{\"time\":\"$(date +%s)\",\"message\":\"$(printf '%s' "${1}" | \
      tr '\r\n%&;$"_[]{}-' ' ')\"}" > /dev/null
  fi
  echo $(date) $(printf '%s\n' "${1}")
@@ -109,10 +114,10 @@ function notify_error() {
  # If exists, mail will be throttled by argument in seconds
  [[ ! -z ${3} ]] && THROTTLE=${3}
  if [[ ! -z ${THROTTLE} ]]; then
-    TTL_LEFT="$(${REDIS_CMDLINE} TTL THROTTLE_${1} 2> /dev/null)"
+    TTL_LEFT="$(${VALKEY_CMDLINE} TTL THROTTLE_${1} 2> /dev/null)"
    if [[ "${TTL_LEFT}" == "-2" ]]; then
      # Delay key not found, setting a delay key now
-      ${REDIS_CMDLINE} SET THROTTLE_${1} 1 EX ${THROTTLE}
+      ${VALKEY_CMDLINE} SET THROTTLE_${1} 1 EX ${THROTTLE}
    else
      log_msg "Not sending notification email now, blocked for ${TTL_LEFT} seconds..."
      return 1
@@ -297,7 +302,7 @@ unbound_checks() {
    touch /tmp/unbound-mailcow; echo "$(tail -50 /tmp/unbound-mailcow)" > /tmp/unbound-mailcow
    host_ip=$(get_container_ip unbound-mailcow)
    err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_dns -s ${host_ip} -H stackoverflow.com 2>> /tmp/unbound-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/mailcow/check_dns.sh -s ${host_ip} -H stackoverflow.com 2>> /tmp/unbound-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
    DNSSEC=$(dig com +dnssec | egrep 'flags:.+ad')
    if [[ -z ${DNSSEC} ]]; then
      echo "DNSSEC failure" 2>> /tmp/unbound-mailcow 1>&2
@@ -319,21 +324,21 @@ unbound_checks() {
  return 1
 }

-redis_checks() {
-  # A check for the local redis container
+valkey_checks() {
+  # A check for the local valkey container
  err_count=0
  diff_c=0
-  THRESHOLD=${REDIS_THRESHOLD}
+  THRESHOLD=${VALKEY_THRESHOLD}
  # Reduce error count by 2 after restarting an unhealthy container
  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
  while [ ${err_count} -lt ${THRESHOLD} ]; do
-    touch /tmp/redis-mailcow; echo "$(tail -50 /tmp/redis-mailcow)" > /tmp/redis-mailcow
-    host_ip=$(get_container_ip redis-mailcow)
+    touch /tmp/valkey-mailcow; echo "$(tail -50 /tmp/valkey-mailcow)" > /tmp/valkey-mailcow
+    host_ip=$(get_container_ip valkey-mailcow)
    err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_tcp -4 -H redis-mailcow -p 6379 -E -s "AUTH ${REDISPASS}\nPING\n" -q "QUIT" -e "PONG" 2>> /tmp/redis-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_tcp -4 -H valkey-mailcow -p 6379 -E -s "AUTH ${VALKEYPASS}\nPING\n" -q "QUIT" -e "PONG" 2>> /tmp/valkey-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
-    progress "Redis" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    progress "Valkey" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
    if [[ $? == 10 ]]; then
      diff_c=0
      sleep 1
@@ -445,6 +450,31 @@ postfix_checks() {
  return 1
 }

+postfix-tlspol_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=${POSTFIX_TLSPOL_THRESHOLD}
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    touch /tmp/postfix-tlspol-mailcow; echo "$(tail -50 /tmp/postfix-tlspol-mailcow)" > /tmp/postfix-tlspol-mailcow
+    host_ip=$(get_container_ip postfix-tlspol-mailcow)
+    err_c_cur=${err_count}
+    /usr/lib/nagios/plugins/check_tcp -4 -H ${host_ip} -p 8642 2>> /tmp/postfix-tlspol-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "Postfix TLS Policy companion" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    if [[ $? == 10 ]]; then
+      diff_c=0
+      sleep 1
+    else
+      diff_c=0
+      sleep $(( ( RANDOM % 60 ) + 20 ))
+    fi
+  done
+  return 1
+}
+
 clamd_checks() {
  err_count=0
  diff_c=0
@@ -503,12 +533,12 @@ dovecot_repl_checks() {
  err_count=0
  diff_c=0
  THRESHOLD=${DOVECOT_REPL_THRESHOLD}
-  D_REPL_STATUS=$(redis-cli -h redis -a ${REDISPASS} --no-auth-warning -r GET DOVECOT_REPL_HEALTH)
+  D_REPL_STATUS=$(redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning -r GET DOVECOT_REPL_HEALTH)
  # Reduce error count by 2 after restarting an unhealthy container
  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
  while [ ${err_count} -lt ${THRESHOLD} ]; do
    err_c_cur=${err_count}
-    D_REPL_STATUS=$(redis-cli --raw -h redis -a ${REDISPASS} --no-auth-warning GET DOVECOT_REPL_HEALTH)
+    D_REPL_STATUS=$(redis-cli --raw -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning GET DOVECOT_REPL_HEALTH)
    if [[ "${D_REPL_STATUS}" != "1" ]]; then
      err_count=$(( ${err_count} + 1 ))
    fi
@@ -578,19 +608,19 @@ ratelimit_checks() {
  err_count=0
  diff_c=0
  THRESHOLD=${RATELIMIT_THRESHOLD}
-  RL_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} --no-auth-warning LRANGE RL_LOG 0 0 | jq .qid)
+  RL_LOG_STATUS=$(redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning LRANGE RL_LOG 0 0 | jq .qid)
  # Reduce error count by 2 after restarting an unhealthy container
  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
  while [ ${err_count} -lt ${THRESHOLD} ]; do
    err_c_cur=${err_count}
    RL_LOG_STATUS_PREV=${RL_LOG_STATUS}
-    RL_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} --no-auth-warning LRANGE RL_LOG 0 0 | jq .qid)
+    RL_LOG_STATUS=$(redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning LRANGE RL_LOG 0 0 | jq .qid)
    if [[ ${RL_LOG_STATUS_PREV} != ${RL_LOG_STATUS} ]]; then
      err_count=$(( ${err_count} + 1 ))
      echo 'Last 10 applied ratelimits (may overlap with previous reports).' > /tmp/ratelimit
      echo 'Full ratelimit buckets can be emptied by deleting the ratelimit hash from within mailcow UI (see /debug -> Protocols -> Ratelimit):' >> /tmp/ratelimit
      echo >> /tmp/ratelimit
-      redis-cli --raw -h redis -a ${REDISPASS} --no-auth-warning LRANGE RL_LOG 0 10 | jq . >> /tmp/ratelimit
+      redis-cli --raw -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning LRANGE RL_LOG 0 10 | jq . >> /tmp/ratelimit
    fi
    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
@@ -639,20 +669,20 @@ fail2ban_checks() {
  err_count=0
  diff_c=0
  THRESHOLD=${FAIL2BAN_THRESHOLD}
-  F2B_LOG_STATUS=($(${REDIS_CMDLINE} --raw HKEYS F2B_ACTIVE_BANS))
+  F2B_LOG_STATUS=($(${VALKEY_CMDLINE} --raw HKEYS F2B_ACTIVE_BANS))
  F2B_RES=
  # Reduce error count by 2 after restarting an unhealthy container
  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
  while [ ${err_count} -lt ${THRESHOLD} ]; do
    err_c_cur=${err_count}
    F2B_LOG_STATUS_PREV=(${F2B_LOG_STATUS[@]})
-    F2B_LOG_STATUS=($(${REDIS_CMDLINE} --raw HKEYS F2B_ACTIVE_BANS))
+    F2B_LOG_STATUS=($(${VALKEY_CMDLINE} --raw HKEYS F2B_ACTIVE_BANS))
    array_diff F2B_RES F2B_LOG_STATUS F2B_LOG_STATUS_PREV
    if [[ ! -z "${F2B_RES}" ]]; then
      err_count=$(( ${err_count} + 1 ))
-      echo -n "${F2B_RES[@]}" | tr -cd "[a-fA-F0-9.:/] " | timeout 3s ${REDIS_CMDLINE} -x SET F2B_RES > /dev/null
+      echo -n "${F2B_RES[@]}" | tr -cd "[a-fA-F0-9.:/] " | timeout 3s ${VALKEY_CMDLINE} -x SET F2B_RES > /dev/null
      if [ $? -ne 0 ]; then
-         ${REDIS_CMDLINE} -x DEL F2B_RES
+         ${VALKEY_CMDLINE} -x DEL F2B_RES
      fi
    fi
    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
@@ -673,9 +703,9 @@ acme_checks() {
  err_count=0
  diff_c=0
  THRESHOLD=${ACME_THRESHOLD}
-  ACME_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} --no-auth-warning GET ACME_FAIL_TIME)
+  ACME_LOG_STATUS=$(redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning GET ACME_FAIL_TIME)
  if [[ -z "${ACME_LOG_STATUS}" ]]; then
-    ${REDIS_CMDLINE} SET ACME_FAIL_TIME 0
+    ${VALKEY_CMDLINE} SET ACME_FAIL_TIME 0
    ACME_LOG_STATUS=0
  fi
  # Reduce error count by 2 after restarting an unhealthy container
@@ -685,7 +715,7 @@ acme_checks() {
    ACME_LOG_STATUS_PREV=${ACME_LOG_STATUS}
    ACME_LC=0
    until [[ ! -z ${ACME_LOG_STATUS} ]] || [ ${ACME_LC} -ge 3 ]; do
-      ACME_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} --no-auth-warning GET ACME_FAIL_TIME 2> /dev/null)
+      ACME_LOG_STATUS=$(redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning GET ACME_FAIL_TIME 2> /dev/null)
      sleep 3
      ACME_LC=$((ACME_LC+1))
    done
@@ -834,14 +864,14 @@ BACKGROUND_TASKS+=(${PID})

 (
 while true; do
-  if ! redis_checks; then
-    log_msg "Local Redis hit error limit"
-    echo redis-mailcow > /tmp/com_pipe
+  if ! valkey_checks; then
+    log_msg "Local Valkey hit error limit"
+    echo valkey-mailcow > /tmp/com_pipe
  fi
 done
 ) &
 PID=$!
-echo "Spawned redis_checks with PID ${PID}"
+echo "Spawned valkey_checks with PID ${PID}"
 BACKGROUND_TASKS+=(${PID})

 (
@@ -922,6 +952,18 @@ PID=$!
 echo "Spawned mailq_checks with PID ${PID}"
 BACKGROUND_TASKS+=(${PID})

+(
+while true; do
+  if ! postfix-tlspol_checks; then
+    log_msg "Postfix TLS Policy hit error limit"
+    echo postfix-tlspol-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+PID=$!
+echo "Spawned postfix-tlspol_checks with PID ${PID}"
+BACKGROUND_TASKS+=(${PID})
+
 (
 while true; do
  if ! dovecot_checks; then
@@ -1087,9 +1129,9 @@ while true; do
    # Define $2 to override message text, else print service was restarted at ...
    notify_error "${com_pipe_answer}" "Please check acme-mailcow for further information."
  elif [[ ${com_pipe_answer} == "fail2ban" ]]; then
-    F2B_RES=($(timeout 4s ${REDIS_CMDLINE} --raw GET F2B_RES 2> /dev/null))
+    F2B_RES=($(timeout 4s ${VALKEY_CMDLINE} --raw GET F2B_RES 2> /dev/null))
    if [[ ! -z "${F2B_RES}" ]]; then
-      ${REDIS_CMDLINE} DEL F2B_RES > /dev/null
+      ${VALKEY_CMDLINE} DEL F2B_RES > /dev/null
      host=
      for host in "${F2B_RES[@]}"; do
        log_msg "Banned ${host}"
--- a/data/conf/dovecot/auth/mailcowauth.php
+++ b/data/conf/dovecot/auth/mailcowauth.php
@@ -23,16 +23,16 @@ if (file_exists('../../../web/inc/vars.local.inc.php')) {
 require_once '../../../web/inc/lib/vendor/autoload.php';


-// Init Redis
-$redis = new Redis();
+// Init Valkey
+$valkey = new Redis();
 try {
-  if (!empty(getenv('REDIS_SLAVEOF_IP'))) {
-    $redis->connect(getenv('REDIS_SLAVEOF_IP'), getenv('REDIS_SLAVEOF_PORT'));
+  if (!empty(getenv('VALKEY_SLAVEOF_IP'))) {
+    $valkey->connect(getenv('VALKEY_SLAVEOF_IP'), getenv('VALKEY_SLAVEOF_PORT'));
  }
  else {
-    $redis->connect('redis-mailcow', 6379);
+    $valkey->connect('valkey-mailcow', 6379);
  }
-  $redis->auth(getenv("REDISPASS"));
+  $valkey->auth(getenv("VALKEYPASS"));
 }
 catch (Exception $e) {
  error_log("MAILCOWAUTH: " . $e . PHP_EOL);
@@ -86,7 +86,7 @@ if ($result === false){
    'remote_addr' => $post['real_rip']
  ));
  if ($result) {
-    error_log('MAILCOWAUTH: App auth for user ' . $post['username']);
+    error_log('MAILCOWAUTH: App auth for user ' . $post['username'] . " with service " . $post['service'] . " from IP " . $post['real_rip']);
    set_sasl_log($post['username'], $post['real_rip'], $post['service']);
  }
 }
@@ -94,9 +94,9 @@ if ($result === false){
  // Init Identity Provider
  $iam_provider = identity_provider('init');
  $iam_settings = identity_provider('get');
-  $result = user_login($post['username'], $post['password'], array('is_internal' => true));
+  $result = user_login($post['username'], $post['password'], array('is_internal' => true, 'service' => $post['service']));
  if ($result) {
-    error_log('MAILCOWAUTH: User auth for user ' . $post['username']);
+    error_log('MAILCOWAUTH: User auth for user ' . $post['username'] . " with service " . $post['service'] . " from IP " . $post['real_rip']);
    set_sasl_log($post['username'], $post['real_rip'], $post['service']);
  }
 }
@@ -105,7 +105,7 @@ if ($result) {
  http_response_code(200); // OK
  $return['success'] = true;
 } else {
-  error_log("MAILCOWAUTH: Login failed for user " . $post['username']);
+  error_log("MAILCOWAUTH: Login failed for user " . $post['username'] . " with service " . $post['service'] . " from IP " . $post['real_rip']);
  http_response_code(401); // Unauthorized
 }

--- a/data/conf/nginx/templates/nginx.conf.j2
+++ b/data/conf/nginx/templates/nginx.conf.j2
@@ -78,7 +78,7 @@ http {
        {%endif%}
        listen {{ HTTPS_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%} ssl;

-        {% if not DISABLE_IPv6 %}
+        {% if ENABLE_IPV6 %}
        {% if not HTTP_REDIRECT %}
        listen [::]:{{ HTTP_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%};
        {%endif%}
@@ -105,7 +105,7 @@ http {
        {%endif%}
        listen {{ HTTPS_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%} ssl;

-        {% if not DISABLE_IPv6 %}
+        {% if ENABLE_IPV6 %}
        {% if not HTTP_REDIRECT %}
        listen [::]:{{ HTTP_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%};
        {%endif%}
@@ -126,7 +126,7 @@ http {
    # rspamd dynmaps:
    server {
        listen 8081;
-        {% if not DISABLE_IPv6 %}
+        {% if ENABLE_IPV6 %}
        listen [::]:8081;
        {%endif%}
        index index.php index.html;
@@ -199,7 +199,7 @@ http {
        {%endif%}
        listen {{ HTTPS_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%} ssl;

-        {% if not DISABLE_IPv6 %}
+        {% if ENABLE_IPV6 %}
        {% if not HTTP_REDIRECT %}
        listen [::]:{{ HTTP_PORT }}{% if NGINX_USE_PROXY_PROTOCOL %} proxy_protocol{%endif%};
        {%endif%}
--- a/data/conf/phpfpm/crons/keycloak-sync.php
+++ b/data/conf/phpfpm/crons/keycloak-sync.php
@@ -23,16 +23,16 @@ catch (PDOException $e) {
  exit;
 }

-// Init Redis
-$redis = new Redis();
+// Init Valkey
+$valkey = new Redis();
 try {
-  if (!empty(getenv('REDIS_SLAVEOF_IP'))) {
-    $redis->connect(getenv('REDIS_SLAVEOF_IP'), getenv('REDIS_SLAVEOF_PORT'));
+  if (!empty(getenv('VALKEY_SLAVEOF_IP'))) {
+    $valkey->connect(getenv('VALKEY_SLAVEOF_IP'), getenv('VALKEY_SLAVEOF_PORT'));
  }
  else {
-    $redis->connect('redis-mailcow', 6379);
+    $valkey->connect('valkey-mailcow', 6379);
  }
-  $redis->auth(getenv("REDISPASS"));
+  $valkey->auth(getenv("VALKEYPASS"));
 }
 catch (Exception $e) {
  echo "Exiting: " . $e->getMessage();
@@ -41,7 +41,7 @@ catch (Exception $e) {
 }

 function logMsg($priority, $message, $task = "Keycloak Sync") {
-  global $redis;
+  global $valkey;

  $finalMsg = array(
    "time" => time(),
@@ -49,7 +49,7 @@ function logMsg($priority, $message, $task = "Keycloak Sync") {
    "task" => $task,
    "message" => $message
  );
-  $redis->lPush('CRON_LOG', json_encode($finalMsg));
+  $valkey->lPush('CRON_LOG', json_encode($finalMsg));
 }

 // Load core functions first
--- a/data/conf/phpfpm/crons/ldap-sync.php
+++ b/data/conf/phpfpm/crons/ldap-sync.php
@@ -23,16 +23,16 @@ catch (PDOException $e) {
  exit;
 }

-// Init Redis
-$redis = new Redis();
+// Init Valkey
+$valkey = new Redis();
 try {
-  if (!empty(getenv('REDIS_SLAVEOF_IP'))) {
-    $redis->connect(getenv('REDIS_SLAVEOF_IP'), getenv('REDIS_SLAVEOF_PORT'));
+  if (!empty(getenv('VALKEY_SLAVEOF_IP'))) {
+    $valkey->connect(getenv('VALKEY_SLAVEOF_IP'), getenv('VALKEY_SLAVEOF_PORT'));
  }
  else {
-    $redis->connect('redis-mailcow', 6379);
+    $valkey->connect('valkey-mailcow', 6379);
  }
-  $redis->auth(getenv("REDISPASS"));
+  $valkey->auth(getenv("VALKEYPASS"));
 }
 catch (Exception $e) {
  echo "Exiting: " . $e->getMessage();
@@ -41,7 +41,7 @@ catch (Exception $e) {
 }

 function logMsg($priority, $message, $task = "LDAP Sync") {
-  global $redis;
+  global $valkey;

  $finalMsg = array(
    "time" => time(),
@@ -49,7 +49,7 @@ function logMsg($priority, $message, $task = "LDAP Sync") {
    "task" => $task,
    "message" => $message
  );
-  $redis->lPush('CRON_LOG', json_encode($finalMsg));
+  $valkey->lPush('CRON_LOG', json_encode($finalMsg));
 }

 // Load core functions first
--- a/data/conf/postfix/postscreen_access.cidr
+++ b/data/conf/postfix/postscreen_access.cidr
@@ -1,13 +1,26 @@
-# Whitelist generated by Postwhite v3.4 on Fri Aug  1 00:24:14 UTC 2025
+# Whitelist generated by Postwhite v3.4 on Wed Oct  1 00:21:33 UTC 2025
 # https://github.com/stevejenkins/postwhite/
-# 2166 total rules
+# 2216 total rules
 2a00:1450:4000::/36	permit
 2a01:111:f400::/48	permit
-2a01:111:f403:8000::/50	permit
+2a01:111:f403:2800::/53	permit
 2a01:111:f403:8000::/51	permit
 2a01:111:f403::/49	permit
 2a01:111:f403:c000::/51	permit
+2a01:111:f403:d000::/53	permit
 2a01:111:f403:f000::/52	permit
+2a01:238:20a:202:5370::1	permit
+2a01:238:20a:202:5372::1	permit
+2a01:238:20a:202:5373::1	permit
+2a01:238:400:101:53::1	permit
+2a01:238:400:102:53::1	permit
+2a01:238:400:103:53::1	permit
+2a01:238:400:301:53::1	permit
+2a01:238:400:302:53::1	permit
+2a01:238:400:303:53::1	permit
+2a01:238:400:470:53::1	permit
+2a01:238:400:471:53::1	permit
+2a01:238:400:472:53::1	permit
 2a01:b747:3000:200::/56	permit
 2a01:b747:3001:200::/56	permit
 2a01:b747:3002:200::/56	permit
@@ -17,16 +30,17 @@
 2a01:b747:3006:200::/56	permit
 2a02:a60:0:5::/64	permit
 2c0f:fb50:4000::/36	permit
-2.207.151.53	permit
 2.207.217.30	permit
 3.64.237.68	permit
 3.65.3.180	permit
 3.70.123.177	permit
 3.72.182.33	permit
 3.74.81.189	permit
+3.74.125.228	permit
 3.75.33.185	permit
 3.93.157.0/24	permit
 3.94.40.108	permit
+3.121.107.214	permit
 3.129.120.190	permit
 3.210.190.0/24	permit
 3.211.80.218	permit
@@ -42,7 +56,8 @@
 8.40.222.0/23	permit
 8.40.222.250/31	permit
 12.130.86.238	permit
-13.107.253.40	permit
+13.107.213.41	permit
+13.107.246.41	permit
 13.110.208.0/21	permit
 13.110.209.0/24	permit
 13.110.216.0/22	permit
@@ -64,6 +79,8 @@
 18.97.2.64/26	permit
 18.156.89.250	permit
 18.156.205.64	permit
+18.157.70.148	permit
+18.157.114.255	permit
 18.157.243.190	permit
 18.158.153.154	permit
 18.194.95.56	permit
@@ -75,9 +92,7 @@
 18.216.232.154	permit
 18.235.27.253	permit
 18.236.40.242	permit
-18.236.56.161	permit
 20.51.6.32/30	permit
-20.51.98.61	permit
 20.52.52.2	permit
 20.52.128.133	permit
 20.59.80.4/30	permit
@@ -153,7 +168,6 @@
 34.212.163.75	permit
 34.215.104.144	permit
 34.218.115.239	permit
-34.218.116.3	permit
 34.225.212.172	permit
 34.241.242.183	permit
 35.83.148.184	permit
@@ -162,6 +176,7 @@
 35.161.32.253	permit
 35.162.73.231	permit
 35.167.93.243	permit
+35.174.145.124	permit
 35.176.132.251	permit
 35.205.92.9	permit
 35.228.216.85	permit
@@ -178,6 +193,7 @@
 40.233.64.216	permit
 40.233.83.78	permit
 40.233.88.28	permit
+43.239.212.33	permit
 44.206.138.57	permit
 44.210.169.44	permit
 44.217.45.156	permit
@@ -188,7 +204,10 @@
 44.246.68.102	permit
 44.246.77.92	permit
 45.14.148.0/22	permit
-46.19.170.16	permit
+45.143.132.0/24	permit
+45.143.133.0/24	permit
+45.143.134.0/24	permit
+45.143.135.0/24	permit
 46.226.48.0/21	permit
 46.228.36.37	permit
 46.228.36.38/31	permit
@@ -324,6 +343,7 @@
 54.255.61.23	permit
 56.124.6.228	permit
 57.103.64.0/18	permit
+57.129.93.249	permit
 62.13.128.0/24	permit
 62.13.129.128/25	permit
 62.13.136.0/21	permit
@@ -643,6 +663,11 @@
 77.238.189.142	permit
 77.238.189.146/31	permit
 77.238.189.148/30	permit
+79.135.106.0/24	permit
+79.135.107.0/24	permit
+81.169.146.243	permit
+81.169.146.245	permit
+81.169.146.246	permit
 81.223.46.0/27	permit
 82.165.159.2	permit
 82.165.159.3	permit
@@ -658,7 +683,17 @@
 82.165.159.45	permit
 82.165.159.130	permit
 82.165.159.131	permit
+85.9.206.169	permit
+85.9.210.45	permit
 85.158.136.0/21	permit
+85.215.255.39	permit
+85.215.255.40	permit
+85.215.255.41	permit
+85.215.255.45	permit
+85.215.255.46	permit
+85.215.255.47	permit
+85.215.255.48	permit
+85.215.255.49	permit
 86.61.88.25	permit
 87.238.80.0/21	permit
 87.248.103.12	permit
@@ -1198,16 +1233,14 @@
 99.83.190.102	permit
 103.9.96.0/22	permit
 103.28.42.0/24	permit
-103.122.78.238	permit
+103.84.217.238	permit
+103.89.75.238	permit
 103.151.192.0/23	permit
 103.168.172.128/27	permit
 103.237.104.0/22	permit
 104.43.243.237	permit
 104.44.112.128/25	permit
 104.47.0.0/17	permit
-104.47.20.0/23	permit
-104.47.75.0/24	permit
-104.47.108.0/23	permit
 104.130.96.0/28	permit
 104.130.122.0/23	permit
 106.10.144.64/27	permit
@@ -1342,9 +1375,8 @@
 108.174.6.215	permit
 108.175.18.45	permit
 108.175.30.45	permit
-108.177.8.0/22	permit
-108.177.96.0/19	permit
 108.179.144.0/20	permit
+109.224.244.0/24	permit
 109.237.142.0/24	permit
 111.221.23.128/25	permit
 111.221.26.0/27	permit
@@ -1508,7 +1540,7 @@
 148.105.0.0/16	permit
 148.105.8.0/21	permit
 149.72.0.0/16	permit
-149.72.223.204	permit
+149.72.234.184	permit
 149.72.248.236	permit
 149.97.173.180	permit
 150.230.98.160	permit
@@ -1564,6 +1596,7 @@
 159.183.0.0/16	permit
 159.183.68.71	permit
 159.183.79.38	permit
+159.183.129.172	permit
 160.1.62.192	permit
 161.38.192.0/20	permit
 161.38.204.0/22	permit
@@ -1581,6 +1614,7 @@
 163.114.134.16	permit
 163.114.135.16	permit
 163.116.128.0/17	permit
+163.192.116.87	permit
 164.152.23.32	permit
 164.152.25.241	permit
 164.177.132.168/30	permit
@@ -1620,10 +1654,10 @@
 169.148.131.0/24	permit
 169.148.138.0/24	permit
 169.148.142.10	permit
+169.148.142.33	permit
 169.148.144.0/25	permit
 169.148.144.10	permit
 169.148.146.0/23	permit
-169.148.174.33	permit
 169.148.175.3	permit
 169.148.188.0/24	permit
 169.148.188.182	permit
@@ -1632,11 +1666,7 @@
 170.10.132.56/29	permit
 170.10.132.64/29	permit
 170.10.133.0/24	permit
-172.217.0.0/19	permit
 172.217.32.0/20	permit
-172.217.128.0/19	permit
-172.217.160.0/20	permit
-172.217.192.0/19	permit
 172.253.56.0/21	permit
 172.253.112.0/20	permit
 173.0.84.0/29	permit
@@ -1671,6 +1701,9 @@
 185.12.80.0/22	permit
 185.28.196.0/22	permit
 185.58.84.93	permit
+185.70.40.0/24	permit
+185.70.41.0/24	permit
+185.70.43.0/24	permit
 185.80.93.204	permit
 185.80.93.227	permit
 185.80.95.31	permit
@@ -1732,6 +1765,7 @@
 188.125.85.234/31	permit
 188.125.85.236/31	permit
 188.125.85.238	permit
+188.165.51.139	permit
 188.172.128.0/20	permit
 192.0.64.0/18	permit
 192.18.139.154	permit
@@ -1758,6 +1792,8 @@
 193.142.157.191	permit
 193.142.157.198	permit
 194.19.134.0/25	permit
+194.25.134.16/28	permit
+194.25.134.80/28	permit
 194.64.234.129	permit
 194.97.196.0/24	permit
 194.97.196.3	permit
@@ -1957,8 +1993,6 @@
 208.71.42.212/31	permit
 208.71.42.214	permit
 208.72.249.240/29	permit
-208.74.204.5	permit
-208.74.204.9	permit
 208.75.120.0/22	permit
 208.76.62.0/24	permit
 208.76.63.0/24	permit
@@ -2022,6 +2056,8 @@
 212.227.15.4	permit
 212.227.15.5	permit
 212.227.15.6	permit
+212.227.15.7	permit
+212.227.15.8	permit
 212.227.15.14	permit
 212.227.15.15	permit
 212.227.15.18	permit
@@ -2038,16 +2074,30 @@
 212.227.15.53	permit
 212.227.15.54	permit
 212.227.15.55	permit
+212.227.17.1	permit
+212.227.17.2	permit
+212.227.17.7	permit
 212.227.17.11	permit
 212.227.17.12	permit
+212.227.17.16	permit
+212.227.17.17	permit
 212.227.17.18	permit
 212.227.17.19	permit
 212.227.17.20	permit
 212.227.17.21	permit
 212.227.17.22	permit
 212.227.17.26	permit
+212.227.17.27	permit
 212.227.17.28	permit
 212.227.17.29	permit
+212.227.126.206	permit
+212.227.126.207	permit
+212.227.126.208	permit
+212.227.126.209	permit
+212.227.126.220	permit
+212.227.126.221	permit
+212.227.126.222	permit
+212.227.126.223	permit
 212.227.126.224	permit
 212.227.126.225	permit
 212.227.126.226	permit
@@ -2167,4 +2217,5 @@
 2620:119:50c0:207::/64	permit
 2620:119:50c0:207::215	permit
 2800:3f0:4000::/36	permit
-194.25.134.0/24 permit # t-online.de
+49.12.4.251 permit # checks.mailcow.email
+2a01:4f8:c17:7906::10 permit # checks.mailcow.email
--- a/data/conf/redis/redis-conf.sh
+++ b/data/conf/redis/redis-conf.sh
@@ -1,12 +0,0 @@
-#!/bin/sh
-
-cat <<EOF > /redis.conf
-requirepass $REDISPASS
-user quota_notify on nopass ~QW_* -@all +get +hget +ping
-EOF
-
-if [ -n "$REDISMASTERPASS" ]; then
-  echo "masterauth $REDISMASTERPASS" >> /redis.conf
-fi
-
-exec redis-server /redis.conf
--- a/data/conf/rspamd/dynmaps/aliasexp.php
+++ b/data/conf/rspamd/dynmaps/aliasexp.php
@@ -22,10 +22,10 @@ catch (PDOException $e) {
  exit;
 }

-// Init Redis
-$redis = new Redis();
-$redis->connect('redis-mailcow', 6379);
-$redis->auth(getenv("REDISPASS"));
+// Init Valkey
+$valkey = new Redis();
+$valkey->connect('valkey-mailcow', 6379);
+$valkey->auth(getenv("VALKEYPASS"));

 function parse_email($email) {
  if(!filter_var($email, FILTER_VALIDATE_EMAIL)) return false;
@@ -60,7 +60,7 @@ $rcpt_final_mailboxes = array();

 // Skip if not a mailcow handled domain
 try {
-  if (!$redis->hGet('DOMAIN_MAP', $parsed_rcpt['domain'])) {
+  if (!$valkey->hGet('DOMAIN_MAP', $parsed_rcpt['domain'])) {
    exit;
  }
 }
@@ -122,7 +122,7 @@ try {
      }
      else {
        $parsed_goto = parse_email($goto);
-        if (!$redis->hGet('DOMAIN_MAP', $parsed_goto['domain'])) {
+        if (!$valkey->hGet('DOMAIN_MAP', $parsed_goto['domain'])) {
          error_log("ALIAS EXPANDER:" . $goto . " is not a mailcow handled mailbox or alias address" . PHP_EOL);
        }
        else {
@@ -133,7 +133,7 @@ try {
            error_log("ALIAS EXPANDER: http pipe: goto address " . $goto . " is an alias branch for " . $goto_branch . PHP_EOL);
            $goto_branch_array = explode(',', $goto_branch);
          } else {
-            $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain AND `active` AND '1'");
+            $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain AND `active` = '1'");
            $stmt->execute(array(':domain' => $parsed_goto['domain']));
            $goto_branch = $stmt->fetch(PDO::FETCH_ASSOC)['target_domain'];
            if ($goto_branch) {
--- a/data/conf/rspamd/dynmaps/forwardinghosts.php
+++ b/data/conf/rspamd/dynmaps/forwardinghosts.php
@@ -2,9 +2,9 @@
 header('Content-Type: text/plain');
 ini_set('error_reporting', 0);

-$redis = new Redis();
-$redis->connect('redis-mailcow', 6379);
-$redis->auth(getenv("REDISPASS"));
+$valkey = new Redis();
+$valkey->connect('valkey-mailcow', 6379);
+$valkey->auth(getenv("VALKEYPASS"));

 function in_net($addr, $net) {
  $net = explode('/', $net);
@@ -31,7 +31,7 @@ function in_net($addr, $net) {

 if (isset($_GET['host'])) {
  try {
-    foreach ($redis->hGetAll('WHITELISTED_FWD_HOST') as $host => $source) {
+    foreach ($valkey->hGetAll('WHITELISTED_FWD_HOST') as $host => $source) {
      if (in_net($_GET['host'], $host)) {
        echo '200 PERMIT';
        exit;
@@ -46,7 +46,7 @@ if (isset($_GET['host'])) {
 } else {
  try {
    echo '240.240.240.240' . PHP_EOL;
-    foreach ($redis->hGetAll('WHITELISTED_FWD_HOST') as $host => $source) {
+    foreach ($valkey->hGetAll('WHITELISTED_FWD_HOST') as $host => $source) {
      echo $host . PHP_EOL;
    }
  }
--- a/data/conf/rspamd/dynmaps/settings.php
+++ b/data/conf/rspamd/dynmaps/settings.php
@@ -56,7 +56,7 @@ function normalize_email($email) {
    $email = explode('@', $email);
    $email[0] = str_replace('.', '', $email[0]);
    $email = implode('@', $email);
-  } 
+  }
  $gm_alt = "@googlemail.com";
  if (substr_compare($email, $gm_alt, -strlen($gm_alt)) == 0) {
    $email = explode('@', $email);
@@ -114,7 +114,7 @@ function ucl_rcpts($object, $type) {
      $rcpt[] = str_replace('/', '\/', $row['address']);
    }
    // Aliases by alias domains
-    $stmt = $pdo->prepare("SELECT CONCAT(`local_part`, '@', `alias_domain`.`alias_domain`) AS `alias` FROM `mailbox` 
+    $stmt = $pdo->prepare("SELECT CONCAT(`local_part`, '@', `alias_domain`.`alias_domain`) AS `alias` FROM `mailbox`
      LEFT OUTER JOIN `alias_domain` ON `mailbox`.`domain` = `alias_domain`.`target_domain`
      WHERE `mailbox`.`username` = :object");
    $stmt->execute(array(
@@ -184,7 +184,7 @@ while ($row = array_shift($rows)) {
    rcpt = <?=json_encode($rcpt, JSON_UNESCAPED_SLASHES);?>;
 <?php
  }
-  $stmt = $pdo->prepare("SELECT `option`, `value` FROM `filterconf` 
+  $stmt = $pdo->prepare("SELECT `option`, `value` FROM `filterconf`
    WHERE (`option` = 'highspamlevel' OR `option` = 'lowspamlevel')
      AND `object`= :object");
  $stmt->execute(array(':object' => $row['object']));
@@ -468,4 +468,36 @@ while ($row = array_shift($rows)) {
 <?php
 }
 ?>
+
+<?php
+// Start internal aliases
+
+$stmt = $pdo->query("SELECT `id`, `address`, `domain` FROM `alias` WHERE `active` = '1' AND `internal` = '1'");
+$aliases = $stmt->fetchAll(PDO::FETCH_ASSOC);
+while ($alias = array_shift($aliases)) {
+  // build allowed_domains regex and add target domain and alias domains
+  $stmt = $pdo->prepare("SELECT `alias_domain` FROM `alias_domain` WHERE `active` = '1' AND `target_domain` = :target_domain");
+  $stmt->execute(array(':target_domain' => $alias['domain']));
+  $allowed_domains = $stmt->fetchAll(PDO::FETCH_ASSOC);
+  $allowed_domains = array_map(function($item) {
+    return str_replace('.', '\.', $item['alias_domain']);
+  }, $allowed_domains);
+  $allowed_domains[] = str_replace('.', '\.', $alias['domain']);
+  $allowed_domains = implode('|', $allowed_domains);
+?>
+  internal_alias_<?=$alias['id'];?> {
+    priority = 10;
+    rcpt = "<?=$alias['address'];?>";
+    from = "/^((?!.*@(<?=$allowed_domains;?>)).)*$/";
+    apply "default" {
+      MAILCOW_INTERNAL_ALIAS = 9999.0;
+    }
+    symbols [
+      "MAILCOW_INTERNAL_ALIAS"
+    ]
+  }
+<?php
+}
+?>
+
 }
--- a/data/conf/rspamd/lua/rspamd.local.lua
+++ b/data/conf/rspamd/lua/rspamd.local.lua
@@ -454,12 +454,18 @@ rspamd_config:register_symbol({
    local redis_params = rspamd_parse_redis_server('dyn_rl')
    local rspamd_logger = require "rspamd_logger"
    local envfrom = task:get_from(1)
+    local envrcpt = task:get_recipients(1) or {}
    local uname = task:get_user()
    if not envfrom or not uname then
      return false
    end
+
    local uname = uname:lower()

+    if #envrcpt == 1 and envrcpt[1].addr:lower() == uname then
+      return false
+    end
+
    local env_from_domain = envfrom[1].domain:lower() -- get smtp from domain in lower case

    local function redis_cb_user(err, data)
@@ -544,13 +550,13 @@ rspamd_config:register_symbol({
    -- determine newline type
    local function newline(task)
      local t = task:get_newlines_type()
-    
+
      if t == 'cr' then
        return '\r'
      elseif t == 'lf' then
        return '\n'
      end
-    
+
      return '\r\n'
    end
    -- retrieve footer
@@ -558,7 +564,7 @@ rspamd_config:register_symbol({
      if err or type(data) ~= 'string' then
        rspamd_logger.infox(rspamd_config, "domain wide footer request for user %s returned invalid or empty data (\"%s\") or error (\"%s\")", uname, data, err)
      else
-        
+
        -- parse json string
        local footer = cjson.decode(data)
        if not footer then
@@ -607,26 +613,30 @@ rspamd_config:register_symbol({
            if footer.plain and footer.plain ~= "" then
              footer.plain = lua_util.jinja_template(footer.plain, replacements, true)
            end
-  
+
            -- add footer
            local out = {}
            local rewrite = lua_mime.add_text_footer(task, footer.html, footer.plain) or {}
-        
+
            local seen_cte
            local newline_s = newline(task)
-        
+
            local function rewrite_ct_cb(name, hdr)
              if rewrite.need_rewrite_ct then
                if name:lower() == 'content-type' then
-                  local nct = string.format('%s: %s/%s; charset=utf-8',
-                      'Content-Type', rewrite.new_ct.type, rewrite.new_ct.subtype)
+                  -- include boundary if present
+                  local boundary_part = rewrite.new_ct.boundary and
+                    string.format('; boundary="%s"', rewrite.new_ct.boundary) or ''
+                  local nct = string.format('%s: %s/%s; charset=utf-8%s',
+                      'Content-Type', rewrite.new_ct.type, rewrite.new_ct.subtype, boundary_part)
                  out[#out + 1] = nct
-                  -- update Content-Type header
+                  -- update Content-Type header (include boundary if present)
                  task:set_milter_reply({
                    remove_headers = {['Content-Type'] = 0},
                  })
                  task:set_milter_reply({
-                    add_headers = {['Content-Type'] = string.format('%s/%s; charset=utf-8', rewrite.new_ct.type, rewrite.new_ct.subtype)}
+                    add_headers = {['Content-Type'] = string.format('%s/%s; charset=utf-8%s',
+                      rewrite.new_ct.type, rewrite.new_ct.subtype, boundary_part)}
                  })
                  return
                elseif name:lower() == 'content-transfer-encoding' then
@@ -645,16 +655,16 @@ rspamd_config:register_symbol({
              end
              out[#out + 1] = hdr.raw:gsub('\r?\n?$', '')
            end
-        
+
            task:headers_foreach(rewrite_ct_cb, {full = true})
-        
+
            if not seen_cte and rewrite.need_rewrite_ct then
              out[#out + 1] = string.format('%s: %s', 'Content-Transfer-Encoding', 'quoted-printable')
            end
-        
+
            -- End of headers
            out[#out + 1] = newline_s
-        
+
            if rewrite.out then
              for _,o in ipairs(rewrite.out) do
                out[#out + 1] = o
--- a/data/conf/rspamd/meta_exporter/pipe.php
+++ b/data/conf/rspamd/meta_exporter/pipe.php
@@ -21,10 +21,10 @@ catch (PDOException $e) {
  http_response_code(501);
  exit;
 }
-// Init Redis
-$redis = new Redis();
-$redis->connect('redis-mailcow', 6379);
-$redis->auth(getenv("REDISPASS"));
+// Init Valkey
+$valkey = new Redis();
+$valkey->connect('valkey-mailcow', 6379);
+$valkey->auth(getenv("VALKEYPASS"));

 // Functions
 function parse_email($email) {
@@ -74,16 +74,16 @@ if ($fuzzy == 'unknown') {
 }

 try {
-  $max_size = (int)$redis->Get('Q_MAX_SIZE');
+  $max_size = (int)$valkey->Get('Q_MAX_SIZE');
  if (($max_size * 1048576) < $raw_size) {
    error_log(sprintf("QUARANTINE: Message too large: %d b exceeds %d b", $raw_size, ($max_size * 1048576)) . PHP_EOL);
    http_response_code(505);
    exit;
  }
-  if ($exclude_domains = $redis->Get('Q_EXCLUDE_DOMAINS')) {
+  if ($exclude_domains = $valkey->Get('Q_EXCLUDE_DOMAINS')) {
    $exclude_domains = json_decode($exclude_domains, true);
  }
-  $retention_size = (int)$redis->Get('Q_RETENTION_SIZE');
+  $retention_size = (int)$valkey->Get('Q_RETENTION_SIZE');
 }
 catch (RedisException $e) {
  error_log("QUARANTINE: " . $e . PHP_EOL);
@@ -103,7 +103,7 @@ foreach (json_decode($rcpts, true) as $rcpt) {

  // Skip if not a mailcow handled domain
  try {
-    if (!$redis->hGet('DOMAIN_MAP', $parsed_rcpt['domain'])) {
+    if (!$valkey->hGet('DOMAIN_MAP', $parsed_rcpt['domain'])) {
      continue;
    }
  }
@@ -171,7 +171,7 @@ foreach (json_decode($rcpts, true) as $rcpt) {
        }
        else {
          $parsed_goto = parse_email($goto);
-          if (!$redis->hGet('DOMAIN_MAP', $parsed_goto['domain'])) {
+          if (!$valkey->hGet('DOMAIN_MAP', $parsed_goto['domain'])) {
            error_log("RCPT RESOVLER:" . $goto . " is not a mailcow handled mailbox or alias address" . PHP_EOL);
          }
          else {
@@ -182,7 +182,7 @@ foreach (json_decode($rcpts, true) as $rcpt) {
              error_log("RCPT RESOVLER: http pipe: goto address " . $goto . " is an alias branch for " . $goto_branch . PHP_EOL);
              $goto_branch_array = explode(',', $goto_branch);
            } else {
-              $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain AND `active` AND '1'");
+              $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain AND `active` = '1'");
              $stmt->execute(array(':domain' => $parsed_goto['domain']));
              $goto_branch = $stmt->fetch(PDO::FETCH_ASSOC)['target_domain'];
              if ($goto_branch) {
--- a/data/conf/rspamd/meta_exporter/pipe_rl.php
+++ b/data/conf/rspamd/meta_exporter/pipe_rl.php
@@ -5,16 +5,16 @@ header('Content-Type: text/plain');
 require_once "vars.inc.php";
 // Do not show errors, we log to using error_log
 ini_set('error_reporting', 0);
-// Init Redis
-$redis = new Redis();
+// Init Valkey
+$valkey = new Redis();
 try {
-  if (!empty(getenv('REDIS_SLAVEOF_IP'))) {
-    $redis->connect(getenv('REDIS_SLAVEOF_IP'), getenv('REDIS_SLAVEOF_PORT'));
+  if (!empty(getenv('VALKEY_SLAVEOF_IP'))) {
+    $valkey->connect(getenv('VALKEY_SLAVEOF_IP'), getenv('VALKEY_SLAVEOF_PORT'));
  }
  else {
-    $redis->connect('redis-mailcow', 6379);
+    $valkey->connect('valkey-mailcow', 6379);
  }
-  $redis->auth(getenv("REDISPASS"));
+  $valkey->auth(getenv("VALKEYPASS"));
 }
 catch (Exception $e) {
  exit;
@@ -44,6 +44,6 @@ $data['message_id'] = $raw_data_decoded['message_id'];
 $data['header_subject'] = implode(' ', $raw_data_decoded['header_subject']);
 $data['header_from'] = implode(', ', $raw_data_decoded['header_from']);

-$redis->lpush('RL_LOG', json_encode($data));
+$valkey->lpush('RL_LOG', json_encode($data));
 exit;

--- a/data/conf/rspamd/meta_exporter/pushover.php
+++ b/data/conf/rspamd/meta_exporter/pushover.php
@@ -21,10 +21,10 @@ catch (PDOException $e) {
  http_response_code(501);
  exit;
 }
-// Init Redis
-$redis = new Redis();
-$redis->connect('redis-mailcow', 6379);
-$redis->auth(getenv("REDISPASS"));
+// Init Valkey
+$valkey = new Redis();
+$valkey->connect('valkey-mailcow', 6379);
+$valkey->auth(getenv("VALKEYPASS"));

 // Functions
 function parse_email($email) {
@@ -94,7 +94,7 @@ foreach (json_decode($rcpts, true) as $rcpt) {

  // Skip if not a mailcow handled domain
  try {
-    if (!$redis->hGet('DOMAIN_MAP', $parsed_rcpt['domain'])) {
+    if (!$valkey->hGet('DOMAIN_MAP', $parsed_rcpt['domain'])) {
      continue;
    }
  }
@@ -156,7 +156,7 @@ foreach (json_decode($rcpts, true) as $rcpt) {
        }
        else {
          $parsed_goto = parse_email($goto);
-          if (!$redis->hGet('DOMAIN_MAP', $parsed_goto['domain'])) {
+          if (!$valkey->hGet('DOMAIN_MAP', $parsed_goto['domain'])) {
            error_log("RCPT RESOVLER:" . $goto . " is not a mailcow handled mailbox or alias address" . PHP_EOL);
          }
          else {
@@ -167,7 +167,7 @@ foreach (json_decode($rcpts, true) as $rcpt) {
              error_log("RCPT RESOVLER: http pipe: goto address " . $goto . " is an alias branch for " . $goto_branch . PHP_EOL);
              $goto_branch_array = explode(',', $goto_branch);
            } else {
-              $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain AND `active` AND '1'");
+              $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain AND `active` = '1'");
              $stmt->execute(array(':domain' => $parsed_goto['domain']));
              $goto_branch = $stmt->fetch(PDO::FETCH_ASSOC)['target_domain'];
              if ($goto_branch) {
--- a/data/conf/valkey/valkey-conf.sh
+++ b/data/conf/valkey/valkey-conf.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+cat <<EOF > /valkey.conf
+requirepass $VALKEYPASS
+user quota_notify on nopass ~QW_* -@all +get +hget +ping
+EOF
+
+if [ -n "$VALKEYMASTERPASS" ]; then
+  echo "masterauth $VALKEYMASTERPASS" >> /valkey.conf
+fi
+
+exec "$@"
--- a/data/web/_rspamderror.php
+++ b/data/web/_rspamderror.php
@@ -1,13 +1,13 @@
 <?php
-$redis = new Redis();
+$valkey = new Redis();
 try {
-  if (!empty(getenv('REDIS_SLAVEOF_IP'))) {
-    $redis->connect(getenv('REDIS_SLAVEOF_IP'), getenv('REDIS_SLAVEOF_PORT'));
+  if (!empty(getenv('VALKEY_SLAVEOF_IP'))) {
+    $valkey->connect(getenv('VALKEY_SLAVEOF_IP'), getenv('VALKEY_SLAVEOF_PORT'));
  }
  else {
-    $redis->connect('redis-mailcow', 6379);
+    $valkey->connect('valkey-mailcow', 6379);
  }
-  $redis->auth(getenv("REDISPASS"));
+  $valkey->auth(getenv("VALKEYPASS"));
 }
 catch (Exception $e) {
  exit;
@@ -15,4 +15,4 @@ catch (Exception $e) {
 header('Content-Type: application/json');
 echo '{"error":"Unauthorized"}';
 error_log("Rspamd UI: Invalid password by " . $_SERVER['REMOTE_ADDR']);
-$redis->publish("F2B_CHANNEL", "Rspamd UI: Invalid password by " . $_SERVER['REMOTE_ADDR']);
+$valkey->publish("F2B_CHANNEL", "Rspamd UI: Invalid password by " . $_SERVER['REMOTE_ADDR']);
--- a/data/web/admin/dashboard.php
+++ b/data/web/admin/dashboard.php
@@ -21,7 +21,7 @@ $clamd_status = (preg_match("/^([yY][eE][sS]|[yY])+$/", $_ENV["SKIP_CLAMD"])) ?
 $olefy_status = (preg_match("/^([yY][eE][sS]|[yY])+$/", $_ENV["SKIP_OLEFY"])) ? false : true;


-if (!isset($_SESSION['gal']) && $license_cache = $redis->Get('LICENSE_STATUS_CACHE')) {
+if (!isset($_SESSION['gal']) && $license_cache = $valkey->Get('LICENSE_STATUS_CACHE')) {
  $_SESSION['gal'] = json_decode($license_cache, true);
 }

--- a/data/web/api/openapi.yaml
+++ b/data/web/api/openapi.yaml
@@ -5412,9 +5412,9 @@ paths:
                      started_at: "2019-12-22T21:00:07.186717617Z"
                      state: running
                      type: info
-                    redis-mailcow:
-                      container: redis-mailcow
-                      image: "redis:5-alpine"
+                    valkey-mailcow:
+                      container: valkey-mailcow
+                      image: "valkey:7.2.8-alpine"
                      started_at: "2019-12-22T20:59:56.827166834Z"
                      state: running
                      type: info
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@@ -10,16 +10,16 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php';
 $default_autodiscover_config = $autodiscover_config;
 $autodiscover_config = array_merge($default_autodiscover_config, $autodiscover_config);

-// Redis
-$redis = new Redis();
+// Valkey
+$valkey = new Redis();
 try {
-  if (!empty(getenv('REDIS_SLAVEOF_IP'))) {
-    $redis->connect(getenv('REDIS_SLAVEOF_IP'), getenv('REDIS_SLAVEOF_PORT'));
+  if (!empty(getenv('VALKEY_SLAVEOF_IP'))) {
+    $valkey->connect(getenv('VALKEY_SLAVEOF_IP'), getenv('VALKEY_SLAVEOF_PORT'));
  }
  else {
-    $redis->connect('redis-mailcow', 6379);
+    $valkey->connect('valkey-mailcow', 6379);
  }
-  $redis->auth(getenv("REDISPASS"));
+  $valkey->auth(getenv("VALKEYPASS"));
 }
 catch (Exception $e) {
  exit;
@@ -71,7 +71,7 @@ if (empty($_SERVER['PHP_AUTH_USER']) || empty($_SERVER['PHP_AUTH_PW'])) {
      "service" => "Error: must be authenticated"
    )
  );
-  $redis->lPush('AUTODISCOVER_LOG', $json);
+  $valkey->lPush('AUTODISCOVER_LOG', $json);
  header('WWW-Authenticate: Basic realm="' . $_SERVER['HTTP_HOST'] . '"');
  header('HTTP/1.0 401 Unauthorized');
  exit(0);
@@ -96,13 +96,13 @@ if ($login_role === "user") {
          "service" => "Error: invalid or missing request data"
        )
      );
-      $redis->lPush('AUTODISCOVER_LOG', $json);
-      $redis->lTrim('AUTODISCOVER_LOG', 0, 100);
+      $valkey->lPush('AUTODISCOVER_LOG', $json);
+      $valkey->lTrim('AUTODISCOVER_LOG', 0, 100);
    }
    catch (RedisException $e) {
      $_SESSION['return'][] = array(
        'type' => 'danger',
-        'msg' => 'Redis: '.$e
+        'msg' => 'Valkey: '.$e
      );
      return false;
    }
@@ -151,13 +151,13 @@ if ($login_role === "user") {
        "service" => $autodiscover_config['autodiscoverType']
      )
    );
-    $redis->lPush('AUTODISCOVER_LOG', $json);
-    $redis->lTrim('AUTODISCOVER_LOG', 0, 100);
+    $valkey->lPush('AUTODISCOVER_LOG', $json);
+    $valkey->lTrim('AUTODISCOVER_LOG', 0, 100);
  }
  catch (RedisException $e) {
    $_SESSION['return'][] = array(
      'type' => 'danger',
-      'msg' => 'Redis: '.$e
+      'msg' => 'Valkey: '.$e
    );
    return false;
  }
--- a/data/web/inc/footer.inc.php
+++ b/data/web/inc/footer.inc.php
@@ -26,23 +26,25 @@ if (is_array($alertbox_log_parser)) {

 // map tfa details for twig
 $pending_tfa_authmechs = [];
-foreach($_SESSION['pending_tfa_methods'] as $authdata){
-  $pending_tfa_authmechs[$authdata['authmech']] = false;
-}
-if (isset($pending_tfa_authmechs['webauthn'])) {
-  $pending_tfa_authmechs['webauthn'] = true;
-}
-if (!isset($pending_tfa_authmechs['webauthn']) 
-    && isset($pending_tfa_authmechs['yubi_otp'])) {
-  $pending_tfa_authmechs['yubi_otp'] = true;
-}
-if (!isset($pending_tfa_authmechs['webauthn']) 
-    && !isset($pending_tfa_authmechs['yubi_otp'])
-    && isset($pending_tfa_authmechs['totp'])) {
-  $pending_tfa_authmechs['totp'] = true;
-}
-if (isset($pending_tfa_authmechs['u2f'])) {
-  $pending_tfa_authmechs['u2f'] = true;
+if (array_key_exists('pending_tfa_methods', $_SESSION)) {
+  foreach($_SESSION['pending_tfa_methods'] as $authdata){
+    $pending_tfa_authmechs[$authdata['authmech']] = false;
+  }
+  if (isset($pending_tfa_authmechs['webauthn'])) {
+    $pending_tfa_authmechs['webauthn'] = true;
+  }
+  if (!isset($pending_tfa_authmechs['webauthn']) 
+      && isset($pending_tfa_authmechs['yubi_otp'])) {
+    $pending_tfa_authmechs['yubi_otp'] = true;
+  }
+  if (!isset($pending_tfa_authmechs['webauthn']) 
+      && !isset($pending_tfa_authmechs['yubi_otp'])
+      && isset($pending_tfa_authmechs['totp'])) {
+    $pending_tfa_authmechs['totp'] = true;
+  }
+  if (isset($pending_tfa_authmechs['u2f'])) {
+    $pending_tfa_authmechs['u2f'] = true;
+  }
 }

 // globals
--- a/data/web/inc/functions.app_passwd.inc.php
+++ b/data/web/inc/functions.app_passwd.inc.php
@@ -1,7 +1,7 @@
 <?php
 function app_passwd($_action, $_data = null) {
-	global $pdo;
-	global $lang;
+  global $pdo;
+  global $lang;
  $_data_log = $_data;
  !isset($_data_log['app_passwd']) ?: $_data_log['app_passwd'] = '*';
  !isset($_data_log['app_passwd2']) ?: $_data_log['app_passwd2'] = '*';
@@ -43,20 +43,7 @@ function app_passwd($_action, $_data = null) {
        );
        return false;
      }
-      if (!preg_match('/' . $GLOBALS['PASSWD_REGEP'] . '/', $password)) {
-        $_SESSION['return'][] = array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => 'password_complexity'
-        );
-        return false;
-      }
-      if ($password != $password2) {
-        $_SESSION['return'][] = array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => 'password_mismatch'
-        );
+      if (password_check($password, $password2) !== true) {
        return false;
      }
      $password_hashed = hash_password($password);
@@ -88,15 +75,15 @@ function app_passwd($_action, $_data = null) {
        'log' => array(__FUNCTION__, $_action, $_data_log),
        'msg' => 'app_passwd_added'
      );
-    break;
+      break;
    case 'edit':
      $ids = (array)$_data['id'];
      foreach ($ids as $id) {
        $is_now = app_passwd('details', $id);
        if (!empty($is_now)) {
          $app_name = (!empty($_data['app_name'])) ? $_data['app_name'] : $is_now['name'];
-          $password = (!empty($_data['password'])) ? $_data['password'] : null;
-          $password2 = (!empty($_data['password2'])) ? $_data['password2'] : null;
+          $password = (!empty($_data['app_passwd'])) ? $_data['app_passwd'] : null;
+          $password2 = (!empty($_data['app_passwd2'])) ? $_data['app_passwd2'] : null;
          if (isset($_data['protocols'])) {
            $protocols = (array)$_data['protocols'];
            $imap_access = (in_array('imap_access', $protocols)) ? 1 : 0;
@@ -126,20 +113,7 @@ function app_passwd($_action, $_data = null) {
        }
        $app_name = htmlspecialchars(trim($app_name));
        if (!empty($password) && !empty($password2)) {
-          if (!preg_match('/' . $GLOBALS['PASSWD_REGEP'] . '/', $password)) {
-            $_SESSION['return'][] = array(
-              'type' => 'danger',
-              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-              'msg' => 'password_complexity'
-            );
-            continue;
-          }
-          if ($password != $password2) {
-            $_SESSION['return'][] = array(
-              'type' => 'danger',
-              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-              'msg' => 'password_mismatch'
-            );
+          if (password_check($password, $password2) !== true) {
            continue;
          }
          $password_hashed = hash_password($password);
@@ -182,7 +156,7 @@ function app_passwd($_action, $_data = null) {
          'msg' => array('object_modified', htmlspecialchars(implode(', ', $ids)))
        );
      }
-    break;
+      break;
    case 'delete':
      $ids = (array)$_data['id'];
      foreach ($ids as $id) {
@@ -213,19 +187,17 @@ function app_passwd($_action, $_data = null) {
          'msg' => array('app_passwd_removed', htmlspecialchars($id))
        );
      }
-    break;
+      break;
    case 'get':
      $app_passwds = array();
      $stmt = $pdo->prepare("SELECT `id`, `name` FROM `app_passwd` WHERE `mailbox` = :username");
      $stmt->execute(array(':username' => $username));
      $app_passwds = $stmt->fetchAll(PDO::FETCH_ASSOC);
      return $app_passwds;
-    break;
+      break;
    case 'details':
      $app_passwd_data = array();
-      $stmt = $pdo->prepare("SELECT *
-          FROM `app_passwd`
-            WHERE `id` = :id");
+      $stmt = $pdo->prepare("SELECT * FROM `app_passwd` WHERE `id` = :id");
      $stmt->execute(array(':id' => $_data));
      $app_passwd_data = $stmt->fetch(PDO::FETCH_ASSOC);
      if (empty($app_passwd_data)) {
@@ -237,6 +209,6 @@ function app_passwd($_action, $_data = null) {
      }
      $app_passwd_data['name'] = htmlspecialchars(trim($app_passwd_data['name']));
      return $app_passwd_data;
-    break;
+      break;
  }
 }
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -1,7 +1,7 @@
 <?php
 function check_login($user, $pass, $app_passwd_data = false, $extra = null) {
  global $pdo;
-  global $redis;
+  global $valkey;

  $is_internal = $extra['is_internal'];
  $role = $extra['role'];
@@ -62,12 +62,12 @@ function check_login($user, $pass, $app_passwd_data = false, $extra = null) {

  if (!isset($_SESSION['ldelay'])) {
    $_SESSION['ldelay'] = "0";
-    $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
+    $valkey->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
    error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
  }
  elseif (!isset($_SESSION['mailcow_cc_username'])) {
    $_SESSION['ldelay'] = $_SESSION['ldelay']+0.5;
-    $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
+    $valkey->publish("F2B_CHANNEL", "mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
    error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
  }
  $_SESSION['return'][] =  array(
@@ -193,6 +193,7 @@ function user_login($user, $pass, $extra = null){
  global $iam_settings;

  $is_internal = $extra['is_internal'];
+  $service = $extra['service'];

  if (!filter_var($user, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $user))) {
    if (!$is_internal){
@@ -235,6 +236,14 @@ function user_login($user, $pass, $extra = null){
      $row = $stmt->fetch(PDO::FETCH_ASSOC);

      if (!empty($row)) {
+        // check if user has access to service (imap, smtp, pop3, sieve) if service is set
+        $row['attributes'] = json_decode($row['attributes'], true);
+        if (isset($service)) {
+          $key = strtolower($service) . "_access";
+          if (isset($row['attributes'][$key]) && $row['attributes'][$key] != '1') {
+            return false;
+          }
+        }
        return true;
      }
    }
@@ -242,7 +251,14 @@ function user_login($user, $pass, $extra = null){
    return false;
  }

+  // check if user has access to service (imap, smtp, pop3, sieve) if service is set
  $row['attributes'] = json_decode($row['attributes'], true);
+  if (isset($service)) {
+    $key = strtolower($service) . "_access";
+    if (isset($row['attributes'][$key]) && $row['attributes'][$key] != '1') {
+      return false;
+    }
+  }
  switch ($row['authsource']) {
    case 'keycloak':
      // user authsource is keycloak, try using via rest flow
--- a/data/web/inc/functions.customize.inc.php
+++ b/data/web/inc/functions.customize.inc.php
@@ -1,6 +1,6 @@
 <?php
 function customize($_action, $_item, $_data = null) {
-	global $redis;
+	global $valkey;
 	global $lang;
  global $LOGO_LIMITS;

@@ -82,13 +82,13 @@ function customize($_action, $_item, $_data = null) {
            return false;
          }
          try {
-            $redis->Set(strtoupper($_item), 'data:' . $_data[$_item]['type'] . ';base64,' . base64_encode(file_get_contents($_data[$_item]['tmp_name'])));
+            $valkey->Set(strtoupper($_item), 'data:' . $_data[$_item]['type'] . ';base64,' . base64_encode(file_get_contents($_data[$_item]['tmp_name'])));
          }
          catch (RedisException $e) {
            $_SESSION['return'][] = array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_item, $_data),
-              'msg' => array('redis_error', $e)
+              'msg' => array('valkey_error', $e)
            );
            return false;
          }
@@ -134,13 +134,13 @@ function customize($_action, $_item, $_data = null) {
              ));
            }
            try {
-              $redis->set('APP_LINKS', json_encode($out));
+              $valkey->set('APP_LINKS', json_encode($out));
            }
            catch (RedisException $e) {
              $_SESSION['return'][] = array(
                'type' => 'danger',
                'log' => array(__FUNCTION__, $_action, $_item, $_data),
-                'msg' => array('redis_error', $e)
+                'msg' => array('valkey_error', $e)
              );
              return false;
            }
@@ -162,20 +162,20 @@ function customize($_action, $_item, $_data = null) {
          $ui_announcement_active = (!empty($_data['ui_announcement_active']) ? 1 : 0);

          try {
-            $redis->set('TITLE_NAME', htmlspecialchars($title_name));
-            $redis->set('MAIN_NAME', htmlspecialchars($main_name));
-            $redis->set('APPS_NAME', htmlspecialchars($apps_name));
-            $redis->set('HELP_TEXT', $help_text);
-            $redis->set('UI_FOOTER', $ui_footer);
-            $redis->set('UI_ANNOUNCEMENT_TEXT', $ui_announcement_text);
-            $redis->set('UI_ANNOUNCEMENT_TYPE', $ui_announcement_type);
-            $redis->set('UI_ANNOUNCEMENT_ACTIVE', $ui_announcement_active);
+            $valkey->set('TITLE_NAME', htmlspecialchars($title_name));
+            $valkey->set('MAIN_NAME', htmlspecialchars($main_name));
+            $valkey->set('APPS_NAME', htmlspecialchars($apps_name));
+            $valkey->set('HELP_TEXT', $help_text);
+            $valkey->set('UI_FOOTER', $ui_footer);
+            $valkey->set('UI_ANNOUNCEMENT_TEXT', $ui_announcement_text);
+            $valkey->set('UI_ANNOUNCEMENT_TYPE', $ui_announcement_type);
+            $valkey->set('UI_ANNOUNCEMENT_ACTIVE', $ui_announcement_active);
          }
          catch (RedisException $e) {
            $_SESSION['return'][] = array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_item, $_data),
-              'msg' => array('redis_error', $e)
+              'msg' => array('valkey_error', $e)
            );
            return false;
          }
@@ -188,13 +188,13 @@ function customize($_action, $_item, $_data = null) {
        case 'ip_check':
          $ip_check = ($_data['ip_check_opt_in'] == "1") ? 1 : 0;
          try {
-            $redis->set('IP_CHECK', $ip_check);
+            $valkey->set('IP_CHECK', $ip_check);
          }
          catch (RedisException $e) {
            $_SESSION['return'][] = array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_item, $_data),
-              'msg' => array('redis_error', $e)
+              'msg' => array('valkey_error', $e)
            );
            return false;
          }
@@ -217,7 +217,7 @@ function customize($_action, $_item, $_data = null) {
            "force_sso" => $force_sso,
          );
          try {
-            $redis->set('CUSTOM_LOGIN', json_encode($custom_login));
+            $valkey->set('CUSTOM_LOGIN', json_encode($custom_login));
          }
          catch (RedisException $e) {
            $_SESSION['return'][] = array(
@@ -257,7 +257,7 @@ function customize($_action, $_item, $_data = null) {
        case 'main_logo':
        case 'main_logo_dark':
          try {
-            if ($redis->del(strtoupper($_item))) {
+            if ($valkey->del(strtoupper($_item))) {
              $_SESSION['return'][] = array(
                'type' => 'success',
                'log' => array(__FUNCTION__, $_action, $_item, $_data),
@@ -270,7 +270,7 @@ function customize($_action, $_item, $_data = null) {
            $_SESSION['return'][] = array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_item, $_data),
-              'msg' => array('redis_error', $e)
+              'msg' => array('valkey_error', $e)
            );
            return false;
          }
@@ -281,19 +281,19 @@ function customize($_action, $_item, $_data = null) {
      switch ($_item) {
        case 'app_links':
          try {
-            $app_links = json_decode($redis->get('APP_LINKS'), true);
+            $app_links = json_decode($valkey->get('APP_LINKS'), true);
          }
          catch (RedisException $e) {
            $_SESSION['return'][] = array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_item, $_data),
-              'msg' => array('redis_error', $e)
+              'msg' => array('valkey_error', $e)
            );
            return false;
          }

          if (empty($app_links)){
-            return false;
+            return [];
          }

          // convert from old style
@@ -312,38 +312,40 @@ function customize($_action, $_item, $_data = null) {
        case 'main_logo':
        case 'main_logo_dark':
          try {
-            return $redis->get(strtoupper($_item));
+            return $valkey->get(strtoupper($_item));
          }
          catch (RedisException $e) {
            $_SESSION['return'][] = array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_item, $_data),
-              'msg' => array('redis_error', $e)
+              'msg' => array('valkey_error', $e)
            );
            return false;
          }
        break;
        case 'ui_texts':
          try {
-            $data['title_name'] = ($title_name = $redis->get('TITLE_NAME')) ? $title_name : 'mailcow UI';
-            $data['main_name'] = ($main_name = $redis->get('MAIN_NAME')) ? $main_name : 'mailcow UI';
-            $data['apps_name'] = ($apps_name = $redis->get('APPS_NAME')) ? $apps_name : $lang['header']['apps'];
-            $data['help_text'] = ($help_text = $redis->get('HELP_TEXT')) ? $help_text : false;
-            if (!empty($redis->get('UI_IMPRESS'))) {
-              $redis->set('UI_FOOTER', $redis->get('UI_IMPRESS'));
-              $redis->del('UI_IMPRESS');
+            $mailcow_hostname = strtolower(getenv("MAILCOW_HOSTNAME"));
+
+            $data['title_name'] = ($title_name = $valkey->get('TITLE_NAME')) ? $title_name : "$mailcow_hostname - mail UI";
+            $data['main_name'] = ($main_name = $valkey->get('MAIN_NAME')) ? $main_name : "$mailcow_hostname - mail UI";
+            $data['apps_name'] = ($apps_name = $valkey->get('APPS_NAME')) ? $apps_name : $lang['header']['apps'];
+            $data['help_text'] = ($help_text = $valkey->get('HELP_TEXT')) ? $help_text : false;
+            if (!empty($valkey->get('UI_IMPRESS'))) {
+              $valkey->set('UI_FOOTER', $valkey->get('UI_IMPRESS'));
+              $valkey->del('UI_IMPRESS');
            }
-            $data['ui_footer'] = ($ui_footer = $redis->get('UI_FOOTER')) ? $ui_footer : false;
-            $data['ui_announcement_text'] = ($ui_announcement_text = $redis->get('UI_ANNOUNCEMENT_TEXT')) ? $ui_announcement_text : false;
-            $data['ui_announcement_type'] = ($ui_announcement_type = $redis->get('UI_ANNOUNCEMENT_TYPE')) ? $ui_announcement_type : false;
-            $data['ui_announcement_active'] = ($redis->get('UI_ANNOUNCEMENT_ACTIVE') == 1) ? 1 : 0;
+            $data['ui_footer'] = ($ui_footer = $valkey->get('UI_FOOTER')) ? $ui_footer : false;
+            $data['ui_announcement_text'] = ($ui_announcement_text = $valkey->get('UI_ANNOUNCEMENT_TEXT')) ? $ui_announcement_text : false;
+            $data['ui_announcement_type'] = ($ui_announcement_type = $valkey->get('UI_ANNOUNCEMENT_TYPE')) ? $ui_announcement_type : false;
+            $data['ui_announcement_active'] = ($valkey->get('UI_ANNOUNCEMENT_ACTIVE') == 1) ? 1 : 0;
            return $data;
          }
          catch (RedisException $e) {
            $_SESSION['return'][] = array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_item, $_data),
-              'msg' => array('redis_error', $e)
+              'msg' => array('valkey_error', $e)
            );
            return false;
          }
@@ -374,21 +376,21 @@ function customize($_action, $_item, $_data = null) {
        break;
        case 'ip_check':
          try {
-            $ip_check = ($ip_check = $redis->get('IP_CHECK')) ? $ip_check : 0;
+            $ip_check = ($ip_check = $valkey->get('IP_CHECK')) ? $ip_check : 0;
            return $ip_check;
          }
          catch (RedisException $e) {
            $_SESSION['return'][] = array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_item, $_data),
-              'msg' => array('redis_error', $e)
+              'msg' => array('valkey_error', $e)
            );
            return false;
          }
        break;
        case 'custom_login':
          try {
-            $custom_login = $redis->get('CUSTOM_LOGIN');
+            $custom_login = $valkey->get('CUSTOM_LOGIN');
            return $custom_login ? json_decode($custom_login, true) : array();
          }
          catch (RedisException $e) {
--- a/data/web/inc/functions.dkim.inc.php
+++ b/data/web/inc/functions.dkim.inc.php
@@ -1,7 +1,7 @@
 <?php

 function dkim($_action, $_data = null, $privkey = false) {
-  global $redis;
+  global $valkey;
  global $lang;
  switch ($_action) {
    case 'add':
@@ -18,7 +18,7 @@ function dkim($_action, $_data = null, $privkey = false) {
          );
          continue;
        }
-        if ($redis->hGet('DKIM_PUB_KEYS', $domain)) {
+        if ($valkey->hGet('DKIM_PUB_KEYS', $domain)) {
          $_SESSION['return'][] = array(
            'type' => 'danger',
            'log' => array(__FUNCTION__, $_action, $_data),
@@ -54,30 +54,30 @@ function dkim($_action, $_data = null, $privkey = false) {
              explode(PHP_EOL, $key_details['key'])
            ), 1, -1)
          );
-          // Save public key and selector to redis
+          // Save public key and selector to valkey
          try {
-            $redis->hSet('DKIM_PUB_KEYS', $domain, $pubKey);
-            $redis->hSet('DKIM_SELECTORS', $domain, $dkim_selector);
+            $valkey->hSet('DKIM_PUB_KEYS', $domain, $pubKey);
+            $valkey->hSet('DKIM_SELECTORS', $domain, $dkim_selector);
          }
          catch (RedisException $e) {
            $_SESSION['return'][] = array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_data),
-              'msg' => array('redis_error', $e)
+              'msg' => array('valkey_error', $e)
            );
            continue;
          }
-          // Export private key and save private key to redis
+          // Export private key and save private key to valkey
          openssl_pkey_export($keypair_ressource, $privKey);
          if (isset($privKey) && !empty($privKey)) {
            try {
-              $redis->hSet('DKIM_PRIV_KEYS', $dkim_selector . '.' . $domain, trim($privKey));
+              $valkey->hSet('DKIM_PRIV_KEYS', $dkim_selector . '.' . $domain, trim($privKey));
            }
            catch (RedisException $e) {
              $_SESSION['return'][] = array(
                'type' => 'danger',
                'log' => array(__FUNCTION__, $_action, $_data),
-                'msg' => array('redis_error', $e)
+                'msg' => array('valkey_error', $e)
              );
              continue;
            }
@@ -121,15 +121,15 @@ function dkim($_action, $_data = null, $privkey = false) {
      $to_domains = array_filter($to_domains);
      foreach ($to_domains as $to_domain) {
        try {
-          $redis->hSet('DKIM_PUB_KEYS', $to_domain, $from_domain_dkim['pubkey']);
-          $redis->hSet('DKIM_SELECTORS', $to_domain, $from_domain_dkim['dkim_selector']);
-          $redis->hSet('DKIM_PRIV_KEYS', $from_domain_dkim['dkim_selector'] . '.' . $to_domain, base64_decode(trim($from_domain_dkim['privkey'])));
+          $valkey->hSet('DKIM_PUB_KEYS', $to_domain, $from_domain_dkim['pubkey']);
+          $valkey->hSet('DKIM_SELECTORS', $to_domain, $from_domain_dkim['dkim_selector']);
+          $valkey->hSet('DKIM_PRIV_KEYS', $from_domain_dkim['dkim_selector'] . '.' . $to_domain, base64_decode(trim($from_domain_dkim['privkey'])));
        }
        catch (RedisException $e) {
          $_SESSION['return'][] = array(
            'type' => 'danger',
            'log' => array(__FUNCTION__, $_action, $_data),
-            'msg' => array('redis_error', $e)
+            'msg' => array('valkey_error', $e)
          );
          continue;
        }
@@ -178,7 +178,7 @@ function dkim($_action, $_data = null, $privkey = false) {
        );
        return false;
      }
-      if ($redis->hGet('DKIM_PUB_KEYS', $domain)) {
+      if ($valkey->hGet('DKIM_PUB_KEYS', $domain)) {
        if ($overwrite_existing == 0) {
          $_SESSION['return'][] = array(
            'type' => 'danger',
@@ -198,15 +198,15 @@ function dkim($_action, $_data = null, $privkey = false) {
      }
      try {
        dkim('delete', array('domains' => $domain));
-        $redis->hSet('DKIM_PUB_KEYS', $domain, $pem_public_key);
-        $redis->hSet('DKIM_SELECTORS', $domain, $dkim_selector);
-        $redis->hSet('DKIM_PRIV_KEYS', $dkim_selector . '.' . $domain, $private_key_normalized);
+        $valkey->hSet('DKIM_PUB_KEYS', $domain, $pem_public_key);
+        $valkey->hSet('DKIM_SELECTORS', $domain, $dkim_selector);
+        $valkey->hSet('DKIM_PRIV_KEYS', $dkim_selector . '.' . $domain, $private_key_normalized);
      }
      catch (RedisException $e) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $_action, $_data),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
        return false;
      }
@@ -219,7 +219,7 @@ function dkim($_action, $_data = null, $privkey = false) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $_action, $_data),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
        return false;
      }
@@ -235,8 +235,8 @@ function dkim($_action, $_data = null, $privkey = false) {
        return false;
      }
      $dkimdata = array();
-      if ($redis_dkim_key_data = $redis->hGet('DKIM_PUB_KEYS', $_data)) {
-        $dkimdata['pubkey'] = $redis_dkim_key_data;
+      if ($valkey_dkim_key_data = $valkey->hGet('DKIM_PUB_KEYS', $_data)) {
+        $dkimdata['pubkey'] = $valkey_dkim_key_data;
        if (strlen($dkimdata['pubkey']) < 391) {
          $dkimdata['length'] = "1024";
        }
@@ -253,15 +253,15 @@ function dkim($_action, $_data = null, $privkey = false) {
          $dkimdata['length'] = ">= 8192";
        }
        if ($GLOBALS['SPLIT_DKIM_255'] === true) {
-          $dkim_txt_tmp = str_split('v=DKIM1;k=rsa;t=s;s=email;p=' . $redis_dkim_key_data, 255);
+          $dkim_txt_tmp = str_split('v=DKIM1;k=rsa;t=s;s=email;p=' . $valkey_dkim_key_data, 255);
          $dkimdata['dkim_txt'] = sprintf('"%s"', implode('" "', (array)$dkim_txt_tmp ) );
        }
        else {
-          $dkimdata['dkim_txt'] = 'v=DKIM1;k=rsa;t=s;s=email;p=' . $redis_dkim_key_data;
+          $dkimdata['dkim_txt'] = 'v=DKIM1;k=rsa;t=s;s=email;p=' . $valkey_dkim_key_data;
        }
-        $dkimdata['dkim_selector'] = $redis->hGet('DKIM_SELECTORS', $_data);
+        $dkimdata['dkim_selector'] = $valkey->hGet('DKIM_SELECTORS', $_data);
        if ($GLOBALS['SHOW_DKIM_PRIV_KEYS'] || $privkey == true) {
-          $dkimdata['privkey'] = base64_encode($redis->hGet('DKIM_PRIV_KEYS', $dkimdata['dkim_selector'] . '.' . $_data));
+          $dkimdata['privkey'] = base64_encode($valkey->hGet('DKIM_PRIV_KEYS', $dkimdata['dkim_selector'] . '.' . $_data));
        }
        else {
          $dkimdata['privkey'] = '';
@@ -279,8 +279,8 @@ function dkim($_action, $_data = null, $privkey = false) {
        return false;
      }
      $blinddkim = array();
-      foreach ($redis->hKeys('DKIM_PUB_KEYS') as $redis_dkim_domain) {
-        $blinddkim[] = $redis_dkim_domain;
+      foreach ($valkey->hKeys('DKIM_PUB_KEYS') as $valkey_dkim_domain) {
+        $blinddkim[] = $valkey_dkim_domain;
      }
      return array_diff($blinddkim, array_merge(mailbox('get', 'domains'), mailbox('get', 'alias_domains')));
    break;
@@ -304,16 +304,16 @@ function dkim($_action, $_data = null, $privkey = false) {
          continue;
        }
        try {
-          $selector = $redis->hGet('DKIM_SELECTORS', $domain);
-          $redis->hDel('DKIM_PUB_KEYS', $domain);
-          $redis->hDel('DKIM_PRIV_KEYS', $selector . '.' . $domain);
-          $redis->hDel('DKIM_SELECTORS', $domain);
+          $selector = $valkey->hGet('DKIM_SELECTORS', $domain);
+          $valkey->hDel('DKIM_PUB_KEYS', $domain);
+          $valkey->hDel('DKIM_PRIV_KEYS', $selector . '.' . $domain);
+          $valkey->hDel('DKIM_SELECTORS', $domain);
        }
        catch (RedisException $e) {
          $_SESSION['return'][] = array(
            'type' => 'danger',
            'log' => array(__FUNCTION__, $_action, $_data),
-            'msg' => array('redis_error', $e)
+            'msg' => array('valkey_error', $e)
          );
          continue;
        }
--- a/data/web/inc/functions.docker.inc.php
+++ b/data/web/inc/functions.docker.inc.php
@@ -1,7 +1,7 @@
 <?php
 function docker($action, $service_name = null, $attr1 = null, $attr2 = null, $extra_headers = null) {
  global $DOCKER_TIMEOUT;
-  global $redis;
+  global $valkey;
  $curl = curl_init();
  curl_setopt($curl, CURLOPT_HTTPHEADER,array('Content-Type: application/json' ));
  // We are using our mail certificates for dockerapi, the names will not match, the certs are trusted anyway
@@ -102,7 +102,7 @@ function docker($action, $service_name = null, $attr1 = null, $attr2 = null, $ex
            }
          }
          else {
-            if (isset($decoded_response['Config']['Labels']['com.docker.compose.project']) 
+            if (isset($decoded_response['Config']['Labels']['com.docker.compose.project'])
              && strtolower($decoded_response['Config']['Labels']['com.docker.compose.project']) == strtolower(getenv('COMPOSE_PROJECT_NAME'))) {
              unset($container['Config']['Env']);
              $out[$decoded_response['Config']['Labels']['com.docker.compose.service']]['State'] = $decoded_response['State'];
@@ -200,7 +200,7 @@ function docker($action, $service_name = null, $attr1 = null, $attr2 = null, $ex
        "request" => $attr2
      );

-      $redis->publish("MC_CHANNEL", json_encode($request));
+      $valkey->publish("MC_CHANNEL", json_encode($request));
      return true;
    break;
  }
--- a/data/web/inc/functions.fail2ban.inc.php
+++ b/data/web/inc/functions.fail2ban.inc.php
@@ -1,6 +1,6 @@
 <?php
 function fail2ban($_action, $_data = null, $_extra = null) {
-  global $redis;
+  global $valkey;
  $_data_log = $_data;
  switch ($_action) {
    case 'get':
@@ -9,9 +9,9 @@ function fail2ban($_action, $_data = null, $_extra = null) {
        return false;
      }
      try {
-        $f2b_options = json_decode($redis->Get('F2B_OPTIONS'), true);
-        $f2b_options['regex'] = json_decode($redis->Get('F2B_REGEX'), true);
-        $wl = $redis->hGetAll('F2B_WHITELIST');
+        $f2b_options = json_decode($valkey->Get('F2B_OPTIONS'), true);
+        $f2b_options['regex'] = json_decode($valkey->Get('F2B_REGEX'), true);
+        $wl = $valkey->hGetAll('F2B_WHITELIST');
        if (is_array($wl)) {
          foreach ($wl as $key => $value) {
            $tmp_wl_data[] = $key;
@@ -27,7 +27,7 @@ function fail2ban($_action, $_data = null, $_extra = null) {
        else {
          $f2b_options['whitelist'] = "";
        }
-        $bl = $redis->hGetAll('F2B_BLACKLIST');
+        $bl = $valkey->hGetAll('F2B_BLACKLIST');
        if (is_array($bl)) {
          foreach ($bl as $key => $value) {
            $tmp_bl_data[] = $key;
@@ -43,7 +43,7 @@ function fail2ban($_action, $_data = null, $_extra = null) {
        else {
          $f2b_options['blacklist'] = "";
        }
-        $pb = $redis->hGetAll('F2B_PERM_BANS');
+        $pb = $valkey->hGetAll('F2B_PERM_BANS');
        if (is_array($pb)) {
          foreach ($pb as $key => $value) {
            $f2b_options['perm_bans'][] = array(
@@ -56,8 +56,8 @@ function fail2ban($_action, $_data = null, $_extra = null) {
        else {
          $f2b_options['perm_bans'] = "";
        }
-        $active_bans = $redis->hGetAll('F2B_ACTIVE_BANS');
-        $queue_unban = $redis->hGetAll('F2B_QUEUE_UNBAN');
+        $active_bans = $valkey->hGetAll('F2B_ACTIVE_BANS');
+        $queue_unban = $valkey->hGetAll('F2B_QUEUE_UNBAN');
        if (is_array($active_bans)) {
          foreach ($active_bans as $network => $banned_until) {
            $queued_for_unban = (isset($queue_unban[$network]) && $queue_unban[$network] == 1) ? 1 : 0;
@@ -78,7 +78,7 @@ function fail2ban($_action, $_data = null, $_extra = null) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
        return false;
      }
@@ -98,22 +98,22 @@ function fail2ban($_action, $_data = null, $_extra = null) {
        // Reset regex filters
        if ($_data['action'] == "reset-regex") {
          try {
-            $redis->Del('F2B_REGEX');
+            $valkey->Del('F2B_REGEX');
          }
          catch (RedisException $e) {
            $_SESSION['return'][] = array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_data_log),
-              'msg' => array('redis_error', $e)
+              'msg' => array('valkey_error', $e)
            );
            return false;
          }
          // Rules will also be recreated on log events, but rules may seem empty for a second in the UI
          docker('post', 'netfilter-mailcow', 'restart');
          $fail_count = 0;
-          $regex_result = json_decode($redis->Get('F2B_REGEX'), true);
+          $regex_result = json_decode($valkey->Get('F2B_REGEX'), true);
          while (empty($regex_result) && $fail_count < 10) {
-            $regex_result = json_decode($redis->Get('F2B_REGEX'), true);
+            $regex_result = json_decode($valkey->Get('F2B_REGEX'), true);
            $fail_count++;
            sleep(1);
          }
@@ -135,7 +135,7 @@ function fail2ban($_action, $_data = null, $_extra = null) {
              $rule_id++;
            }
            if (!empty($regex_array)) {
-              $redis->Set('F2B_REGEX', json_encode($regex_array, JSON_UNESCAPED_SLASHES));
+              $valkey->Set('F2B_REGEX', json_encode($regex_array, JSON_UNESCAPED_SLASHES));
            }
          }
          $_SESSION['return'][] = array(
@@ -154,13 +154,13 @@ function fail2ban($_action, $_data = null, $_extra = null) {
            if ($_data['action'] == "unban") {
              if (valid_network($network)) {
                try {
-                  $redis->hSet('F2B_QUEUE_UNBAN', $network, 1);
+                  $valkey->hSet('F2B_QUEUE_UNBAN', $network, 1);
                }
                catch (RedisException $e) {
                  $_SESSION['return'][] = array(
                    'type' => 'danger',
                    'log' => array(__FUNCTION__, $_action, $_data_log),
-                    'msg' => array('redis_error', $e)
+                    'msg' => array('valkey_error', $e)
                  );
                  continue;
                }
@@ -171,15 +171,15 @@ function fail2ban($_action, $_data = null, $_extra = null) {
              if (empty($network)) { continue; }
              if (valid_network($network)) {
                try {
-                  $redis->hSet('F2B_WHITELIST', $network, 1);
-                  $redis->hDel('F2B_BLACKLIST', $network, 1);
-                  $redis->hSet('F2B_QUEUE_UNBAN', $network, 1);
+                  $valkey->hSet('F2B_WHITELIST', $network, 1);
+                  $valkey->hDel('F2B_BLACKLIST', $network, 1);
+                  $valkey->hSet('F2B_QUEUE_UNBAN', $network, 1);
                }
                catch (RedisException $e) {
                  $_SESSION['return'][] = array(
                    'type' => 'danger',
                    'log' => array(__FUNCTION__, $_action, $_data_log),
-                    'msg' => array('redis_error', $e)
+                    'msg' => array('valkey_error', $e)
                  );
                  continue;
                }
@@ -204,15 +204,15 @@ function fail2ban($_action, $_data = null, $_extra = null) {
                getenv('IPV6_NETWORK')
              ))) {
                try {
-                  $redis->hSet('F2B_BLACKLIST', $network, 1);
-                  $redis->hDel('F2B_WHITELIST', $network, 1);
+                  $valkey->hSet('F2B_BLACKLIST', $network, 1);
+                  $valkey->hDel('F2B_WHITELIST', $network, 1);
                  //$response = docker('post', 'netfilter-mailcow', 'restart');
                }
                catch (RedisException $e) {
                  $_SESSION['return'][] = array(
                    'type' => 'danger',
                    'log' => array(__FUNCTION__, $_action, $_data_log),
-                    'msg' => array('redis_error', $e)
+                    'msg' => array('valkey_error', $e)
                  );
                  continue;
                }
@@ -270,16 +270,16 @@ function fail2ban($_action, $_data = null, $_extra = null) {
      $f2b_options['banlist_id'] = $is_now['banlist_id'];
      $f2b_options['manage_external'] = ($manage_external > 0) ? 1 : 0;
      try {
-        $redis->Set('F2B_OPTIONS', json_encode($f2b_options));
-        $redis->Del('F2B_WHITELIST');
-        $redis->Del('F2B_BLACKLIST');
+        $valkey->Set('F2B_OPTIONS', json_encode($f2b_options));
+        $valkey->Del('F2B_WHITELIST');
+        $valkey->Del('F2B_BLACKLIST');
        if(!empty($wl)) {
          $wl_array = array_map('trim', preg_split( "/( |,|;|\n)/", $wl));
          $wl_array = array_filter($wl_array);
          if (is_array($wl_array)) {
            foreach ($wl_array as $wl_item) {
              if (valid_network($wl_item) || valid_hostname($wl_item)) {
-                $redis->hSet('F2B_WHITELIST', $wl_item, 1);
+                $valkey->hSet('F2B_WHITELIST', $wl_item, 1);
              }
              else {
                $_SESSION['return'][] = array(
@@ -304,7 +304,7 @@ function fail2ban($_action, $_data = null, $_extra = null) {
                getenv('IPV4_NETWORK') . '0',
                getenv('IPV6_NETWORK')
              ))) {
-                $redis->hSet('F2B_BLACKLIST', $bl_item, 1);
+                $valkey->hSet('F2B_BLACKLIST', $bl_item, 1);
              }
              else {
                $_SESSION['return'][] = array(
@@ -322,7 +322,7 @@ function fail2ban($_action, $_data = null, $_extra = null) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
        return false;
      }
@@ -334,13 +334,13 @@ function fail2ban($_action, $_data = null, $_extra = null) {
    break;
    case 'banlist':
      try {
-        $f2b_options = json_decode($redis->Get('F2B_OPTIONS'), true);
-      } 
+        $f2b_options = json_decode($valkey->Get('F2B_OPTIONS'), true);
+      }
      catch (RedisException $e) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $_action, $_data_log, $_extra),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
        http_response_code(500);
        return false;
@@ -356,14 +356,14 @@ function fail2ban($_action, $_data = null, $_extra = null) {
      switch ($_data) {
        case 'get':
          try {
-            $bl = $redis->hKeys('F2B_BLACKLIST');
-            $active_bans = $redis->hKeys('F2B_ACTIVE_BANS');
-          } 
+            $bl = $valkey->hKeys('F2B_BLACKLIST');
+            $active_bans = $valkey->hKeys('F2B_ACTIVE_BANS');
+          }
          catch (RedisException $e) {
            $_SESSION['return'][] = array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_data_log, $_extra),
-              'msg' => array('redis_error', $e)
+              'msg' => array('valkey_error', $e)
            );
            http_response_code(500);
            return false;
@@ -378,13 +378,13 @@ function fail2ban($_action, $_data = null, $_extra = null) {

          $f2b_options['banlist_id'] = uuid4();
          try {
-            $redis->Set('F2B_OPTIONS', json_encode($f2b_options));
-          } 
+            $valkey->Set('F2B_OPTIONS', json_encode($f2b_options));
+          }
          catch (RedisException $e) {
            $_SESSION['return'][] = array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_data_log, $_extra),
-              'msg' => array('redis_error', $e)
+              'msg' => array('valkey_error', $e)
            );
            return false;
          }
--- a/data/web/inc/functions.fwdhost.inc.php
+++ b/data/web/inc/functions.fwdhost.inc.php
@@ -1,7 +1,7 @@
 <?php
 function fwdhost($_action, $_data = null) {
  require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/spf.inc.php';
-  global $redis;
+  global $valkey;
  global $lang;
  $_data_log = $_data;
  switch ($_action) {
@@ -37,19 +37,19 @@ function fwdhost($_action, $_data = null) {
      }
      foreach ($hosts as $host) {
        try {
-          $redis->hSet('WHITELISTED_FWD_HOST', $host, $source);
+          $valkey->hSet('WHITELISTED_FWD_HOST', $host, $source);
          if ($filter_spam == 0) {
-            $redis->hSet('KEEP_SPAM', $host, 1);
+            $valkey->hSet('KEEP_SPAM', $host, 1);
          }
-          elseif ($redis->hGet('KEEP_SPAM', $host)) {
-            $redis->hDel('KEEP_SPAM', $host);
+          elseif ($valkey->hGet('KEEP_SPAM', $host)) {
+            $valkey->hDel('KEEP_SPAM', $host);
          }
        }
        catch (RedisException $e) {
          $_SESSION['return'][] = array(
            'type' => 'danger',
            'log' => array(__FUNCTION__, $_action, $_data_log),
-            'msg' => array('redis_error', $e)
+            'msg' => array('valkey_error', $e)
          );
          return false;
        }
@@ -86,17 +86,17 @@ function fwdhost($_action, $_data = null) {
        }
        try {
          if ($keep_spam == 1) {
-            $redis->hSet('KEEP_SPAM', $fwdhost, 1);
+            $valkey->hSet('KEEP_SPAM', $fwdhost, 1);
          }
          else {
-            $redis->hDel('KEEP_SPAM', $fwdhost);
+            $valkey->hDel('KEEP_SPAM', $fwdhost);
          }
        }
        catch (RedisException $e) {
          $_SESSION['return'][] = array(
            'type' => 'danger',
            'log' => array(__FUNCTION__, $_action, $_data_log),
-            'msg' => array('redis_error', $e)
+            'msg' => array('valkey_error', $e)
          );
          continue;
        }
@@ -111,14 +111,14 @@ function fwdhost($_action, $_data = null) {
      $hosts = (array)$_data['forwardinghost'];
      foreach ($hosts as $host) {
        try {
-          $redis->hDel('WHITELISTED_FWD_HOST', $host);
-          $redis->hDel('KEEP_SPAM', $host);
+          $valkey->hDel('WHITELISTED_FWD_HOST', $host);
+          $valkey->hDel('KEEP_SPAM', $host);
        }
        catch (RedisException $e) {
          $_SESSION['return'][] = array(
            'type' => 'danger',
            'log' => array(__FUNCTION__, $_action, $_data_log),
-            'msg' => array('redis_error', $e)
+            'msg' => array('valkey_error', $e)
          );
          continue;
        }
@@ -135,10 +135,10 @@ function fwdhost($_action, $_data = null) {
      }
      $fwdhostsdata = array();
      try {
-        $fwd_hosts = $redis->hGetAll('WHITELISTED_FWD_HOST');
+        $fwd_hosts = $valkey->hGetAll('WHITELISTED_FWD_HOST');
        if (!empty($fwd_hosts)) {
        foreach ($fwd_hosts as $fwd_host => $source) {
-          $keep_spam = ($redis->hGet('KEEP_SPAM', $fwd_host)) ? "yes" : "no";
+          $keep_spam = ($valkey->hGet('KEEP_SPAM', $fwd_host)) ? "yes" : "no";
          $fwdhostsdata[] = array(
            'host' => $fwd_host,
            'source' => $source,
@@ -151,7 +151,7 @@ function fwdhost($_action, $_data = null) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
        return false;
      }
@@ -163,17 +163,17 @@ function fwdhost($_action, $_data = null) {
        return false;
      }
      try {
-        if ($source = $redis->hGet('WHITELISTED_FWD_HOST', $_data)) {
+        if ($source = $valkey->hGet('WHITELISTED_FWD_HOST', $_data)) {
          $fwdhostdetails['host'] = $_data;
          $fwdhostdetails['source'] = $source;
-          $fwdhostdetails['keep_spam'] = ($redis->hGet('KEEP_SPAM', $_data)) ? "yes" : "no";
+          $fwdhostdetails['keep_spam'] = ($valkey->hGet('KEEP_SPAM', $_data)) ? "yes" : "no";
        }
      }
      catch (RedisException $e) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
        return false;
      }
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -126,7 +126,7 @@ function hash_password($password) {
  return $pw_hash;
 }
 function password_complexity($_action, $_data = null) {
-  global $redis;
+  global $valkey;
  global $lang;
  switch ($_action) {
    case 'edit':
@@ -147,7 +147,7 @@ function password_complexity($_action, $_data = null) {
        $numbers = (isset($_data['numbers'])) ? intval($_data['numbers']) : $is_now['numbers'];
      }
      try {
-        $redis->hMSet('PASSWD_POLICY', [
+        $valkey->hMSet('PASSWD_POLICY', [
          'length' => $length,
          'chars' => $chars,
          'special_chars' => $special_chars,
@@ -159,7 +159,7 @@ function password_complexity($_action, $_data = null) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $_action, $_data),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
        return false;
      }
@@ -171,11 +171,11 @@ function password_complexity($_action, $_data = null) {
    break;
    case 'get':
      try {
-        $length = $redis->hGet('PASSWD_POLICY', 'length');
-        $chars = $redis->hGet('PASSWD_POLICY', 'chars');
-        $special_chars = $redis->hGet('PASSWD_POLICY', 'special_chars');
-        $lowerupper = $redis->hGet('PASSWD_POLICY', 'lowerupper');
-        $numbers = $redis->hGet('PASSWD_POLICY', 'numbers');
+        $length = $valkey->hGet('PASSWD_POLICY', 'length');
+        $chars = $valkey->hGet('PASSWD_POLICY', 'chars');
+        $special_chars = $valkey->hGet('PASSWD_POLICY', 'special_chars');
+        $lowerupper = $valkey->hGet('PASSWD_POLICY', 'lowerupper');
+        $numbers = $valkey->hGet('PASSWD_POLICY', 'numbers');
        return array(
          'length' => $length,
          'chars' => $chars,
@@ -188,7 +188,7 @@ function password_complexity($_action, $_data = null) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $_action, $_data),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
        return false;
      }
@@ -253,7 +253,7 @@ function password_check($password1, $password2) {
 }
 function last_login($action, $username, $sasl_limit_days = 7, $ui_offset = 1) {
  global $pdo;
-  global $redis;
+  global $valkey;
  $sasl_limit_days = intval($sasl_limit_days);
  switch ($action) {
    case 'get':
@@ -272,13 +272,13 @@ function last_login($action, $username, $sasl_limit_days = 7, $ui_offset = 1) {
          }
          elseif (filter_var($sasl[$k]['real_rip'], FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            try {
-              $sasl[$k]['location'] = $redis->hGet('IP_SHORTCOUNTRY', $sasl[$k]['real_rip']);
+              $sasl[$k]['location'] = $valkey->hGet('IP_SHORTCOUNTRY', $sasl[$k]['real_rip']);
            }
            catch (RedisException $e) {
              $_SESSION['return'][] = array(
                'type' => 'danger',
                'log' => array(__FUNCTION__, $_action, $_data_log),
-                'msg' => array('redis_error', $e)
+                'msg' => array('valkey_error', $e)
              );
              return false;
            }
@@ -294,13 +294,13 @@ function last_login($action, $username, $sasl_limit_days = 7, $ui_offset = 1) {
                if ($ip_data_array !== false and !empty($ip_data_array['shortcountry'])) {
                  $sasl[$k]['location'] = $ip_data_array['shortcountry'];
                    try {
-                      $redis->hSet('IP_SHORTCOUNTRY', $sasl[$k]['real_rip'], $ip_data_array['shortcountry']);
+                      $valkey->hSet('IP_SHORTCOUNTRY', $sasl[$k]['real_rip'], $ip_data_array['shortcountry']);
                    }
                    catch (RedisException $e) {
                      $_SESSION['return'][] = array(
                        'type' => 'danger',
                        'log' => array(__FUNCTION__, $_action, $_data_log),
-                        'msg' => array('redis_error', $e)
+                        'msg' => array('valkey_error', $e)
                      );
                      curl_close($curl);
                      return false;
@@ -1107,11 +1107,21 @@ function user_get_alias_details($username) {
  }
  return $data;
 }
-function is_valid_domain_name($domain_name) {
+function is_valid_domain_name($domain_name, $options = array()) {
  if (empty($domain_name)) {
    return false;
  }
+
+  // Convert domain name to ASCII for validation
  $domain_name = idn_to_ascii($domain_name, 0, INTL_IDNA_VARIANT_UTS46);
+
+  if (isset($options['allow_wildcard']) && $options['allow_wildcard'] == true) {
+    // Remove '*.' if wildcard subdomains are allowed
+    if (strpos($domain_name, '*.') === 0) {
+      $domain_name = substr($domain_name, 2);
+    }
+  }
+
  return (preg_match("/^([a-z\d](-*[a-z\d])*)(\.([a-z\d](-*[a-z\d])*))*$/i", $domain_name)
       && preg_match("/^.{1,253}$/", $domain_name)
       && preg_match("/^[^\.]{1,63}(\.[^\.]{1,63})*$/", $domain_name));
@@ -1989,7 +1999,7 @@ function admin_api($access, $action, $data = null) {
 }
 function license($action, $data = null) {
  global $pdo;
-  global $redis;
+  global $valkey;
  global $lang;
  if ($_SESSION['mailcow_cc_role'] != "admin") {
    $_SESSION['return'][] =  array(
@@ -2039,13 +2049,13 @@ function license($action, $data = null) {
      }
      try {
        // json_encode needs "true"/"false" instead of true/false, to not encode it to 0 or 1
-        $redis->Set('LICENSE_STATUS_CACHE', json_encode($_SESSION['gal']));
+        $valkey->Set('LICENSE_STATUS_CACHE', json_encode($_SESSION['gal']));
      }
      catch (RedisException $e) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
        return false;
      }
@@ -2126,7 +2136,7 @@ function rspamd_ui($action, $data = null) {
  }
 }
 function cors($action, $data = null) {
-  global $redis;
+  global $valkey;

  switch ($action) {
    case "edit":
@@ -2167,7 +2177,7 @@ function cors($action, $data = null) {
      }

      try {
-        $redis->hMSet('CORS_SETTINGS', array(
+        $valkey->hMSet('CORS_SETTINGS', array(
          'allowed_origins' => implode(', ', $allowed_origins),
          'allowed_methods' => implode(', ', $allowed_methods)
        ));
@@ -2175,7 +2185,7 @@ function cors($action, $data = null) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $action, $data),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
        return false;
      }
@@ -2189,12 +2199,12 @@ function cors($action, $data = null) {
    break;
    case "get":
      try {
-        $cors_settings                  = $redis->hMGet('CORS_SETTINGS', array('allowed_origins', 'allowed_methods'));
+        $cors_settings                  = $valkey->hMGet('CORS_SETTINGS', array('allowed_origins', 'allowed_methods'));
      } catch (RedisException $e) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $action, $data),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
      }

@@ -2211,7 +2221,7 @@ function cors($action, $data = null) {
      $cors_settings['allowed_origins'] = $allowed_origins[0];
      if (in_array('*', $allowed_origins)){
        $cors_settings['allowed_origins'] = '*';
-      } else if (in_array($_SERVER['HTTP_ORIGIN'], $allowed_origins)) {
+      } else if (array_key_exists('HTTP_ORIGIN', $_SERVER) && in_array($_SERVER['HTTP_ORIGIN'], $allowed_origins)) {
        $cors_settings['allowed_origins'] = $_SERVER['HTTP_ORIGIN'];
      }
      // always allow OPTIONS for preflight request
@@ -2957,7 +2967,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
 }
 function reset_password($action, $data = null) {
  global $pdo;
-  global $redis;
+  global $valkey;
  global $mailcow_hostname;
  global $PW_RESET_TOKEN_LIMIT;
  global $PW_RESET_TOKEN_LIFETIME;
@@ -3193,10 +3203,10 @@ function reset_password($action, $data = null) {
      $type = $data;

      try {
-        $settings['from'] = $redis->Get('PW_RESET_FROM');
-        $settings['subject'] = $redis->Get('PW_RESET_SUBJ');
-        $settings['html_tmpl'] = $redis->Get('PW_RESET_HTML');
-        $settings['text_tmpl'] = $redis->Get('PW_RESET_TEXT');
+        $settings['from'] = $valkey->Get('PW_RESET_FROM');
+        $settings['subject'] = $valkey->Get('PW_RESET_SUBJ');
+        $settings['html_tmpl'] = $valkey->Get('PW_RESET_HTML');
+        $settings['text_tmpl'] = $valkey->Get('PW_RESET_TEXT');
        if (empty($settings['html_tmpl']) && empty($settings['text_tmpl'])) {
          $settings['html_tmpl'] = file_get_contents("/tpls/pw_reset_html.tpl");
          $settings['text_tmpl'] = file_get_contents("/tpls/pw_reset_text.tpl");
@@ -3211,7 +3221,7 @@ function reset_password($action, $data = null) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $action, $_data_log),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
        return false;
      }
@@ -3314,16 +3324,16 @@ function reset_password($action, $data = null) {
      $html = (empty($data['html_tmpl'])) ? "" : $data['html_tmpl'];

      try {
-        $redis->Set('PW_RESET_FROM', $from);
-        $redis->Set('PW_RESET_SUBJ', $subject);
-        $redis->Set('PW_RESET_HTML', $html);
-        $redis->Set('PW_RESET_TEXT', $text);
+        $valkey->Set('PW_RESET_FROM', $from);
+        $valkey->Set('PW_RESET_SUBJ', $subject);
+        $valkey->Set('PW_RESET_HTML', $html);
+        $valkey->Set('PW_RESET_TEXT', $text);
      }
      catch (RedisException $e) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $action, $_data_log),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
        return false;
      }
@@ -3366,7 +3376,7 @@ function get_logs($application, $lines = false) {
    $to = intval($to);
    if ($from < 1 || $to < $from) { return false; }
  }
-  global $redis;
+  global $valkey;
  global $pdo;
  if ($_SESSION['mailcow_cc_role'] != "admin") {
    return false;
@@ -3415,10 +3425,10 @@ function get_logs($application, $lines = false) {
  // Redis
  if ($application == "dovecot-mailcow") {
    if (isset($from) && isset($to)) {
-      $data = $redis->lRange('DOVECOT_MAILLOG', $from - 1, $to - 1);
+      $data = $valkey->lRange('DOVECOT_MAILLOG', $from - 1, $to - 1);
    }
    else {
-      $data = $redis->lRange('DOVECOT_MAILLOG', 0, $lines);
+      $data = $valkey->lRange('DOVECOT_MAILLOG', 0, $lines);
    }
    if ($data) {
      foreach ($data as $json_line) {
@@ -3429,10 +3439,10 @@ function get_logs($application, $lines = false) {
  }
  if ($application == "cron-mailcow") {
    if (isset($from) && isset($to)) {
-      $data = $redis->lRange('CRON_LOG', $from - 1, $to - 1);
+      $data = $valkey->lRange('CRON_LOG', $from - 1, $to - 1);
    }
    else {
-      $data = $redis->lRange('CRON_LOG', 0, $lines);
+      $data = $valkey->lRange('CRON_LOG', 0, $lines);
    }
    if ($data) {
      foreach ($data as $json_line) {
@@ -3443,10 +3453,10 @@ function get_logs($application, $lines = false) {
  }
  if ($application == "postfix-mailcow") {
    if (isset($from) && isset($to)) {
-      $data = $redis->lRange('POSTFIX_MAILLOG', $from - 1, $to - 1);
+      $data = $valkey->lRange('POSTFIX_MAILLOG', $from - 1, $to - 1);
    }
    else {
-      $data = $redis->lRange('POSTFIX_MAILLOG', 0, $lines);
+      $data = $valkey->lRange('POSTFIX_MAILLOG', 0, $lines);
    }
    if ($data) {
      foreach ($data as $json_line) {
@@ -3457,10 +3467,10 @@ function get_logs($application, $lines = false) {
  }
  if ($application == "sogo-mailcow") {
    if (isset($from) && isset($to)) {
-      $data = $redis->lRange('SOGO_LOG', $from - 1, $to - 1);
+      $data = $valkey->lRange('SOGO_LOG', $from - 1, $to - 1);
    }
    else {
-      $data = $redis->lRange('SOGO_LOG', 0, $lines);
+      $data = $valkey->lRange('SOGO_LOG', 0, $lines);
    }
    if ($data) {
      foreach ($data as $json_line) {
@@ -3471,10 +3481,10 @@ function get_logs($application, $lines = false) {
  }
  if ($application == "watchdog-mailcow") {
    if (isset($from) && isset($to)) {
-      $data = $redis->lRange('WATCHDOG_LOG', $from - 1, $to - 1);
+      $data = $valkey->lRange('WATCHDOG_LOG', $from - 1, $to - 1);
    }
    else {
-      $data = $redis->lRange('WATCHDOG_LOG', 0, $lines);
+      $data = $valkey->lRange('WATCHDOG_LOG', 0, $lines);
    }
    if ($data) {
      foreach ($data as $json_line) {
@@ -3485,10 +3495,10 @@ function get_logs($application, $lines = false) {
  }
  if ($application == "acme-mailcow") {
    if (isset($from) && isset($to)) {
-      $data = $redis->lRange('ACME_LOG', $from - 1, $to - 1);
+      $data = $valkey->lRange('ACME_LOG', $from - 1, $to - 1);
    }
    else {
-      $data = $redis->lRange('ACME_LOG', 0, $lines);
+      $data = $valkey->lRange('ACME_LOG', 0, $lines);
    }
    if ($data) {
      foreach ($data as $json_line) {
@@ -3499,10 +3509,10 @@ function get_logs($application, $lines = false) {
  }
  if ($application == "ratelimited") {
    if (isset($from) && isset($to)) {
-      $data = $redis->lRange('RL_LOG', $from - 1, $to - 1);
+      $data = $valkey->lRange('RL_LOG', $from - 1, $to - 1);
    }
    else {
-      $data = $redis->lRange('RL_LOG', 0, $lines);
+      $data = $valkey->lRange('RL_LOG', 0, $lines);
    }
    if ($data) {
      foreach ($data as $json_line) {
@@ -3513,10 +3523,10 @@ function get_logs($application, $lines = false) {
  }
  if ($application == "api-mailcow") {
    if (isset($from) && isset($to)) {
-      $data = $redis->lRange('API_LOG', $from - 1, $to - 1);
+      $data = $valkey->lRange('API_LOG', $from - 1, $to - 1);
    }
    else {
-      $data = $redis->lRange('API_LOG', 0, $lines);
+      $data = $valkey->lRange('API_LOG', 0, $lines);
    }
    if ($data) {
      foreach ($data as $json_line) {
@@ -3527,10 +3537,10 @@ function get_logs($application, $lines = false) {
  }
  if ($application == "netfilter-mailcow") {
    if (isset($from) && isset($to)) {
-      $data = $redis->lRange('NETFILTER_LOG', $from - 1, $to - 1);
+      $data = $valkey->lRange('NETFILTER_LOG', $from - 1, $to - 1);
    }
    else {
-      $data = $redis->lRange('NETFILTER_LOG', 0, $lines);
+      $data = $valkey->lRange('NETFILTER_LOG', 0, $lines);
    }
    if ($data) {
      foreach ($data as $json_line) {
@@ -3541,10 +3551,10 @@ function get_logs($application, $lines = false) {
  }
  if ($application == "autodiscover-mailcow") {
    if (isset($from) && isset($to)) {
-      $data = $redis->lRange('AUTODISCOVER_LOG', $from - 1, $to - 1);
+      $data = $valkey->lRange('AUTODISCOVER_LOG', $from - 1, $to - 1);
    }
    else {
-      $data = $redis->lRange('AUTODISCOVER_LOG', 0, $lines);
+      $data = $valkey->lRange('AUTODISCOVER_LOG', 0, $lines);
    }
    if ($data) {
      foreach ($data as $json_line) {
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1,7 +1,7 @@
 <?php
 function mailbox($_action, $_type, $_data = null, $_extra = null) {
  global $pdo;
-  global $redis;
+  global $valkey;
  global $lang;
  global $MAILBOX_DEFAULT_ATTRIBUTES;
  global $iam_settings;
@@ -628,13 +628,13 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
          }

          try {
-            $redis->hSet('DOMAIN_MAP', $domain, 1);
+            $valkey->hSet('DOMAIN_MAP', $domain, 1);
          }
          catch (RedisException $e) {
            $_SESSION['return'][] = array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-              'msg' => array('redis_error', $e)
+              'msg' => array('valkey_error', $e)
            );
            return false;
          }
@@ -646,7 +646,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
          $_data['key_size'] = (isset($_data['key_size'])) ? intval($_data['key_size']) : $DOMAIN_DEFAULT_ATTRIBUTES['key_size'];
          $_data['dkim_selector'] = (isset($_data['dkim_selector'])) ? $_data['dkim_selector'] : $DOMAIN_DEFAULT_ATTRIBUTES['dkim_selector'];
          if (!empty($_data['key_size']) && !empty($_data['dkim_selector'])) {
-            if (!empty($redis->hGet('DKIM_SELECTORS', $domain))) {
+            if (!empty($valkey->hGet('DKIM_SELECTORS', $domain))) {
              $_SESSION['return'][] = array(
                'type' => 'success',
                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -684,15 +684,16 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
          return true;
        break;
        case 'alias':
-          $addresses  = array_map('trim', preg_split( "/( |,|;|\n)/", $_data['address']));
-          $gotos      = array_map('trim', preg_split( "/( |,|;|\n)/", $_data['goto']));
-          $active = intval($_data['active']);
-          $sogo_visible = intval($_data['sogo_visible']);
-          $goto_null = intval($_data['goto_null']);
-          $goto_spam = intval($_data['goto_spam']);
-          $goto_ham = intval($_data['goto_ham']);
+          $addresses       = array_map('trim', preg_split( "/( |,|;|\n)/", $_data['address']));
+          $gotos           = array_map('trim', preg_split( "/( |,|;|\n)/", $_data['goto']));
+          $internal        = intval($_data['internal']);
+          $active          = intval($_data['active']);
+          $sogo_visible    = intval($_data['sogo_visible']);
+          $goto_null       = intval($_data['goto_null']);
+          $goto_spam       = intval($_data['goto_spam']);
+          $goto_ham        = intval($_data['goto_ham']);
          $private_comment = $_data['private_comment'];
-          $public_comment = $_data['public_comment'];
+          $public_comment  = $_data['public_comment'];
          if (strlen($private_comment) > 160 | strlen($public_comment) > 160){
            $_SESSION['return'][] = array(
              'type' => 'danger',
@@ -842,8 +843,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
              );
              continue;
            }
-            $stmt = $pdo->prepare("INSERT INTO `alias` (`address`, `public_comment`, `private_comment`, `goto`, `domain`, `sogo_visible`, `active`)
-              VALUES (:address, :public_comment, :private_comment, :goto, :domain, :sogo_visible, :active)");
+            $stmt = $pdo->prepare("INSERT INTO `alias` (`address`, `public_comment`, `private_comment`, `goto`, `domain`, `sogo_visible`, `internal`, `active`)
+              VALUES (:address, :public_comment, :private_comment, :goto, :domain, :sogo_visible, :internal, :active)");
            if (!filter_var($address, FILTER_VALIDATE_EMAIL) === true) {
              $stmt->execute(array(
                ':address' => '@'.$domain,
@@ -853,6 +854,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                ':goto' => $goto,
                ':domain' => $domain,
                ':sogo_visible' => $sogo_visible,
+                ':internal' => $internal,
                ':active' => $active
              ));
            }
@@ -864,6 +866,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                ':goto' => $goto,
                ':domain' => $domain,
                ':sogo_visible' => $sogo_visible,
+                ':internal' => $internal,
                ':active' => $active
              ));
            }
@@ -971,13 +974,13 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
              ':active' => $active
            ));
            try {
-              $redis->hSet('DOMAIN_MAP', $alias_domain, 1);
+              $valkey->hSet('DOMAIN_MAP', $alias_domain, 1);
            }
            catch (RedisException $e) {
              $_SESSION['return'][] = array(
                'type' => 'danger',
                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-                'msg' => array('redis_error', $e)
+                'msg' => array('valkey_error', $e)
              );
              return false;
            }
@@ -985,7 +988,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
              ratelimit('edit', 'domain', array('rl_value' => $_data['rl_value'], 'rl_frame' => $_data['rl_frame'], 'object' => $alias_domain));
            }
            if (!empty($_data['key_size']) && !empty($_data['dkim_selector'])) {
-              if (!empty($redis->hGet('DKIM_SELECTORS', $alias_domain))) {
+              if (!empty($valkey->hGet('DKIM_SELECTORS', $alias_domain))) {
                $_SESSION['return'][] = array(
                  'type' => 'success',
                  'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1443,7 +1446,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
          }
          foreach ($mx as $index => $mx_domain) {
            $mx_domain = idn_to_ascii(strtolower(trim($mx_domain)), 0, INTL_IDNA_VARIANT_UTS46);
-            if (!is_valid_domain_name($mx_domain)) {
+            if (!is_valid_domain_name($mx_domain, array('allow_wildcard' => true))) {
              $_SESSION['return'][] = array(
                'type' => 'danger',
                'log' => array(__FUNCTION__, $_action, $_type, $_data, $_attr),
@@ -2144,42 +2147,42 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
            }
            if (isset($_data['tagged_mail_handler']) && $_data['tagged_mail_handler'] == "subject") {
              try {
-                $redis->hSet('RCPT_WANTS_SUBJECT_TAG', $username, 1);
-                $redis->hDel('RCPT_WANTS_SUBFOLDER_TAG', $username);
+                $valkey->hSet('RCPT_WANTS_SUBJECT_TAG', $username, 1);
+                $valkey->hDel('RCPT_WANTS_SUBFOLDER_TAG', $username);
              }
              catch (RedisException $e) {
                $_SESSION['return'][] = array(
                  'type' => 'danger',
                  'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-                  'msg' => array('redis_error', $e)
+                  'msg' => array('valkey_error', $e)
                );
                continue;
              }
            }
            else if (isset($_data['tagged_mail_handler']) && $_data['tagged_mail_handler'] == "subfolder") {
              try {
-                $redis->hSet('RCPT_WANTS_SUBFOLDER_TAG', $username, 1);
-                $redis->hDel('RCPT_WANTS_SUBJECT_TAG', $username);
+                $valkey->hSet('RCPT_WANTS_SUBFOLDER_TAG', $username, 1);
+                $valkey->hDel('RCPT_WANTS_SUBJECT_TAG', $username);
              }
              catch (RedisException $e) {
                $_SESSION['return'][] = array(
                  'type' => 'danger',
                  'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-                  'msg' => array('redis_error', $e)
+                  'msg' => array('valkey_error', $e)
                );
                continue;
              }
            }
            else {
              try {
-                $redis->hDel('RCPT_WANTS_SUBJECT_TAG', $username);
-                $redis->hDel('RCPT_WANTS_SUBFOLDER_TAG', $username);
+                $valkey->hDel('RCPT_WANTS_SUBJECT_TAG', $username);
+                $valkey->hDel('RCPT_WANTS_SUBFOLDER_TAG', $username);
              }
              catch (RedisException $e) {
                $_SESSION['return'][] = array(
                  'type' => 'danger',
                  'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-                  'msg' => array('redis_error', $e)
+                  'msg' => array('valkey_error', $e)
                );
                continue;
              }
@@ -2481,6 +2484,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
          foreach ($ids as $id) {
            $is_now = mailbox('get', 'alias_details', $id);
            if (!empty($is_now)) {
+              $internal = (isset($_data['internal'])) ? intval($_data['internal']) : $is_now['internal'];
              $active = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
              $sogo_visible = (isset($_data['sogo_visible'])) ? intval($_data['sogo_visible']) : $is_now['sogo_visible'];
              $goto_null = (isset($_data['goto_null'])) ? intval($_data['goto_null']) : 0;
@@ -2666,6 +2670,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                `domain` = :domain,
                `goto` = :goto,
                `sogo_visible`= :sogo_visible,
+                `internal`= :internal,
                `active`= :active
                  WHERE `id` = :id");
              $stmt->execute(array(
@@ -2675,6 +2680,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                ':domain' => $domain,
                ':goto' => $goto,
                ':sogo_visible' => $sogo_visible,
+                ':internal' => $internal,
                ':active' => $active,
                ':id' => $is_now['id']
              ));
@@ -3891,7 +3897,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
            foreach ($mx as $index => $mx_domain) {
              $mx_domain = idn_to_ascii(strtolower(trim($mx_domain)), 0, INTL_IDNA_VARIANT_UTS46);
              $invalid_mx = false;
-              if (!is_valid_domain_name($mx_domain)) {
+              if (!is_valid_domain_name($mx_domain, array('allow_wildcard' => true))) {
                $invalid_mx = $mx_domain;
                break;
              }
@@ -4597,10 +4603,10 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
            $_data = $_SESSION['mailcow_cc_username'];
          }
          try {
-            if ($redis->hGet('RCPT_WANTS_SUBJECT_TAG', $_data)) {
+            if ($valkey->hGet('RCPT_WANTS_SUBJECT_TAG', $_data)) {
              return "subject";
            }
-            elseif ($redis->hGet('RCPT_WANTS_SUBFOLDER_TAG', $_data)) {
+            elseif ($valkey->hGet('RCPT_WANTS_SUBFOLDER_TAG', $_data)) {
              return "subfolder";
            }
            else {
@@ -4611,7 +4617,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
            $_SESSION['return'][] = array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-              'msg' => array('redis_error', $e)
+              'msg' => array('valkey_error', $e)
            );
            return false;
          }
@@ -4700,6 +4706,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
            `address`,
            `public_comment`,
            `private_comment`,
+            `internal`,
            `active`,
            `sogo_visible`,
            `created`,
@@ -4730,6 +4737,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
          $aliasdata['goto'] = $row['goto'];
          $aliasdata['address'] = $row['address'];
          (!filter_var($aliasdata['address'], FILTER_VALIDATE_EMAIL)) ? $aliasdata['is_catch_all'] = 1 : $aliasdata['is_catch_all'] = 0;
+          $aliasdata['internal'] = $row['internal'];
          $aliasdata['active'] = $row['active'];
          $aliasdata['active_int'] = $row['active'];
          $aliasdata['sogo_visible'] = $row['sogo_visible'];
@@ -5628,14 +5636,14 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
            $stmt = $pdo->query("DELETE FROM `admin` WHERE `superadmin` = 0 AND `username` NOT IN (SELECT `username`FROM `domain_admins`);");
            $stmt = $pdo->query("DELETE FROM `da_acl` WHERE `username` NOT IN (SELECT `username`FROM `domain_admins`);");
            try {
-              $redis->hDel('DOMAIN_MAP', $domain);
-              $redis->hDel('RL_VALUE', $domain);
+              $valkey->hDel('DOMAIN_MAP', $domain);
+              $valkey->hDel('RL_VALUE', $domain);
            }
            catch (RedisException $e) {
              $_SESSION['return'][] = array(
                'type' => 'danger',
                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-                'msg' => array('redis_error', $e)
+                'msg' => array('valkey_error', $e)
              );
              continue;
            }
@@ -5761,14 +5769,14 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
              ':alias_domain' => $alias_domain,
            ));
            try {
-              $redis->hDel('DOMAIN_MAP', $alias_domain);
-              $redis->hDel('RL_VALUE', $domain);
+              $valkey->hDel('DOMAIN_MAP', $alias_domain);
+              $valkey->hDel('RL_VALUE', $domain);
            }
            catch (RedisException $e) {
              $_SESSION['return'][] = array(
                'type' => 'danger',
                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-                'msg' => array('redis_error', $e)
+                'msg' => array('valkey_error', $e)
              );
              continue;
            }
@@ -5947,13 +5955,13 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
              ));
            }
            try {
-              $redis->hDel('RL_VALUE', $username);
+              $valkey->hDel('RL_VALUE', $username);
            }
            catch (RedisException $e) {
              $_SESSION['return'][] = array(
                'type' => 'danger',
                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-                'msg' => array('redis_error', $e)
+                'msg' => array('valkey_error', $e)
              );
              continue;
            }
--- a/data/web/inc/functions.oauth2.inc.php
+++ b/data/web/inc/functions.oauth2.inc.php
@@ -1,7 +1,7 @@
 <?php
 function oauth2($_action, $_type, $_data = null) {
  global $pdo;
-  global $redis;
+  global $valkey;
  global $lang;
  if ($_SESSION['mailcow_cc_role'] != "admin") {
    $_SESSION['return'][] = array(
--- a/data/web/inc/functions.policy.inc.php
+++ b/data/web/inc/functions.policy.inc.php
@@ -1,7 +1,7 @@
 <?php
 function policy($_action, $_scope, $_data = null) {
  global $pdo;
-  global $redis;
+  global $valkey;
  global $lang;
  $_data_log = $_data;
  switch ($_action) {
--- a/data/web/inc/functions.quarantine.inc.php
+++ b/data/web/inc/functions.quarantine.inc.php
@@ -4,7 +4,7 @@ use PHPMailer\PHPMailer\SMTP;
 use PHPMailer\PHPMailer\Exception;
 function quarantine($_action, $_data = null) {
 	global $pdo;
-	global $redis;
+	global $valkey;
 	global $lang;
 	$_data_log = $_data;
  switch ($_action) {
@@ -102,14 +102,14 @@ function quarantine($_action, $_data = null) {
        return false;
        }
        try {
-          $release_format = $redis->Get('Q_RELEASE_FORMAT');
+          $release_format = $valkey->Get('Q_RELEASE_FORMAT');
        }
        catch (RedisException $e) {
          logger(array('return' => array(
            array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_data_log),
-              'msg' => array('redis_error', $e)
+              'msg' => array('valkey_error', $e)
            )
          )));
          return false;
@@ -180,7 +180,7 @@ function quarantine($_action, $_data = null) {
            array('221', '')
          );
          // Thanks to https://stackoverflow.com/questions/6632399/given-an-email-as-raw-text-how-can-i-send-it-using-php
-          $smtp_connection = fsockopen($postfix, 590, $errno, $errstr, 1); 
+          $smtp_connection = fsockopen($postfix, 590, $errno, $errstr, 1);
          if (!$smtp_connection) {
            logger(array('return' => array(
              array(
@@ -192,7 +192,7 @@ function quarantine($_action, $_data = null) {
            return false;
          }
          for ($i=0; $i < count($postfix_talk); $i++) {
-            $smtp_resource = fgets($smtp_connection, 256); 
+            $smtp_resource = fgets($smtp_connection, 256);
            if (substr($smtp_resource, 0, 3) !== $postfix_talk[$i][0]) {
              $ret = substr($smtp_resource, 0, 3);
              $ret = (empty($ret)) ? '-' : $ret;
@@ -332,23 +332,23 @@ function quarantine($_action, $_data = null) {
        }
        $exclude_domains = (array)$_data['exclude_domains'];
        try {
-          $redis->Set('Q_RETENTION_SIZE', intval($retention_size));
-          $redis->Set('Q_MAX_SIZE', intval($max_size));
-          $redis->Set('Q_MAX_SCORE', $max_score);
-          $redis->Set('Q_MAX_AGE', $max_age);
-          $redis->Set('Q_EXCLUDE_DOMAINS', json_encode($exclude_domains));
-          $redis->Set('Q_RELEASE_FORMAT', $release_format);
-          $redis->Set('Q_SENDER', $sender);
-          $redis->Set('Q_BCC', $bcc);
-          $redis->Set('Q_REDIRECT', $redirect);
-          $redis->Set('Q_SUBJ', $subject);
-          $redis->Set('Q_HTML', $html);
+          $valkey->Set('Q_RETENTION_SIZE', intval($retention_size));
+          $valkey->Set('Q_MAX_SIZE', intval($max_size));
+          $valkey->Set('Q_MAX_SCORE', $max_score);
+          $valkey->Set('Q_MAX_AGE', $max_age);
+          $valkey->Set('Q_EXCLUDE_DOMAINS', json_encode($exclude_domains));
+          $valkey->Set('Q_RELEASE_FORMAT', $release_format);
+          $valkey->Set('Q_SENDER', $sender);
+          $valkey->Set('Q_BCC', $bcc);
+          $valkey->Set('Q_REDIRECT', $redirect);
+          $valkey->Set('Q_SUBJ', $subject);
+          $valkey->Set('Q_HTML', $html);
        }
        catch (RedisException $e) {
          $_SESSION['return'][] = array(
            'type' => 'danger',
            'log' => array(__FUNCTION__, $_action, $_data_log),
-            'msg' => array('redis_error', $e)
+            'msg' => array('valkey_error', $e)
          );
          return false;
        }
@@ -403,13 +403,13 @@ function quarantine($_action, $_data = null) {
            continue;
          }
          try {
-            $release_format = $redis->Get('Q_RELEASE_FORMAT');
+            $release_format = $valkey->Get('Q_RELEASE_FORMAT');
          }
          catch (RedisException $e) {
            $_SESSION['return'][] = array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_data_log),
-              'msg' => array('redis_error', $e)
+              'msg' => array('valkey_error', $e)
            );
            return false;
          }
@@ -475,7 +475,7 @@ function quarantine($_action, $_data = null) {
              array('221', '')
            );
            // Thanks to https://stackoverflow.com/questions/6632399/given-an-email-as-raw-text-how-can-i-send-it-using-php
-            $smtp_connection = fsockopen($postfix, 590, $errno, $errstr, 1); 
+            $smtp_connection = fsockopen($postfix, 590, $errno, $errstr, 1);
            if (!$smtp_connection) {
              $_SESSION['return'][] = array(
                'type' => 'warning',
@@ -485,7 +485,7 @@ function quarantine($_action, $_data = null) {
              return false;
            }
            for ($i=0; $i < count($postfix_talk); $i++) {
-              $smtp_resource = fgets($smtp_connection, 256); 
+              $smtp_resource = fgets($smtp_connection, 256);
              if (substr($smtp_resource, 0, 3) !== $postfix_talk[$i][0]) {
                $ret = substr($smtp_resource, 0, 3);
                $ret = (empty($ret)) ? '-' : $ret;
@@ -776,18 +776,18 @@ function quarantine($_action, $_data = null) {
    case 'settings':
      try {
        if ($_SESSION['mailcow_cc_role'] == "admin") {
-          $settings['exclude_domains'] = json_decode($redis->Get('Q_EXCLUDE_DOMAINS'), true);
+          $settings['exclude_domains'] = json_decode($valkey->Get('Q_EXCLUDE_DOMAINS'), true);
        }
-        $settings['max_size'] = $redis->Get('Q_MAX_SIZE');
-        $settings['max_score'] = $redis->Get('Q_MAX_SCORE');
-        $settings['max_age'] = $redis->Get('Q_MAX_AGE');
-        $settings['retention_size'] = $redis->Get('Q_RETENTION_SIZE');
-        $settings['release_format'] = $redis->Get('Q_RELEASE_FORMAT');
-        $settings['subject'] = $redis->Get('Q_SUBJ');
-        $settings['sender'] = $redis->Get('Q_SENDER');
-        $settings['bcc'] = $redis->Get('Q_BCC');
-        $settings['redirect'] = $redis->Get('Q_REDIRECT');
-        $settings['html_tmpl'] = htmlspecialchars($redis->Get('Q_HTML'));
+        $settings['max_size'] = $valkey->Get('Q_MAX_SIZE');
+        $settings['max_score'] = $valkey->Get('Q_MAX_SCORE');
+        $settings['max_age'] = $valkey->Get('Q_MAX_AGE');
+        $settings['retention_size'] = $valkey->Get('Q_RETENTION_SIZE');
+        $settings['release_format'] = $valkey->Get('Q_RELEASE_FORMAT');
+        $settings['subject'] = $valkey->Get('Q_SUBJ');
+        $settings['sender'] = $valkey->Get('Q_SENDER');
+        $settings['bcc'] = $valkey->Get('Q_BCC');
+        $settings['redirect'] = $valkey->Get('Q_REDIRECT');
+        $settings['html_tmpl'] = htmlspecialchars($valkey->Get('Q_HTML'));
        if (empty($settings['html_tmpl'])) {
          $settings['html_tmpl'] = htmlspecialchars(file_get_contents("/tpls/quarantine.tpl"));
        }
@@ -796,7 +796,7 @@ function quarantine($_action, $_data = null) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
        return false;
      }
--- a/data/web/inc/functions.quota_notification.inc.php
+++ b/data/web/inc/functions.quota_notification.inc.php
@@ -1,6 +1,6 @@
 <?php
 function quota_notification($_action, $_data = null) {
-	global $redis;
+	global $valkey;
 	$_data_log = $_data;
  if ($_SESSION['mailcow_cc_role'] != "admin") {
    $_SESSION['return'][] = array(
@@ -26,15 +26,15 @@ function quota_notification($_action, $_data = null) {
      }
      $html = $_data['html_tmpl'];
      try {
-        $redis->Set('QW_SENDER', $sender);
-        $redis->Set('QW_SUBJ', $subject);
-        $redis->Set('QW_HTML', $html);
+        $valkey->Set('QW_SENDER', $sender);
+        $valkey->Set('QW_SUBJ', $subject);
+        $valkey->Set('QW_HTML', $html);
      }
      catch (RedisException $e) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
        return false;
      }
@@ -46,9 +46,9 @@ function quota_notification($_action, $_data = null) {
    break;
    case 'get':
      try {
-        $settings['subject'] = $redis->Get('QW_SUBJ');
-        $settings['sender'] = $redis->Get('QW_SENDER');
-        $settings['html_tmpl'] = htmlspecialchars($redis->Get('QW_HTML'));
+        $settings['subject'] = $valkey->Get('QW_SUBJ');
+        $settings['sender'] = $valkey->Get('QW_SENDER');
+        $settings['html_tmpl'] = htmlspecialchars($valkey->Get('QW_HTML'));
        if (empty($settings['html_tmpl'])) {
          $settings['html_tmpl'] = htmlspecialchars(file_get_contents("/tpls/quota.tpl"));
        }
@@ -57,7 +57,7 @@ function quota_notification($_action, $_data = null) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
        return false;
      }
@@ -66,7 +66,7 @@ function quota_notification($_action, $_data = null) {
  }
 }
 function quota_notification_bcc($_action, $_data = null) {
-	global $redis;
+	global $valkey;
 	$_data_log = $_data;
  if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin") {
    $_SESSION['return'][] = array(
@@ -105,16 +105,16 @@ function quota_notification_bcc($_action, $_data = null) {
      $bcc_rcpts = array_filter($bcc_rcpts);
      if (empty($bcc_rcpts)) {
        $active = 0;
-        
+
      }
      try {
-        $redis->hSet('QW_BCC', $domain, json_encode(array('bcc_rcpts' => $bcc_rcpts, 'active' => $active)));
+        $valkey->hSet('QW_BCC', $domain, json_encode(array('bcc_rcpts' => $bcc_rcpts, 'active' => $active)));
      }
      catch (RedisException $e) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
        return false;
      }
@@ -135,13 +135,13 @@ function quota_notification_bcc($_action, $_data = null) {
        return false;
      }
      try {
-        return json_decode($redis->hGet('QW_BCC', $domain), true);
+        return json_decode($valkey->hGet('QW_BCC', $domain), true);
      }
      catch (RedisException $e) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
        return false;
      }
--- a/data/web/inc/functions.ratelimit.inc.php
+++ b/data/web/inc/functions.ratelimit.inc.php
@@ -1,6 +1,6 @@
 <?php
 function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
-  global $redis;
+  global $valkey;
  $_data_log = $_data;
  switch ($_action) {
    case 'edit':
@@ -42,26 +42,26 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
            }
            if (empty($rl_value)) {
              try {
-                $redis->hDel('RL_VALUE', $object);
+                $valkey->hDel('RL_VALUE', $object);
              }
              catch (RedisException $e) {
                $_SESSION['return'][] = array(
                  'type' => 'danger',
                  'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
-                  'msg' => array('redis_error', $e)
+                  'msg' => array('valkey_error', $e)
                );
                continue;
              }
            }
            else {
              try {
-                $redis->hSet('RL_VALUE', $object, $rl_value . ' / 1' . $rl_frame);
+                $valkey->hSet('RL_VALUE', $object, $rl_value . ' / 1' . $rl_frame);
              }
              catch (RedisException $e) {
                $_SESSION['return'][] = array(
                  'type' => 'danger',
                  'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
-                  'msg' => array('redis_error', $e)
+                  'msg' => array('valkey_error', $e)
                );
                continue;
              }
@@ -103,26 +103,26 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
            }
            if (empty($rl_value)) {
              try {
-                $redis->hDel('RL_VALUE', $object);
+                $valkey->hDel('RL_VALUE', $object);
              }
              catch (RedisException $e) {
                $_SESSION['return'][] = array(
                  'type' => 'danger',
                  'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
-                  'msg' => array('redis_error', $e)
+                  'msg' => array('valkey_error', $e)
                );
                continue;
              }
            }
            else {
              try {
-                $redis->hSet('RL_VALUE', $object, $rl_value . ' / 1' . $rl_frame);
+                $valkey->hSet('RL_VALUE', $object, $rl_value . ' / 1' . $rl_frame);
              }
              catch (RedisException $e) {
                $_SESSION['return'][] = array(
                  'type' => 'danger',
                  'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
-                  'msg' => array('redis_error', $e)
+                  'msg' => array('valkey_error', $e)
                );
                continue;
              }
@@ -143,7 +143,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
            return false;
          }
          try {
-            if ($rl_value = $redis->hGet('RL_VALUE', $_data)) {
+            if ($rl_value = $valkey->hGet('RL_VALUE', $_data)) {
              $rl = explode(' / 1', $rl_value);
              $data['value'] = $rl[0];
              $data['frame'] = $rl[1];
@@ -157,7 +157,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
            $_SESSION['return'][] = array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
-              'msg' => array('redis_error', $e)
+              'msg' => array('valkey_error', $e)
            );
            return false;
          }
@@ -169,7 +169,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
            return false;
          }
          try {
-            if ($rl_value = $redis->hGet('RL_VALUE', $_data)) {
+            if ($rl_value = $valkey->hGet('RL_VALUE', $_data)) {
              $rl = explode(' / 1', $rl_value);
              $data['value'] = $rl[0];
              $data['frame'] = $rl[1];
@@ -183,7 +183,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
            $_SESSION['return'][] = array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
-              'msg' => array('redis_error', $e)
+              'msg' => array('valkey_error', $e)
            );
            return false;
          }
@@ -202,16 +202,16 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
        return false;
      }
      try {
-        $data_rllog = $redis->lRange('RL_LOG', 0, -1);
+        $data_rllog = $valkey->lRange('RL_LOG', 0, -1);
        if ($data_rllog) {
          foreach ($data_rllog as $json_line) {
            if (preg_match('/' . $data['hash'] . '/i', $json_line)) {
-              $redis->lRem('RL_LOG', $json_line, 0);
+              $valkey->lRem('RL_LOG', $json_line, 0);
            }
          }
        }
-        if ($redis->type($data['hash']) == Redis::REDIS_HASH) {
-          $redis->delete($data['hash']);
+        if ($valkey->type($data['hash']) == Redis::REDIS_HASH) {
+          $valkey->delete($data['hash']);
          $_SESSION['return'][] = array(
            'type' => 'success',
            'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
@@ -232,7 +232,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
        $_SESSION['return'][] = array(
          'type' => 'danger',
          'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
-          'msg' => array('redis_error', $e)
+          'msg' => array('valkey_error', $e)
        );
        return false;
      }
--- a/data/web/inc/header.inc.php
+++ b/data/web/inc/header.inc.php
@@ -62,7 +62,11 @@ if ($app_links_processed){
  }
 }

-
+// Workaround to get text with <br> straight to twig.
+// Using "nl2br" doesn't work with Twig as it would escape everything by default.
+if (isset($UI_TEXTS["ui_footer"])) {
+  $UI_TEXTS["ui_footer"] = nl2br($UI_TEXTS["ui_footer"]);
+}

 $globalVariables = [
  'mailcow_hostname' => getenv('MAILCOW_HOSTNAME'),
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -4,7 +4,7 @@ function init_db_schema()
  try {
    global $pdo;

-    $db_version = "19082025_1436";
+    $db_version = "07102025_1015";

    $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
    $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -184,6 +184,7 @@ function init_db_schema()
          "private_comment" => "TEXT",
          "public_comment" => "TEXT",
          "sogo_visible" => "TINYINT(1) NOT NULL DEFAULT '1'",
+          "internal" => "TINYINT(1) NOT NULL DEFAULT '0'",
          "active" => "TINYINT(1) NOT NULL DEFAULT '1'"
        ),
        "keys" => array(
@@ -1336,6 +1337,14 @@ function init_db_schema()
      $pdo->query($create);
    }

+    // Clear old app_passwd log entries
+    $pdo->exec("DELETE FROM logs
+      WHERE role != 'unauthenticated'
+        AND JSON_EXTRACT(`call`, '$[0]') = 'app_passwd'
+        AND JSON_EXTRACT(`call`, '$[1]') = 'edit'
+        AND (JSON_CONTAINS_PATH(`call`, 'one', '$[2].password')
+          OR JSON_CONTAINS_PATH(`call`, 'one', '$[2].password2'));");
+
    // Mitigate imapsync argument injection issue
    $pdo->query("UPDATE `imapsync` SET `custom_params` = ''
      WHERE `custom_params` LIKE '%pipemess%'
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -57,22 +57,22 @@ $WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $server_name, $form
 // only include root ca's when needed
 if (getenv('WEBAUTHN_ONLY_TRUSTED_VENDORS') == 'y') $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates');

-// Redis
-$redis = new Redis();
+// Valkey
+$valkey = new Redis();
 try {
-  if (!empty(getenv('REDIS_SLAVEOF_IP'))) {
-    $redis->connect(getenv('REDIS_SLAVEOF_IP'), getenv('REDIS_SLAVEOF_PORT'));
+  if (!empty(getenv('VALKEY_SLAVEOF_IP'))) {
+    $valkey->connect(getenv('VALKEY_SLAVEOF_IP'), getenv('VALKEY_SLAVEOF_PORT'));
  }
  else {
-    $redis->connect('redis-mailcow', 6379);
+    $valkey->connect('valkey-mailcow', 6379);
  }
-  $redis->auth(getenv("REDISPASS"));
+  $valkey->auth(getenv("VALKEYPASS"));
 }
 catch (Exception $e) {
-// Stop when redis is not available
+// Stop when valkey is not available
 http_response_code(500);
 ?>
-<center style='font-family:sans-serif;'>Connection to Redis failed.<br /><br />The following error was reported:<br/><?=$e->getMessage();?></center>
+<center style='font-family:sans-serif;'>Connection to Valkey failed.<br /><br />The following error was reported:<br/><?=$e->getMessage();?></center>
 <?php
 exit;
 }
--- a/data/web/inc/sessions.inc.php
+++ b/data/web/inc/sessions.inc.php
@@ -1,7 +1,9 @@
 <?php
 // Start session
 if (session_status() !== PHP_SESSION_ACTIVE) {
+  session_name($SESSION_NAME);
  ini_set("session.cookie_httponly", 1);
+  ini_set("session.cookie_samesite", $SESSION_SAMESITE_POLICY);
  ini_set('session.gc_maxlifetime', $SESSION_LIFETIME);
 }

@@ -67,7 +69,7 @@ if (!empty($_SERVER['HTTP_X_API_KEY'])) {
      }
    }
    else {
-      $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for API_USER by " . $_SERVER['REMOTE_ADDR']);
+      $valkey->publish("F2B_CHANNEL", "mailcow UI: Invalid password for API_USER by " . $_SERVER['REMOTE_ADDR']);
      error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
      http_response_code(401);
      echo json_encode(array(
@@ -79,7 +81,7 @@ if (!empty($_SERVER['HTTP_X_API_KEY'])) {
    }
  }
  else {
-    $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for API_USER by " . $_SERVER['REMOTE_ADDR']);
+    $valkey->publish("F2B_CHANNEL", "mailcow UI: Invalid password for API_USER by " . $_SERVER['REMOTE_ADDR']);
    error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
    http_response_code(401);
    echo json_encode(array(
--- a/data/web/inc/triggers.user.inc.php
+++ b/data/web/inc/triggers.user.inc.php
@@ -80,7 +80,7 @@ if (isset($_POST["verify_tfa_login"])) {
            intval($user_details['attributes']['force_pw_update']) != 1 &&
            getenv('SKIP_SOGO') != "y" &&
            !$is_dual) {
-          header("Location: /SOGo/so/{$_SESSION['mailcow_cc_username']}");
+          header("Location: /SOGo/so/");
          die();
        } else {
          header("Location: /user");
@@ -146,7 +146,7 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
        intval($user_details['attributes']['force_pw_update']) != 1 &&
        getenv('SKIP_SOGO') != "y" &&
        !$is_dual) {
-      header("Location: /SOGo/so/{$login_user}");
+      header("Location: /SOGo/so/");
      die();
    } else {
      header("Location: /user");
--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
@@ -153,6 +153,13 @@ $LOG_PAGINATION_SIZE = 50;
 // Session lifetime in seconds
 $SESSION_LIFETIME = 10800;

+// Session SameSite Policy
+// Use "None", "Lax" or "Strict"
+$SESSION_SAMESITE_POLICY = "Lax";
+
+// Name of the session cookie
+$SESSION_NAME = "MCSESSID";
+
 // Label for OTP devices
 $OTP_LABEL = "mailcow UI";

--- a/data/web/js/build/013-mailcow.js
+++ b/data/web/js/build/013-mailcow.js
@@ -22,8 +22,8 @@ $(document).ready(function() {
    $.notify({message: msg},{z_index: 20000, delay: auto_hide, type: type,placement: {from: "bottom",align: "right"},animate: {enter: 'animated fadeInUp',exit: 'animated fadeOutDown'}});
  }

-  $(".generate_password").click(async function( event ) {   
-    try { 
+  $(".generate_password").click(async function( event ) {
+    try {
      var password_policy = await window.fetch("/api/v1/get/passwordpolicy", { method:'GET', cache:'no-cache' });
      var password_policy = await password_policy.json();
      random_passwd_length = password_policy.length;
@@ -48,7 +48,11 @@ $(document).ready(function() {
    })
  }
  $(".rot-enc").html(function(){
-    return str_rot13($(this).html())
+    footer_html = $(this).html();
+    footer_html = footer_html.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
+                             .replace(/&amp;/g, '&').replace(/&nzc;/g, '&')
+                             .replace(/&quot;/g, '"').replace(/&#x27;/g, "'");
+    return str_rot13(footer_html)
  });
  // https://stackoverflow.com/questions/4399005/implementing-jquerys-shake-effect-with-animate
  function shake(div,interval,distance,times) {
@@ -125,7 +129,7 @@ $(document).ready(function() {
        }
      });
  })();
-  
+
  // responsive tabs, scroll to opened tab
  $(document).on("shown.bs.collapse shown.bs.tab", function (e) {
 	  var target = $(e.target);
@@ -409,4 +413,4 @@ function copyToClipboard(id) {
  // only works with https connections
  navigator.clipboard.writeText(copyText.value);
  mailcow_alert_box(lang.copy_to_clipboard, "success");
-}
+}
--- a/data/web/js/site/admin.js
+++ b/data/web/js/site/admin.js
@@ -715,7 +715,6 @@ jQuery(function($){
    $('.app_hide').off('change');
    $('.app_hide').on('change', function (e) {
      var value = $(this).is(':checked') ? '1' : '0';
-      console.log(value)
      $(this).parent().children(':first-child').val(value);
    })
  }
--- a/data/web/js/site/dashboard.js
+++ b/data/web/js/site/dashboard.js
@@ -47,8 +47,6 @@ $(document).ready(function() {
    window.fetch("/api/v1/get/status/host/ip", { method:'GET', cache:'no-cache' }).then(function(response) {
      return response.json();
    }).then(function(data) {
-      console.log(data);
-
      // display host ips
      if (data.ipv4)
        $("#host_ipv4").text(data.ipv4);
@@ -1007,7 +1005,7 @@ jQuery(function($){
              "data-order": cellData.sortBy,
              "data-sort": cellData.sortBy
            });
-          },    
+          },
          render: function (data) {
            return data.value;
          }
@@ -1032,7 +1030,7 @@ jQuery(function($){
              "data-order": cellData.sortBy,
              "data-sort": cellData.sortBy
            });
-          },    
+          },
          render: function (data) {
            return data.value;
          }
@@ -1348,8 +1346,6 @@ function update_stats(timeout=5){
  window.fetch("/api/v1/get/status/host", {method:'GET',cache:'no-cache'}).then(function(response) {
    return response.json();
  }).then(function(data) {
-    console.log(data);
-
    if (data){
      // display table data
      $("#host_date").text(data.system_time);
@@ -1399,8 +1395,6 @@ function update_container_stats(timeout=5){
        var diskIOCtx = Chart.getChart(container + "_DiskIOChart");
        var netIOCtx = Chart.getChart(container + "_NetIOChart");

-        console.log(container);
-        console.log(data);
        prev_stats = null;
        if (data.length >= 2){
          prev_stats = data[data.length -2];
--- a/data/web/js/site/edit.js
+++ b/data/web/js/site/edit.js
@@ -66,7 +66,6 @@ $(document).ready(function() {
  // load tags
  if ($('#tags').length){
    var tagsEl = $('#tags').parent().find('.tag-values')[0];
-    console.log($(tagsEl).val())
    var tags = JSON.parse($(tagsEl).val());
    $(tagsEl).val("");

--- a/data/web/js/site/mailbox.js
+++ b/data/web/js/site/mailbox.js
@@ -1949,11 +1949,6 @@ jQuery(function($){
          defaultContent: '',
          responsivePriority: 5,
        },
-        {
-          title: lang.bcc_destinations,
-          data: 'bcc_dest',
-          defaultContent: ''
-        },
        {
          title: lang.sogo_visible,
          data: 'sogo_visible',
@@ -1972,6 +1967,15 @@ jQuery(function($){
          data: 'private_comment',
          defaultContent: ''
        },
+        {
+          title: lang.internal,
+          data: 'internal',
+          defaultContent: '',
+          responsivePriority: 6,
+          render: function (data, type) {
+            return 1==data?'<i class="bi bi-check-lg"><span class="sorting-value">1</span></i>':0==data&&'<i class="bi bi-x-lg"><span class="sorting-value">0</span></i>';
+          }
+        },
        {
          title: lang.active,
          data: 'active',
--- a/data/web/js/site/user.js
+++ b/data/web/js/site/user.js
@@ -169,7 +169,6 @@ jQuery(function($){
        type: "GET",
        url: "/api/v1/get/time_limited_aliases",
        dataSrc: function(data){
-          console.log(data);
          $.each(data, function (i, item) {
            if (acl_data.spam_alias === 1) {
              item.action = '<div class="btn-group">' +
@@ -262,7 +261,6 @@ jQuery(function($){
        type: "GET",
        url: '/api/v1/get/syncjobs/' + encodeURIComponent(mailcow_cc_username) + '/no_log',
        dataSrc: function(data){
-          console.log(data);
          $.each(data, function (i, item) {
            item.user1 = escapeHtml(item.user1);
            item.log = '<a href="#syncjobLogModal" data-bs-toggle="modal" data-syncjob-id="' + item.id + '">' + lang.open_logs + '</a>'
@@ -418,7 +416,6 @@ jQuery(function($){
        type: "GET",
        url: '/api/v1/get/app-passwd/all',
        dataSrc: function(data){
-          console.log(data);
          $.each(data, function (i, item) {
            item.name = escapeHtml(item.name)
            item.protocols = []
@@ -514,7 +511,6 @@ jQuery(function($){
        type: "GET",
        url: '/api/v1/get/policy_wl_mailbox',
        dataSrc: function(data){
-          console.log(data);
          $.each(data, function (i, item) {
            if (validateEmail(item.object)) {
              item.chkbox = '<input type="checkbox" class="form-check-input" data-id="policy_wl_mailbox" name="multi_select" value="' + item.prefid + '" />';
@@ -585,7 +581,6 @@ jQuery(function($){
        type: "GET",
        url: '/api/v1/get/policy_bl_mailbox',
        dataSrc: function(data){
-          console.log(data);
          $.each(data, function (i, item) {
            if (validateEmail(item.object)) {
              item.chkbox = '<input type="checkbox" class="form-check-input" data-id="policy_bl_mailbox" name="multi_select" value="' + item.prefid + '" />';
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -8,7 +8,7 @@ header('Content-Type: application/json');
 error_reporting(0);

 function api_log($_data) {
-  global $redis;
+  global $valkey;
  $data_var = array();
  foreach ($_data as $data => &$value) {
    if ($data == 'csrf_token') {
@@ -36,12 +36,12 @@ function api_log($_data) {
      'remote' => get_remote_ip(),
      'data' => implode(', ', $data_var)
    );
-    $redis->lPush('API_LOG', json_encode($log_line));
+    $valkey->lPush('API_LOG', json_encode($log_line));
  }
  catch (RedisException $e) {
    $_SESSION['return'][] = array(
      'type' => 'danger',
-      'msg' => 'Redis: '.$e
+      'msg' => 'Valkey: '.$e
    );
    return false;
  }
--- a/data/web/lang/lang.cs-cz.json
+++ b/data/web/lang/lang.cs-cz.json
@@ -24,7 +24,7 @@
        "sogo_access": "Správa přístupu do SOGo",
        "sogo_profile_reset": "Resetování profilu SOGo",
        "spam_alias": "Dočasné aliasy",
-        "spam_policy": "Blacklist/Whitelist",
+        "spam_policy": "Denylist/Allowlist",
        "spam_score": "Skóre spamu",
        "syncjobs": "Synchronizační úlohy",
        "tls_policy": "Pravidla TLS",
@@ -109,7 +109,9 @@
        "validate": "Ověřit",
        "validation_success": "Úspěšně ověřeno",
        "tags": "Štítky",
-        "dry": "Simulovat synchronizaci"
+        "dry": "Simulovat synchronizaci",
+        "internal": "Interní",
+        "internal_info": "Interní aliasy jsou přístupné jen z vlastních domén nebo jejich aliasů."
    },
    "admin": {
        "access": "Přístupy",
@@ -303,7 +305,7 @@
        "rspamd_global_filters": "Mapa globálních filtrů",
        "rspamd_global_filters_agree": "Budu opatrný!",
        "rspamd_global_filters_info": "Mapa globálních filtrů obsahuje jiné globální black- a whitelisty.",
-        "rspamd_global_filters_regex": "Názvy jsou dostatečným vysvětlením. Musí obsahovat jen platné regulární výrazy ve formátu \"/vyraz/parametry\" (e.g. <code>/.+@domena\\.tld/i</code>).<br>\r\n  Každý výraz bude podroben základní kontrole, přesto je možné Rspamd 'rozbít', nebude-li syntax zcela korektní.<br>\r\n  Rspamd se pokusí načíst mapu po každé změně. V případě potíží, <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">restartujte Rspamd</a>, aby se konfigurace načetla explicitně.",
+        "rspamd_global_filters_regex": "Názvy stačí k vysvětlení. Položky musejí obsahovat jen platné regulární výrazy ve tvaru \"/vyraz/parametry\" (e.g. <code>/.+@domena\\.tld/i</code>).<br>\n  Každý výraz bude podroben základní kontrole, přesto je možné Rspamd 'rozbít', nebude-li syntax zcela korektní.<br>\n  Rspamd se pokusí po každé změně načíst mapu znovu. V případě potíží <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">restartujte Rspamd</a>, aby se konfigurace načetla explicitně.",
        "rspamd_settings_map": "Nastavení Rspamd",
        "sal_level": "Úroveň 'Moo'",
        "save": "Uložit změny",
@@ -407,7 +409,9 @@
        "iam_extra_permission": "Aby vše fungovalo, musí mít mailcow klient v Keycloaku nastavený <code>servisní účet</code> a povolení <code>view-users</code>.",
        "iam_host": "Hostitel",
        "iam_host_info": "Zadejte jeden či více hostitelů, oddělte čárkou.",
-        "iam_import_users": "Importovat uživatele"
+        "iam_import_users": "Importovat uživatele",
+        "iam_auth_flow": "Proces autentizace",
+        "needs_restart": "potřebuje restart"
    },
    "danger": {
        "access_denied": "Přístup odepřen nebo jsou neplatná data ve formuláři",
@@ -494,7 +498,7 @@
        "pushover_token": "Token služby Pushover nemá správný formát",
        "quota_not_0_not_numeric": "Kvóta musí být číslo >= 0",
        "recipient_map_entry_exists": "Položka mapy příjemců \"%s\" již existuje",
-        "redis_error": "Chyba Redis: %s",
+        "valkey_error": "Chyba Valkey: %s",
        "relayhost_invalid": "Položky %s je neplatná",
        "release_send_failed": "Zprávu nelze propustit: %s",
        "reset_f2b_regex": "Regex filtr se nepodařilo resetovat, zkuste to znovu nebo počkejte pár sekund a obnovte stránku.",
@@ -548,7 +552,11 @@
        "img_size_exceeded": "Obrázek má větší než povolenou velikost souboru",
        "invalid_reset_token": "Neplatný resetovací token",
        "required_data_missing": "Chybí potřebný údaj %s",
-        "reset_token_limit_exceeded": "Byl překročen limit na reset tokeny. Zkuste to později."
+        "reset_token_limit_exceeded": "Byl překročen limit na reset tokeny. Zkuste to později.",
+        "max_age_invalid": "Maximální životnost %s není platná",
+        "mode_invalid": "Mód %s není platný",
+        "mx_invalid": "Záznam MX %s není platný",
+        "version_invalid": "Verze %s není platná"
    },
    "datatables": {
        "emptyTable": "Tabulka neobsahuje žádná data",
@@ -584,7 +592,7 @@
        "history_all_servers": "Záznam (všechny servery)",
        "in_memory_logs": "Logy v paměti",
        "last_modified": "Naposledy změněn",
-        "log_info": "<p><b>Logy v paměti</b> jsou shromažďovány v Redis seznamech a jsou oříznuty na LOG_LINES (%d) každou minutu, aby se nepřetěžoval server.\r\n  <br>Logy v paměti nemají být trvalé. Všechny aplikace, které logují do paměti, zároveň logují i do Docker služby podle nastavení logging driveru.\r\n  <br>Logy v paměti lze použít pro ladění drobných problémů s kontejnery.</p>\r\n  <p><b>Externí logy</b> jsou shromažďovány pomocí API dané aplikace.</p>\r\n  <p><b>Statické logy</b> jsou většinou logy činností, které nejsou zaznamenávány do Docker služby, ale přesto je dobré je schraňovat (výjimkou jsou logy API).</p>",
+        "log_info": "<p><b>Logy v paměti</b> jsou shromažďovány v Valkey seznamech a jsou oříznuty na LOG_LINES (%d) každou minutu, aby se nepřetěžoval server.\r\n  <br>Logy v paměti nemají být trvalé. Všechny aplikace, které logují do paměti, zároveň logují i do Docker služby podle nastavení logging driveru.\r\n  <br>Logy v paměti lze použít pro ladění drobných problémů s kontejnery.</p>\r\n  <p><b>Externí logy</b> jsou shromažďovány pomocí API dané aplikace.</p>\r\n  <p><b>Statické logy</b> jsou většinou logy činností, které nejsou zaznamenávány do Docker služby, ale přesto je dobré je schraňovat (výjimkou jsou logy API).</p>",
        "login_time": "Čas",
        "logs": "Logy",
        "online_users": "Uživatelů online",
@@ -759,7 +767,20 @@
        "mailbox_rename_warning": "DŮLEŽITÉ! Vytvořte si zálohu schránky, než ji přejmenujete.",
        "mailbox_rename_alias": "Automaticky vytvořit alias",
        "mailbox_rename_title": "Nový název zdejší schránky",
-        "pushover": "Pushover"
+        "pushover": "Pushover",
+        "internal": "Interní",
+        "internal_info": "Interní aliasy jsou přístupné jen z vlastních domén nebo jejich aliasů.",
+        "mta_sts": "MTA-STS",
+        "mta_sts_info": "<a href='https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_MTA_Strict_Transport_Security' target='_blank'>MTA-STS</a> je standard, jenž říká poštovním serverům, aby komunikovaly pomocí TLS s platnými certifikáty. <br>Používá se, pokud není k dispozici <a target='_blank' href='https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities'>DANE</a>, např. chybí-li či není podporováno DNSSEC.<br><b>Pozn.</b>: Podporuje-li přijímající doména DANE a DNSSEC, bude <b>vždy</b> použito DANE; MTA-STS zůstane jako plán B.",
+        "mta_sts_version": "Verze",
+        "mta_sts_version_info": "Určuje verzi standardu MTA-STS – zatím je podporována jen <code>STSv1</code>.",
+        "mta_sts_mode": "Mód",
+        "mta_sts_mode_info": "K dispozici jsou tři módy:<ul><li><em>testing</em> – pravidlo se jen sleduje, porušení je bez následků.</li><li><em>enforce</em> – pravidlo je důsledně dodržováno, spojení bez platného TLS jsou odmítána.</li><li><em>none</em> – pravidlo je zveřejněno, ale neuplatňuje se.</li></ul>",
+        "mta_sts_max_age": "Maximální životnost",
+        "mta_sts_max_age_info": "Doba v sekundách, po niž poštovní servery mohou toho pravidlo držet v mezipaměti bez nutnosti obnovení.",
+        "mta_sts_mx": "Server MX",
+        "mta_sts_mx_info": "Dovoluje odesílání jen výslovně vypsaným poštovním serverům; odesílající server kontroluje, že server MX určený v DNS odpovídá pravidlu, a povolí doručení jen s platným certifikátem TLS (chrání přes útokem typu MITM).",
+        "mta_sts_mx_notice": "Lze zadat více serverů MX (oddělte čárkou)."
    },
    "fido2": {
        "confirm": "Potvrdit",
@@ -829,7 +850,8 @@
        "login_admintext": "Přihlášení správce",
        "login_user": "Přihlášení uživatele",
        "login_dadmin": "Přihlášení správce domény",
-        "login_admin": "Přihlášení správce"
+        "login_admin": "Přihlášení správce",
+        "email": "Mailová adresa"
    },
    "mailbox": {
        "action": "Akce",
@@ -861,7 +883,7 @@
        "bcc": "BCC",
        "bcc_destination": "Cíl kopie",
        "bcc_destinations": "Cíl kopií",
-        "bcc_info": "Skrytá kopie (mapa BCC) se používá pro tiché předávání kopií všech zpráv na jinou adresu. Mapa příjemců se použije, funguje-li je místní cíl jako adresát zprávy. Totéž platí pro mapy odesílatelů.\nMístní cíl se nedozví, selže-li doručení na cíl BCC.",
+        "bcc_info": "<br/>Skrytá kopie (mapa BCC) se používá pro tiché předávání kopií všech zpráv na jinou adresu. Mapa příjemců se použije, funguje-li je místní cíl jako adresát zprávy. Totéž platí pro mapy odesílatelů.<br/>\n  Místní cíl se nedozví, selže-li doručení na cíl BCC.",
        "bcc_local_dest": "Týká se",
        "bcc_map": "Skrytá kopie",
        "bcc_map_type": "Typ skryté kopie",
@@ -1005,7 +1027,8 @@
        "weekly": "Každý týden",
        "yes": "&#10003;",
        "relay_unknown": "Předávání neexistujících schránek",
-        "iam": "Poskytovatel identity"
+        "iam": "Poskytovatel identity",
+        "internal": "Interní"
    },
    "oauth2": {
        "access_denied": "K udělení přístupu se přihlašte jako vlastník mailové schránky.",
@@ -1082,7 +1105,8 @@
        "hold_mail_legend": "Podrží vybrané e-maily. (Zabrání dalším pokusům o doručení)",
        "show_message": "Zobrazit zprávu",
        "unhold_mail": "Uvolnit",
-        "unhold_mail_legend": "Uvolnit vybrané e-maily k doručení. (Pouze v případě předchozího podržení)"
+        "unhold_mail_legend": "Uvolnit vybrané e-maily k doručení. (Pouze v případě předchozího podržení)",
+        "unban": "odblokovat"
    },
    "ratelimit": {
        "disabled": "Vypnuto",
--- a/data/web/lang/lang.da-dk.json
+++ b/data/web/lang/lang.da-dk.json
@@ -401,7 +401,7 @@
        "pushover_token": "Pushover-token har et forkert format",
        "quota_not_0_not_numeric": "Kvoten skal være numerisk og >= 0",
        "recipient_map_entry_exists": "En modtagerkortpost \"%s\" eksisterer",
-        "redis_error": "Redis fejl: %s",
+        "valkey_error": "Valkey fejl: %s",
        "relayhost_invalid": "Kortindtastning %s er ugyldig",
        "release_send_failed": "Beskeden kunne ikke frigives: %s",
        "reset_f2b_regex": "Regex filter kunne ikke nulstilles i tide, prøv igen eller vent et par sekunder mere, og genindlæs webstedet.",
@@ -444,7 +444,7 @@
        "external_logs": "Eksterne logfiler",
        "history_all_servers": "Historie (alle servere)",
        "in_memory_logs": "In-memory logs",
-        "log_info": "<p>mailcow <b>in-memory logs</b> er samlet i Redis-lister og trimmet til LOG_LINES (%d) hvert minut for at reducere hamring.\r\n  <br>Logbøger i hukommelsen er ikke beregnet til at være vedholdende. Alle applikationer, der logger ind i hukommelsen, logger også på Docker-dæmonen og derfor til standardlogdriveren.\r\n  <br>Logtypen i hukommelsen skal bruges til fejlfinding af mindre problemer med containere.</p>\r\n  <p><b>Eksterne logfiler</b> indsamles via API for den givne applikation.</p>\r\n  <p><b>Statiske logfiler</b> er for det meste aktivitetslogfiler, der ikke er logget på Dockerd, men stadig skal være vedholdende (undtagen API-logfiler).</p>",
+        "log_info": "<p>mailcow <b>in-memory logs</b> er samlet i Valkey-lister og trimmet til LOG_LINES (%d) hvert minut for at reducere hamring.\r\n  <br>Logbøger i hukommelsen er ikke beregnet til at være vedholdende. Alle applikationer, der logger ind i hukommelsen, logger også på Docker-dæmonen og derfor til standardlogdriveren.\r\n  <br>Logtypen i hukommelsen skal bruges til fejlfinding af mindre problemer med containere.</p>\r\n  <p><b>Eksterne logfiler</b> indsamles via API for den givne applikation.</p>\r\n  <p><b>Statiske logfiler</b> er for det meste aktivitetslogfiler, der ikke er logget på Dockerd, men stadig skal være vedholdende (undtagen API-logfiler).</p>",
        "logs": "Logs",
        "restart_container": "Genstart",
        "started_on": "Startede den",
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -71,6 +71,8 @@
        "goto_spam": "Nachrichten als <span class=\"text-danger\"><b>Spam</b></span> lernen",
        "hostname": "Host",
        "inactive": "Inaktiv",
+        "internal": "Intern",
+        "internal_info": "Interne Aliasse sind nur von der eigenen Domäne oder Alias-Domänen erreichbar.",
        "kind": "Art",
        "mailbox_quota_def": "Standard-Quota einer Mailbox",
        "mailbox_quota_m": "Max. Speicherplatz pro Mailbox (MiB)",
@@ -408,7 +410,8 @@
        "allowed_origins": "Access-Control-Allow-Origin",
        "logo_dark_label": "Invertiert für den Darkmode",
        "logo_normal_label": "Normal",
-        "user_link": "Nutzer-Link"
+        "user_link": "Nutzer-Link",
+        "filter": "Filter"
    },
    "danger": {
        "access_denied": "Zugriff verweigert oder unvollständige/ungültige Daten",
@@ -511,7 +514,7 @@
        "quota_not_0_not_numeric": "Speicherplatz muss numerisch und >= 0 sein",
        "recipient_map_entry_exists": "Eine Empfängerumschreibung für Objekt \"%s\" existiert bereits",
        "recovery_email_failed": "E-Mail zur Wiederherstellung konnte nicht gesendet werden. Bitte wenden Sie sich an Ihren Administrator.",
-        "redis_error": "Redis Fehler: %s",
+        "valkey_error": "Valkey Fehler: %s",
        "relayhost_invalid": "Map-Eintrag %s ist ungültig",
        "release_send_failed": "Die Nachricht konnte nicht versendet werden: %s",
        "reset_f2b_regex": "Regex-Filter konnten nicht in vorgegebener Zeit zurückgesetzt werden, bitte erneut versuchen oder die Webseite neu laden.",
@@ -597,7 +600,7 @@
        "history_all_servers": "History (alle Server)",
        "in_memory_logs": "In-memory Logs",
        "last_modified": "Zuletzt geändert",
-        "log_info": "<p>mailcow <b>in-memory Logs</b> werden in Redis Listen gespeichert, die maximale Anzahl der Einträge pro Anwendung richtet sich nach LOG_LINES (%d).\r\n  <br>In-memory Logs sind vergänglich und nicht zur ständigen Aufbewahrung bestimmt. Alle Anwendungen, die in-memory protokollieren, schreiben ebenso in den Docker Daemon.\r\n  <br>Das in-memory Protokoll versteht sich als schnelle Übersicht zum Debugging eines Containers, für komplexere Protokolle sollte der Docker Daemon konsultiert werden.</p>\r\n  <p><b>Externe Logs</b> werden via API externer Applikationen bezogen.</p>\r\n  <p><b>Statische Logs</b> sind weitestgehend Aktivitätsprotokolle, die nicht in den Docker Daemon geschrieben werden, jedoch permanent verfügbar sein müssen (ausgeschlossen API Logs).</p>",
+        "log_info": "<p>mailcow <b>in-memory Logs</b> werden in Valkey Listen gespeichert, die maximale Anzahl der Einträge pro Anwendung richtet sich nach LOG_LINES (%d).\r\n  <br>In-memory Logs sind vergänglich und nicht zur ständigen Aufbewahrung bestimmt. Alle Anwendungen, die in-memory protokollieren, schreiben ebenso in den Docker Daemon.\r\n  <br>Das in-memory Protokoll versteht sich als schnelle Übersicht zum Debugging eines Containers, für komplexere Protokolle sollte der Docker Daemon konsultiert werden.</p>\r\n  <p><b>Externe Logs</b> werden via API externer Applikationen bezogen.</p>\r\n  <p><b>Statische Logs</b> sind weitestgehend Aktivitätsprotokolle, die nicht in den Docker Daemon geschrieben werden, jedoch permanent verfügbar sein müssen (ausgeschlossen API Logs).</p>",
        "login_time": "Zeit",
        "logs": "Protokolle",
        "memory": "Arbeitsspeicher",
@@ -689,6 +692,8 @@
        "grant_types": "Grant-types",
        "hostname": "Servername",
        "inactive": "Inaktiv",
+        "internal": "Intern",
+        "internal_info": "Interne Aliasse sind nur von der eigenen Domäne oder Alias-Domänen erreichbar.",
        "kind": "Art",
        "last_modified": "Zuletzt geändert",
        "lookup_mx": "Ziel mit MX vergleichen (Regex, etwa <code>.*\\.google\\.com</code>, um alle Ziele mit MX *google.com zu routen)",
@@ -846,7 +851,8 @@
        "password": "Passwort",
        "reset_password": "Passwort zurücksetzen",
        "request_reset_password": "Passwortänderung anfordern",
-        "username": "Benutzername"
+        "username": "Benutzername",
+        "email": "E-Mail-Adresse"
    },
    "mailbox": {
        "action": "Aktion",
@@ -921,6 +927,7 @@
        "in_use": "Prozentualer Gebrauch",
        "inactive": "Inaktiv",
        "insert_preset": "Beispiel \"%s\" laden",
+        "internal": "Intern",
        "kind": "Art",
        "last_mail_login": "Letzter Mail-Login",
        "last_modified": "Zuletzt geändert",
@@ -1093,7 +1100,7 @@
        "legend": "Funktionen der Mailqueue Aktionen:",
        "ays": "Soll die derzeitige Queue wirklich komplett bereinigt werden?",
        "deliver_mail": "Ausliefern",
-        "deliver_mail_legend": "Versucht eine erneute Zustellung der ausgwählten Mails.",
+        "deliver_mail_legend": "Versucht eine erneute Zustellung der ausgewählten Mails.",
        "hold_mail": "Zurückhalten",
        "hold_mail_legend": "Hält die ausgewählten Mails zurück. (Verhindert weitere Zustellversuche)",
        "queue_manager": "Queue Manager",
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
FreddleSpl0it	c0f06bfc52	Merge branch 'staging' into feat/valkey	2025-10-10 12:40:41 +02:00
milkmaker	79cf0abc6e	[Web] Updated lang.zh-cn.json (#6826 ) Co-authored-by: Easton Man <me@eastonman.com>	2025-10-09 19:54:12 +02:00
Olavo Rocha Neto	7de70322d6	Update pt-br lang (#6803 ) * [Web] Updated lang.si-si.json Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si> * Update pt-br lang * Complimentary adjustments * Revert "[Web] Updated lang.si-si.json" This reverts commit `b23848e0f2`. --------- Co-authored-by: milkmaker <milkmaker@mailcow.de> Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>	2025-10-09 19:36:36 +02:00
DerLinkman	417835dea8	netfilter: improve logging and mark iptables-legacy as deprecated	2025-10-09 16:37:05 +02:00
FreddleSpl0it	df4d3bb6e0	[Web] Fix dashboard host stats	2025-10-07 11:41:57 +02:00
FreddleSpl0it	455ef084b4	[Web] clear old app_passwd log entries	2025-10-07 10:37:44 +02:00
FreddleSpl0it	c2948735f2	[Web] clear old app_passwd log entries	2025-10-07 10:18:07 +02:00
FreddleSpl0it	1ef0149076	[Web] make SameSite policy and cookie name configurable via vars.local.inc	2025-10-06 11:00:03 +02:00
FreddleSpl0it	922d173540	[Web] include hostname in default website title	2025-10-06 10:58:35 +02:00
renovate[bot]	fd088cb504	chore(deps): update actions/stale action to v10.1.0 (#6806 )	2025-10-04 14:13:48 +02:00
Valentin Brandl	721ee2394e	Update variable name for prometheus-exporter security token (#6776 ) * update variable name for prometheus-exporter security token * update `MAILCOW_EXPORTER_TOKEN_DISABLE` variable name	2025-10-03 18:03:03 +01:00
Colin Kubon	c217be06c6	scripts: make sure /etc/docker exists (#6791 )	2025-10-02 09:24:06 +02:00
Jonas	871c422ec1	Fix typos in config (#6792 ) Co-authored-by: DerLinkman <niklas.meyer@servercow.de>	2025-10-02 09:22:35 +02:00
sdsys-ch	3cc28af607	[Helper] Fix cold-standby script to support digits and override files (#6800 ) This commit fixes two bugs in the cold-standby script: 1. Support digits in COMPOSE_PROJECT_NAME The script was stripping digits from COMPOSE_PROJECT_NAME, while backup_and_restore.sh (fixed in `a71d991c`) correctly supports them. Added '0-9' to the tr character set to align behavior. 2. Support docker-compose.override.yml on remote Lines 172 and 287 explicitly used '-f docker-compose.yml' which causes Docker Compose to ignore docker-compose.override.yml even when present. Changed to 'cd && compose' pattern (matching line 296) to auto-discover override files. Impact: Users with custom volumes/services in override file would experience silent failures - volumes not created, images not pulled, data syncing to wrong locations. Both fixes ensure cold-standby works correctly with standard Docker Compose conventions and user customizations. Co-authored-by: Christophe Neuerburg <c.neuerburg@sdsys.ch>	2025-10-02 09:21:26 +02:00
milkmaker	796e131c3a	update postscreen_access.cidr (#6801 )	2025-10-01 11:14:57 +02:00
milkmaker	c51a769aec	[Web] Updated lang.si-si.json (#6794 ) Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>	2025-09-29 18:10:39 +02:00
FreddleSpl0it	45a61755a5	Merge pull request #6777 from patschi/enable-https-redirect-default Enable HTTPS redirect by default on new setups	2025-09-29 11:56:46 +02:00
FreddleSpl0it	769c57c355	Merge pull request #6779 from patschi/remove-debug-consolelog Remove debug console.log calls	2025-09-29 11:54:23 +02:00
FreddleSpl0it	2e7eb7c0fd	Merge pull request #6780 from patschi/fix-pwcomplexity-apppasswds Fixed password complexity check for AppPasswords creation/edit	2025-09-29 11:53:26 +02:00
FreddleSpl0it	4c83147d01	Merge pull request #6781 from patschi/pw-field-name-consistency Rename password fields for AppPasswords same way for consistency	2025-09-29 11:52:08 +02:00
FreddleSpl0it	ca0bec4fc2	Merge pull request #6782 from patschi/fix-footer-escape Fixed wrong footer escaping for certain characters	2025-09-29 11:45:42 +02:00
FreddleSpl0it	6f50dd17da	Merge pull request #6786 from patschi/fix-sql-typo Fix several SQL statements	2025-09-29 11:39:30 +02:00
FreddleSpl0it	4a331929d0	Merge pull request #6787 from patschi/hide-relayhosts-if-no-acl Hide relayhosts when ACL does not allow	2025-09-29 11:38:52 +02:00
FreddleSpl0it	748bc893b6	Merge pull request #6788 from patschi/lastmodified-default-value Show "Never" by default if no last-modified date saved	2025-09-29 11:37:52 +02:00
FreddleSpl0it	e462602ddc	Merge pull request #6789 from patschi/domain-descr-readonly-when-no-acl Make domain description field readonly when no ACL	2025-09-29 11:36:42 +02:00
milkmaker	4e0f435d12	[Web] Updated lang.si-si.json (#6793 )	2025-09-28 15:12:14 +02:00
milkmaker	46f0581936	[Web] Updated lang.si-si.json (#6790 ) Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>	2025-09-26 19:14:07 +02:00
Patrik Kernstock	20f04ecf6b	Make domain description field readonly when no ACL	2025-09-26 17:13:24 +02:00
Patrik Kernstock	ff43799763	Show "Never" by default if no last-modified date	2025-09-26 17:02:22 +02:00
Patrik Kernstock	85ca197615	Hide relayhosts when ACL does not allow	2025-09-26 16:50:58 +02:00
Patrik Kernstock	d06d23bbaf	Fix several SQL statements	2025-09-26 14:58:04 +02:00
Patrik Kernstock	702ed85dfd	Fixed footer escaping	2025-09-26 14:41:19 +02:00
milkmaker	8abe74a562	[Web] Updated lang.si-si.json (#6785 ) Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>	2025-09-26 10:57:32 +02:00
Patrik Kernstock	5c5287ca21	Fixed wrong footer escaping	2025-09-26 04:04:45 +02:00
Patrik Kernstock	ce219668cf	Rename AppPasswds fields uniquely like 'add'	2025-09-26 03:37:49 +02:00
Patrik Kernstock	5b1b49a418	Fixed password complexity check for AppPasswords	2025-09-26 02:37:02 +02:00
Patrik Kernstock	8978a9ad79	Remove debug console.log() lines	2025-09-26 02:13:22 +02:00
Patrik Kernstock	5f4a4fd759	Removed new lines for consistency	2025-09-26 01:14:33 +02:00
Patrik Kernstock	171c591da4	Enable REDIRECT_HTTP=y by default	2025-09-26 01:14:23 +02:00
FreddleSpl0it	9133b9899c	Merge pull request #6764 from patschi/tools-install-clear-msg Clearer message to install required tool, e.g. jq	2025-09-25 09:00:41 +02:00
FreddleSpl0it	701c9fb1b4	Merge pull request #6772 from patschi/update-issue-template Update GitHub's issue template	2025-09-25 08:53:18 +02:00
Patrik Kernstock	eabd22188b	Re-intend checkboxes	2025-09-24 21:20:48 +02:00
Patrik Kernstock	7028619742	Update GitHub's issue template	2025-09-24 21:17:29 +02:00
Patrik Kernstock	c915bf2ee2	Add docs link to get_installed_tools() message	2025-09-24 19:06:47 +02:00
milkmaker	011edd5ac9	[Web] Updated lang.si-si.json (#6771 ) Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>	2025-09-24 17:36:09 +02:00
FreddleSpl0it	7ba3de4ced	Merge pull request #6767 from mailcow/fix/rename-phpsessid [Web] Rename PHP Cookie to MCSESSID	2025-09-23 12:41:01 +02:00
FreddleSpl0it	8ead77083f	[Web] Rename PHP Cookie to MCSESSID	2025-09-23 12:39:48 +02:00
FreddleSpl0it	b2774fb50b	Merge pull request #6766 from mailcow/fix/samesite-cookie [Web] set cookie SameSite attribute to Lax	2025-09-23 12:36:11 +02:00
FreddleSpl0it	4440bd46ad	[Web] set cookie SameSite attribute to Lax	2025-09-23 12:24:25 +02:00
FreddleSpl0it	28985973eb	[Web] Revert - allow "*" as wildcard domain	2025-09-23 10:07:33 +02:00
Christian 🦄	f2c4697ca3	Fixed typo in lang de-de (#6765 )	2025-09-22 22:45:54 +01:00
Patrik Kernstock	383b5affb5	More clearer message to install required tool	2025-09-22 19:49:31 +02:00
FreddleSpl0it	ed4dcff63b	[Web] allow "*" as wildcard domain	2025-09-22 14:42:14 +02:00
FreddleSpl0it	caca32bbba	Merge pull request #6759 from mailcow/fix/6720 [Web] Allow wildcard subdomains for MTA-STS	2025-09-22 14:20:36 +02:00
FreddleSpl0it	d31e74c778	Merge pull request #6760 from mailcow/fix/6739 [Web] Remove Port from HTTP_HOST	2025-09-22 14:20:15 +02:00
FreddleSpl0it	6c00e29276	Merge pull request #6762 from mailcow/fix/6740 [Nginx] do not invert ENABLE_IPV6	2025-09-22 14:19:57 +02:00
FreddleSpl0it	9940c503a2	[Nginx] do not invert ENABLE_IPV6	2025-09-22 14:16:42 +02:00
FreddleSpl0it	4b2862cb3c	[Web] Remove Port from HTTP_HOST	2025-09-22 14:07:17 +02:00
FreddleSpl0it	a36485f0f1	[Web] Allow wildcard subdomains for MTA-STS	2025-09-22 13:55:18 +02:00
FreddleSpl0it	78168ee80a	Merge pull request #6758 from mailcow/feat/sogo-url-encryption [SOGo][Web] SOGo URL Encryption support	2025-09-22 13:32:58 +02:00
FreddleSpl0it	610609378f	[SOGo][Web] Set URL encryption key in mailcow.conf	2025-09-22 12:58:05 +02:00
FreddleSpl0it	260906e350	[SOGo][Web] Enable SOGo URL Encryption	2025-09-22 12:28:09 +02:00
milkmaker	2891bbf82a	Translations update from Weblate (#6749 ) * [Web] Updated lang.cs-cz.json Co-authored-by: Filip Hajny <filip@hajny.net> * [Web] Updated lang.lv-lv.json Co-authored-by: Edgars Andersons <Edgars+Mailcow+Weblate@gaitenis.id.lv> --------- Co-authored-by: Filip Hajny <filip@hajny.net> Co-authored-by: Edgars Andersons <Edgars+Mailcow+Weblate@gaitenis.id.lv>	2025-09-16 18:24:12 +02:00
milkmaker	eb26bcbc94	Translations update from Weblate (#6743 ) * [Web] Updated lang.zh-cn.json Co-authored-by: Easton Man <me@eastonman.com> * [Web] Updated lang.si-si.json [Web] Updated lang.si-si.json Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si> Co-authored-by: milkmaker <milkmaker@mailcow.de> --------- Co-authored-by: Easton Man <me@eastonman.com> Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>	2025-09-13 21:41:59 +02:00
patr_	84e230de8f	[Nginx] fix: Disable IPv6 support in Nginx configuration (#6736 ) Co-authored-by: patr_ <patbernh@gmail.com>	2025-09-12 11:17:18 +02:00
FreddleSpl0it	f67a12d157	Merge pull request #6726 from mailcow/fix/6135 [Web] remove unused bcc dest column from alias table	2025-09-11 13:50:25 +02:00
FreddleSpl0it	34b48eedfc	Merge pull request #6727 from mailcow/fix/6423 [SOGo] Drop deprecated `sogo_update_password` sql trigger if it still exists	2025-09-11 13:50:05 +02:00
FreddleSpl0it	0d900d4fc8	[SOGo] Drop deprecated `sogo_update_password` sql trigger if it still exists	2025-09-11 11:01:50 +02:00
FreddleSpl0it	642ac6d02c	[Web] remove unused bcc dest column from alias table	2025-09-11 10:34:35 +02:00
DerLinkman	94c1a6c4e1	scripts: ipv6_controller improvement + fix modules handling (#6722 ) * Fix subscript handling for modules * ipv6: detect case when link local is present * v6-controller: removed fixed-cidr for docker 28+	2025-09-10 16:20:58 +02:00
FreddleSpl0it	262fe04286	change MAJOR_VERSIONS 2025-08 to 2025-09	2025-09-10 11:17:34 +02:00
FreddleSpl0it	1c438330c6	[postfix-tlspol] build with NOOPT=1 for wider CPU compatibility	2025-09-10 10:14:37 +02:00
FreddleSpl0it	8cb25709ae	[Clamd] update to 1.71	2025-09-10 08:23:22 +02:00
FreddleSpl0it	221f2989b0	Merge pull request #6698 from mailcow/6644_clamd-tmp-folder-naming-change Changed clamavs tmp folder structure	2025-09-09 13:12:54 +02:00
FreddleSpl0it	3d05207bc7	Merge pull request #6717 from mailcow/fix/6664 [Rspamd] only recreate external_services.conf file if it was deleted	2025-09-09 12:53:03 +02:00
FreddleSpl0it	8c8497d885	[Rspamd] only recreate external_services.conf file if it was deleted	2025-09-09 12:50:19 +02:00
FreddleSpl0it	56d083ced4	Merge pull request #6682 from psuet/fix/imapsync fix: imapsync gets correct timeouts from imapsync_runner.pl	2025-09-09 12:34:02 +02:00
FreddleSpl0it	a90b3544a7	Merge pull request #6651 from psuet/fix/php-warnings Fix multiple PHP Warnings present in "stock" installation	2025-09-09 12:27:14 +02:00
FreddleSpl0it	08aea7fb26	Merge pull request #6716 from mailcow/fix/6610 Prevent user login if protocol access has been disabled	2025-09-09 12:16:09 +02:00
FreddleSpl0it	13f7f9830b	Prevent user login if protocol access has been disabled	2025-09-09 12:11:19 +02:00
FreddleSpl0it	2f75039194	Merge pull request #6715 from mailcow/fix/version-tag [Web] Only include mailcow_info in JS when mailcow_cc_username is set	2025-09-09 11:10:25 +02:00
FreddleSpl0it	1e192e14f4	[Web] Only include mailcow_info in JS when mailcow_cc_username is set	2025-09-09 11:09:09 +02:00
FreddleSpl0it	9cd1f931fc	Merge pull request #6714 from mailcow/fix/domain-wide-footer [RSPAMD] Add boundary if present when applying domain-wide footer	2025-09-09 10:57:18 +02:00
FreddleSpl0it	8d7235b535	[RSPAMD] Add boundary if present when applying domain-wide footer	2025-09-09 10:52:19 +02:00
FreddleSpl0it	8446abd484	Merge pull request #6713 from mailcow/feat/internal-alias [Rspamd][Web] Internal alias support	2025-09-09 10:45:56 +02:00
FreddleSpl0it	f67c0530f5	[Rspamd][Web] Internal alias support	2025-09-09 10:37:54 +02:00
Dmitriy Alekseev	06db1d6a72	[Rspamd] Do not increment rate limit for emails from user to himself (#6706 ) * [Rspamd] Do not increment rate limit for emails from user to himself * Lowercase username and recipient address for comparison Normalize username and recipient address comparison to lowercase.	2025-09-05 03:37:59 +02:00
renovate[bot]	81775ab4d5	chore(deps): update actions/stale action to v10 (#6708 ) Signed-off-by: milkmaker <milkmaker@mailcow.de> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2025-09-04 18:02:11 +02:00
DerLinkman	34877ecf9c	watchdog: added postfix-tlspol check (#6691 )	2025-09-03 08:18:04 +02:00
milkmaker	dbde144014	update postscreen_access.cidr (#6703 )	2025-09-03 08:14:14 +02:00
DerLinkman	5361a4a4ee	updated sponsors in Readme.md	2025-09-01 12:32:27 +02:00
milkmaker	0997548d7f	Translations update from Weblate (#6699 ) * [Web] Updated lang.de-de.json Co-authored-by: Peter <magic@kthx.at> * [Web] Updated lang.en-gb.json Co-authored-by: Peter <magic@kthx.at> * [Web] Updated lang.hu-hu.json [Web] Language file updated by 'Cleanup translation files' addon Co-authored-by: Peter <magic@kthx.at> Co-authored-by: milkmaker <milkmaker@mailcow.de> * [Web] Updated lang.si-si.json Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si> --------- Co-authored-by: Peter <magic@kthx.at> Co-authored-by: Matjaž Tekavec <matjaz@moj-svet.si>	2025-08-29 22:38:06 +02:00
Sándor	921de02a2b	Update lang.hu-hu.json (#6697 ) Extended Hungarian translation	2025-08-29 18:32:17 +02:00
Peter	48e90a72dc	Changed clamavs tmp folder structure	2025-08-29 18:27:34 +02:00
renovate[bot]	c0b7a98e6c	chore(deps): update actions/checkout action to v5 (#6671 ) Signed-off-by: milkmaker <milkmaker@mailcow.de> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2025-08-29 18:23:56 +02:00
DerLinkman	0b0a65a3f3	web: rename login placeholder for mailbox to email address (#6693 )	2025-08-28 17:02:16 +02:00
DerLinkman	6c5d82c4df	expanded postscreen whitelist with modern freemailers + included checks.mailcow.email	2025-08-28 14:06:17 +02:00
maxi322	5e66ffa366	watchdog: use dig instead of check_dns (#6685 ) * watchdog: use dig instead of check_dns check_dns is slower and uses more system resources, dig wrapped in a script is a more performant approach and uses fewer system resources * added debug mode + compose image bump --------- Co-authored-by: maxi322 <maxi322@users.noreply.github.com> Co-authored-by: DerLinkman <niklas.meyer@servercow.de>	2025-08-28 12:56:37 +02:00
Sajjad hassanzadeh	4d88e19106	Feat/prometheus-exporter : Add prometheus exporter and grafana dashboard for mailcow. (#6314 ) * add : readme for prometheus exporter configs * add : grafana dashboard json file * add: prometheus exporter service on docker-compose.override.yml * migrate: doc files into docs.mailcow.email project * add : security configs in prometheus exporter compose file * add : explain more in my comment part in prometheus override compose file * remove : mailcow dockerized docs --------- Co-authored-by: Saji <saji@abrnoc>	2025-08-28 12:36:43 +02:00
Paul Sütterlin	53c35493a5	fix: imapsync gets correct timeouts Previously imapsync only attached the timeout1 / timeout2 arguments if the argument was negative (which is not even possible). Now the argument is added for every positive number. Fixes #6590	2025-08-21 18:36:01 +00:00
Paul Sütterlin	ad9b328ed5	fix: Undefined array key "pending_tfa_methods" in /web/inc/footer.inc.php on line 29	2025-07-26 01:12:48 +00:00
Paul Sütterlin	3d5b57889a	fix: Empty App Links The return value of the function caused a warning in header.inc.php:42 if no additional links were set. header.inc.php is the only caller of this function, thus it is safe to return an empty array here.	2025-07-26 01:08:28 +00:00
Paul Sütterlin	6b8e981bdc	fix: Only use HTTP_ORIGIN if it is sent.	2025-07-26 01:06:24 +00:00
FreddleSpl0it	0698159f07	Add redis-to-valkey migratior	2025-02-28 15:49:28 +01:00
FreddleSpl0it	c27000215e	migrate from redis to valkey	2025-02-28 15:36:19 +01:00