[SOGo][Web] use incremental updates for mailbox/alias/resource sync in sogo_static_view

.github/workflows/rebuild_backup_image.yml

@@ -16,14 +16,14 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
       - name: Login to GHCR
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v4
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}

.gitignore

@@ -51,7 +51,6 @@ data/conf/sogo/cron.creds
 data/conf/sogo/custom-fulllogo.svg
 data/conf/sogo/custom-shortlogo.svg
 data/conf/sogo/custom-fulllogo.png
-data/conf/acme/dns-01.conf
 data/gitea/
 data/gogs/
 data/hooks/dovecot/*

data/Dockerfiles/acme/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.23
+FROM alpine:3.21
 
 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 

data/Dockerfiles/acme/acme.sh

@@ -14,17 +14,6 @@ until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
   sleep 2
 done
 
-# Create DNS-01 configuration template if it doesn't exist
-if [[ ! -f /etc/acme/dns-01.conf ]]; then
-  mkdir -p /etc/acme
-  cat > /etc/acme/dns-01.conf <<'EOF'
-# Add here your DNS-01 challenge configuration
-# For more information, visit the acme.sh documentation:
-# https://github.com/acmesh-official/acme.sh/wiki/dnsapi
-EOF
-  echo "Created DNS-01 configuration template at /etc/acme/dns-01.conf"
-fi
-
 source /srv/functions.sh
 # Thanks to https://github.com/cvmiller -> https://github.com/cvmiller/expand6
 source /srv/expand6.sh

data/Dockerfiles/dockerapi/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.23
+FROM alpine:3.21
 
 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 

data/Dockerfiles/dovecot/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.22
+FROM alpine:3.21
 
 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
 

data/Dockerfiles/dovecot/docker-entrypoint.sh

@@ -44,109 +44,90 @@ if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
 else
   QUOTA_TABLE=quota2replica
 fi
-
-cat <<EOF > /etc/dovecot/conf.d/12-mysql.conf
-# Autogenerated by mailcow - DO NOT TOUCH!
-mysql /var/run/mysqld/mysqld.sock {
-  dbname=${DBNAME}
-  user=${DBUSER}
-  password=${DBPASS}
-
-  ssl = no
-}
-EOF
-
-
 cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-quota.conf
 # Autogenerated by mailcow
-dict_map priv/quota/storage {
-  sql_table = ${QUOTA_TABLE}
+connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
+map {
+  pattern = priv/quota/storage
+  table = ${QUOTA_TABLE}
   username_field = username
-  value_field bytes {
-  }
+  value_field = bytes
 }
-
-dict_map priv/quota/messages {
-  sql_table = ${QUOTA_TABLE}
+map {
+  pattern = priv/quota/messages
+  table = ${QUOTA_TABLE}
   username_field = username
-  value_field messages {
-  }
+  value_field = messages
 }
 EOF
 
 # Create dict used for sieve pre and postfilters
 cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-sieve_before.conf
 # Autogenerated by mailcow
-
-dict_map priv/sieve/name/\$script_name {
-  sql_table = sieve_before
+connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
+map {
+  pattern = priv/sieve/name/\$script_name
+  table = sieve_before
   username_field = username
-  value_field id {
-  }
-
-  # The script name field in the table to query
-  key_field script_name {
-    value = \$script_name
+  value_field = id
+  fields {
+    script_name = \$script_name
   }
 }
-
-dict_map priv/sieve/data/\$id {
-  sql_table = sieve_before
+map {
+  pattern = priv/sieve/data/\$id
+  table = sieve_before
   username_field = username
-  value_field script_data {
-  }
-  key_field id {
-    value = \$id
+  value_field = script_data
+  fields {
+    id = \$id
   }
 }
 EOF
 
 cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-sieve_after.conf
 # Autogenerated by mailcow
-
-dict_map priv/sieve/name/\$script_name {
-  sql_table = sieve_after
+connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
+map {
+  pattern = priv/sieve/name/\$script_name
+  table = sieve_after
   username_field = username
-  value_field id {
-  }
-  key_field script_name {
-    value = \$script_name
+  value_field = id
+  fields {
+    script_name = \$script_name
   }
 }
-
-dict_map priv/sieve/data/\$id {
-  sql_table = sieve_after
+map {
+  pattern = priv/sieve/data/\$id
+  table = sieve_after
   username_field = username
-  value_field script_data {
-  }
-  key_field id {
-    value = \$id
+  value_field = script_data
+  fields {
+    id = \$id
   }
 }
 EOF
 
-if [[ "${ACL_ANYONE}" == "allow" ]]; then
-  echo -n "yes" > /etc/dovecot/acl_anyone
-else
-  echo -n "no" > /etc/dovecot/acl_anyone
-fi
+echo -n ${ACL_ANYONE} > /etc/dovecot/acl_anyone
 
 if [[ "${SKIP_FTS}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
 echo -e "\e[33mDetecting SKIP_FTS=y... not enabling Flatcurve (FTS) then...\e[0m"
-echo -n 'quota quota_clone acl mail_crypt mail_crypt_acl mail_log mail_compress notify lazy_expunge' > /etc/dovecot/mail_plugins
-echo -n 'quota quota_clone imap_quota imap_acl acl imap_sieve mail_crypt mail_crypt_acl mail_compress notify mail_log' > /etc/dovecot/mail_plugins_imap
-echo -n 'quota quota_clone sieve acl mail_crypt mail_crypt_acl mail_compress notify' > /etc/dovecot/mail_plugins_lmtp
+echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify listescape replication lazy_expunge' > /etc/dovecot/mail_plugins
+echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify listescape replication mail_log' > /etc/dovecot/mail_plugins_imap
+echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
 else
 echo -e "\e[32mDetecting SKIP_FTS=n... enabling Flatcurve (FTS)\e[0m"
-echo -n 'quota quota_clone acl mail_crypt mail_crypt_acl mail_log mail_compress notify fts fts_flatcurve lazy_expunge' > /etc/dovecot/mail_plugins
-echo -n 'quota quota_clone imap_quota imap_acl acl imap_sieve mail_crypt mail_crypt_acl mail_compress notify mail_log fts fts_flatcurve' > /etc/dovecot/mail_plugins_imap
-echo -n 'quota quota_clone sieve acl mail_crypt mail_crypt_acl mail_compress fts fts_flatcurve notify' > /etc/dovecot/mail_plugins_lmtp
+echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify fts fts_flatcurve listescape replication lazy_expunge' > /etc/dovecot/mail_plugins
+echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify mail_log fts fts_flatcurve listescape replication' > /etc/dovecot/mail_plugins_imap
+echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl fts fts_flatcurve notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
 fi
 chmod 644 /etc/dovecot/mail_plugins /etc/dovecot/mail_plugins_imap /etc/dovecot/mail_plugins_lmtp /templates/quarantine.tpl
 
 cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-userdb.conf
 # Autogenerated by mailcow
-query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format')), mailbox_path_prefix, '%{user | domain }}/%{user | username }/Maildir:VOLATILEDIR=/var/volatile/%{user}:INDEX=/var/vmail_index/%{user}') AS mail, '%{protocol}' AS protocol, 5000 AS uid, 5000 AS gid, concat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%{user}' AND (active = '1' OR active = '2')
+driver = mysql
+connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
+user_query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format')), mailbox_path_prefix, '%d/%n/${MAILDIR_SUB}:VOLATILEDIR=/var/volatile/%u:INDEX=/var/vmail_index/%u') AS mail, '%s' AS protocol, 5000 AS uid, 5000 AS gid, concat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND (active = '1' OR active = '2')
 iterate_query = SELECT username FROM mailbox WHERE active = '1' OR active = '2';
 EOF
 
@@ -177,8 +158,8 @@ for cert_dir in /etc/ssl/mail/*/ ; do
   domains=($(cat ${cert_dir}domains))
   for domain in ${domains[@]}; do
     echo 'local_name '${domain}' {' >> /etc/dovecot/sni.conf;
-    echo '  ssl_server_cert_file = '${cert_dir}'cert.pem' >> /etc/dovecot/sni.conf;
-    echo '  ssl_server_key_file = '${cert_dir}'key.pem' >> /etc/dovecot/sni.conf;
+    echo '  ssl_cert = <'${cert_dir}'cert.pem' >> /etc/dovecot/sni.conf;
+    echo '  ssl_key = <'${cert_dir}'key.pem' >> /etc/dovecot/sni.conf;
     echo '}' >> /etc/dovecot/sni.conf;
   done
 done
@@ -202,13 +183,11 @@ else
 fi
 cat <<EOF > /etc/dovecot/shared_namespace.conf
 # Autogenerated by mailcow
-namespace shared {
+namespace {
     type = shared
     separator = /
-    prefix = Shared/\$user/
-    mail_driver = maildir
-    mail_path = %{owner_home}${MAILDIR_SUB_SHARED}
-    mail_index_private_path = ~${MAILDIR_SUB_SHARED}/Shared/%{owner_user}
+    prefix = Shared/%%u/
+    location = maildir:%%h${MAILDIR_SUB_SHARED}:INDEX=~${MAILDIR_SUB_SHARED}/Shared/%%u
     subscriptions = no
     list = children
 }
@@ -218,7 +197,7 @@ EOF
 cat <<EOF > /etc/dovecot/sogo_trusted_ip.conf
 # Autogenerated by mailcow
 remote ${IPV4_NETWORK}.248 {
-  auth_allow_cleartext = yes
+  disable_plaintext_auth = no
 }
 EOF
 
@@ -227,13 +206,9 @@ RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
 echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass
 cat <<EOF > /etc/dovecot/sogo-sso.conf
 # Autogenerated by mailcow
-passdb static {
-  fields {
-    allow_real_nets=${IPV4_NETWORK}.248/32
-  }
-
-  password={plain}${RAND_PASS}
-  
+passdb {
+  driver = static
+  args = allow_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS}
 }
 EOF
 
@@ -261,9 +236,9 @@ fi
 if [[ "${SKIP_FTS}" =~ ^([nN][oO]|[nN])+$ ]]; then
   echo -e "\e[94mConfiguring FTS Settings...\e[0m"
   echo -e "\e[94mSetting FTS Memory Limit (per process) to ${FTS_HEAP} MB\e[0m"
-  sed -i "s/vsz_limit\s*=\s*[0-9]*\s*MB*/vsz_limit=${FTS_HEAP} MB/" /etc/dovecot/conf.d/35-fts.conf
+  sed -i "s/vsz_limit\s*=\s*[0-9]*\s*MB*/vsz_limit=${FTS_HEAP} MB/" /etc/dovecot/conf.d/fts.conf
   echo -e "\e[94mSetting FTS Process Limit to ${FTS_PROCS}\e[0m"
-  sed -i "s/process_limit\s*=\s*[0-9]*/process_limit=${FTS_PROCS}/" /etc/dovecot/conf.d/35-fts.conf
+  sed -i "s/process_limit\s*=\s*[0-9]*/process_limit=${FTS_PROCS}/" /etc/dovecot/conf.d/fts.conf
 fi
 
 # 401 is user dovecot
@@ -275,16 +250,16 @@ else
 	chown 401 /mail_crypt/ecprivkey.pem /mail_crypt/ecpubkey.pem
 fi
 
-# # Fix OpenSSL 3.X TLS1.0, 1.1 support (https://community.mailcow.email/d/4062-hi-all/20)
-# if grep -qE 'ssl_min_protocol\s*=\s*(TLSv1|TLSv1\.1)\s*$' /etc/dovecot/dovecot.conf /etc/dovecot/extra.conf; then
-#     sed -i '/\[openssl_init\]/a ssl_conf = ssl_configuration' /etc/ssl/openssl.cnf
+# Fix OpenSSL 3.X TLS1.0, 1.1 support (https://community.mailcow.email/d/4062-hi-all/20)
+if grep -qE 'ssl_min_protocol\s*=\s*(TLSv1|TLSv1\.1)\s*$' /etc/dovecot/dovecot.conf /etc/dovecot/extra.conf; then
+    sed -i '/\[openssl_init\]/a ssl_conf = ssl_configuration' /etc/ssl/openssl.cnf
 
-#     echo "[ssl_configuration]" >> /etc/ssl/openssl.cnf
-#     echo "system_default = tls_system_default" >> /etc/ssl/openssl.cnf
-#     echo "[tls_system_default]" >> /etc/ssl/openssl.cnf
-#     echo "MinProtocol = TLSv1" >> /etc/ssl/openssl.cnf
-#     echo "CipherString = DEFAULT@SECLEVEL=0" >> /etc/ssl/openssl.cnf
-# fi
+    echo "[ssl_configuration]" >> /etc/ssl/openssl.cnf
+    echo "system_default = tls_system_default" >> /etc/ssl/openssl.cnf
+    echo "[tls_system_default]" >> /etc/ssl/openssl.cnf
+    echo "MinProtocol = TLSv1" >> /etc/ssl/openssl.cnf
+    echo "CipherString = DEFAULT@SECLEVEL=0" >> /etc/ssl/openssl.cnf
+fi
 
 # Compile sieve scripts
 sievec /var/vmail/sieve/global_sieve_before.sieve

data/Dockerfiles/unbound/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.23
+FROM alpine:3.21
 
 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 

data/Dockerfiles/watchdog/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.23
+FROM alpine:3.21
 
 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 

data/conf/acme/dns-101.conf

@@ -0,0 +1,3 @@
+# Add here your DNS-01 challenge configuration
+# For more information, visit the acme.sh documentation:
+# https://github.com/acmesh-official/acme.sh/wiki/dnsapi

data/conf/dovecot/auth/passwd-verify.lua

@@ -1,5 +1,4 @@
 function auth_password_verify(request, password)
-  request.domain = request.auth_user:match("@(.+)") or nil
   if request.domain == nil then
     return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
   end
@@ -10,10 +9,10 @@ function auth_password_verify(request, password)
   https.TIMEOUT = 30
 
   local req = {
-    username = request.auth_user,
+    username = request.user,
     password = password,
-    real_rip = request.remote_ip,
-    service = request.protocol
+    real_rip = request.real_rip,
+    service = request.service
   }
   local req_json = json.encode(req)
   local res = {}
@@ -34,6 +33,7 @@ function auth_password_verify(request, password)
   -- Returning PASSDB_RESULT_INTERNAL_FAILURE keeps the existing cache entry,
   -- even if the TTL has expired. Useful to avoid cache eviction during backend issues.
   if c ~= 200 and c ~= 401 then
+    dovecot.i_info("HTTP request failed with " .. c .. " for user " .. request.user)
     return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Upstream error"
   end
 
@@ -46,7 +46,7 @@ function auth_password_verify(request, password)
   end
 
   if response_json.success == true then
-    return dovecot.auth.PASSDB_RESULT_OK, { msg = "" }
+    return dovecot.auth.PASSDB_RESULT_OK, ""
   end
 
   return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate"
@@ -55,7 +55,3 @@ end
 function auth_passdb_lookup(req)
    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
 end
-
-function auth_passdb_get_cache_key()
-  return "%{protocol}:%{user | username}\t:%{password}"
-end

data/conf/dovecot/conf.d/05-core.conf

@@ -1,3 +0,0 @@
-# /etc/dovecot/conf.d/05-core.conf
-# Core, single-line settings that don't fit elsewhere.
-recipient_delimiter = +

data/conf/dovecot/conf.d/10-logging.conf

@@ -1,13 +0,0 @@
-# /etc/dovecot/conf.d/10-logging.conf
-# Logging and debug.
-#mail_debug = yes
-#auth_debug = yes
-#log_debug = category=fts-flatcurve
-log_path = syslog
-log_timestamp = "%Y-%m-%d %H:%M:%S "
-login_log_format_elements = "user=<%{user}> method=%{mechanism} rip=%{remote_ip} lip=%{local_ip} mpid=%{mail_pid} %{secured} session=<%{session}>"
-
-# Mail event logging.
-mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
-mail_log_fields = uid box msgid size
-mail_log_cached_only = yes

data/conf/dovecot/conf.d/10-mail.conf

@@ -1,10 +0,0 @@
-# /etc/dovecot/conf.d/10-mail.conf
-# Mail storage paths and core mail settings.
-mail_home = /var/vmail/%{user | domain }/%{user | username }
-mail_driver = maildir
-mail_path = ~/Maildir
-mail_index_path = /var/vmail_index/%{user}
-mail_plugins = </etc/dovecot/mail_plugins
-mail_shared_explicit_inbox = yes
-mailbox_list_storage_escape_char = "\\"
-mail_prefetch_count = 30

data/conf/dovecot/conf.d/10-ssl.conf

@@ -1,13 +0,0 @@
-# /etc/dovecot/conf.d/10-ssl.conf
-# TLS/SSL settings.
-ssl_min_protocol = TLSv1.2
-ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:!eNULL:!3DES:!MD5:!PSK:!DSS:!RC4:!SEED:!IDEA:+HIGH:+MEDIUM
-ssl_options = no_ticket
-#ssl_dh_parameters_length = 2048
-
-ssl_server {
-  prefer_ciphers = server
-  dh_file = /etc/ssl/mail/dhparams.pem
-  cert_file = /etc/ssl/mail/cert.pem
-  key_file = /etc/ssl/mail/key.pem
-}

data/conf/dovecot/conf.d/11-sql.conf

@@ -1,3 +0,0 @@
-# /etc/dovecot/conf.d/11-sql.conf
-# Default SQL driver used by SQL-based dicts/userdb.
-sql_driver = mysql

data/conf/dovecot/conf.d/12-mysql.conf

@@ -1,8 +0,0 @@
-# Autogenerated by mailcow - DO NOT TOUCH!
-mysql /var/run/mysqld/mysqld.sock {
-  dbname=mailcow
-  user=mailcow
-  password=D8O9BIivJc7Pb2VCfpAeLbAzUOZ0
-
-  ssl = no
-}

data/conf/dovecot/conf.d/12-storage-attachments.conf

@@ -1,7 +0,0 @@
-# /etc/dovecot/conf.d/12-storage-attachments.conf
-# External attachment storage.
-fs mail_ext_attachment {
-  fs_driver = posix
-  mail_ext_attachment_path = /var/attachments
-  mail_ext_attachment_min_size = 128k
-}

data/conf/dovecot/conf.d/15-performance.conf

@@ -1,10 +0,0 @@
-# /etc/dovecot/conf.d/15-performance.conf
-# Performance and mailbox tuning.
-# Enable only when you do not manually touch cur/.
-maildir_very_dirty_syncs = yes
-
-# NFS examples | Only modify if using NFS!:
-#mm ap_disable = yes
-#mail_fsync = always
-#mail_nfs_index = yes
-#mail_nfs_storage = yes

data/conf/dovecot/conf.d/20-auth.conf

@@ -1,40 +0,0 @@
-# /etc/dovecot/conf.d/20-auth.conf
-# Authentication mechanisms, master/user separation, passdb chain, auth cache.
-auth_mechanisms = plain login
-auth_allow_cleartext = yes
-auth_master_user_separator = *
-
-auth_cache_verify_password_with_worker = yes
-auth_cache_negative_ttl = 60s
-auth_cache_ttl = 300s
-auth_cache_size = 10M
-auth_verbose_passwords = sha1:6
-
-# 1) Lua password verification (blocking, return mapping).
-passdb lua {
-  driver = lua
-  lua_file = /etc/dovecot/auth/passwd-verify.lua
-  lua_settings {
-    blocking=yes
-    result_success = return-ok
-    result_failure = continue
-    result_internalfail = continue
-  }
-}
-
-# 2) Master password for master user logins.
-passdb master {
-  driver = passwd-file
-  passwd_file_path = /etc/dovecot/dovecot-master.passwd 
-  master = yes
-  skip = authenticated
-}
-
-# 3) Mandatory return layer: empty Lua (e.g. for forced reset).
-passdb empty-lua {
-  driver = lua
-  lua_file = /etc/dovecot/auth/passwd-verify.lua
-  lua_settings {
-    blocking = yes
-  }
-}

data/conf/dovecot/conf.d/20-userdb.conf

@@ -1,11 +0,0 @@
-# /etc/dovecot/conf.d/20-userdb.conf
-# User database chain.
-userdb passwd {
-  driver = passwd-file
-  passwd_file_path = /etc/dovecot/dovecot-master.userdb
-}
-
-userdb sql {
-  !include /etc/dovecot/sql/dovecot-dict-sql-userdb.conf
-  skip = found
-}

data/conf/dovecot/conf.d/25-services.conf

@@ -1,144 +0,0 @@
-# /etc/dovecot/conf.d/25-services.conf
-# All service listeners and workers.
-
-# doveadm remote admin
-# Set doveadm_password in extra.conf.
-service doveadm {
-  inet_listener doveadm {
-    port = 12345
-  }
-  vsz_limit = 2048 MB
-}
-
-# dict
-service dict {
-  unix_listener dict {
-    mode = 0660
-    user = vmail
-    group = vmail
-  }
-}
-
-# log
-service log {
-  user = dovenull
-}
-
-# config socket
-service config {
-  unix_listener config {
-    user = root
-    group = vmail
-    mode = 0660
-  }
-}
-
-# anvil socket
-service anvil {
-  unix_listener anvil {
-    user = vmail
-    group = vmail
-    mode = 0660
-  }
-}
-
-# auth sockets and inet
-service auth {
-  inet_listener auth-inet {
-    port = 10001
-  }
-  unix_listener auth-master {
-    mode = 0600
-    user = vmail
-  }
-  unix_listener auth-userdb {
-    mode = 0600
-    user = vmail
-  }
-  vsz_limit = 2G
-}
-
-# managesieve login
-service managesieve-login {
-  inet_listener sieve {
-    port = 4190
-  }
-  inet_listener sieve_haproxy {
-    port = 14190
-    haproxy = yes
-  }
-  service_restart_request_count = 1
-  process_min_avail = 2
-  vsz_limit = 1G
-}
-
-# imap login
-service imap-login {
-  service_restart_request_count = 1
-  process_min_avail = 2
-  process_limit = 10000
-  vsz_limit = 1G
-  user = dovenull
-  inet_listener imap_haproxy {
-    port = 10143
-    haproxy = yes
-  }
-  inet_listener imaps_haproxy {
-    port = 10993
-    ssl = yes
-    haproxy = yes
-  }
-}
-
-# pop3 login
-service pop3-login {
-  service_restart_request_count = 1
-  process_min_avail = 1
-  vsz_limit = 1G
-  inet_listener pop3_haproxy {
-    port = 10110
-    haproxy = yes
-  }
-  inet_listener pop3s_haproxy {
-    port = 10995
-    ssl = yes
-    haproxy = yes
-  }
-}
-
-# imap worker
-service imap {
-  executable = imap
-  user = vmail
-  vsz_limit = 1G
-}
-
-# managesieve worker
-service managesieve {
-  process_limit = 256
-}
-
-# lmtp
-service lmtp {
-  inet_listener lmtp-inet {
-    port = 24
-  }
-  user = vmail
-}
-
-# quota warning hook
-service quota-warning {
-  executable = script /usr/local/bin/quota_notify.py
-  user = vmail
-  unix_listener quota-warning {
-    user = vmail
-  }
-}
-
-# stats
-service stats {
-  unix_listener stats-writer {
-    mode = 0660
-    user = vmail
-  }
-}

data/conf/dovecot/conf.d/30-protocols.conf

@@ -1,17 +0,0 @@
-# /etc/dovecot/conf.d/30-protocols.conf
-# IMAP protocol specifics.
-protocol imap {
-  mail_plugins = </etc/dovecot/mail_plugins_imap
-  imap_metadata = yes
-}
-
-# LMTP protocol specifics.
-protocol lmtp {
-  mail_plugins = </etc/dovecot/mail_plugins_lmtp
-  auth_socket_path = /var/run/dovecot/auth-master
-}
-
-# ManageSieve protocol specifics.
-protocol sieve {
-  managesieve_logout_format = bytes=%i/%o
-}

data/conf/dovecot/conf.d/35-fts.conf

@@ -1,45 +0,0 @@
-# mailcow FTS Flatcurve Settings, change them as you like.
-
-# Maximum term length can be set via the 'maxlen' argument (maxlen is
-# specified in bytes, not number of UTF-8 characters)
-language_tokenizer_address_token_maxlen = 100
-language_tokenizer_generic_algorithm = simple
-language_tokenizer_generic_token_maxlen = 30
-
-# These are not flatcurve settings, but required for Dovecot FTS. See
-# Dovecot FTS Configuration link above for further information.
-language en {
-  default = yes
-  language_filters = lowercase snowball english-possessive stopwords
-}
-
-language de {
-  language_filters = lowercase snowball stopwords
-}
-
-language es {
-  language_filters = lowercase snowball stopwords
-}
-
-language_tokenizers = generic email-address
-
-fts_search_timeout = 300s
-
-fts_autoindex = yes
-# Tweak this setting if you only want to ensure big and frequent folders are indexed, not all.
-fts_autoindex_max_recent_msgs = 20
-fts flatcurve {
-  substring_search = no
-}
-
-### THIS PART WILL BE CHANGED BY MODIFYING mailcow.conf AUTOMATICALLY DURING RUNTIME! ###
-
-service indexer-worker {
-  # Max amount of simultaniously running indexer jobs.
-  process_limit=1
-
-  # Max amount of RAM used by EACH indexer process.
-  vsz_limit=128 MB
-}
-
-### THIS PART WILL BE CHANGED BY MODIFYING mailcow.conf AUTOMATICALLY DURING RUNTIME! ###

data/conf/dovecot/conf.d/40-acl.conf

@@ -1,12 +0,0 @@
-# /etc/dovecot/conf.d/40-acl.conf
-# ACL and shared mailboxes.
-imap_acl_allow_anyone = </etc/dovecot/acl_anyone
-
-acl_sharing_map {
-  dict file {
-    path = /var/vmail/shared-mailboxes.db
-  }
-}
-
-acl_driver = vfile
-acl_user = %{user}

data/conf/dovecot/conf.d/40-attributes.conf

@@ -1,7 +0,0 @@
-# /etc/dovecot/conf.d/40-attributes.conf
-# User/mail attributes.
-mail_attribute {
-  dict file {
-    path = /etc/dovecot/dovecot-attributes
-  }
-}

data/conf/dovecot/conf.d/50-quota.conf

@@ -1,25 +0,0 @@
-# /etc/dovecot/conf.d/50-quota.conf
-# Quota configuration and notifications.
-quota "User quota" {
-  driver = count
-
-  warning warn-95 {
-    quota_storage_percentage = 95
-    execute quota-warning {
-      args = 95 %{user}
-    }
-  }
-
-  warning warn-80 {
-    quota_storage_percentage = 80
-    execute quota-warning {
-      args = 80 %{user}
-    }
-  }
-}
-
-quota_clone {
-  dict proxy {
-    name = mysql_quota
-  }
-}

data/conf/dovecot/conf.d/60-sieve-pipeline.conf

@@ -1,97 +0,0 @@
-# /etc/dovecot/conf.d/60-sieve-pipeline.conf
-# Complete Sieve pipeline: personal/global scripts, plugins, limits, training.
-
-# Global before/after (file and dict)
-sieve_script before {
-  type = before
-  driver = file
-  path = /var/vmail/sieve/global_sieve_before.sieve
-}
-
-sieve_script before2 {
-  type = before
-  driver = dict
-  name = active
-  dict proxy {
-    name = sieve_before
-  }
-  bin_path = /var/vmail/sieve_before_bindir/%{user}
-}
-
-sieve_script after {
-  type = after
-  driver = file
-  path = /var/vmail/sieve/global_sieve_after.sieve
-}
-
-sieve_script after2 {
-  type = after
-  driver = dict
-  name = active
-  dict proxy {
-    name = sieve_after
-  }
-  bin_path = /var/vmail/sieve_after_bindir/%{user}
-}
-
-# Personal scripts
-sieve_script personal {
-  type = personal
-  driver = file
-  path = ~/sieve
-  active_path = ~/.dovecot.sieve
-}
-
-# Plugins and behavior
-sieve_plugins = sieve_imapsieve sieve_extprograms
-sieve_vacation_send_from_recipient = yes
-sieve_redirect_envelope_from = recipient
-
-# IMAPSieve training
-imapsieve_from Junk {
-  sieve_script ham {
-    type = before
-    cause = copy
-    path = /usr/lib/dovecot/sieve/report-ham.sieve
-  }
-}
-mailbox Junk {
-  sieve_script spam {
-    type = before
-    cause = copy
-    path = /usr/lib/dovecot/sieve/report-spam.sieve
-  }
-}
-
-# Extprograms and extensions
-sieve_pipe_bin_dir = /usr/lib/dovecot/sieve
-sieve_plugins {
-  sieve_extprograms = yes
-}
-sieve_global_extensions {
-  vnd.dovecot.pipe = yes
-  vnd.dovecot.execute = yes
-}
-
-# Limits and duplicate handling
-sieve_max_script_size = 1M
-sieve_max_redirects = 100
-sieve_max_actions = 101
-sieve_quota_script_count = 0
-sieve_quota_storage_size = 0
-sieve_vacation_min_period = 5s
-sieve_vacation_max_period = 365d
-sieve_vacation_default_period = 60s
-sieve_duplicate_default_period = 1m
-sieve_duplicate_max_period = 7d
-
-sieve_extensions {
-    vacation-seconds = yes
-    editheader = yes
-}
-
-# pipe sockets in /var/run/dovecot/sieve-pipe
-sieve_pipe_socket_dir = sieve-pipe
-
-# execute sockets in /var/run/dovecot/sieve-execute
-sieve_execute_socket_dir = sieve-execute

data/conf/dovecot/conf.d/70-crypto.conf

@@ -1,6 +0,0 @@
-# /etc/dovecot/conf.d/70-crypto.conf
-# Global mail-crypt keys.
-crypt_global_private_key global {
-  crypt_private_key_file = /mail_crypt/ecprivkey.pem
-}
-crypt_global_public_key_file = /mail_crypt/ecpubkey.pem

data/conf/dovecot/conf.d/80-compress.conf

@@ -1,3 +0,0 @@
-# /etc/dovecot/conf.d/80-compress.conf
-# Compression settings.
-mail_compress_write_method = lz4

data/conf/dovecot/conf.d/90-dict.conf

@@ -1,18 +0,0 @@
-# /etc/dovecot/conf.d/90-dict.conf
-# Dict declarations and SQL bindings.
-dict_server {
-  dict sieve_after {
-    driver = sql
-    !include /etc/dovecot/sql/dovecot-dict-sql-sieve_after.conf
-  }
-
-  dict sieve_before {
-    driver = sql
-    !include /etc/dovecot/sql/dovecot-dict-sql-sieve_before.conf
-  }
-
-  dict mysql_quota {
-    driver = sql
-    !include /etc/dovecot/sql/dovecot-dict-sql-quota.conf
-  }
-}

data/conf/dovecot/conf.d/90-limits.conf

@@ -1,7 +0,0 @@
-# /etc/dovecot/conf.d/90-limits.conf
-# Connection and memory limits; doveadm port.
-mail_max_userip_connections = 500
-imap_max_line_length = 2 M
-default_client_limit = 10400
-default_vsz_limit = 1024 M
-doveadm_port = 12345

data/conf/dovecot/conf.d/99-includes.conf

@@ -1,22 +0,0 @@
-# /etc/dovecot/conf.d/99-includes.conf
-# Late includes and site-specific bits.
-
-# Mailbox layout includes (if used)
-!include /etc/dovecot/dovecot.folders.conf
-
-# Optional replication
-!include_try /etc/dovecot/mail_replica.conf
-
-# Existing includes you already had
-!include_try /etc/dovecot/sni.conf
-!include_try /etc/dovecot/sogo_trusted_ip.conf
-!include_try /etc/dovecot/shared_namespace.conf
-!include_try /etc/dovecot/conf.d/fts.conf
-
-# Remote auth override
-remote 127.0.0.1 {
-  auth_allow_cleartext = yes
-}
-
-# Outbound submission target
-submission_host = postfix:588

data/conf/dovecot/conf.d/fts.conf

@@ -0,0 +1,37 @@
+# mailcow FTS Flatcurve Settings, change them as you like.
+plugin {
+    fts_autoindex = yes
+    fts_autoindex_exclude = \Junk
+    fts_autoindex_exclude2 = \Trash
+    # Tweak this setting if you only want to ensure big and frequent folders are indexed, not all.
+    fts_autoindex_max_recent_msgs = 20
+    fts = flatcurve
+
+    # Maximum term length can be set via the 'maxlen' argument (maxlen is
+    # specified in bytes, not number of UTF-8 characters)
+    fts_tokenizer_email_address = maxlen=100
+    fts_tokenizer_generic = algorithm=simple maxlen=30
+
+    # These are not flatcurve settings, but required for Dovecot FTS. See
+    # Dovecot FTS Configuration link above for further information.
+    fts_languages = en es de
+    fts_tokenizers = generic email-address
+
+    # OPTIONAL: Recommended default FTS core configuration
+    fts_filters = normalizer-icu snowball stopwords
+    fts_filters_en = lowercase snowball english-possessive stopwords
+
+    fts_index_timeout = 300s
+}
+
+### THIS PART WILL BE CHANGED BY MODIFYING mailcow.conf AUTOMATICALLY DURING RUNTIME! ###
+
+service indexer-worker {
+  # Max amount of simultaniously running indexer jobs.
+  process_limit=1
+
+  # Max amount of RAM used by EACH indexer process.
+  vsz_limit=128 MB
+}
+
+### THIS PART WILL BE CHANGED BY MODIFYING mailcow.conf AUTOMATICALLY DURING RUNTIME! ###

data/conf/dovecot/dovecot.conf

@@ -1,34 +1,311 @@
-# /etc/dovecot/dovecot.conf
-# Base file kept minimal. All real config lives under conf.d/.
-dovecot_config_version = 2.4.0
-dovecot_storage_version = 2.4.0
+# --------------------------------------------------------------------------
+# Please create a file "extra.conf" for persistent overrides to dovecot.conf
+# --------------------------------------------------------------------------
+# LDAP example:
+#passdb {
+#  args = /etc/dovecot/ldap/passdb.conf
+#  driver = ldap
+#}
 
-listen = *,[::]
+auth_mechanisms = plain login
+#mail_debug = yes
+#auth_debug = yes
+#log_debug = category=fts-flatcurve # Activate Logging for Flatcurve FTS Searchings
+log_path = syslog
+disable_plaintext_auth = yes
+# Uncomment on NFS share
+#mmap_disable = yes
+#mail_fsync = always
+#mail_nfs_index = yes
+#mail_nfs_storage = yes
+login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"
+mail_home = /var/vmail/%d/%n
+mail_location = maildir:~/
+mail_plugins = </etc/dovecot/mail_plugins
+mail_attachment_fs = crypt:set_prefix=mail_crypt_global:posix:
+mail_attachment_dir = /var/attachments
+mail_attachment_min_size = 128k
+# Significantly speeds up very large mailboxes, but is only safe to enable if
+# you do not manually modify the files in the `cur` directories in
+# mailcowdockerized_vmail-vol-1.
+# https://docs.mailcow.email/manual-guides/Dovecot/u_e-dovecot-performance/
+maildir_very_dirty_syncs = yes
+
+# Dovecot 2.2
+#ssl_protocols = !SSLv3
+# Dovecot 2.3
+ssl_min_protocol = TLSv1.2
+
+ssl_prefer_server_ciphers = yes
+ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:!eNULL:!3DES:!MD5:!PSK:!DSS:!RC4:!SEED:!IDEA:+HIGH:+MEDIUM
+
+# Default in Dovecot 2.3
+ssl_options = no_compression no_ticket
+
+# New in Dovecot 2.3
+ssl_dh = </etc/ssl/mail/dhparams.pem
+# Dovecot 2.2
+#ssl_dh_parameters_length = 2048
+log_timestamp = "%Y-%m-%d %H:%M:%S "
+recipient_delimiter = +
+auth_master_user_separator = *
+mail_shared_explicit_inbox = yes
+mail_prefetch_count = 30
+passdb {
+  driver = lua
+  args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes cache_key=%s:%u:%w
+  result_success = return-ok
+  result_failure = continue
+  result_internalfail = continue
+}
+# try a master passwd
+passdb {
+  driver = passwd-file
+  args = /etc/dovecot/dovecot-master.passwd
+  master = yes
+  skip = authenticated
+}
+# check for regular password - if empty (e.g. force-passwd-reset), previous pass=yes passdbs also fail
+# a return of the following passdb is mandatory
+passdb {
+  driver = lua
+  args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes
+}
+# Set doveadm_password=your-secret-password in data/conf/dovecot/extra.conf (create if missing)
+service doveadm {
+  inet_listener {
+    port = 12345
+  }
+  vsz_limit=2048 MB
+}
+!include /etc/dovecot/dovecot.folders.conf
 protocols = imap sieve lmtp pop3
+service dict {
+  unix_listener dict {
+    mode = 0660
+    user = vmail
+    group = vmail
+  }
+}
+service log {
+  user = dovenull
+}
+service config {
+  unix_listener config {
+    user = root
+    group = vmail
+    mode = 0660
+  }
+}
+service auth {
+  inet_listener auth-inet {
+    port = 10001
+  }
+  unix_listener auth-master {
+    mode = 0600
+    user = vmail
+  }
+  unix_listener auth-userdb {
+    mode = 0600
+    user = vmail
+  }
+  vsz_limit = 2G
+}
+service managesieve-login {
+  inet_listener sieve {
+    port = 4190
+  }
+  inet_listener sieve_haproxy {
+    port = 14190
+    haproxy = yes
+  }
+  service_count = 1
+  process_min_avail = 2
+  vsz_limit = 1G
+}
+service imap-login {
+  service_count = 1
+  process_min_avail = 2
+  process_limit = 10000
+  vsz_limit = 1G
+  user = dovenull
+  inet_listener imap_haproxy {
+    port = 10143
+    haproxy = yes
+  }
+  inet_listener imaps_haproxy {
+    port = 10993
+    ssl = yes
+    haproxy = yes
+  }
+}
+service pop3-login {
+  service_count = 1
+  process_min_avail = 1
+  vsz_limit = 1G
+  inet_listener pop3_haproxy {
+    port = 10110
+    haproxy = yes
+  }
+  inet_listener pop3s_haproxy {
+    port = 10995
+    ssl = yes
+    haproxy = yes
+  }
+}
+service imap {
+  executable = imap
+  user = vmail
+  vsz_limit = 1G
+}
+service managesieve {
+  process_limit = 256
+}
+service lmtp {
+  inet_listener lmtp-inet {
+    port = 24
+  }
+  user = vmail
+}
+listen = *,[::]
+ssl_cert = </etc/ssl/mail/cert.pem
+ssl_key = </etc/ssl/mail/key.pem
+userdb {
+  driver = passwd-file
+  args = /etc/dovecot/dovecot-master.userdb
+}
+userdb {
+  args = /etc/dovecot/sql/dovecot-dict-sql-userdb.conf
+  driver = sql
+  skip = found
+}
+protocol imap {
+  mail_plugins = </etc/dovecot/mail_plugins_imap
+  imap_metadata = yes
+}
+mail_attribute_dict = file:%h/dovecot-attributes
+protocol lmtp {
+  mail_plugins = </etc/dovecot/mail_plugins_lmtp
+  auth_socket_path = /var/run/dovecot/auth-master
+}
+protocol sieve {
+  managesieve_logout_format = bytes=%i/%o
+}
+plugin {
+  # Allow "any" or "authenticated" to be used in ACLs
+  acl_anyone = </etc/dovecot/acl_anyone
+  acl_shared_dict = file:/var/vmail/shared-mailboxes.db
+  acl = vfile
+  acl_user = %u
+  quota = dict:Userquota::proxy::sqlquota
+  quota_rule2 = Trash:storage=+100%%
+  sieve = /var/vmail/sieve/%u.sieve
+  sieve_plugins = sieve_imapsieve sieve_extprograms
+  sieve_vacation_send_from_recipient = yes
+  sieve_redirect_envelope_from = recipient
+  # From elsewhere to Spam folder
+  imapsieve_mailbox1_name = Junk
+  imapsieve_mailbox1_causes = COPY
+  imapsieve_mailbox1_before = file:/usr/lib/dovecot/sieve/report-spam.sieve
+  # END
+  # From Spam folder to elsewhere
+  imapsieve_mailbox2_name = *
+  imapsieve_mailbox2_from = Junk
+  imapsieve_mailbox2_causes = COPY
+  imapsieve_mailbox2_before = file:/usr/lib/dovecot/sieve/report-ham.sieve
+  # END
+  master_user = %u
+  quota_warning = storage=95%% quota-warning 95 %u
+  quota_warning2 = storage=80%% quota-warning 80 %u
+  sieve_pipe_bin_dir = /usr/lib/dovecot/sieve
+  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
+  sieve_extensions = +notify +imapflags +vacation-seconds +editheader
+  sieve_max_script_size = 1M
+  sieve_max_redirects = 100
+  sieve_max_actions = 101
+  sieve_quota_max_scripts = 0
+  sieve_quota_max_storage = 0
+  listescape_char = "\\"
+  sieve_vacation_min_period = 5s
+  sieve_vacation_max_period = 0
+  sieve_vacation_default_period = 60s
+  sieve_before = /var/vmail/sieve/global_sieve_before.sieve
+  sieve_before2 = dict:proxy::sieve_before;name=active;bindir=/var/vmail/sieve_before_bindir
+  sieve_after = dict:proxy::sieve_after;name=active;bindir=/var/vmail/sieve_after_bindir
+  sieve_after2 = /var/vmail/sieve/global_sieve_after.sieve
+  sieve_duplicate_default_period = 1m
+  sieve_duplicate_max_period = 7d
 
-!include_try /etc/dovecot/conf.d/05-core.conf
-!include_try /etc/dovecot/conf.d/10-logging.conf
-!include_try /etc/dovecot/conf.d/10-mail.conf
-!include_try /etc/dovecot/conf.d/10-ssl.conf
-!include_try /etc/dovecot/conf.d/11-sql.conf
-!include_try /etc/dovecot/conf.d/12-mysql.conf
-!include_try /etc/dovecot/conf.d/12-storage-attachments.conf
-!include_try /etc/dovecot/conf.d/15-performance.conf
-!include_try /etc/dovecot/conf.d/20-auth.conf
-!include_try /etc/dovecot/conf.d/20-userdb.conf
-!include_try /etc/dovecot/conf.d/25-services.conf
-!include_try /etc/dovecot/conf.d/30-protocols.conf
-!include_try /etc/dovecot/conf.d/35-fts.conf
-!include_try /etc/dovecot/conf.d/40-acl.conf
-!include_try /etc/dovecot/conf.d/40-attributes.conf
-!include_try /etc/dovecot/conf.d/50-quota.conf
-!include_try /etc/dovecot/conf.d/60-sieve-pipeline.conf
-!include_try /etc/dovecot/conf.d/70-crypto.conf
-!include_try /etc/dovecot/conf.d/80-compress.conf
-!include_try /etc/dovecot/conf.d/80-mail-logging.conf
-!include_try /etc/dovecot/conf.d/90-limits.conf
-!include_try /etc/dovecot/conf.d/90-dict.conf
-!include_try /etc/dovecot/conf.d/99-includes.conf
+  # -- Global keys
+  mail_crypt_global_private_key = </mail_crypt/ecprivkey.pem
+  mail_crypt_global_public_key = </mail_crypt/ecpubkey.pem
+  mail_crypt_save_version = 2
 
-# Last: local overrides
-!include_try /etc/dovecot/extra.conf
+  # Enable compression while saving, lz4 Dovecot v2.3.17+
+  zlib_save = lz4
+
+  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
+  mail_log_fields = uid box msgid size
+  mail_log_cached_only = yes
+
+  # Try set mail_replica
+  !include_try /etc/dovecot/mail_replica.conf
+}
+service quota-warning {
+  executable = script /usr/local/bin/quota_notify.py
+  # use some unprivileged user for executing the quota warnings
+  user = vmail
+  unix_listener quota-warning {
+    user = vmail
+  }
+}
+dict {
+  sqlquota = mysql:/etc/dovecot/sql/dovecot-dict-sql-quota.conf
+  sieve_after = mysql:/etc/dovecot/sql/dovecot-dict-sql-sieve_after.conf
+  sieve_before = mysql:/etc/dovecot/sql/dovecot-dict-sql-sieve_before.conf
+}
+remote 127.0.0.1 {
+  disable_plaintext_auth = no
+}
+submission_host = postfix:588
+mail_max_userip_connections = 500
+service stats {
+  unix_listener stats-writer {
+    mode = 0660
+    user = vmail
+  }
+}
+imap_max_line_length = 2 M
+auth_cache_verify_password_with_worker = yes
+auth_cache_negative_ttl = 60s
+auth_cache_ttl = 300s
+auth_cache_size = 10M
+auth_verbose_passwords = sha1:6
+service replicator {
+  process_min_avail = 1
+}
+service aggregator {
+  fifo_listener replication-notify-fifo {
+    user = vmail
+  }
+  unix_listener replication-notify {
+    user = vmail
+  }
+}
+service replicator {
+  unix_listener replicator-doveadm {
+    mode = 0666
+  }
+}
+replication_max_conns = 10
+doveadm_port = 12345
+replication_dsync_parameters = -d -l 30 -U -n INBOX
+# <Includes>
+!include_try /etc/dovecot/sni.conf
+!include_try /etc/dovecot/sogo_trusted_ip.conf
+!include_try /etc/dovecot/extra.conf
+!include_try /etc/dovecot/shared_namespace.conf
+!include_try /etc/dovecot/conf.d/fts.conf
+# </Includes>
+default_client_limit = 10400
+default_vsz_limit = 1024 M

data/conf/dovecot/dovecot.folders.conf

@@ -1,14 +1,10 @@
 namespace inbox {
   inbox = yes
+  location =
   separator = /
-  mailbox storage/* {
-    quota_storage_extra = 100M
-  }
   mailbox "Trash" {
     auto = subscribe
     special_use = \Trash
-    quota_storage_percentage = 100
-    fts_autoindex = no
   }
   mailbox "Deleted Messages" {
     special_use = \Trash
@@ -199,7 +195,6 @@ namespace inbox {
   mailbox "Junk" {
     auto = subscribe
     special_use = \Junk
-    fts_autoindex = no
   }
   mailbox "Junk-E-Mail" {
     special_use = \Junk

data/web/inc/functions.mailbox.inc.php

@@ -9,6 +9,10 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
   $_data_log = $_data;
   !isset($_data_log['password']) ?: $_data_log['password'] = '*';
   !isset($_data_log['password2']) ?: $_data_log['password2'] = '*';
+
+  // Track mailboxes affected by alias operations for incremental SOGo updates
+  $update_sogo_mailboxes = array();
+
   switch ($_action) {
     case 'add':
       switch ($_type) {
@@ -886,6 +890,17 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
               'msg' => array('alias_added', $address, $id)
             );
+
+            // Track affected mailboxes for SOGo update
+            if (!empty($goto)) {
+              $gotos = array_map('trim', explode(',', $goto));
+              foreach ($gotos as $g) {
+                if (filter_var($g, FILTER_VALIDATE_EMAIL) &&
+                    !in_array($g, array('null@localhost', 'spam@localhost', 'ham@localhost'))) {
+                  $update_sogo_mailboxes[] = $g;
+                }
+              }
+            }
           }
         break;
         case 'alias_domain':
@@ -1368,15 +1383,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             ), $_extra);
           }
 
-          try {
-            update_sogo_static_view($username);
-          } catch (PDOException $e) {
-            $_SESSION['return'][] = array(
-              'type' => 'danger',
-              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-              'msg' => $e->getMessage()
-            );
-          }
+          // Track affected mailboxes for SOGo update
+          $update_sogo_mailboxes[] = $username;
           $_SESSION['return'][] = array(
             'type' => 'success',
             'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1607,6 +1615,9 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
             'msg' => array('resource_added', htmlspecialchars($name))
           );
+
+          // Track affected mailboxes for SOGo update
+          $update_sogo_mailboxes[] = $name;
         break;
         case 'domain_templates':
           if ($_SESSION['mailcow_cc_role'] != "admin") {
@@ -2725,6 +2736,28 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
               'msg' => array('alias_modified', htmlspecialchars($address))
             );
+
+            // Track affected mailboxes for SOGo update (both old and new goto addresses)
+            // Old goto: to remove alias from their view
+            if (!empty($is_now['goto'])) {
+              $old_gotos = array_map('trim', explode(',', $is_now['goto']));
+              foreach ($old_gotos as $g) {
+                if (filter_var($g, FILTER_VALIDATE_EMAIL) &&
+                    !in_array($g, array('null@localhost', 'spam@localhost', 'ham@localhost'))) {
+                  $update_sogo_mailboxes[] = $g;
+                }
+              }
+            }
+            // New goto: to add alias to their view
+            if (!empty($goto)) {
+              $new_gotos = array_map('trim', explode(',', $goto));
+              foreach ($new_gotos as $g) {
+                if (filter_var($g, FILTER_VALIDATE_EMAIL) &&
+                    !in_array($g, array('null@localhost', 'spam@localhost', 'ham@localhost'))) {
+                  $update_sogo_mailboxes[] = $g;
+                }
+              }
+            }
           }
         break;
         case 'domain':
@@ -3439,15 +3472,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               'msg' => array('mailbox_modified', $username)
             );
 
-            try {
-              update_sogo_static_view($username);
-            } catch (PDOException $e) {
-              $_SESSION['return'][] = array(
-                'type' => 'danger',
-                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-                'msg' => $e->getMessage()
-              );
-            }
+            // Track affected mailboxes for SOGo update
+            $update_sogo_mailboxes[] = $username;
           }
           return true;
         break;
@@ -4076,6 +4102,9 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
               'msg' => array('resource_modified', htmlspecialchars($name))
             );
+
+            // Track affected mailboxes for SOGo update
+            $update_sogo_mailboxes[] = $name;
           }
         break;
         case 'domain_wide_footer':
@@ -5780,6 +5809,18 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               );
               continue;
             }
+
+            // Track affected mailboxes for SOGo update (capture before deletion)
+            if (!empty($alias_data['goto'])) {
+              $gotos = array_map('trim', explode(',', $alias_data['goto']));
+              foreach ($gotos as $g) {
+                if (filter_var($g, FILTER_VALIDATE_EMAIL) &&
+                    !in_array($g, array('null@localhost', 'spam@localhost', 'ham@localhost'))) {
+                  $update_sogo_mailboxes[] = $g;
+                }
+              }
+            }
+
             $stmt = $pdo->prepare("DELETE FROM `alias` WHERE `id` = :id");
             $stmt->execute(array(
               ':id' => $alias_data['id']
@@ -6038,20 +6079,14 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               continue;
             }
 
-            try {
-              update_sogo_static_view($username);
-            }catch (PDOException $e) {
-              $_SESSION['return'][] = array(
-                'type' => 'success',
-                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-                'msg' => $e->getMessage()
-              );
-            }
             $_SESSION['return'][] = array(
               'type' => 'success',
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
               'msg' => array('mailbox_removed', htmlspecialchars($username))
             );
+
+            // Track affected mailboxes for SOGo update
+            $update_sogo_mailboxes[] = $username;
           }
           return true;
         break;
@@ -6153,6 +6188,9 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
               'msg' => array('resource_removed', htmlspecialchars($name))
             );
+
+            // Track affected mailboxes for SOGo update
+            $update_sogo_mailboxes[] = $name;
           }
         break;
         case 'tags_domain':
@@ -6259,9 +6297,21 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
       }
     break;
   }
-  if ($_action != 'get' && in_array($_type, array('domain', 'alias', 'alias_domain', 'resource')) && getenv('SKIP_SOGO') != "y") {
+  if ($_action != 'get' && in_array($_type, array('domain', 'alias', 'alias_domain', 'resource', 'mailbox')) && getenv('SKIP_SOGO') != "y") {
     try {
-      update_sogo_static_view();
+      if (($_type == 'alias' || $_type == 'resource' || $_type == 'mailbox') && !empty($update_sogo_mailboxes)) {
+        // INCREMENTAL UPDATE: Update only affected mailboxes/resources
+        $update_sogo_mailboxes = array_unique($update_sogo_mailboxes);
+        foreach ($update_sogo_mailboxes as $mailbox) {
+          update_sogo_static_view($mailbox);
+        }
+      }
+      else {
+        // FULL REBUILD: For domain and alias_domain operations or if no tracked mailboxes
+        // Domain operations affect all mailboxes
+        // Alias_domain operations affect entire target domain
+        update_sogo_static_view();
+      }
     }catch (PDOException $e) {
       $_SESSION['return'][] = array(
         'type' => 'success',

data/web/lang/lang.de-de.json

@@ -686,6 +686,8 @@
         "extended_sender_acl_info": "Der DKIM-Domainkey der externen Absenderdomain sollte in diesen Server importiert werden, falls vorhanden.<br>\r\n  Wird SPF verwendet, muss diesem Server der Versand gestattet werden.<br>\r\n  Wird eine Domain oder Alias-Domain zu diesem Server hinzugefügt, die sich mit der externen Absenderadresse überschneidet, wird der externe Absender hier entfernt.<br>\r\n  Ein Eintrag @domain.tld erlaubt den Versand als *@domain.tld",
         "force_pw_update": "Erzwinge Passwortänderung bei nächstem Login",
         "force_pw_update_info": "Dem Benutzer wird lediglich der Zugang zur %s ermöglicht, App Passwörter funktionieren weiterhin.",
+        "force_tfa": "Zwei-Faktor-Authentifizierung beim Login erzwingen",
+        "force_tfa_info": "Der Benutzer muss Zwei-Faktor-Authentifizierung einrichten, bevor er auf den Bereich zugreifen kann.",
         "footer_exclude": "von Fußzeile ausschließen",
         "full_name": "Voller Name",
         "gal": "Globales Adressbuch",
@@ -1239,7 +1241,8 @@
         "force_tfa_info": "Der Benutzer muss Zwei-Faktor-Authentifizierung einrichten, bevor er auf den Bereich zugreifen kann.",
         "setup_title": "Zwei-Faktor-Authentifizierung erforderlich",
         "setup_required": "Ihr Konto erfordert Zwei-Faktor-Authentifizierung. Bitte richten Sie eine 2FA-Methode ein, um fortzufahren.",
-        "cancel_setup": "Abbrechen und abmelden"
+        "cancel_setup": "Abbrechen und abmelden",
+        "disable_tfa_blocked": "Die Zwei-Faktor-Authentifizierung kann nicht deaktiviert werden, da sie für dieses Konto erforderlich ist."
     },
     "user": {
         "action": "Aktion",

data/web/lang/lang.si-si.json

@@ -557,8 +557,7 @@
         "max_age_invalid": "Najvišja starost %s je neveljavna",
         "mode_invalid": "Način %s ni veljaven",
         "mx_invalid": "Zapis MX %s je neveljaven",
-        "version_invalid": "Različica %s je neveljavna",
-        "tfa_removal_blocked": "Dvofaktorske avtentikacije ni mogoče odstraniti, ker je obvezna za vaš račun."
+        "version_invalid": "Različica %s je neveljavna"
     },
     "debug": {
         "containers_info": "Informacije o zabojniku",
@@ -1233,12 +1232,7 @@
         "u2f_deprecated_important": "Prosimo, registrirajte svoj ključ v skrbniški plošči z novo metodo WebAuthn.",
         "waiting_usb_auth": "<i>Čakanje na napravo USB ...</i><br><br>Zdaj se dotaknite gumba na napravi USB.",
         "waiting_usb_register": "<i>Čakanje na napravo USB ...</i><br><br>Vnesite svoje geslo zgoraj in potrdite registracijo tako, da tapnete gumb na napravi USB.",
-        "yubi_otp": "Avtentikacija z enkratnim geslom Yubico",
-        "force_tfa": "Vsiljena registracija 2FA ob prijavi",
-        "force_tfa_info": "Uporabnik bo moral pred dostopom do nadzorne plošče nastaviti dvofaktorsko overjanje.",
-        "setup_title": "Zahtevana je dvofaktorska avtentikacija",
-        "setup_required": "Vaš račun zahteva dvofaktorsko overjanje. Za nadaljevanje nastavite metodo dvofaktorske overitve.",
-        "cancel_setup": "Prekliči in se odjavi"
+        "yubi_otp": "Avtentikacija z enkratnim geslom Yubico"
     },
     "ratelimit": {
         "disabled": "Onemogočeno",
@@ -1419,8 +1413,7 @@
         "syncjob_EX_OK": "Uspeh",
         "expire_never": "Nikoli ne poteče",
         "forever": "Za vedno",
-        "spam_aliases_info": "Vzdevek za neželeno pošto je začasni e-poštni naslov, ki ga je mogoče uporabiti za zaščito pravih e-poštnih naslovov. <br>Po želji je mogoče nastaviti čas poteka veljavnosti, tako da se vzdevek po določenem obdobju samodejno deaktivira, s čimer se učinkovito znebite zlorabljenih ali razkritih naslovov.",
-        "pw_update_required": "Za vaš račun je potrebna sprememba gesla. Za nadaljevanje nastavite novo geslo."
+        "spam_aliases_info": "Vzdevek za neželeno pošto je začasni e-poštni naslov, ki ga je mogoče uporabiti za zaščito pravih e-poštnih naslovov. <br>Po želji je mogoče nastaviti čas poteka veljavnosti, tako da se vzdevek po določenem obdobju samodejno deaktivira, s čimer se učinkovito znebite zlorabljenih ali razkritih naslovov."
     },
     "warning": {
         "cannot_delete_self": "Prijavljenega uporabnika ni mogoče izbrisati",

docker-compose.yml

@@ -1,7 +1,7 @@
 services:
 
     unbound-mailcow:
-      image: ghcr.io/mailcow/unbound:1.25
+      image: ghcr.io/mailcow/unbound:1.24
       environment:
         - TZ=${TZ}
         - SKIP_UNBOUND_HEALTHCHECK=${SKIP_UNBOUND_HEALTHCHECK:-n}
@@ -117,7 +117,7 @@ services:
             - rspamd
 
     php-fpm-mailcow:
-      image: ghcr.io/mailcow/phpfpm:8.2.29-2
+      image: ghcr.io/mailcow/phpfpm:8.2.29-1
       command: "php-fpm -d date.timezone=${TZ} -d expose_php=0"
       depends_on:
         - redis-mailcow
@@ -339,7 +339,7 @@ services:
             - dovecot
 
     postfix-mailcow:
-      image: ghcr.io/mailcow/postfix:3.7.11-2
+      image: ghcr.io/mailcow/postfix:3.7.11-1
       depends_on:
         mysql-mailcow:
           condition: service_started
@@ -382,7 +382,7 @@ services:
             - postfix
 
     postfix-tlspol-mailcow:
-      image: ghcr.io/mailcow/postfix-tlspol:1.8.23
+      image: ghcr.io/mailcow/postfix-tlspol:1.8.22
       depends_on:
         unbound-mailcow:
           condition: service_healthy
@@ -419,7 +419,7 @@ services:
         - php-fpm-mailcow
         - sogo-mailcow
         - rspamd-mailcow
-      image: ghcr.io/mailcow/nginx:1.06
+      image: ghcr.io/mailcow/nginx:1.05
       dns:
         - ${IPV4_NETWORK:-172.22.1}.254
       environment:
@@ -465,7 +465,7 @@ services:
           condition: service_started
         unbound-mailcow:
           condition: service_healthy
-      image: ghcr.io/mailcow/acme:1.96
+      image: ghcr.io/mailcow/acme:1.95
       dns:
         - ${IPV4_NETWORK:-172.22.1}.254
       environment:
@@ -506,7 +506,7 @@ services:
             - acme
 
     netfilter-mailcow:
-      image: ghcr.io/mailcow/netfilter:1.64
+      image: ghcr.io/mailcow/netfilter:1.63
       stop_grace_period: 30s
       restart: always
       privileged: true
@@ -601,7 +601,7 @@ services:
             - watchdog
 
     dockerapi-mailcow:
-      image: ghcr.io/mailcow/dockerapi:2.12
+      image: ghcr.io/mailcow/dockerapi:2.11a
       security_opt:
         - label=disable
       restart: always