[SOGo] Add path compatibility symlink for custom theming

2026-03-30 18:32:44 +00:00 · 2026-03-11 08:50:36 +01:00
19 changed files with 41 additions and 177 deletions
--- a/data/Dockerfiles/acme/acme.sh
+++ b/data/Dockerfiles/acme/acme.sh
@@ -253,20 +253,10 @@ while true; do
    unset VALIDATED_CONFIG_DOMAINS_SUBDOMAINS
    declare -a VALIDATED_CONFIG_DOMAINS_SUBDOMAINS
    for SUBDOMAIN in "${ADDITIONAL_WC_ARR[@]}"; do
-      FULL_SUBDOMAIN="${SUBDOMAIN}.${SQL_DOMAIN}"
-
-      # Skip if subdomain matches MAILCOW_HOSTNAME
-      if [[ "${FULL_SUBDOMAIN}" == "${MAILCOW_HOSTNAME}" ]]; then
-        continue
-      fi
-      # Skip if subdomain is covered by a wildcard in ADDITIONAL_SAN
-      if is_covered_by_wildcard "${FULL_SUBDOMAIN}"; then
-        log_f "Subdomain '${FULL_SUBDOMAIN}' is covered by wildcard - skipping explicit subdomain"
-        continue
-      fi
-      # Validate and add subdomain
-      if check_domain "${FULL_SUBDOMAIN}"; then
-        VALIDATED_CONFIG_DOMAINS_SUBDOMAINS+=("${FULL_SUBDOMAIN}")
+      if [[  "${SUBDOMAIN}.${SQL_DOMAIN}" != "${MAILCOW_HOSTNAME}" ]]; then
+        if check_domain "${SUBDOMAIN}.${SQL_DOMAIN}"; then
+          VALIDATED_CONFIG_DOMAINS_SUBDOMAINS+=("${SUBDOMAIN}.${SQL_DOMAIN}")
+        fi
      fi
    done
    VALIDATED_CONFIG_DOMAINS+=("${VALIDATED_CONFIG_DOMAINS_SUBDOMAINS[*]}")
@@ -283,10 +273,7 @@ while true; do
        fi
        # Only add mta-sts subdomain for alias domains
        if [[ "mta-sts.${alias_domain}" != "${MAILCOW_HOSTNAME}" ]]; then
-          # Skip if mta-sts subdomain is covered by a wildcard
-          if is_covered_by_wildcard "mta-sts.${alias_domain}"; then
-            log_f "Alias domain mta-sts subdomain 'mta-sts.${alias_domain}' is covered by wildcard - skipping"
-          elif check_domain "mta-sts.${alias_domain}"; then
+          if check_domain "mta-sts.${alias_domain}"; then
            VALIDATED_CONFIG_DOMAINS+=("mta-sts.${alias_domain}")
          fi
        fi
@@ -321,31 +308,13 @@ while true; do
  done
  fi

-  # Check if MAILCOW_HOSTNAME is covered by a wildcard in ADDITIONAL_SAN
-  MAILCOW_HOSTNAME_COVERED=0
-  if [[ ! -z ${VALIDATED_MAILCOW_HOSTNAME} ]]; then
-    if is_covered_by_wildcard "${VALIDATED_MAILCOW_HOSTNAME}"; then
-      MAILCOW_PARENT_DOMAIN=$(echo ${VALIDATED_MAILCOW_HOSTNAME} | cut -d. -f2-)
-      log_f "MAILCOW_HOSTNAME '${VALIDATED_MAILCOW_HOSTNAME}' is covered by wildcard '*.${MAILCOW_PARENT_DOMAIN}' - skipping explicit hostname"
-      MAILCOW_HOSTNAME_COVERED=1
-    fi
-  fi
-
  # Unique domains for server certificate
  if [[ ${ENABLE_SSL_SNI} == "y" ]]; then
    # create certificate for server name and fqdn SANs only
-    if [[ ${MAILCOW_HOSTNAME_COVERED} == "1" ]]; then
-      SERVER_SAN_VALIDATED=($(echo ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
-    else
-      SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
-    fi
+    SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
  else
    # create certificate for all domains, including all subdomains from other domains [*]
-    if [[ ${MAILCOW_HOSTNAME_COVERED} == "1" ]]; then
-      SERVER_SAN_VALIDATED=($(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
-    else
-      SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
-    fi
+    SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
  fi
  if [[ ! -z ${SERVER_SAN_VALIDATED[*]} ]]; then
    CERT_NAME=${SERVER_SAN_VALIDATED[0]}
--- a/data/Dockerfiles/acme/functions.sh
+++ b/data/Dockerfiles/acme/functions.sh
@@ -135,32 +135,3 @@ verify_challenge_path(){
    return 1
  fi
 }
-
-# Check if a domain is covered by a wildcard (*.example.com) in ADDITIONAL_SAN
-# Usage: is_covered_by_wildcard "subdomain.example.com"
-# Returns: 0 if covered, 1 if not covered
-# Note: Only returns 0 (covered) when DNS-01 challenge is enabled,
-#       as wildcards cannot be validated with HTTP-01 challenge
-is_covered_by_wildcard() {
-  local DOMAIN=$1
-
-  # Only skip if DNS challenge is enabled (wildcards require DNS-01)
-  if [[ ${ACME_DNS_CHALLENGE} != "y" ]]; then
-    return 1
-  fi
-
-  # Return early if no ADDITIONAL_SAN is set
-  if [[ -z ${ADDITIONAL_SAN} ]]; then
-    return 1
-  fi
-
-  # Extract parent domain (e.g., mail.example.com -> example.com)
-  local PARENT_DOMAIN=$(echo ${DOMAIN} | cut -d. -f2-)
-
-  # Check if ADDITIONAL_SAN contains a wildcard for this parent domain
-  if [[ "${ADDITIONAL_SAN}" == *"*.${PARENT_DOMAIN}"* ]]; then
-    return 0  # Covered by wildcard
-  fi
-
-  return 1  # Not covered
-}
--- a/data/Dockerfiles/dovecot/quarantine_notify.py
+++ b/data/Dockerfiles/dovecot/quarantine_notify.py
@@ -47,7 +47,7 @@ try:
  if max_score == "":
    max_score = 9999.0

-  def query_mysql(query, params = None, headers = True, update = False):
+  def query_mysql(query, headers = True, update = False):
    while True:
      try:
        cnx = MySQLdb.connect(user=os.environ.get('DBUSER'), password=os.environ.get('DBPASS'), database=os.environ.get('DBNAME'), charset="utf8mb4", collation="utf8mb4_general_ci")
@@ -57,10 +57,7 @@ try:
      else:
        break
    cur = cnx.cursor()
-    if params:
-      cur.execute(query, params)
-    else:
-      cur.execute(query)
+    cur.execute(query)
    if not update:
      result = []
      columns = tuple( [d[0] for d in cur.description] )
@@ -79,7 +76,7 @@ try:

  def notify_rcpt(rcpt, msg_count, quarantine_acl, category):
    if category == "add_header": category = "add header"
-    meta_query = query_mysql('SELECT `qhash`, id, subject, score, sender, created, action FROM quarantine WHERE notified = 0 AND rcpt = %s AND score < %s AND (action = %s OR "all" = %s)', (rcpt, max_score, category, category))
+    meta_query = query_mysql('SELECT `qhash`, id, subject, score, sender, created, action FROM quarantine WHERE notified = 0 AND rcpt = "%s" AND score < %f AND (action = "%s" OR "all" = "%s")' % (rcpt, max_score, category, category))
    print("%s: %d of %d messages qualify for notification" % (rcpt, len(meta_query), msg_count))
    if len(meta_query) == 0:
      return
@@ -133,7 +130,7 @@ try:
            server.sendmail(msg['From'], [str(redirect)] + [str(bcc)], text)
        server.quit()
        for res in meta_query:
-         query_mysql('UPDATE quarantine SET notified = 1 WHERE id = %s', (res['id'],), update = True)
+         query_mysql('UPDATE quarantine SET notified = 1 WHERE id = "%d"' % (res['id']), update = True)
        r.hset('Q_LAST_NOTIFIED', record['rcpt'], time_now)
        break
      except Exception as ex:
@@ -141,7 +138,7 @@ try:
        print('%s'  % (ex))
        time.sleep(3)

-  records = query_mysql('SELECT IFNULL(user_acl.quarantine, 0) AS quarantine_acl, count(id) AS counter, rcpt FROM quarantine LEFT OUTER JOIN user_acl ON user_acl.username = rcpt WHERE notified = 0 AND score < %s AND rcpt in (SELECT username FROM mailbox) GROUP BY rcpt', (max_score,))
+  records = query_mysql('SELECT IFNULL(user_acl.quarantine, 0) AS quarantine_acl, count(id) AS counter, rcpt FROM quarantine LEFT OUTER JOIN user_acl ON user_acl.username = rcpt WHERE notified = 0 AND score < %f AND rcpt in (SELECT username FROM mailbox) GROUP BY rcpt' % (max_score))

  for record in records:
    attrs = ''
@@ -159,7 +156,7 @@ try:
    except Exception as ex:
      print('Could not determine last notification for %s, assuming never' % (record['rcpt']))
      last_notification = 0
-    attrs_json = query_mysql('SELECT attributes FROM mailbox WHERE username = %s', (record['rcpt'],))
+    attrs_json = query_mysql('SELECT attributes FROM mailbox WHERE username = "%s"' % (record['rcpt']))
    attrs = attrs_json[0]['attributes']
    if isinstance(attrs, str):
      # if attr is str then just load it
--- a/data/Dockerfiles/sogo/Dockerfile
+++ b/data/Dockerfiles/sogo/Dockerfile
@@ -1,6 +1,6 @@
 # SOGo built from source to enable security patch application
 # Repository: https://github.com/Alinto/sogo
-# Version: SOGo-5.12.4
+# Version: SOGo-5.12.5
 #
 # Applied security patches:
 # -
@@ -161,6 +161,10 @@ RUN ln -s /usr/local/sbin/sogod /usr/sbin/sogod \
  && ln -s /usr/local/sbin/sogo-ealarms-notify /usr/sbin/sogo-ealarms-notify \
  && ln -s /usr/local/sbin/sogo-slapd-sockd /usr/sbin/sogo-slapd-sockd

+# Create compatibility symlink for old SOGo documentation path
+# Allows volume mounts using /usr/lib/GNUstep to work with /usr/local/lib/GNUstep
+RUN ln -sf /usr/local/lib/GNUstep /usr/lib/GNUstep
+
 # Copy configuration files and scripts
 COPY ./bootstrap-sogo.sh /bootstrap-sogo.sh
 COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -287,8 +287,6 @@ function user_login($user, $pass, $extra = null){
            return false;
          }

-          $row['attributes'] = json_decode($row['attributes'], true);
-
          // check for tfa authenticators
          $authenticators = get_tfa($user);
          if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
@@ -345,8 +343,6 @@ function user_login($user, $pass, $extra = null){
          return false;
        }

-        $row['attributes'] = json_decode($row['attributes'], true);
-
        // check for tfa authenticators
        $authenticators = get_tfa($user);
        if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
--- a/data/web/inc/functions.fwdhost.inc.php
+++ b/data/web/inc/functions.fwdhost.inc.php
@@ -108,14 +108,6 @@ function fwdhost($_action, $_data = null) {
      }
    break;
    case 'delete':
-      if ($_SESSION['mailcow_cc_role'] != "admin") {
-        $_SESSION['return'][] = array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => 'access_denied'
-        );
-        return false;
-      }
      $hosts = (array)$_data['forwardinghost'];
      foreach ($hosts as $host) {
        try {
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1111,21 +1111,10 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
          $relayhost = (isset($_data['relayhost'])) ? intval($_data['relayhost']) : 0;
          $quarantine_notification = (isset($_data['quarantine_notification'])) ? strval($_data['quarantine_notification']) : strval($MAILBOX_DEFAULT_ATTRIBUTES['quarantine_notification']);
          $quarantine_category = (isset($_data['quarantine_category'])) ? strval($_data['quarantine_category']) : strval($MAILBOX_DEFAULT_ATTRIBUTES['quarantine_category']);
-          // Validate quarantine_category
-          if (!in_array($quarantine_category, array('add_header', 'reject', 'all'))) {
-            $_SESSION['return'][] = array(
-              'type' => 'danger',
-              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-              'msg' => 'quarantine_category_invalid'
-            );
-            return false;
-          }
          $quota_b    = ($quota_m * 1048576);
          $attribute_hash = (!empty($_data['attribute_hash'])) ? $_data['attribute_hash'] : '';
          if (in_array($authsource, array('keycloak', 'generic-oidc', 'ldap'))){
            $force_pw_update = 0;
-          }
-          if ($authsource == 'generic-oidc'){
            $force_tfa = 0;
          }
          $mailbox_attrs = json_encode(
@@ -1742,15 +1731,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
          $attr["tagged_mail_handler"]         = (!empty($_data['tagged_mail_handler'])) ? $_data['tagged_mail_handler'] : strval($MAILBOX_DEFAULT_ATTRIBUTES['tagged_mail_handler']);
          $attr["quarantine_notification"]     = (!empty($_data['quarantine_notification'])) ? $_data['quarantine_notification'] : strval($MAILBOX_DEFAULT_ATTRIBUTES['quarantine_notification']);
          $attr["quarantine_category"]         = (!empty($_data['quarantine_category'])) ? $_data['quarantine_category'] : strval($MAILBOX_DEFAULT_ATTRIBUTES['quarantine_category']);
-          // Validate quarantine_category
-          if (!in_array($attr["quarantine_category"], array('add_header', 'reject', 'all'))) {
-            $_SESSION['return'][] = array(
-              'type' => 'danger',
-              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_extra),
-              'msg' => 'quarantine_category_invalid'
-            );
-            return false;
-          }
          $attr["rl_frame"]                    = (!empty($_data['rl_frame'])) ? $_data['rl_frame'] : "s";
          $attr["rl_value"]                    = (!empty($_data['rl_value'])) ? $_data['rl_value'] : "";
          $attr["force_pw_update"]             = isset($_data['force_pw_update']) ? intval($_data['force_pw_update']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['force_pw_update']);
@@ -2080,14 +2060,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
            return false;
          }
          foreach ($usernames as $username) {
-            if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
-              $_SESSION['return'][] = array(
-                'type' => 'danger',
-                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-                'msg' => 'access_denied'
-              );
-              continue;
-            }
            if ($_data['spam_score'] == "default") {
              $stmt = $pdo->prepare("DELETE FROM `filterconf` WHERE `object` = :username
                AND (`option` = 'lowspamlevel' OR `option` = 'highspamlevel')");
@@ -3154,8 +3126,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
              }
              if (in_array($authsource, array('keycloak', 'generic-oidc', 'ldap'))){
                $force_pw_update = 0;
-              }
-              if ($authsource == 'generic-oidc'){
                $force_tfa = 0;
              }
              $pw_recovery_email    = (isset($_data['pw_recovery_email']) && $authsource == 'mailcow') ? $_data['pw_recovery_email'] : $is_now['attributes']['recovery_email'];
@@ -3816,15 +3786,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
            $attr["tagged_mail_handler"]         = (!empty($_data['tagged_mail_handler'])) ? $_data['tagged_mail_handler'] : $is_now['tagged_mail_handler'];
            $attr["quarantine_notification"]     = (!empty($_data['quarantine_notification'])) ? $_data['quarantine_notification'] : $is_now['quarantine_notification'];
            $attr["quarantine_category"]         = (!empty($_data['quarantine_category'])) ? $_data['quarantine_category'] : $is_now['quarantine_category'];
-            // Validate quarantine_category
-            if (!in_array($attr["quarantine_category"], array('add_header', 'reject', 'all'))) {
-              $_SESSION['return'][] = array(
-                'type' => 'danger',
-                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_extra),
-                'msg' => 'quarantine_category_invalid'
-              );
-              continue;
-            }
            $attr["rl_frame"]                    = (!empty($_data['rl_frame'])) ? $_data['rl_frame'] : $is_now['rl_frame'];
            $attr["rl_value"]                    = (!empty($_data['rl_value'])) ? $_data['rl_value'] : $is_now['rl_value'];
            $attr["force_pw_update"]             = isset($_data['force_pw_update']) ? intval($_data['force_pw_update']) : $is_now['force_pw_update'];
--- a/data/web/inc/header.inc.php
+++ b/data/web/inc/header.inc.php
@@ -89,7 +89,7 @@ $globalVariables = [
  'app_links' => $app_links,
  'app_links_processed' => $app_links_processed,
  'is_root_uri' => (parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) == '/'),
-  'uri' => parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) ?: '/',
+  'uri' => $_SERVER['REQUEST_URI'],
 ];

 foreach ($globalVariables as $globalVariableName => $globalVariableValue) {
--- a/data/web/inc/twig.inc.php
+++ b/data/web/inc/twig.inc.php
@@ -13,9 +13,7 @@ $twig = new Environment($loader, [

 // functions
 $twig->addFunction(new TwigFunction('query_string', function (array $params = []) {
-  $allowed = ['lang', 'mobileconfig'];
-  $filtered = array_intersect_key($_GET, array_flip($allowed));
-  return http_build_query(array_merge($filtered, $params));
+  return http_build_query(array_merge($_GET, $params));
 }));

 $twig->addFunction(new TwigFunction('is_uri', function (string $uri, string $where = null) {
--- a/data/web/js/build/013-mailcow.js
+++ b/data/web/js/build/013-mailcow.js
@@ -345,7 +345,7 @@ $(document).ready(function() {
      $('.main-logo-dark').addClass('d-none');
      if ($('#rspamd_logo').length) $('#rspamd_logo').attr('src', '/img/rspamd_logo_dark.png');
      if ($('#rspamd_logo_sm').length) $('#rspamd_logo_sm').attr('src', '/img/rspamd_logo_dark.png');
-      localStorage.setItem('mailcow_theme', 'light');
+      localStorage.setItem('theme', 'light');
    }else{
      $('head').append('<link id="dark-mode-theme" rel="stylesheet" type="text/css" href="/css/themes/mailcow-darkmode.css">');
      $('#dark-mode-toggle').prop('checked', true);
@@ -353,7 +353,7 @@ $(document).ready(function() {
      $('.main-logo-dark').removeClass('d-none');
      if ($('#rspamd_logo').length) $('#rspamd_logo').attr('src', '/img/rspamd_logo_light.png');
      if ($('#rspamd_logo_sm').length) $('#rspamd_logo_sm').attr('src', '/img/rspamd_logo_light.png');
-      localStorage.setItem('mailcow_theme', 'dark');
+      localStorage.setItem('theme', 'dark');
    }
  }

--- a/data/web/js/site/dashboard.js
+++ b/data/web/js/site/dashboard.js
@@ -1128,11 +1128,6 @@ jQuery(function($){
          item.ua = escapeHtml(item.ua);
        }
        item.ua = '<span style="font-size:small">' + item.ua + '</span>';
-        if (item.user == null) {
-          item.user = 'unknown';
-        } else {
-          item.user = escapeHtml(item.user);
-        }
        if (item.service == "activesync") {
          item.service = '<span class="badge fs-6 bg-info">ActiveSync</span>';
        }
--- a/data/web/js/site/index.js
+++ b/data/web/js/site/index.js
@@ -1,6 +1,5 @@
 $(document).ready(function() {
-  var theme = localStorage.getItem("mailcow_theme");
-  if (theme !== null) {
-    localStorage.setItem("mailcow_theme", theme);
-  }
+  var theme = localStorage.getItem("theme");
+  localStorage.clear();
+  localStorage.setItem("theme", theme);
 });
--- a/data/web/js/site/quarantine.js
+++ b/data/web/js/site/quarantine.js
@@ -226,18 +226,18 @@ jQuery(function($){
        }
        if (typeof data.fuzzy_hashes === 'object' && data.fuzzy_hashes !== null && data.fuzzy_hashes.length !== 0) {
          $.each(data.fuzzy_hashes, function (index, value) {
-            $('#qid_detail_fuzzy').append('<p style="font-family:monospace">' + escapeHtml(value) + '</p>');
+            $('#qid_detail_fuzzy').append('<p style="font-family:monospace">' + value + '</p>');
          });
        } else {
          $('#qid_detail_fuzzy').append('-');
        }
        if (typeof data.score !== 'undefined' && typeof data.action !== 'undefined') {
          if (data.action == "add header") {
-            $('#qid_detail_score').append('<span class="label-rspamd-action badge fs-6 bg-warning"><b>' + escapeHtml(data.score) + '</b> - ' + lang.junk_folder + '</span>');
+            $('#qid_detail_score').append('<span class="label-rspamd-action badge fs-6 bg-warning"><b>' + data.score + '</b> - ' + lang.junk_folder + '</span>');
          } else if (data.action == "reject") {
-            $('#qid_detail_score').append('<span class="label-rspamd-action badge fs-6 bg-danger"><b>' + escapeHtml(data.score) + '</b> - ' + lang.rejected + '</span>');
+            $('#qid_detail_score').append('<span class="label-rspamd-action badge fs-6 bg-danger"><b>' + data.score + '</b> - ' + lang.rejected + '</span>');
          } else if (data.action == "rewrite subject") {
-            $('#qid_detail_score').append('<span class="label-rspamd-action badge fs-6 bg-warning"><b>' + escapeHtml(data.score) + '</b> - ' + lang.rewrite_subject + '</span>');
+            $('#qid_detail_score').append('<span class="label-rspamd-action badge fs-6 bg-warning"><b>' + data.score + '</b> - ' + lang.rewrite_subject + '</span>');
          }
        }
        if (typeof data.recipients !== 'undefined') {
@@ -254,8 +254,8 @@ jQuery(function($){
          qAtts.text('');
          $.each(data.attachments, function(index, value) {
            qAtts.append(
-              '<p><a href="/inc/ajax/qitem_details.php?id=' + escapeHtml(qitem) + '&amp;att=' + index + '" target="_blank">' + escapeHtml(value[0]) + '</a> (' + escapeHtml(value[1]) + ')' +
-              ' - <small><a href="' + escapeHtml(value[3]) + '" target="_blank">' + lang.check_hash + '</a></small></p>'
+              '<p><a href="/inc/ajax/qitem_details.php?id=' + qitem + '&att=' + index + '" target="_blank">' + value[0] + '</a> (' + value[1] + ')' +
+              ' - <small><a href="' + value[3] + '" target="_blank">' + lang.check_hash + '</a></small></p>'
            );
          });
        }
--- a/data/web/js/site/user.js
+++ b/data/web/js/site/user.js
@@ -98,8 +98,8 @@ jQuery(function($){
              var local_datetime = datetime.toLocaleDateString(undefined, {year: "numeric", month: "2-digit", day: "2-digit", hour: "2-digit", minute: "2-digit", second: "2-digit"});
              var service = '<div class="badge bg-secondary">' + item.service.toUpperCase() + '</div>';
              var app_password = item.app_password ? ' <a href="/edit/app-passwd/' + item.app_password + '"><i class="bi bi-key-fill"></i><span class="ms-1">' + escapeHtml(item.app_password_name || "App") + '</span></a>' : '';
-              var real_rip = item.real_rip.startsWith("Web") ? escapeHtml(item.real_rip) : '<a href="https://bgp.tools/prefix/' + escapeHtml(item.real_rip) + '" target="_blank">' + escapeHtml(item.real_rip) + "</a>";
-              var ip_location = item.location ? ' <span class="flag-icon flag-icon-' + escapeHtml(item.location.toLowerCase()) + '"></span>' : '';
+              var real_rip = item.real_rip.startsWith("Web") ? item.real_rip : '<a href="https://bgp.tools/prefix/' + item.real_rip + '" target="_blank">' + item.real_rip + "</a>";
+              var ip_location = item.location ? ' <span class="flag-icon flag-icon-' + item.location.toLowerCase() + '"></span>' : '';
              var ip_data = real_rip + ip_location + app_password;

              $(".last-sasl-login").append(`
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -512,7 +512,6 @@
        "pushover_credentials_missing": "Pushover Token und/oder Key fehlen",
        "pushover_key": "Pushover Key hat das falsche Format",
        "pushover_token": "Pushover Token hat das falsche Format",
-        "quarantine_category_invalid": "Quarantäne-Kategorie muss eine der folgenden sein: add_header, reject, all",
        "quota_not_0_not_numeric": "Speicherplatz muss numerisch und >= 0 sein",
        "recipient_map_entry_exists": "Eine Empfängerumschreibung für Objekt \"%s\" existiert bereits",
        "recovery_email_failed": "E-Mail zur Wiederherstellung konnte nicht gesendet werden. Bitte wenden Sie sich an Ihren Administrator.",
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -513,7 +513,6 @@
        "pushover_credentials_missing": "Pushover token and or key missing",
        "pushover_key": "Pushover key has a wrong format",
        "pushover_token": "Pushover token has a wrong format",
-        "quarantine_category_invalid": "Quarantine category must be one of: add_header, reject, all",
        "quota_not_0_not_numeric": "Quota must be numeric and >= 0",
        "recipient_map_entry_exists": "A Recipient map entry \"%s\" exists",
        "recovery_email_failed": "Could not send a recovery email. Please contact your administrator.",
--- a/data/web/lang/lang.hu-hu.json
+++ b/data/web/lang/lang.hu-hu.json
@@ -1144,8 +1144,7 @@
        "subscribeall": "Feliratkozás minden mappára",
        "syncjob": "Szinkronizálási feladat hozzáadása",
        "internal": "Belső",
-        "internal_info": "Belső álnevek csak a saját domain vagy domain álnév számára elérhető.",
-        "sender_allowed": "Küldés engedélyezése ezzel az aliasszal"
+        "internal_info": "Belső álnevek csak a saját domain vagy domain álnév számára elérhető."
    },
    "danger": {
        "access_denied": "Hozzáférés megtagatva vagy nem megfelelő űrlap adat",
@@ -1246,21 +1245,6 @@
        "pushover_key": "A pushover kulcs rossz formátumú",
        "pushover_token": "A Pushover token rossz formátumú",
        "quota_not_0_not_numeric": "A kvótának numerikusnak és >= 0-nak kell lennie.",
-        "recipient_map_entry_exists": "Létezik egy \"%s\" címzett-térkép bejegyzés",
-        "redis_error": "Redis hiba lépett fel: %s",
-        "relayhost_invalid": "A(z) %s elem érvénytelen a leképezésben.",
-        "release_send_failed": "Az üzenet felszabadítása sikertelen: %s",
-        "reset_f2b_regex": "A regex-szűrő időtúllépés miatt nem állt le. Próbálja újra, vagy várjon egy kicsit, és töltse újra az oldalt.",
-        "resource_invalid": "A(z) %s erőforrásnév érvénytelen",
-        "rl_timeframe": "Érvénytelen időkeret a lekérdezési korláthoz",
-        "rspamd_ui_pw_length": "A Rspamd UI jelszónak legalább 6 karakter hosszúnak kell lennie.",
-        "script_empty": "A szkript nem lehet üres",
-        "sender_acl_invalid": "A küldőhöz tartozó ACL-érték (%s) érvénytelen",
-        "set_acl_failed": "Az ACL beállítása meghiúsult",
-        "settings_map_invalid": "Érvénytelen beállítás-leképezési azonosító: %s",
-        "recovery_email_failed": "A helyreállítási email kiküldése sikertelen. Kérlek, lépj kapcsolatba az adminisztrátorral!",
-        "reset_token_limit_exceeded": "Túl sok visszaállítási kísérlet. Kérjük, várjon, mielőtt újra próbálkozna.",
-        "required_data_missing": "Hiányzik a(z) szükséges %s adat",
-        "tfa_removal_blocked": "A kétfaktoros hitelesítés nem távolítható el, mert elengedhetetlen a fiókod használatához."
+        "recipient_map_entry_exists": "Létezik egy \"%s\" címzett-térkép bejegyzés"
    }
 }
--- a/data/web/templates/base.twig
+++ b/data/web/templates/base.twig
@@ -11,8 +11,8 @@
  <link rel="stylesheet" href="{{ css_path }}">
  <script>
    // check if darkmode is preferred by OS or set by localStorage
-    if (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches && localStorage.getItem("mailcow_theme") !== "light" ||
-        localStorage.getItem("mailcow_theme") === "dark") {
+    if (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches && localStorage.getItem("theme") !== "light" ||
+        localStorage.getItem("theme") === "dark") {
      var head  = document.getElementsByTagName('head')[0];
      var link  = document.createElement('link');
      link.id   = 'dark-mode-theme';
@@ -193,7 +193,7 @@ $(window).scroll(function() {
 });
 // Select language and reopen active URL without POST
 function setLang(sel) {
-  $.post( '{{ uri|escape("js") }}', {lang: sel} );
+  $.post( '{{ uri }}', {lang: sel} );
  window.location.href = window.location.pathname + window.location.search;
 }
 // FIDO2 functions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -200,7 +200,7 @@ services:
            - phpfpm

    sogo-mailcow:
-      image: ghcr.io/mailcow/sogo:5.12.5-3
+      image: ghcr.io/mailcow/sogo:5.12.5-4
      environment:
        - DBNAME=${DBNAME}
        - DBUSER=${DBUSER}
@@ -252,7 +252,7 @@ services:
            - sogo

    dovecot-mailcow:
-      image: ghcr.io/mailcow/dovecot:2.3.21.1-2
+      image: ghcr.io/mailcow/dovecot:2.3.21.1-1
      depends_on:
        - mysql-mailcow
        - netfilter-mailcow
@@ -465,7 +465,7 @@ services:
          condition: service_started
        unbound-mailcow:
          condition: service_healthy
-      image: ghcr.io/mailcow/acme:1.97
+      image: ghcr.io/mailcow/acme:1.96
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      environment: