Merge remote-tracking branch 'upstream/master' into Riscue-master

3 years ago · 04b7ddfffd
parent d2aa647a9f e519ec9ae6
commit 04b7ddfffd
47 changed files with 346 additions and 134 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,10 +3,7 @@ Changelog
 For full details see the [releases page](https://mailu.io/1.9/releases.html)
-Warning, the helm-chart repo is not in sync yet with the new Mailu 1.9 release. If you use helm-chart (kubernetes), we advise to stick to version 1.8. 
+Upgrade should run fine as long as you generate a new compose or stack configuration and upgrade your mailu.env. Please note that once you have upgraded to 1.9 you won't be able to roll-back to earlier versions without resetting user passwords.
 Upgrade should run fine as long as you generate a new compose or stack
 configuration and upgrade your mailu.env.
 If you use a reverse proxy in front of Mailu, it is vital to configure the newly introduced env variables REAL_IP_HEADER and REAL_IP_FROM.
 These settings tell Mailu that the HTTP header with the remote client IP address from the reverse proxy can be trusted.
--- a/README.md
+++ b/README.md
@ -17,7 +17,7 @@ Features
 Main features include:
- **Standard email server**, IMAP and IMAP+, SMTP and Submission
+- **Standard email server**, IMAP and IMAP+, SMTP and Submission with autoconfiguration profiles for clients
 - **Advanced email features**, aliases, domain aliases, custom routing
 - **Web access**, multiple Webmails and administration interface
 - **User features**, aliases, auto-reply, auto-forward, fetched accounts
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@ -1,5 +1,5 @@
 # First stage to build assets
-ARG DISTRO=alpine:3.14.3
+ARG DISTRO=alpine:3.14.5
 ARG ARCH=""
 FROM ${ARCH}node:16 as assets
@ -13,7 +13,7 @@ COPY webpack.config.js ./
 COPY assets ./assets
 RUN set -eu \
 && sed -i 's/#007bff/#55a5d9/' node_modules/admin-lte/build/scss/_bootstrap-variables.scss \
- && for l in ca da de:de_de en:en-gb es:es_es eu fr:fr_fr he hu is it:it_it ja nb_NO:no_nb nl:nl_nl pl pt:pt_pt ru sv:sv_se zh; do \
+ && for l in ca da de:de-DE en:en-GB es:es-ES eu fr:fr-FR he hu is it:it-IT ja nb_NO:no-NB nl:nl-NL pl pt:pt-PT ru sv:sv-SE zh; do \
      cp node_modules/datatables.net-plugins/i18n/${l#*:}.json assets/${l%:*}.json; \
    done \
 && node_modules/.bin/webpack-cli --color
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@ -94,11 +94,11 @@ def handle_authentication(headers):
        else:
            try:
                user = models.User.query.get(user_email) if '@' in user_email else None
                is_valid_user = user is not None
            except sqlalchemy.exc.StatementError as exc:
                exc = str(exc).split('\n', 1)[0]
                app.logger.warn(f'Invalid user {user_email!r}: {exc}')
            else:
                is_valid_user = user is not None
                ip = urllib.parse.unquote(headers["Client-Ip"])
                if check_credentials(user, password, ip, protocol, headers["Auth-Port"]):
                    server, port = get_server(headers["Auth-Protocol"], True)
--- a/core/admin/mailu/internal/views/init.py
+++ b/core/admin/mailu/internal/views/init.py
@ -1,3 +1,3 @@
 __all__ = [
-    'auth', 'postfix', 'dovecot', 'fetch', 'rspamd'
+    'auth', 'autoconfig', 'postfix', 'dovecot', 'fetch', 'rspamd'
 ]
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@ -5,6 +5,7 @@ from flask import current_app as app
 import flask
 import flask_login
 import base64
 import sqlalchemy.exc
@internal.route("/auth/email")
 def nginx_authentication():
@ -32,7 +33,7 @@ def nginx_authentication():
    for key, value in headers.items():
        response.headers[key] = str(value)
    is_valid_user = False
-    if response.headers.get("Auth-User-Exists"):
+    if response.headers.get("Auth-User-Exists") == "True":
        username = response.headers["Auth-User"]
        if utils.limiter.should_rate_limit_user(username, client_ip):
            # FIXME could be done before handle_authentication()
@ -96,13 +97,19 @@ def basic_authentication():
            response.headers["WWW-Authenticate"] = 'Basic realm="Authentication rate limit for this username exceeded"'
            response.headers['Retry-After'] = '60'
            return response
-        user = models.User.query.get(user_email)
+        try:
-        if user and nginx.check_credentials(user, password.decode('utf-8'), client_ip, "web"):
+            user = models.User.query.get(user_email) if '@' in user_email else None
-            response = flask.Response()
+        except sqlalchemy.exc.StatementError as exc:
-            response.headers["X-User"] = models.IdnaEmail.process_bind_param(flask_login, user.email, "")
+            exc = str(exc).split('\n', 1)[0]
-            utils.limiter.exempt_ip_from_ratelimits(client_ip)
+            app.logger.warn(f'Invalid user {user_email!r}: {exc}')
-            return response
+        else:
-        utils.limiter.rate_limit_user(user_email, client_ip) if user else utils.limiter.rate_limit_ip(client_ip)
+            if user is not None and nginx.check_credentials(user, password.decode('utf-8'), client_ip, "web"):
                response = flask.Response()
                response.headers["X-User"] = models.IdnaEmail.process_bind_param(flask_login, user.email, "")
                utils.limiter.exempt_ip_from_ratelimits(client_ip)
                return response
            # We failed check_credentials
            utils.limiter.rate_limit_user(user_email, client_ip) if user else utils.limiter.rate_limit_ip(client_ip)
    response = flask.Response(status=401)
    response.headers["WWW-Authenticate"] = 'Basic realm="Login Required"'
    return response
--- a/core/admin/mailu/internal/views/autoconfig.py
+++ b/core/admin/mailu/internal/views/autoconfig.py
@ -0,0 +1,183 @@
 from mailu.internal import internal
 from flask import current_app as app
 import flask
 import xmltodict
@internal.route("/autoconfig/mozilla")
 def autoconfig_mozilla():
    # https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat
    hostname = app.config['HOSTNAME']
    xml = f'''<?xml version="1.0"?>
 <clientConfig version="1.1">
 <emailProvider id="%EMAILDOMAIN%">
 <domain>%EMAILDOMAIN%</domain>
 <displayName>Email</displayName>
 <displayShortName>Email</displayShortName>
 <incomingServer type="imap">
 <hostname>{hostname}</hostname>
 <port>993</port>
 <socketType>SSL</socketType>
 <username>%EMAILADDRESS%</username>
 <authentication>password-cleartext</authentication>
 </incomingServer>
 <outgoingServer type="smtp">
 <hostname>{hostname}</hostname>
 <port>465</port>
 <socketType>SSL</socketType>
 <username>%EMAILADDRESS%</username>
 <authentication>password-cleartext</authentication>
 <addThisServer>true</addThisServer>
 <useGlobalPreferredServer>true</useGlobalPreferredServer>
 </outgoingServer>
 <documentation url="https://{hostname}/admin/client">
 <descr lang="en">Configure your email client</descr>
 </documentation>
 </emailProvider>
 </clientConfig>\r\n'''
    return flask.Response(xml, mimetype='text/xml', status=200)
@internal.route("/autoconfig/microsoft.json")
 def autoconfig_microsoft_json():
    proto = flask.request.args.get('Protocol', 'Autodiscoverv1')
    if proto == 'Autodiscoverv1':
        hostname = app.config['HOSTNAME']
        json = f'"Protocol":"Autodiscoverv1","Url":"https://{hostname}/autodiscover/autodiscover.xml"'
        return flask.Response('{'+json+'}', mimetype='application/json', status=200)
    else:
        return flask.abort(404)
@internal.route("/autoconfig/microsoft", methods=['POST'])
 def autoconfig_microsoft():
    # https://docs.microsoft.com/en-us/previous-versions/office/office-2010/cc511507(v=office.14)?redirectedfrom=MSDN#Anchor_3
    hostname = app.config['HOSTNAME']
    try:
        xmlRequest = (flask.request.data).decode("utf-8")
        xml = xmltodict.parse(xmlRequest[xmlRequest.find('<'):xmlRequest.rfind('>')+1])
        schema = xml['Autodiscover']['Request']['AcceptableResponseSchema']
        if schema != 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a':
            return flask.abort(404)
        email = xml['Autodiscover']['Request']['EMailAddress']
        xml = f'''<?xml version="1.0" encoding="utf-8" ?>
    <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
        <Response xmlns="{schema}">
            <Account>
            <AccountType>email</AccountType>
            <Action>settings</Action>
            <Protocol>
                <Type>IMAP</Type>
                <Server>{hostname}</Server>
                <Port>993</Port>
                <LoginName>{email}</LoginName>
                <DomainRequired>on</DomainRequired>
                <SPA>off</SPA>
                <SSL>on</SSL>
            </Protocol>
            <Protocol>
                <Type>SMTP</Type>
                <Server>{hostname}</Server>
                <Port>465</Port>
                <LoginName>{email}</LoginName>
                <DomainRequired>on</DomainRequired>
                <SPA>off</SPA>
                <SSL>on</SSL>
                </Protocol>
            </Account>
        </Response>
    </Autodiscover>'''
        return flask.Response(xml, mimetype='text/xml', status=200)
    except:
        return flask.abort(400)
@internal.route("/autoconfig/apple")
 def autoconfig_apple():
    # https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
    hostname = app.config['HOSTNAME']
    sitename = app.config['SITENAME']
    xml = f'''<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 <key>PayloadContent</key>
 <array>
 <dict>
 <key>EmailAccountDescription</key>
 <string>{sitename}</string>
 <key>EmailAccountName</key>
 <string>{hostname}</string>
 <key>EmailAccountType</key>
 <string>EmailTypeIMAP</string>
 <key>EmailAddress</key>
 <string></string>
 <key>IncomingMailServerAuthentication</key>
 <string>EmailAuthPassword</string>
 <key>IncomingMailServerHostName</key>
 <string>{hostname}</string>
 <key>IncomingMailServerPortNumber</key>
 <integer>993</integer>
 <key>IncomingMailServerUseSSL</key>
 <true/>
 <key>IncomingMailServerUsername</key>
 <string></string>
 <key>IncomingPassword</key>
 <string></string>
 <key>OutgoingMailServerAuthentication</key>
 <string>EmailAuthPassword</string>
 <key>OutgoingMailServerHostName</key>
 <string>{hostname}</string>
 <key>OutgoingMailServerPortNumber</key>
 <integer>465</integer>
 <key>OutgoingMailServerUseSSL</key>
 <true/>
 <key>OutgoingMailServerUsername</key>
 <string></string>
 <key>OutgoingPasswordSameAsIncomingPassword</key>
 <true/>
 <key>PayloadDescription</key>
 <string>{sitename}</string>
 <key>PayloadDisplayName</key>
 <string>{hostname}</string>
 <key>PayloadIdentifier</key>
 <string>{hostname}.email</string>
 <key>PayloadOrganization</key>
 <string></string>
 <key>PayloadType</key>
 <string>com.apple.mail.managed</string>
 <key>PayloadUUID</key>
 <string>72e152e2-d285-4588-9741-25bdd50c4d11</string>
 <key>PayloadVersion</key>
 <integer>1</integer>
 <key>PreventAppSheet</key>
 <true/>
 <key>PreventMove</key>
 <false/>
 <key>SMIMEEnabled</key>
 <false/>
 <key>disableMailRecentsSyncing</key>
 <false/>
 </dict>
 </array>
 <key>PayloadDescription</key>
 <string>{hostname} - E-Mail Account Configuration</string>
 <key>PayloadDisplayName</key>
 <string>E-Mail Account {hostname}</string>
 <key>PayloadIdentifier</key>
 <string>E-Mail Account {hostname}</string>
 <key>PayloadOrganization</key>
 <string>{hostname}</string>
 <key>PayloadRemovalDisallowed</key>
 <false/>
 <key>PayloadType</key>
 <string>Configuration</string>
 <key>PayloadUUID</key>
 <string>56db43a5-d29e-4609-a908-dce94d0be48e</string>
 <key>PayloadVersion</key>
 <integer>1</integer>
 </dict>
 </plist>\r\n'''
    return flask.Response(xml, mimetype='text/xml', status=200)
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@ -255,20 +255,23 @@ class Domain(Base):
        """ return list of auto configuration records (RFC6186) """
        hostname = app.config['HOSTNAME']
        protocols = [
-            ('submission', 587),
+            ('imap', 143, 20),
-            ('imap', 143),
+            ('pop3', 110, 20),
-            ('pop3', 110),
+            ('submission', 587, 20),
        ]
        if app.config['TLS_FLAVOR'] != 'notls':
            protocols.extend([
-                ('imaps', 993),
+                ('autodiscover', 443, 10),
-                ('pop3s', 995),
+                ('submissions', 465, 10),
                ('imaps', 993, 10),
                ('pop3s', 995, 10),
            ])
-        return list([
+
-            f'_{proto}._tcp.{self.name}. 600 IN SRV 1 1 {port} {hostname}.'
+        return [
-            for proto, port
+            f'_{proto}._tcp.{self.name}. 600 IN SRV {prio} 1 {port} {hostname}.'
            for proto, port, prio
            in protocols
-        ])
+        ]+[f'autoconfig.{self.name}. 600 IN CNAME {hostname}.']
    @cached_property
    def dns_tlsa(self):
--- a/core/admin/mailu/ui/templates/client.html
+++ b/core/admin/mailu/ui/templates/client.html
@ -9,6 +9,7 @@
 {%- endblock %}
 {%- block content %}
 <div>If you use an Apple device, <a href="/apple.mobileconfig">click here to autoconfigure it.</a></div>
 {%- call macros.table(title=_("Incoming mail"), datatable=False) %}
  <tbody>
    <tr>
@ -17,7 +18,7 @@
    </tr>
    <tr>
      <th>{% trans %}TCP port{% endtrans %}</th>
-      <td>{{ "143" if config["TLS_FLAVOR"] == "notls" else "993 (TLS) or 143 (STARTTLS)" }}</td>
+      <td>{{ "143" if config["TLS_FLAVOR"] == "notls" else "993 (TLS)" }}</td>
    </tr>
    <tr>
      <th>{% trans %}Server name{% endtrans %}</th>
@ -42,7 +43,7 @@
    </tr>
    <tr>
      <th>{% trans %}TCP port{% endtrans %}</th>
-      <td>{{ "25" if config["TLS_FLAVOR"] == "notls" else "465 (TLS) or 587 (STARTTLS)" }}</td>
+      <td>{{ "25" if config["TLS_FLAVOR"] == "notls" else "465 (TLS)" }}</td>
    </tr>
    <tr>
      <th>{% trans %}Server name{% endtrans %}</th>
--- a/core/admin/mailu/ui/templates/domain/details.html
+++ b/core/admin/mailu/ui/templates/domain/details.html
@ -60,7 +60,7 @@
 </tr>
 {%- endif %}
 <tr>
-  <th>{% trans %}DNS client auto-configuration (RFC6186) entries{% endtrans %}</th>
+  <th>{% trans %}DNS client auto-configuration entries{% endtrans %}</th>
  <td>{{ macros.clip("dns_autoconfig") }}<pre id="dns_autoconfig" class="pre-config border bg-light">
 {%- for line in domain.dns_autoconfig %}
 {{ line }}
--- a/core/admin/mailu/ui/views/domains.py
+++ b/core/admin/mailu/ui/views/domains.py
@ -2,6 +2,7 @@ from mailu import models
 from mailu.ui import ui, forms, access
 from flask import current_app as app
 import validators
 import flask
 import flask_login
 import wtforms_components
@ -18,18 +19,21 @@ def domain_list():
 def domain_create():
    form = forms.DomainForm()
    if form.validate_on_submit():
-        conflicting_domain = models.Domain.query.get(form.name.data)
+        if validators.domain(form.name.data):
-        conflicting_alternative = models.Alternative.query.get(form.name.data)
+            conflicting_domain = models.Domain.query.get(form.name.data)
-        conflicting_relay = models.Relay.query.get(form.name.data)
+            conflicting_alternative = models.Alternative.query.get(form.name.data)
-        if conflicting_domain or conflicting_alternative or conflicting_relay:
+            conflicting_relay = models.Relay.query.get(form.name.data)
-            flask.flash('Domain %s is already used' % form.name.data, 'error')
+            if conflicting_domain or conflicting_alternative or conflicting_relay:
                flask.flash('Domain %s is already used' % form.name.data, 'error')
            else:
                domain = models.Domain()
                form.populate_obj(domain)
                models.db.session.add(domain)
                models.db.session.commit()
                flask.flash('Domain %s created' % domain)
                return flask.redirect(flask.url_for('.domain_list'))
        else:
-            domain = models.Domain()
+            flask.flash('Domain %s is invalid' % form.name.data, 'error')
            form.populate_obj(domain)
            models.db.session.add(domain)
            models.db.session.commit()
            flask.flash('Domain %s created' % domain)
            return flask.redirect(flask.url_for('.domain_list'))
    return flask.render_template('domain/create.html', form=form)
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@ -73,3 +73,4 @@ webencodings==0.5.1
 Werkzeug==2.0.2
 WTForms==2.3.3
 WTForms-Components==0.10.5
 xmltodict==0.12.0
--- a/core/admin/requirements.txt
+++ b/core/admin/requirements.txt
@ -25,3 +25,4 @@ srslib
 marshmallow
 flask-marshmallow
 marshmallow-sqlalchemy
 xmltodict
--- a/core/dovecot/Dockerfile
+++ b/core/dovecot/Dockerfile
@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14.3
+ARG DISTRO=alpine:3.14.5
 FROM $DISTRO
 ARG VERSION
--- a/core/nginx/Dockerfile
+++ b/core/nginx/Dockerfile
@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14.3
+ARG DISTRO=alpine:3.14.5
 FROM $DISTRO
 ARG VERSION
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@ -17,7 +17,7 @@ http {
    keepalive_timeout 65;
    server_tokens off;
    absolute_redirect off;
-    resolver {{ RESOLVER }} ipv6=off valid=30s;
+    resolver {{ RESOLVER }} valid=30s;
    {% if REAL_IP_HEADER %}
    real_ip_header {{ REAL_IP_HEADER }};
@ -117,9 +117,32 @@ http {
      add_header X-Frame-Options 'SAMEORIGIN';
      add_header X-Content-Type-Options 'nosniff';
      add_header X-Permitted-Cross-Domain-Policies 'none';
      add_header X-XSS-Protection '1; mode=block';
      add_header Referrer-Policy 'same-origin';
      # mozilla autoconfiguration
      location ~ ^/(\.well\-known/autoconfig/)?mail/config\-v1\.1\.xml {
        rewrite ^ /internal/autoconfig/mozilla break;
        include /etc/nginx/proxy.conf;
        proxy_pass http://$admin;
      }
      # microsoft autoconfiguration
      location ~* ^/Autodiscover/Autodiscover.json {
        rewrite ^ /internal/autoconfig/microsoft.json break;
        include /etc/nginx/proxy.conf;
        proxy_pass http://$admin;
      }
      location ~* ^/Autodiscover/Autodiscover.xml {
        rewrite ^ /internal/autoconfig/microsoft break;
        include /etc/nginx/proxy.conf;
        proxy_pass http://$admin;
      }
      # apple mobileconfig
      location ~ ^/(apple\.)?mobileconfig {
        rewrite ^ /internal/autoconfig/apple break;
        include /etc/nginx/proxy.conf;
        proxy_pass http://$admin;
      }
      {% if TLS_FLAVOR == 'mail-letsencrypt' %}
      location ^~ /.well-known/acme-challenge/ {
          proxy_pass http://127.0.0.1:8008;
@ -254,7 +277,6 @@ mail {
    server_name {{ HOSTNAMES.split(",")[0] }};
    auth_http http://127.0.0.1:8000/auth/email;
    proxy_pass_error_message on;
    resolver {{ RESOLVER }} ipv6=off valid=30s;
    error_log /dev/stderr info;
    {% if TLS and not TLS_ERROR %}
--- a/core/nginx/letsencrypt.py
+++ b/core/nginx/letsencrypt.py
@ -4,10 +4,12 @@ import os
 import time
 import subprocess
 hostnames = ','.join(set(host.strip() for host in os.environ['HOSTNAMES'].split(',')))
 command = [
    "certbot",
    "-n", "--agree-tos", # non-interactive
-    "-d", os.environ["HOSTNAMES"],
+    "-d", hostnames, "--expand", "--allow-subset-of-names",
    "-m", "{}@{}".format(os.environ["POSTMASTER"], os.environ["DOMAIN"]),
    "certonly", "--standalone",
    "--cert-name", "mailu",
@ -20,7 +22,7 @@ command = [
 command2 = [
    "certbot",
    "-n", "--agree-tos", # non-interactive
-    "-d", os.environ["HOSTNAMES"],
+    "-d", hostnames, "--expand", "--allow-subset-of-names",
    "-m", "{}@{}".format(os.environ["POSTMASTER"], os.environ["DOMAIN"]),
    "certonly", "--standalone",
    "--cert-name", "mailu-ecdsa",
--- a/core/none/Dockerfile
+++ b/core/none/Dockerfile
@ -1,6 +1,6 @@
 # This is an idle image to dynamically replace any component if disabled.
-ARG DISTRO=alpine:3.14.3
+ARG DISTRO=alpine:3.14.5
 FROM $DISTRO
 CMD sleep 1000000d
--- a/core/postfix/Dockerfile
+++ b/core/postfix/Dockerfile
@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14.3
+ARG DISTRO=alpine:3.14.5
 FROM $DISTRO
 ARG VERSION
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@ -80,7 +80,7 @@ virtual_mailbox_maps = ${podop}mailbox
 # Mails are transported if required, then forwarded to Dovecot for delivery
 relay_domains = ${podop}transport
-transport_maps = ${podop}transport
+transport_maps = lmdb:/etc/postfix/transport.map, ${podop}transport
 virtual_transport = lmtp:inet:{{ LMTP_ADDRESS }}
 # Sender and recipient canonical maps, mostly for SRS
--- a/core/postfix/conf/master.cf
+++ b/core/postfix/conf/master.cf
@ -15,6 +15,22 @@ outclean  unix n       -       n       -       0       cleanup
  -o header_checks=pcre:/etc/postfix/outclean_header_filter.cf
  -o nested_header_checks=
 # Polite policy
 polite      unix  -       -       n       -       -       smtp
  -o syslog_name=postfix-polite
  -o polite_destination_concurrency_limit=3
  -o polite_destination_rate_delay=0
  -o polite_destination_recipient_limit=20
  -o polite_destination_concurrency_failed_cohort_limit=10
 # Turtle policy
 turtle      unix  -       -       n       -       -       smtp
  -o syslog_name=postfix-turtle
  -o turtle_destination_concurrency_limit=1
  -o turtle_destination_rate_delay=1
  -o turtle_destination_recipient_limit=5
  -o turtle_destination_concurrency_failed_cohort_limit=10
 # Internal postfix services
 pickup    unix  n       -       n       60      1       pickup
 cleanup   unix  n       -       n       -       0       cleanup
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@ -15,7 +15,7 @@ log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING"))
 def start_podop():
    os.setuid(getpwnam('postfix').pw_uid)
-    os.mkdir('/dev/shm/postfix',mode=0o700)
+    os.makedirs('/dev/shm/postfix',mode=0o700, exist_ok=True)
    url = "http://" + os.environ["ADMIN_ADDRESS"] + "/internal/postfix/"
    # TODO: Remove verbosity setting from Podop?
    run_server(0, "postfix", "/tmp/podop.socket", [
@ -74,9 +74,10 @@ if os.path.exists("/overrides/mta-sts-daemon.yml"):
 else:
    conf.jinja("/conf/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
-if not os.path.exists("/etc/postfix/tls_policy.map.lmdb"):
+for policy in ['tls_policy', 'transport']:
-    open("/etc/postfix/tls_policy.map", "a").close()
+    if not os.path.exists(f'/etc/postfix/{policy}.map.lmdb'):
-    os.system("postmap /etc/postfix/tls_policy.map")
+        open(f'/etc/postfix/{policy}.map', 'a').close()
        os.system(f'postmap /etc/postfix/{policy}.map')
 if "RELAYUSER" in os.environ:
    path = "/etc/postfix/sasl_passwd"
--- a/core/rspamd/conf/antivirus.conf
+++ b/core/rspamd/conf/antivirus.conf
@ -1,6 +1,6 @@
 {% if ANTIVIRUS == 'clamav' %}
 clamav {
-  attachments_only = true;
+  scan_mime_parts = true;
  symbol = "CLAM_VIRUS";
  type = "clamav";
  servers = "{{ ANTIVIRUS_ADDRESS }}";
--- a/docs/contributors/memo.rst
+++ b/docs/contributors/memo.rst
@ -29,5 +29,5 @@ Update information files
 If you added a feature or fixed a bug or committed anything that is worth mentionning
 for the next upgrade, add it in the ``CHANGELOG.md`` file.
-Also, if you would like to be mentionned by name or add a comment in ``AUTHORS.md``,
+Also, if you would like to be mentioned by name or add a comment in ``AUTHORS.md``,
 feel free to do so.
--- a/docs/faq.rst
+++ b/docs/faq.rst
@ -396,58 +396,6 @@ Mailu can serve an `MTA-STS policy`_; To configure it you will need to:
 .. _`1798`: https://github.com/Mailu/Mailu/issues/1798
 .. _`MTA-STS policy`: https://datatracker.ietf.org/doc/html/rfc8461
 How do I setup client autoconfiguration?
 ````````````````````````````````````````
 Mailu can serve an `XML file for autoconfiguration`_; To configure it you will need to:
 1. add ``autoconfig.example.com`` to the ``HOSTNAMES`` configuration variable (and ensure that a valid SSL certificate is available for it; this may mean restarting your smtp container)
 2. configure an override with the policy itself; for example, your ``overrides/nginx/autoconfiguration.conf`` could read:
 .. code-block:: bash
   location ^~ /mail/config-v1.1.xml {
   return 200 "<?xml version=\"1.0\"?>
   <clientConfig version=\"1.1\">
   <emailProvider id=\"%EMAILDOMAIN%\">
   <domain>%EMAILDOMAIN%</domain>
   <displayName>Email</displayName>
   <displayShortName>Email</displayShortName>
   <incomingServer type=\"imap\">
   <hostname>mailu.example.com</hostname>
   <port>993</port>
   <socketType>SSL</socketType>
   <username>%EMAILADDRESS%</username>
   <authentication>password-cleartext</authentication>
   </incomingServer>
   <outgoingServer type=\"smtp\">
   <hostname>mailu.example.com</hostname>
   <port>465</port>
   <socketType>SSL</socketType>
   <username>%EMAILADDRESS%</username>
   <authentication>password-cleartext</authentication>
   <addThisServer>true</addThisServer>
   <useGlobalPreferredServer>true</useGlobalPreferredServer>
   </outgoingServer>
   <documentation url=\"https://mailu.example.com/admin/client\">
   <descr lang=\"en\">Configure your email client</descr>
   </documentation>
   </emailProvider>
   </clientConfig>\r\n";
   }
 3. setup the appropriate DNS/CNAME record (``autoconfig.example.com`` -> ``mailu.example.com``).
 *issue reference:* `224`_.
 .. _`224`: https://github.com/Mailu/Mailu/issues/224
 .. _`XML file for autoconfiguration`: https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat
 Technical issues
 ----------------
@ -476,6 +424,22 @@ Any mail related connection is proxied by nginx. Therefore the SMTP Banner is al
 .. _`1368`: https://github.com/Mailu/Mailu/issues/1368
 My emails are getting rejected, I am being told to slow down, what can I do?
 ````````````````````````````````````````````````````````````````````````````
 Some email operators insist that emails are delivered slowly. Mailu maintains two separate queues for such destinations: ``polite`` and ``turtle``. To enable them for some destination you can creating an override at ``overrides/postfix/transport.map`` as follow:
 .. code-block:: bash
   yahoo.com   polite:
   orange.fr   turtle:
 Re-starting the smtp container will be required for changes to take effect.
 *Issue reference:* `2213`_.
 .. _`2213`: https://github.com/Mailu/Mailu/issues/2213
 My emails are getting defered, what can I do?
 `````````````````````````````````````````````
@ -488,7 +452,7 @@ If delivery to a specific domain fails because their DANE records are invalid or
   domain.example.com   may
   domain.example.org   encrypt
-The syntax and options are as described in `postfix's documentation`_. Re-creating the smtp container will be required for changes to take effect.
+The syntax and options are as described in `postfix's documentation`_. Re-starting the smtp container will be required for changes to take effect.
 .. _`postfix's documentation`: http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
@ -511,7 +475,7 @@ These issues are typically caused by four scenarios:
 #. Certificates expired;
 #. When ``TLS_FLAVOR=letsencrypt``, it might be that the *certbot* script is not capable of
   obtaining the certificates for your domain. See `letsencrypt issues`_
-#. When ``TLS_FLAVOR=certs``, certificates are supposed to be copied to ``/mailu/certs``.
+#. When ``TLS_FLAVOR=cert``, certificates are supposed to be copied to ``/mailu/certs``.
   Using an external ``letsencrypt`` program, it tends to happen people copy the whole
   ``letsencrypt/live`` directory containing symlinks. Symlinks do not resolve inside the
   container and therefore it breaks the TLS implementation.
--- a/docs/index.rst
+++ b/docs/index.rst
@ -23,7 +23,7 @@ popular groupware.
 Main features include:
- **Standard email server**, IMAP and IMAP+, SMTP and Submission
+- **Standard email server**, IMAP and IMAP+, SMTP and Submission with autoconfiguration profiles for clients
 - **Advanced email features**, aliases, domain aliases, custom routing
 - **Web access**, multiple Webmails and administration interface
 - **User features**, aliases, auto-reply, auto-forward, fetched accounts
--- a/docs/maintain.rst
+++ b/docs/maintain.rst
@ -15,6 +15,7 @@ simply pull the latest images and recreate the containers :
 .. code-block:: bash
  docker-compose pull
  docker-compose down
  docker-compose up -d
 Monitoring the mail server
--- a/docs/releases.rst
+++ b/docs/releases.rst
@ -4,8 +4,8 @@ Release notes
 Mailu 1.9 - 2021-12-29
 ----------------------
-Mailu 1.9 is available now. The helm-chart repo is not in sync yet with the new Mailu 1.9 release. If you use helm-chart (kubernetes), we advise to stick to version 1.8 for now. 
+Mailu 1.9 is available now.
-See the section `Upgrading` for important information in regard to upgrading to Mailu 1.9.
+Please see the section `Upgrading` for important information in regard to upgrading to Mailu 1.9.
 Highlights
 ````````````````````````````````
@ -119,7 +119,7 @@ A short summary of the new features:
 Upgrading
 `````````
-Upgrade should run fine as long as you generate a new compose or stack configuration and upgrade your mailu.env.
+Upgrade should run fine as long as you generate a new compose or stack configuration and upgrade your mailu.env. Please note that once you have upgraded to 1.9 you won't be able to roll-back to earlier versions without resetting user passwords.
 If you use a reverse proxy in front of Mailu, it is vital to configure the newly introduced environment variables `REAL_IP_HEADER`` and `REAL_IP_FROM`.
 These settings tell Mailu that the HTTP header with the remote client IP address from the reverse proxy can be trusted.
--- a/docs/reverse.rst
+++ b/docs/reverse.rst
@ -47,7 +47,7 @@ Then on your own frontend, point to these local ports. In practice, you only nee
    location / {
      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr
+      proxy_set_header X-Real-IP $remote_addr;
      proxy_pass https://localhost:8443;
    }
  }
@ -59,16 +59,16 @@ Then on your own frontend, point to these local ports. In practice, you only nee
  REAL_IP_FROM=x.x.x.x,y.y.y.y.y
  #x.x.x.x,y.y.y.y.y is the static IP address your reverse proxy uses for connecting to Mailu. 
-Because the admin interface is served as ``/admin``, the Webmail as ``/webmail``, the single sign on page as ``/sso``, webdav as ``/webdav`` and the static files endpoint as ``/static``, you may also want to use a single virtual host and serve other applications (still Nginx):
+Because the admin interface is served as ``/admin``, the Webmail as ``/webmail``, the single sign on page as ``/sso``, webdav as ``/webdav``, the client-autoconfiguration and the static files endpoint as ``/static``, you may also want to use a single virtual host and serve other applications (still Nginx):
 .. code-block:: nginx
  server {
    # [...] here goes your standard configuration
-    location ~ ^/(admin|sso|static|webdav|webmail) {
+    location ~* ^/(admin|sso|static|webdav|webmail|(apple\.)?mobileconfig|(\.well\-known/autoconfig/)?mail/|Autodiscover/Autodiscover) {
      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr
+      proxy_set_header X-Real-IP $remote_addr;
      proxy_pass https://localhost:8443;     
    }
@ -111,7 +111,7 @@ Here is an example configuration :
    location /webmail {
      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr
+      proxy_set_header X-Real-IP $remote_addr;
      proxy_pass https://localhost:8443/webmail;
    }
  }
@ -123,7 +123,7 @@ Here is an example configuration :
    location /admin {
      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr
+      proxy_set_header X-Real-IP $remote_addr;
      proxy_pass https://localhost:8443/admin;
      proxy_set_header Host $http_host;
    }
@ -189,7 +189,7 @@ Mailu must also be configured with the information what header is used by the re
 .. code-block:: docker
  #mailu.env file
-  REAL_IP_HEADER=X-Real-IP
+  REAL_IP_HEADER=X-Real-Ip
  REAL_IP_FROM=x.x.x.x,y.y.y.y.y
  #x.x.x.x,y.y.y.y.y is the static IP address your reverse proxy uses for connecting to Mailu. 
--- a/docs/rpi_build.rst
+++ b/docs/rpi_build.rst
@ -17,8 +17,8 @@ Adjustments
 ``build_arm.sh`` uses some variables passed as ``build-arg`` to docker-compose:
 - ``ALPINE_VER``: version of ALPINE to use
- ``DISTRO``: is the main distro used. Dockerfiles are set on Alpine 3.10, and
+- ``DISTRO``: is the main distro used. Dockerfiles are set on Alpine 3.14, and
-  build script overrides for ``balenalib/rpi-alpine:3.10``
+  build script overrides for ``balenalib/rpi-alpine:3.14``
 - ``QEMU``: Used by webmails dockerfiles. It will add ``qemu-arm-static`` only
  if ``QEMU`` is set to ``arm``
 - ``ARCH``: Architecture to use for ``admin``, and ``webmails`` as their images
--- a/optional/clamav/Dockerfile
+++ b/optional/clamav/Dockerfile
@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14.3
+ARG DISTRO=alpine:3.14.5
 FROM $DISTRO
 ARG VERSION
--- a/optional/fetchmail/Dockerfile
+++ b/optional/fetchmail/Dockerfile
@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14.3
+ARG DISTRO=alpine:3.14.5
 FROM $DISTRO
 ARG VERSION
--- a/optional/radicale/Dockerfile
+++ b/optional/radicale/Dockerfile
@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14.3
+ARG DISTRO=alpine:3.14.5
 FROM $DISTRO
 ARG VERSION
@ -13,7 +13,7 @@ RUN apk add --no-cache \
 # Image specific layers under this line
 RUN apk add --no-cache curl \
- && pip3 install radicale~=3.0
+ && pip3 install pytz radicale~=3.0
 COPY radicale.conf /radicale.conf
--- a/optional/unbound/Dockerfile
+++ b/optional/unbound/Dockerfile
@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14.3
+ARG DISTRO=alpine:3.14.5
 FROM $DISTRO
 ARG VERSION
--- a/setup/Dockerfile
+++ b/setup/Dockerfile
@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14.3
+ARG DISTRO=alpine:3.14.5
 FROM $DISTRO
 ARG VERSION
 ENV TZ Etc/UTC
--- a/setup/flavors/stack/setup.html
+++ b/setup/flavors/stack/setup.html
@ -4,7 +4,7 @@
 <p>Docker Stack expects a project file, named <code>docker-compose.yml</code>
 in a project directory. First create your project directory.</p>
-<pre><code>mkdir -p {{ root }}/{redis,certs,data,dkim,mail,mailqueue,overrides/rspamd,overrides/postfix,overrides/dovecot,overrides/nginx,filter,dav,webmail}
+<pre><code>mkdir -p {{ root }}/{redis,certs,data,data/fetchmail,dkim,mail,mailqueue,overrides/rspamd,overrides/postfix,overrides/dovecot,overrides/nginx,filter,dav,webmail}
 </pre></code>
 <p>Then download the project file. A side configuration file makes it easier
--- a/setup/templates/steps/compose/03_expose.html
+++ b/setup/templates/steps/compose/03_expose.html
@ -31,7 +31,7 @@ avoid generic all-interfaces addresses like <code>0.0.0.0</code> or <code>::</co
 </div>
 <div class="form-group" id="ipv6" style="display: none">
-  <p><span class="label label-danger">Read this:</span> Docker currently does not expose the IPv6 ports properly, as it does not interface with <code>ip6tables</code>. Be sure to read our <a href="https://mailu.io/{{ version }}/faq.html#how-to-make-ipv6-work">FAQ section</a> and be <b>very careful</b> if you still wish to enable this!</p>
+  <p><span class="label label-danger">Read this:</span> Docker currently does not expose the IPv6 ports properly, as it does not interface with <code>ip6tables</code>. Read <a href="https://mailu.io/{{ version }}/faq.html#how-to-make-ipv6-work">FAQ section</a> and be <b>very careful</b>. We do <b>NOT</b> recommend that you enable this!</p>
  <label>IPv6 listen address</label>
 <!--   Validates IPv6 address -->
  <input class="form-control" type="text" name="bind6" value="::1"
--- a/towncrier/newsfragments/2210.bugfix
+++ b/towncrier/newsfragments/2210.bugfix
@ -0,0 +1 @@
 Add input validation for domain creation
--- a/towncrier/newsfragments/2213.feature
+++ b/towncrier/newsfragments/2213.feature
@ -0,0 +1 @@
 Create a polite and turtle delivery queue to accommodate destinations that expect emails to be sent slowly
--- a/towncrier/newsfragments/224.feature
+++ b/towncrier/newsfragments/224.feature
@ -0,0 +1 @@
 Provide auto-configuration files (autodiscover, autoconfig & mobileconfig); Please update your DNS records
--- a/towncrier/newsfragments/2260.bugfix
+++ b/towncrier/newsfragments/2260.bugfix
@ -0,0 +1 @@
 Fix a bug where rspamd may trigger HFILTER_HOSTNAME_UNKNOWN if part of the delivery chain was using ipv6
--- a/towncrier/newsfragments/2281.bugfix
+++ b/towncrier/newsfragments/2281.bugfix
@ -0,0 +1 @@
 Update to Alpine Linux 3.14.4 which contains a security fix for openssl. 
--- a/towncrier/newsfragments/2284.bugfix
+++ b/towncrier/newsfragments/2284.bugfix
@ -0,0 +1 @@
 Fixed AUTH_RATELIMIT_IP not working on imap/pop3/smtp.
--- a/towncrier/newsfragments/2302.bugfix
+++ b/towncrier/newsfragments/2302.bugfix
@ -0,0 +1 @@
 update alpine linux docker image to version 3.14.5 which includes a security fix for zlib’s CVE-2018-25032.
--- a/towncrier/newsfragments/2338.misc
+++ b/towncrier/newsfragments/2338.misc
@ -0,0 +1 @@
 Don't send the `X-XSS-Protection` http header anymore. 
--- a/towncrier/newsfragments/2346.bugfix
+++ b/towncrier/newsfragments/2346.bugfix
@ -0,0 +1 @@
 Disable the built-in nginx resolver for traffic going through the mail plugin. This will silence errors about DNS resolution when the connecting host has no rDNS.
--- a/webmails/rainloop/defaults/application.ini
+++ b/webmails/rainloop/defaults/application.ini
@ -15,5 +15,5 @@ custom_logout_link='/sso/logout'
 enable = On
 allow_sync = On
-[plugins]
+[defaults]
 contacts_autosave = On
		`@ -0,0 +1 @@`
							`Create a polite and turtle delivery queue to accommodate destinations that expect emails to be sent slowly`
		`@ -0,0 +1 @@`
							`Provide auto-configuration files (autodiscover, autoconfig & mobileconfig); Please update your DNS records`
		`@ -0,0 +1 @@`
							`Fix a bug where rspamd may trigger HFILTER_HOSTNAME_UNKNOWN if part of the delivery chain was using ipv6`
		`@ -0,0 +1 @@`
							`Update to Alpine Linux 3.14.4 which contains a security fix for openssl.`
		`@ -0,0 +1 @@`
							`Fixed AUTH_RATELIMIT_IP not working on imap/pop3/smtp.`
		`@ -0,0 +1 @@`
							`update alpine linux docker image to version 3.14.5 which includes a security fix for zlib’s CVE-2018-25032.`
		`@ -0,0 +1 @@`
							Don't send the `X-XSS-Protection` http header anymore.
		`@ -0,0 +1 @@`
							`Disable the built-in nginx resolver for traffic going through the mail plugin. This will silence errors about DNS resolution when the connecting host has no rDNS.`