Merge branch 'master' into feat-healthchecks

7 years ago · 81b24f61e8
parent a412951a30 f2c4e52fee
commit 81b24f61e8
80 changed files with 1881 additions and 1002 deletions
--- a/core/admin/mailu/init.py
+++ b/core/admin/mailu/init.py
@ -12,7 +12,7 @@ import docker
 import socket
 import uuid
-from werkzeug.contrib import fixers
+from werkzeug.contrib import fixers, profiler
 # Create application
 app = flask.Flask(__name__)
@ -62,7 +62,10 @@ default_config = {
    'HOST_IMAP': 'imap',
    'HOST_POP3': 'imap',
    'HOST_SMTP': 'smtp',
    'HOST_WEBMAIL': 'webmail',
    'HOST_FRONT': 'front',
    'HOST_AUTHSMTP': os.environ.get('HOST_SMTP', 'smtp'),
    'POD_ADDRESS_RANGE': None
 }
 # Load configuration from the environment if available
@ -80,6 +83,10 @@ if app.config.get("DEBUG"):
    import flask_debugtoolbar
    toolbar = flask_debugtoolbar.DebugToolbarExtension(app)
 # Profiler
 if app.config.get("DEBUG"):
    app.wsgi_app = profiler.ProfilerMiddleware(app.wsgi_app, restrictions=[30])
 # Manager commnad
 manager = flask_script.Manager(app)
 manager.add_command('db', flask_migrate.MigrateCommand)
@ -129,4 +136,5 @@ class PrefixMiddleware(object):
            environ['SCRIPT_NAME'] = prefix
        return self.app(environ, start_response)
 app.wsgi_app = PrefixMiddleware(fixers.ProxyFix(app.wsgi_app))
--- a/core/admin/mailu/internal/templates/default.sieve
+++ b/core/admin/mailu/internal/templates/default.sieve
@ -32,9 +32,6 @@ if exists "X-Virus" {
  stop;
 }
-{% if user.reply_enabled %}
+{% if user.reply_active  %}
-if currentdate :value "le" "date" "{{ user.reply_enddate }}"
+vacation :days 1 :subject "{{ user.reply_subject }}" "{{ user.reply_body }}";
 {
 vacation :days 1 :subject "{{ user.reply_subject }}" "{{ user.reply_body }}";
 }
 {% endif %}
--- a/core/admin/mailu/internal/views/dovecot.py
+++ b/core/admin/mailu/internal/views/dovecot.py
@ -1,14 +1,24 @@
-from mailu import db, models
+from mailu import db, models, app
 from mailu.internal import internal
 import flask
 import socket
@internal.route("/dovecot/passdb/<user_email>")
 def dovecot_passdb_dict(user_email):
    user = models.User.query.get(user_email) or flask.abort(404)
    allow_nets = []
    allow_nets.append(
        app.config.get("POD_ADDRESS_RANGE") or
        socket.gethostbyname(app.config["HOST_FRONT"])
    )
    allow_nets.append(socket.gethostbyname(app.config["HOST_WEBMAIL"]))
    print(allow_nets)
    return flask.jsonify({
-        "password": user.password,
+        "password": None,
        "nopassword": "Y",
        "allow_nets": ",".join(allow_nets)
    })
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@ -250,6 +250,8 @@ class User(Base, Email):
    reply_enabled = db.Column(db.Boolean(), nullable=False, default=False)
    reply_subject = db.Column(db.String(255), nullable=True, default=None)
    reply_body = db.Column(db.Text(), nullable=True, default=None)
    reply_startdate = db.Column(db.Date, nullable=False,
        default=date(1900, 1, 1))
    reply_enddate = db.Column(db.Date, nullable=False,
        default=date(2999, 12, 31))
@ -276,7 +278,17 @@ class User(Base, Email):
        else:
            return self.email
-    scheme_dict = {'BLF-CRYPT': "bcrypt",
+    @property
    def reply_active(self):
        now = date.today()
        return (
            self.reply_enabled and
            self.reply_startdate < now and
            self.reply_enddate > now
        )
    scheme_dict = {'PBKDF2': "pbkdf2_sha512",
                   'BLF-CRYPT': "bcrypt",
                   'SHA512-CRYPT': "sha512_crypt",
                   'SHA256-CRYPT': "sha256_crypt",
                   'MD5-CRYPT': "md5_crypt",
@ -287,8 +299,14 @@ class User(Base, Email):
    )
    def check_password(self, password):
        context = User.pw_context
        reference = re.match('({[^}]+})?(.*)', self.password).group(2)
-        return User.pw_context.verify(password, reference)
+        result = context.verify(password, reference)
        if result and context.identify(reference) != context.default_scheme():
            self.set_password(password)
            db.session.add(self)
            db.session.commit()
        return result
    def set_password(self, password, hash_scheme=app.config['PASSWORD_SCHEME'], raw=False):
        """Set password for user with specified encryption scheme
--- a/core/admin/mailu/ui/forms.py
+++ b/core/admin/mailu/ui/forms.py
@ -117,6 +117,7 @@ class UserReplyForm(flask_wtf.FlaskForm):
    reply_subject = fields.StringField(_('Reply subject'))
    reply_body = fields.StringField(_('Reply body'),
        widget=widgets.TextArea())
    reply_startdate = fields.html5.DateField(_('Start of vacation'))
    reply_enddate = fields.html5.DateField(_('End of vacation'))
    submit = fields.SubmitField(_('Update'))
--- a/core/admin/mailu/ui/templates/user/reply.html
+++ b/core/admin/mailu/ui/templates/user/reply.html
@ -13,7 +13,7 @@
 <form class="form" method="post" role="form">
  {{ form.hidden_tag() }}
  {{ macros.form_field(form.reply_enabled,
-      onchange="if(this.checked){$('#reply_subject,#reply_body,#reply_enddate').removeAttr('readonly')}
+      onchange="if(this.checked){$('#reply_subject,#reply_body,#reply_enddate,#reply_startdate').removeAttr('readonly')}
                else{$('#reply_subject,#reply_body,#reply_enddate').attr('readonly', '')}") }}
  {{ macros.form_field(form.reply_subject,
      **{("rw" if user.reply_enabled else "readonly"): ""}) }}
@ -21,6 +21,9 @@
        **{("rw" if user.reply_enabled else "readonly"): ""}) }}
  {{ macros.form_field(form.reply_enddate,
        **{("rw" if user.reply_enabled else "readonly"): ""}) }}
  {{ macros.form_field(form.reply_startdate,
        **{("rw" if user.reply_enabled else "readonly"): ""}) }}
  {{ macros.form_field(form.submit) }}
 </form>
 {% endcall %}
--- a/core/admin/migrations/versions/3b281286c7bd_.py
+++ b/core/admin/migrations/versions/3b281286c7bd_.py
@ -0,0 +1,24 @@
 """ Add a start day for vacations
 Revision ID: 3b281286c7bd
 Revises: 25fd6c7bcb4a
 Create Date: 2018-09-27 22:20:08.158553
 """
 revision = '3b281286c7bd'
 down_revision = '25fd6c7bcb4a'
 from alembic import op
 import sqlalchemy as sa
 def upgrade():
    with op.batch_alter_table('user') as batch:
        batch.add_column(sa.Column('reply_startdate', sa.Date(), nullable=False,
            server_default="1900-01-01"))
 def downgrade():
    with op.batch_alter_table('user') as batch:
        batch.drop_column('reply_startdate')
--- a/core/dovecot/Dockerfile
+++ b/core/dovecot/Dockerfile
@ -2,7 +2,7 @@ FROM alpine:3.8
 RUN apk add --no-cache \
     dovecot dovecot-pigeonhole-plugin dovecot-fts-lucene rspamd-client \
-     python3 py3-pip \
+     bash python3 py3-pip \
 && pip3 install --upgrade pip \
 && pip3 install jinja2 podop tenacity
--- a/core/dovecot/conf/bin/ham
+++ b/core/dovecot/conf/bin/ham
@ -0,0 +1,4 @@
 #!/bin/bash
 tee >(rspamc -h antispam:11334 -P mailu learn_ham /dev/stdin) \
    | rspamc -h antispam:11334 -P mailu -f 13 fuzzy_add /dev/stdin
--- a/core/dovecot/conf/bin/mailtrain
+++ b/core/dovecot/conf/bin/mailtrain
@ -1,3 +0,0 @@
 #!/bin/sh
 rspamc -h antispam:11334 -P mailu "learn_$1" /dev/stdin <&0
--- a/core/dovecot/conf/bin/spam
+++ b/core/dovecot/conf/bin/spam
@ -0,0 +1,4 @@
 #!/bin/bash
 tee >(rspamc -h antispam:11334 -P mailu learn_spam /dev/stdin) \
    >(rspamc -h antispam:11334 -P mailu -f 11 fuzzy_add /dev/stdin)
--- a/core/dovecot/conf/dovecot.conf
+++ b/core/dovecot/conf/dovecot.conf
@ -136,7 +136,8 @@ service managesieve {
 }
 plugin {
-  sieve = dict:proxy:/tmp/podop.socket:sieve
+  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_before = dict:proxy:/tmp/podop.socket:sieve
  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_extensions = +spamtest +spamtestplus +editheader
  sieve_global_extensions = +vnd.dovecot.execute
--- a/core/dovecot/conf/report-ham.sieve
+++ b/core/dovecot/conf/report-ham.sieve
@ -8,4 +8,4 @@ if string "${mailbox}" "Trash" {
  stop;
 }
-execute :pipe "mailtrain" "ham";
+execute :pipe "ham";
--- a/core/dovecot/conf/report-spam.sieve
+++ b/core/dovecot/conf/report-spam.sieve
@ -1,3 +1,3 @@
 require "vnd.dovecot.execute";
-execute :pipe "mailtrain" "spam";
+execute :pipe "spam";
--- a/core/dovecot/start.py
+++ b/core/dovecot/start.py
@ -36,5 +36,5 @@ for dovecot_file in glob.glob("/conf/*.conf"):
 # Run Podop, then postfix
 multiprocessing.Process(target=start_podop).start()
-os.system("chown -R mail:mail /mail /var/lib/dovecot")
+os.system("chown -R mail:mail /mail /var/lib/dovecot /conf")
 os.execv("/usr/sbin/dovecot", ["dovecot", "-c", "/etc/dovecot/dovecot.conf", "-F"])
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@ -34,6 +34,8 @@ http {
      ''      $scheme;
    }
    # Disable the main http server when on kubernetes (port 80 and 443)
    {% if KUBERNETES_INGRESS != 'true' %}
    # Main HTTP server
    server {
      # Variables for proxifying
@ -48,8 +50,8 @@ http {
      # Only enable HTTPS if TLS is enabled with no error
      {% if TLS and not TLS_ERROR %}
-      listen 443 ssl;
+      listen 443 ssl http2;
-      listen [::]:443 ssl;
+      listen [::]:443 ssl http2;
      include /etc/nginx/tls.conf;
      ssl_session_cache shared:SSLHTTP:50m;
@ -91,8 +93,10 @@ http {
      {% endif %}
      location {{ WEB_WEBMAIL }} {
        {% if WEB_WEBMAIL != '/' %}
        rewrite ^({{ WEB_WEBMAIL }})$ $1/ permanent;
        rewrite ^{{ WEB_WEBMAIL }}/(.*) /$1 break;
        {% endif %}
        include /etc/nginx/proxy.conf;
        client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};
        proxy_pass http://$webmail;
@ -147,6 +151,7 @@ http {
        proxy_set_header Content-Length "";
      }
    }
    {% endif %}
    # Forwarding authentication server
    server {
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@ -2,8 +2,6 @@
 # General
 ###############
 debug_peer_list = 0.0.0.0/0
 # Main domain and hostname
 mydomain = {{ DOMAIN }}
 myhostname = {{ HOSTNAMES.split(",")[0] }}
@ -34,7 +32,7 @@ relayhost = {{ RELAYHOST }}
 recipient_delimiter = {{ RECIPIENT_DELIMITER }}
 # Only the front server is allowed to perform xclient
-smtpd_authorized_xclient_hosts={{ FRONT_ADDRESS }}
+smtpd_authorized_xclient_hosts={{ FRONT_ADDRESS }} {{ POD_ADDRESS_RANGE }}
 ###############
 # TLS
--- a/docs/Dockerfile
+++ b/docs/Dockerfile
@ -2,6 +2,9 @@ FROM python:3-alpine
 COPY requirements.txt /requirements.txt
 ARG version=master
 ENV VERSION=$version
 RUN pip install -r /requirements.txt \
 && apk add --no-cache nginx curl \
 && mkdir /run/nginx
@ -9,7 +12,8 @@ RUN pip install -r /requirements.txt \
 COPY ./nginx.conf /etc/nginx/conf.d/default.conf
 COPY . /docs
-RUN sphinx-build /docs /build
+RUN mkdir -p /build/$VERSION \
 && sphinx-build /docs /build/$VERSION
 EXPOSE 80/tcp
--- a/docs/_templates/layout.html
+++ b/docs/_templates/layout.html
@ -1,2 +1,9 @@
 {% set version=github_version %}
 {% extends "!layout.html" %}
 {% block document %}
 {% if version != stable_version %}
 <div class="wy-alert info">
    <p>You are currently browsing documentation for the <b>{{ version }}</b> branch. Documentation for the stable <b>{{ stable_version }}</b> branch can be found <a href="/{{ stable_version }}/">here</a>.</p>
 </div>
 {% endif %}
 {{ super() }}
 {% endblock %}
--- a/docs/_templates/page.html
+++ b/docs/_templates/page.html
@ -1,4 +0,0 @@
 {%- extends "layout.html" %}
 {% block body %}
  {{ body|replace("VERSION_TAG", version) }}
 {% endblock %}
--- a/docs/_templates/versions.html
+++ b/docs/_templates/versions.html
@ -0,0 +1,16 @@
  <div class="rst-versions" data-toggle="rst-versions" role="note" aria-label="versions">
    <span class="rst-current-version" data-toggle="rst-current-version">
      <span class="fa fa-book"> Versions</span>
      v: {{ version }}
      <span class="fa fa-caret-down"></span>
    </span>
    <div class="rst-other-versions">
      <dl>
        <dt>{{ _('Versions') }}</dt>
        {% for slug, url in versions %}
          <dd><a href="{{ url }}">{{ slug }}</a></dd>
        {% endfor %}
      </dl>
    </div>
  </div>
--- a/docs/compose/.env
+++ b/docs/compose/.env
@ -130,8 +130,8 @@ LOG_DRIVER=json-file
 COMPOSE_PROJECT_NAME=mailu
 # Default password scheme used for newly created accounts and changed passwords
-# (value: BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT)
+# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
-PASSWORD_SCHEME=BLF-CRYPT
+PASSWORD_SCHEME=PBKDF2
 # Header to take the real ip from
 REAL_IP_HEADER=
--- a/docs/conf.py
+++ b/docs/conf.py
@ -2,6 +2,8 @@
 # -*- coding: utf-8 -*-
 #
 import os
 extensions = ['sphinx.ext.imgmath', 'sphinx.ext.viewcode']
 templates_path = ['_templates']
 source_suffix = '.rst'
@ -9,9 +11,9 @@ master_doc = 'index'
 project = 'Mailu'
 copyright = '2018, Mailu authors'
 author = 'Mailu authors'
-version = release = 'latest'
+version = release = os.environ.get('VERSION', 'master')
 language = None
-exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
+exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store', 'Dockerfile', 'docker-compose.yml']
 pygments_style = 'sphinx'
 todo_include_todos = False
 html_theme = 'sphinx_rtd_theme'
@ -33,6 +35,11 @@ html_context = {
    'display_github': True,
    'github_user': 'mailu',
    'github_repo': 'mailu',
-    'github_version': 'master',
+    'github_version': version,
    'stable_version': '1.5',
    'versions': [
        ('1.5', '/1.5/'),
        ('master', '/master/')
    ],
    'conf_py_path': '/docs/'
 }
--- a/docs/contributors/environment.rst
+++ b/docs/contributors/environment.rst
@ -113,7 +113,8 @@ Documentation is maintained in the ``docs`` directory and are maintained as `reS
  docker build -t docs docs
  docker run -p 127.0.0.1:8080:80 docs
-You can now read the local documentation by navigating to http://localhost:8080.
+In a local build Docker always assumes the version to be master.
 You can read the local documentation by navigating to http://localhost:8080/master.
 .. note:: After modifying the documentation, the image needs to be rebuild and the container restarted for the changes to become visible.
--- a/docs/docker-compose.yml
+++ b/docs/docker-compose.yml
@ -0,0 +1,21 @@
 version: '3'
 services:
  docs_master:
    image: mailu/docs:master
    labels:
      - traefik.enable=true
      - traefik.port=80
      - traefik.main.frontend.rule=Host:${hostname};PathPrefix:/master/
  docs_15:
    image: mailu/docs:1.5
    labels:
      - traefik.enable=true
      - traefik.port=80
      - traefik.root.frontend.redirect.regex=.*
      - traefik.root.frontend.redirect.replacement=/1.5/
      - traefik.root.frontend.rule=Host:${hostname};PathPrefix:/
      - traefik.main.frontend.rule=Host:${hostname};PathPrefix:/1.5/
--- a/docs/index.rst
+++ b/docs/index.rst
@ -55,7 +55,7 @@ the version of Mailu that you are running.
    configuration
    compose/requirements
    compose/setup
-    kubernetes/stable/index
+    kubernetes/mailu/index
    dns
    reverse
--- a/docs/kubernetes/1.6/README.md
+++ b/docs/kubernetes/1.6/README.md
@ -1,157 +0,0 @@
 # Install Mailu master on kubernetes
 ## Prequisites
 ### Structure
 There's chosen to have a double NGINX stack for Mailu, this way the main ingress can still be used to access other websites/domains on your cluster. This is the current structure:
 - `NGINX Ingress controller`: Listens to the nodes ports 80 & 443 and directly forwards all TCP traffic on the E-amail ports (993,143,25,587,...). This is because this `DaemonSet` already consumes ports 80 & 443 and uses `hostNetwork: true`
 - `Cert manager`: Creates automatic Lets Encrypt certificates based on an `Ingress`-objects domain name.
 - `Mailu NGINX Front container`: This container receives all the mail traffic forwarded from the ingress controller. The web traffic is also forwarded based on an ingress
 - `Mailu components`: All Mailu components are split into separate files to make them more 
 ### What you need
 - A working Kubernetes cluster (tested with 1.10.5)
 - A working [cert-manager](https://github.com/jetstack/cert-manager) installation
 - A working nginx-ingress controller needed for the lets-encrypt certificates. You can find those files in the `nginx` subfolder
 #### Cert manager
 The `Cert-manager` is quite easy to deploy using Helm when reading the [docs](https://cert-manager.readthedocs.io/en/latest/getting-started/2-installing.html). 
 After booting the `Cert-manager` you'll need a `ClusterIssuer` which takes care of all required certificates through `Ingress` items. An example:
 ```yaml
 apiVersion: certmanager.k8s.io/v1alpha1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt-prod
 spec:
  acme:
    email: something@example.com
    http01: {}
    privateKeySecretRef:
      key: ""
      name: letsencrypt-stage
    server: https://acme-v02.api.letsencrypt.org/directory
 ```
 ## Deploying Mailu
 All manifests can be found in the `mailu` subdirectory. All commands below need to be run from this subdirectory
 ### Personalization
 - All services run in the same namespace, currently `mailu-mailserver`. So if you want to use a different one, change the `namespace` value in **every** file
 - Check the `storage-class` field in the `pvc.yaml` file, you can also change the sizes to your liking. Note that you need `RWX` (read-write-many) and `RWO` (read-write-once) storageclasses.
 - Check the `configmap.yaml` and adapt it to your needs. Be sure to check the kubernetes DNS values at the end (if you use a different namespace)
 - Check the `ingress-ssl.yaml` and change it to the domain you want (this is for the kubernetes ingress controller, it will forward to `mailu/nginx` a.k.a. the `front` pod)
 ## Installation
 First run the command to start Mailu:
 ```bash
 kubectl create -f rbac.yaml
 kubectl create -f configmap.yaml
 kubectl create -f pvc.yaml
 kubectl create -f ingress-ssl.yaml
 kubectl create -f redis.yaml
 kubectl create -f front.yaml
 kubectl create -f webmail.yaml
 kubectl create -f imap.yaml
 kubectl create -f security.yaml
 kubectl create -f smtp.yaml
 kubectl create -f fetchmail.yaml
 kubectl create -f admin.yaml
 kubectl create -f webdav.yaml
 ```
 ## Create the first admin account
 When the cluster is online you need to create you master user to access `https://mail.example.com/admin`.
 Enter the main `admin` pod to create the root account:
 ```bash
 kubectl -n mailu-mailserver get po
 kubectl -n mailu-mailserver exec -it mailu-admin-.... /bin/sh
 ```
 And in the pod run the following command. The command uses following entries:
 - `admin` Make it an admin user
 - `root` The first part of the e-mail adres (ROOT@example.com)
 - `example.com` the domain appendix
 - `password` the chosen password for the user
 ```bash
 python manage.py admin root example.com password
 ```
 Now you should be able to login on the mail account: `https://mail.example.com/admin`
 ## Adaptations
 ### Postfix
 I noticed you need an override for the `postfix` server in order to be able to send mail. I noticed Google wasn't able to deliver mail to my account and it had to do with the `smtpd_authorized_xclient_hosts` value in the config file. The config can be read [here](https://github.com/hacor/Mailu/blob/master/core/postfix/conf/main.cf#L35) and is pointing to a single IP of the service. But the requests come from the host IPs (the NGINX Ingress proxy) and they don't use the service specific IP.
 Enter the `postfix` pod:
 ```bash
 kubectl -n mailu-mailserver get po
 kubectl -n mailu-mailserver exec -it mailu-smtp-.... /bin/sh
 ```
 Now you're in the pod, create an override file like so:
 ```bash
 vi /overrides/postfix.cf
 ```
 And give it the following contents, off course replacing `10.2.0.0/16` with the CIDR of your pod range. This way the NGINX pods can also restart and your mail server will still operate
 ```bash
 not_needed = true
 smtpd_authorized_xclient_hosts = 10.2.0.0/16
 ```
 The first line seems stupid, but is needed because its pasted after a #, so from the second line we're really in action.
 Save and close the file and exit. Now you need to delete the pod in order to recreate the config file.
 ```bash
 kubectl -n mailu-mailserver delete po/mailu-smtp-....
 ```
 ### Dovecot
 - If you are using Dovecot on a shared file system (Glusterfs, NFS,...), you need to create a special override otherwise a lot of indexing errors will occur on your Dovecot pod.
 - I also higher the number of max connections per IP. Now it's limited to 10.
 Enter the dovecot pod:
 ```bash
 kubectl -n mailu-mailserver get po
 kubectl -n mailu-mailserver exec -it mailu-imap-.... /bin/sh
 ```
 Create the file `/overrides/dovecot.conf`
 ```bash
 vi /overrides/dovecot.conf
 ```
 And enter following contents:
 ```bash
 mail_nfs_index = yes
 mail_nfs_storage = yes
 mail_fsync = always
 mmap_disable = yes
 mail_max_userip_connections=100
 ```
 Save and close the file and delete the imap pod to get it recreated.
 ```bash
 kubectl -n mailu-mailserver delete po/mailu-imap-....
 ```
 Wait for the pod to recreate and you're online!
 Happy mailing!
 Wait for the pod to recreate and you're online!
 Happy mailing!
--- a/docs/kubernetes/1.6/mailu/ingress-ssl.yaml
+++ b/docs/kubernetes/1.6/mailu/ingress-ssl.yaml
@ -1,32 +0,0 @@
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: mailu-ssl-ingress
  namespace: mailu-mailserver
  annotations:
    kubernetes.io/ingress.class: tectonic
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    ingress.kubernetes.io/ssl-redirect: "true"
    # Replace letsencrypt-prod with the name of the certificate issuer
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
    #ingress.kubernetes.io/rewrite-target: "/"
    #ingress.kubernetes.io/app-root: "/ui"
    #ingress.kubernetes.io/follow-redirects: "true"
  labels:
    app: mailu
    role: mail
    tier: backend
 spec:
  tls:
  - hosts:
    - "mail.example.com"
    secretName: letsencrypt-certs-all # If unsure how to generate these, check out https://github.com/ployst/docker-letsencrypt
  rules:
  - host: "mail.example.com"
    http:
      paths:
      - path: "/"
        backend:
          serviceName: front
          servicePort: 80
--- a/docs/kubernetes/1.6/mailu/static-ips.yaml
+++ b/docs/kubernetes/1.6/mailu/static-ips.yaml
--- a/docs/kubernetes/mailu/admin-ingress.yaml
+++ b/docs/kubernetes/mailu/admin-ingress.yaml
@ -0,0 +1,86 @@
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: mailu-admin-ingress
  namespace: mailu-mailserver
  annotations:
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    certmanager.k8s.io/cluster-issuer: letsencrypt-stage
    ingress.kubernetes.io/permanent-redirect: "https://mail.example.com/admin/ui/"
    ingress.kubernetes.io/follow-redirects: "true"
  labels:
    app: mailu
    role: mail
    tier: backend
 spec:
  tls:
  - hosts:
    - "mail.example.com"
    secretName: letsencrypt-certs-all # If unsure how to generate these, check out https://github.com/ployst/docker-letsencrypt
  rules:
  - host: "mail.example.com"
    http:
      paths:
      - path: "/admin"
        backend:
          serviceName: admin
          servicePort: 80
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: mailu-admin-ui-ingress
  namespace: mailu-mailserver
  annotations:
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/cluster-issuer: letsencrypt-stage
    ingress.kubernetes.io/rewrite-target: "/ui"
    ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header X-Forwarded-Prefix /admin;
  labels:
    app: mailu
    role: mail
    tier: backend
 spec:
  tls:
  - hosts:
    - "mail.example.com"
    secretName: letsencrypt-certs-all # If unsure how to generate these, check out https://github.com/ployst/docker-letsencrypt
  rules:
  - host: "mail.example.com"
    http:
      paths:
      - path: "/admin/ui"
        backend:
          serviceName: admin
          servicePort: 80
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: mailu-admin-static-ingress
  namespace: mailu-mailserver
  annotations:
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/cluster-issuer: letsencrypt-stage
    ingress.kubernetes.io/rewrite-target: "/static"
    ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header X-Forwarded-Prefix /admin;
  labels:
    app: mailu
    role: mail
    tier: backend
 spec:
  tls:
  - hosts:
    - "mail.example.com"
    secretName: letsencrypt-certs-all # If unsure how to generate these, check out https://github.com/ployst/docker-letsencrypt
  rules:
  - host: "mail.example.com"
    http:
      paths:
      - path: "/admin/static"
        backend:
          serviceName: admin
          servicePort: 80
--- a/docs/kubernetes/1.6/mailu/admin.yaml
+++ b/docs/kubernetes/1.6/mailu/admin.yaml
@ -1,4 +1,3 @@
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
--- a/docs/kubernetes/1.6/mailu/configmap.yaml
+++ b/docs/kubernetes/1.6/mailu/configmap.yaml
@ -21,7 +21,7 @@
    VERSION: "master"
    # Set to a randomly generated 16 bytes string
-    SECRET_KEY: "YourKeyHere"
+    SECRET_KEY: "MySup3rS3cr3tPas"
    # Address where listening ports should bind
    BIND_ADDRESS4: "127.0.0.1"
@ -45,6 +45,14 @@
    # Opt-out of statistics, replace with "True" to opt out
    DISABLE_STATISTICS: "False"
    ###################################
    # Kubernetes configuration
    ###################################
    # Use Kubernetes Ingress Controller to handle all actions on port 80 and 443
    # This way we can make use of the advantages of the cert-manager deployment
    KUBERNETES_INGRESS: "true"
    ###################################
    # Optional features
    ###################################
@ -71,19 +79,18 @@
    # Default: accept messages up to 50MB
    MESSAGE_SIZE_LIMIT: "50000000"
    # Networks granted relay permissions, make sure that you include your Docker
    # internal network (default to 172.17.0.0/16)
    # For kubernetes this is the CIDR of the pod network
    RELAYNETS: "10.2.0.0/16"
    POD_ADDRESS_RANGE: "10.2.0.0/16"
    # Will relay all outgoing mails if configured
    #RELAYHOST=
    # This part is needed for the XCLIENT login for postfix. This should be the POD ADDRESS range
    FRONT_ADDRESS: "front.mailu-mailserver.svc.cluster.local"
    # This value  is needed by the webmail to find the correct imap backend
    IMAP_ADDRESS: "imap.mailu-mailserver.svc.cluster.local"
    # This value is used by Dovecot to find the Redis server in the cluster
    REDIS_ADDRESS: "redis.mailu-mailserver.svc.cluster.local"
    # Fetchmail delay
    FETCHMAIL_DELAY: "600"
@ -106,13 +113,16 @@
    ###################################
    # Path to the admin interface if enabled
    # Kubernetes addition: You need to change ALL the ingresses, when you want this URL to be different!!!
    WEB_ADMIN: "/admin"
    # Path to the webmail if enabled
    # Currently, this is not used, because we intended to use a different subdomain: webmail.example.com
    # This option can be added in a feature release
    WEB_WEBMAIL: "/webmail"
    # Website name
-    SITENAME: "AppSynth"
+    SITENAME: "Mailu"
    # Linked Website URL
    WEBSITE: "https://example.com"
--- a/docs/kubernetes/1.6/mailu/fetchmail.yaml
+++ b/docs/kubernetes/1.6/mailu/fetchmail.yaml
--- a/docs/kubernetes/1.6/mailu/front.yaml
+++ b/docs/kubernetes/1.6/mailu/front.yaml
@ -1,23 +1,41 @@
-
+apiVersion: apps/v1beta2
-apiVersion: extensions/v1beta1
+kind: DaemonSet
 kind: Deployment
 metadata:
  name: mailu-front
  namespace: mailu-mailserver
  labels:
    k8s-app: mail-loadbalancer
    component: ingress-controller
    type: nginx
 spec:
-  replicas: 1
+  selector:
    matchLabels:
      k8s-app: mail-loadbalancer
      component: ingress-controller
      type: nginx
  template:
    metadata:
      labels:
-        app: mailu-front
+        k8s-app: mail-loadbalancer
-        role: mail
+        component: ingress-controller
-        tier: backend
+        type: nginx
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: node-role.kubernetes.io/node
                operator: Exists
      hostNetwork: true
      nodeSelector:
        node-role.kubernetes.io/node: ""
      dnsPolicy: ClusterFirstWithHostNet
      restartPolicy: Always
      terminationGracePeriodSeconds: 60
      containers:
      - name: front
-        image: mailu/nginx:latest
+        image: mailu/nginx:master
        imagePullPolicy: Always
        envFrom:
          - configMapRef:
@ -26,12 +44,6 @@ spec:
          - name: certs
            mountPath: /certs
        ports:
          - name: http
            containerPort: 80
            protocol: TCP
          - name: https
            containerPort: 443
            protocol: TCP
          - name: pop3
            containerPort: 110
            protocol: TCP
@ -85,21 +97,15 @@ metadata:
  name: front
  namespace: mailu-mailserver
  labels:
-    app: mailu-admin
+    k8s-app: mail-loadbalancer
-    role: mail
+    component: ingress-controller
-    tier: backend
+    type: nginx
 spec:
  selector:
-    app: mailu-front
+    k8s-app: mail-loadbalancer
-    role: mail
+    component: ingress-controller
-    tier: backend
+    type: nginx
  ports:
  - name: http
    port: 80
    protocol: TCP
  - name: https
    port: 443
    protocol: TCP
  - name: pop3
    port: 110
    protocol: TCP
--- a/docs/kubernetes/1.6/mailu/imap.yaml
+++ b/docs/kubernetes/1.6/mailu/imap.yaml
@ -37,8 +37,8 @@ spec:
          - containerPort: 4190
        resources:
          requests:
-            memory: 500Mi
+            memory: 1Gi
-            cpu: 500m
+            cpu: 1000m
          limits:
            memory: 1Gi
            cpu: 1000m
--- a/docs/kubernetes/mailu/index.rst
+++ b/docs/kubernetes/mailu/index.rst
@ -0,0 +1,193 @@
 Install Mailu master on kubernetes
 ==================================
 Prequisites
 -----------
 Structure
 ~~~~~~~~~
 There’s chosen to have a double NGINX stack for Mailu, this way the main
 ingress can still be used to access other websites/domains on your
 cluster. This is the current structure:
 -  ``NGINX Ingress controller``: Listens to the nodes ports 80 & 443. We have chosen to have a double NGINX stack for Mailu.
 -  ``Cert manager``: Creates automatic Lets Encrypt certificates based on an ``Ingress``-objects domain name.
 -  ``Mailu NGINX Front daemonset``: This daemonset runs in parallel with the Nginx Ingress Controller and only listens on all E-mail specific ports (25, 110, 143, 587,...)
 -  ``Mailu components``: All Mailu components (imap, smtp, security, webmail,...) are split into separate files to make them more handy to use, you can find the ``YAML`` files in this directory
 What you need
 ~~~~~~~~~~~~~
 -  A working Kubernetes cluster (tested with 1.10.5)
 -  A working `cert-manager`_ installation
 -  A working nginx-ingress controller needed for the lets-encrypt
   certificates. You can find those files in the ``nginx`` subfolder
 Cert manager
 ^^^^^^^^^^^^
 The ``Cert-manager`` is quite easy to deploy using Helm when reading the
 `docs`_. After booting the ``Cert-manager`` you’ll need a
 ``ClusterIssuer`` which takes care of all required certificates through
 ``Ingress`` items. We chose to provide a ``clusterIssuer`` so you can provide SSL certificates
 for other namespaces (different websites/services), if you don't need this option, you can easily change this by
 changing ``clusterIssuer`` to ``Issuer`` and adding the ``namespace: mailu-mailserver`` to the metadata.
 An example of a production and a staging ``clusterIssuer``:
 .. code:: yaml
   # This clusterIssuer example uses the staging environment for testing first
   apiVersion: certmanager.k8s.io/v1alpha1
   kind: ClusterIssuer
   metadata:
     name: letsencrypt-stage
   spec:
     acme:
       email: something@example.com
       http01: {}
       privateKeySecretRef:
         name: letsencrypt-stage
       server: https://acme-staging-v02.api.letsencrypt.org/directory
 .. code:: yaml
   # This clusterIssuer example uses the production environment
   apiVersion: certmanager.k8s.io/v1alpha1
   kind: ClusterIssuer
   metadata:
     name: letsencrypt-prod
   spec:
     acme:
       email: something@example.com
       http01: {}
       privateKeySecretRef:
         name: letsencrypt-prod
       server: https://acme-v02.api.letsencrypt.org/directory
 **IMPORTANT**: All ``*-ingress.yaml`` files use the ``letsencrypt-stage`` ``clusterIssuer``. If you are ready for production,
 change this field in all ``*-ingress.yaml`` files to ``letsencrypt-prod`` or whatever name you chose for the production.
 If you choose for ``Issuer`` instead of ``clusterIssuer`` you also need to change the annotation to ``certmanager.k8s.io/issuer`` instead of ``certmanager.k8s.io/cluster-issuer``
 Deploying Mailu
 ---------------
 All manifests can be found in the ``mailu`` subdirectory. All commands
 below need to be run from this subdirectory
 Personalization
 ~~~~~~~~~~~~~~~
 -  All services run in the same namespace, currently ``mailu-mailserver``. So if you want to use a different one, change the ``namespace`` value in **every** file
 -  Check the ``storage-class`` field in the ``pvc.yaml`` file, you can also change the sizes to your liking. Note that you need ``RWX`` (read-write-many) and ``RWO`` (read-write-once) storageclasses.
 -  Check the ``configmap.yaml`` and adapt it to your needs. Be sure to check the kubernetes DNS values at the end (if you use a different namespace)
 -  Check the ``*-ingress.yaml`` files and change it to the domain you want (this is for the kubernetes ingress controller to handle the admin, webmail, webdav and auth connections)
 Installation
 ------------
 Boot the Mailu components
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 To start Mailu, run the following commands from the ``docs/kubernetes/mailu`` directory
 .. code-block:: bash
    kubectl create -f rbac.yaml
    kubectl create -f configmap.yaml
    kubectl create -f pvc.yaml
    kubectl create -f redis.yaml
    kubectl create -f front.yaml
    kubectl create -f webmail.yaml
    kubectl create -f imap.yaml
    kubectl create -f security.yaml
    kubectl create -f smtp.yaml
    kubectl create -f fetchmail.yaml
    kubectl create -f admin.yaml
    kubectl create -f webdav.yaml
    kubectl create -f admin-ingress.yaml
    kubectl create -f webdav-ingress.yaml
    kubectl create -f security-ingress.yaml
    kubectl create -f webmail-ingress.yaml
 Create the first admin account
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 When the cluster is online you need to create you master user to access https://mail.example.com/admin
 Enter the main ``admin`` pod to create the root account:
 .. code-block:: bash
    kubectl -n mailu-mailserver get po
    kubectl -n mailu-mailserver exec -it mailu-admin-.... /bin/sh
 And in the pod run the following command. The command uses following entries:
 .. code-block:: bash
    python manage.py admin root example.com password
 - ``admin`` Make it an admin user
 - ``root`` The first part of the e-mail adres (ROOT@example.com)
 - ``example.com`` the domain appendix
 - ``password`` the chosen password for the user
 Now you should be able to login on the mail account: https://mail.example.com/admin
 Adaptations
 -----------
 Dovecot
 ~~~~~~~
 - If you are using Dovecot on a shared file system (Glusterfs, NFS,...), you need to create a special override otherwise a lot of indexing errors will occur on your Dovecot pod.
 - I also higher the number of max connections per IP. Now it's limited to 10.
 Enter the dovecot pod:
 .. code:: bash
    kubectl -n mailu-mailserver get po
    kubectl -n mailu-mailserver exec -it mailu-imap-.... /bin/sh
 Create the file ``overrides/dovecot.conf``
 .. code:: bash
    vi /overrides/dovecot.conf
 And enter following contents:
 .. code:: bash
    mail_nfs_index = yes
    mail_nfs_storage = yes
    mail_fsync = always
    mmap_disable = yes
    mail_max_userip_connections=100
 Save and close the file and delete the imap pod to get it recreated.
 .. code:: bash
    kubectl -n mailu-mailserver delete po/mailu-imap-....
 Wait for the pod to recreate and you're online!
 Happy mailing!
 .. _here: https://github.com/hacor/Mailu/blob/master/core/postfix/conf/main.cf#L35
 .. _cert-manager: https://github.com/jetstack/cert-manager
 .. _docs: https://cert-manager.readthedocs.io/en/latest/getting-started/2-installing.html
 Imap login fix
 ~~~~~~~~~~~~~~
 If it seems you're not able to login using IMAP on your Mailu accounts, check the logs of the imap container to see whether it's a permissions problem on the database.
 This problem can be easily fixed by running following commands:
 .. code:: bash
    kubectl -n mailu-mailserver exec -it maolu-imap-... /bin/sh
    chmod 777 /data/main.db
--- a/docs/kubernetes/1.6/mailu/pvc.yaml
+++ b/docs/kubernetes/1.6/mailu/pvc.yaml
--- a/docs/kubernetes/1.6/mailu/rbac.yaml
+++ b/docs/kubernetes/1.6/mailu/rbac.yaml
--- a/docs/kubernetes/1.6/mailu/redis.yaml
+++ b/docs/kubernetes/1.6/mailu/redis.yaml
--- a/docs/kubernetes/mailu/security-ingress.yaml
+++ b/docs/kubernetes/mailu/security-ingress.yaml
@ -0,0 +1,30 @@
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: mailu-antispam-ingress
  namespace: mailu-mailserver
  annotations:
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/cluster-issuer: letsencrypt-stage
    ingress.kubernetes.io/configuration-snippet: |
      rewrite ^/admin/antispam/(.*) /$1 break;
      auth_request /internal/auth/admin;
      proxy_set_header X-Real-IP "";
      proxy_set_header X-Forwarded-For "";
  labels:
    app: mailu
    role: mail
    tier: frontend
 spec:
  tls:
  - hosts:
    - "mail.example.com"
    secretName: letsencrypt-certs-all # If unsure how to generate these, check out https://github.com/ployst/docker-letsencrypt
  rules:
  - host: "mail.example.com"
    http:
      paths:
      - path: "/admin/antispam"
        backend:
          serviceName: antispam
          servicePort: 11334
--- a/docs/kubernetes/1.6/mailu/security.yaml
+++ b/docs/kubernetes/1.6/mailu/security.yaml
@ -31,6 +31,9 @@ spec:
          - name: antispam
            containerPort: 11332
            protocol: TCP
          - name: antispam-http
            containerPort: 11334
            protocol: TCP
        volumeMounts:
          - name: filter
            subPath: filter
@ -87,6 +90,9 @@ spec:
  - name: antispam
    port: 11332
    protocol: TCP
  - name: antispam-http
    protocol: TCP
    port: 11334
 ---
--- a/docs/kubernetes/1.6/mailu/smtp.yaml
+++ b/docs/kubernetes/1.6/mailu/smtp.yaml
@ -21,10 +21,10 @@ spec:
              name: mailu-config
        resources:
          requests:
-            memory: 500Mi
+            memory: 2Gi
-            cpu: 200m
+            cpu: 500m
          limits:
-            memory: 1Gi
+            memory: 2Gi
            cpu: 500m
        volumeMounts:
          - mountPath: /data
--- a/docs/kubernetes/mailu/webdav-ingress.yaml
+++ b/docs/kubernetes/mailu/webdav-ingress.yaml
@ -0,0 +1,46 @@
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: mailu-webdav-ingress
  namespace: mailu-mailserver
  annotations:
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    certmanager.k8s.io/cluster-issuer: letsencrypt-stage
    #ingress.kubernetes.io/auth-url: http://admin.mailu-mailserver.svc.cluster.local/internal/auth/basic
    ingress.kubernetes.io/configuration-snippet: |
      rewrite ^/webdav/(.*) /$1 break;
      auth_request /internal/auth/basic;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      auth_request_set $user $upstream_http_x_user;
      proxy_set_header X-Remote-User $user;
      proxy_set_header X-Script-Name /webdav;
    ingress.kubernetes.io/server-snippet: |
      location /internal {
        internal;
        proxy_set_header Authorization $http_authorization;
        proxy_pass_header Authorization;
        proxy_pass http://admin.mailu-mailserver.svc.cluster.local;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
      }
  labels:
    app: mailu
    role: mail
    tier: frontend
 spec:
  tls:
  - hosts:
    - "mail.example.com"
    secretName: letsencrypt-certs-all # If unsure how to generate these, check out https://github.com/ployst/docker-letsencrypt
  rules:
  - host: "mail.example.com"
    http:
      paths:
      - path: "/webdav"
        backend:
          serviceName: webdav
          servicePort: 5232
--- a/docs/kubernetes/1.6/mailu/webdav.yaml
+++ b/docs/kubernetes/1.6/mailu/webdav.yaml
--- a/docs/kubernetes/mailu/webmail-ingress.yaml
+++ b/docs/kubernetes/mailu/webmail-ingress.yaml
@ -0,0 +1,31 @@
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: mailu-webmail-ingress
  namespace: mailu-mailserver
  annotations:
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    certmanager.k8s.io/cluster-issuer: letsencrypt-stage
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
  labels:
    app: mailu
    role: mail
    tier: backend
 spec:
  tls:
  - hosts:
    - "webmail.example.com"
    secretName: letsencrypt-webmail # If unsure how to generate these, check out https://github.com/ployst/docker-letsencrypt
  rules:
    - host: "webmail.example.com"
      http:
        paths:
        - path: "/"
          backend:
            serviceName: webmail
            servicePort: 80
--- a/docs/kubernetes/1.6/mailu/webmail.yaml
+++ b/docs/kubernetes/1.6/mailu/webmail.yaml
@ -15,7 +15,7 @@ spec:
    spec:
      containers:
      - name: roundcube
-        image: mailu/roundcube:1.5
+        image: mailu/roundcube:master
        imagePullPolicy: Always
        envFrom:
          - configMapRef:
--- a/docs/kubernetes/1.6/nginx/default-http-backend.yaml
+++ b/docs/kubernetes/1.6/nginx/default-http-backend.yaml
--- a/docs/kubernetes/1.6/nginx/nginx-ingress.yaml
+++ b/docs/kubernetes/1.6/nginx/nginx-ingress.yaml
@ -2,15 +2,15 @@ apiVersion: v1
 kind: Service
 metadata:
  # keep it under 24 chars
-  name: appsynth-lb
+  name: ingress-lb
  namespace: kube-ingress
  labels:
-    k8s-app: appsynth-lb
+    k8s-app: ingress-lb
    component: ingress-controller
 spec:
  type: ClusterIP
  selector:
-    k8s-app: appsynth-lb
+    k8s-app: ingress-lb
    component: ingress-controller
  ports:
    - name: http
@ -35,13 +35,6 @@ metadata:
  name: tcp-services
  namespace: kube-ingress
 data:
  25: "mailu-mailserver/front:25"
  110: "mailu-mailserver/front:110"
  465: "mailu-mailserver/front:465"
  587: "mailu-mailserver/front:587"
  143: "mailu-mailserver/front:143"
  993: "mailu-mailserver/front:993"
  995: "mailu-mailserver/front:995"
 ---
 apiVersion: v1
@ -61,7 +54,7 @@ metadata:
    prometheus.io/port: "10254"
    prometheus.io/scrape: "true"
  labels:
-    k8s-app: appsynth-lb
+    k8s-app: ingress-lb
    component: ingress-controller
    type: nginx
 spec:
@ -71,13 +64,13 @@ spec:
    type: RollingUpdate
  selector:
    matchLabels:
-      k8s-app: appsynth-lb
+      k8s-app: ingress-lb
      component: ingress-controller
      type: nginx
  template:
    metadata:
      labels:
-        k8s-app: appsynth-lb
+        k8s-app: ingress-lb
        component: ingress-controller
        type: nginx
    spec:
@ -94,14 +87,11 @@ spec:
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.16.2
          args:
          - /nginx-ingress-controller
          - --configmap=$(POD_NAMESPACE)/tectonic-custom-error
          - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
          #- --default-ssl-certificate=tectonic-system/tectonic-ingress-tls-secret
          - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
          - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
          - --annotations-prefix=ingress.kubernetes.io
          - --enable-ssl-passthrough
          - --ingress-class=tectonic
          # use downward API
          env:
            - name: POD_NAME
@ -115,10 +105,8 @@ spec:
          ports:
            - name: http
              containerPort: 80
              hostPort: 80
            - name: https
              containerPort: 443
              hostPort: 443
          readinessProbe:
            httpGet:
              path: /healthz
@ -134,6 +122,6 @@ spec:
      hostNetwork: true
      nodeSelector:
        node-role.kubernetes.io/node: ""
-      dnsPolicy: ClusterFirst
+      dnsPolicy: ClusterFirstWithHostNet
      restartPolicy: Always
      terminationGracePeriodSeconds: 60
--- a/docs/kubernetes/1.6/nginx/rbac.yaml
+++ b/docs/kubernetes/1.6/nginx/rbac.yaml
--- a/docs/kubernetes/stable/index.rst
+++ b/docs/kubernetes/stable/index.rst
@ -1,26 +0,0 @@
 Kubernetes setup
 ================
 Please note that Kubernetes setup is not yet well supported or documented, all
 tests currently run on Docker Compose. The configuration has not yet been updated
 to work properly with ngin authentication proxy.
 Prepare the environment
 -----------------------
 The resource configurations in this folder assume that you have `Kubernetes Ingress`_
 set up for your cluster. If you are not using the `NGINX Ingress Controller for Kubernetes`_,
 please ensure that the configuration specified in the file matches your set up.
 .. _`Kubernetes Ingress`: https://kubernetes.io/docs/concepts/services-networking/ingress/
 .. _`NGINX Ingress Controller for Kubernetes`: https://github.com/kubernetes/ingress/tree/master/controllers/nginx
 Setup the Kubernetes service
 ----------------------------
 Using the resource configurations is simple:
 1. ``kubectl apply -f kubernetes-nginx-ingress-controller.yaml`` to configure an ingress controller with the proper settings. (If you have one set up already you may need to port the configuration to your own ingress).
 2. ``kubectl apply -f kubernetes-mailu.yaml`` to create the resources required to run Mailu.
 Based on the configuration, your Mailu instance should be available at ``mail.<hostname>.tld/admin`` (note that visiting just ``mail.<hostname>.tld`` will likely result in a 404 error).
--- a/docs/kubernetes/stable/kubernetes-mailu.yaml
+++ b/docs/kubernetes/stable/kubernetes-mailu.yaml
@ -1,419 +0,0 @@
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: mailu-admin-ing
  labels:
    app: mailu
    role: mail
    tier: backend
 spec:
  tls:
  - hosts:
    - "mail.example.com"
    secretName: letsencrypt-certs-all # If unsure how to generate these, check out https://github.com/ployst/docker-letsencrypt
  rules:
  - host: "mail.example.com"
    http:
      paths:
      - path: "/admin"
        backend:
          serviceName: mailu-admin
          servicePort: 80
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
  name: mailu-redis
 spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: mailu-redis
        role: mail
        tier: backend
    spec:
      containers:
      - name: redis
        image: redis:4.0-alpine
        imagePullPolicy: Always
        volumeMounts:
          - mountPath: /data
            name: redisdata
        ports:
          - containerPort: 6379
            name: redis
            protocol: TCP
      volumes:
        - name: redisdata
          hostPath:
            path: /var/data/mailu/redisdata
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: redis
  labels:
    app: mailu-redis
    role: mail
    tier: backend
 spec:
  selector:
    app: mailu
    role: mail
    tier: backend
  ports:
  - name: redis
    port: 6379
    protocol: TCP
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
  name: mailu-imap
 spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: mailu-imap
        role: mail
        tier: backend
    spec:
      containers:
      - name: imap
        image: mailu/dovecot:stable
        imagePullPolicy: Always
        env:
          - name  : DOMAIN
            value : example.com
          - name  : HOSTNAME
            value : mail.example.com
          - name  : POSTMASTER
            value : admin
        volumeMounts:
          - mountPath: /data
            name: maildata
          - mountPath: /mail
            name: mailstate
          - mountPath: /overrides
            name: overrides
          - mountPath: /certs
            name: certs
            readOnly: true
        ports:
          - containerPort: 2102
          - containerPort: 2525
          - containerPort: 143
          - containerPort: 993
          - containerPort: 4190
      volumes:
        - name: maildata
          hostPath:
            path: /var/data/mailu/maildata
        - name: mailstate
          hostPath:
            path: /var/data/mailu/mailstate
        - name: overrides
          hostPath:
            path: /var/data/mailu/overrides
        - name: certs
          secret:
            items:
              - key: tls.crt
                path: cert.pem
              - key: tls.key
                path: key.pem
            secretName: letsencrypt-certs-all
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: imap
  labels:
    app: mailu
    role: mail
    tier: backend
 spec:
  selector:
    app: mailu-imap
    role: mail
    tier: backend
  ports:
  ports:
  - name: imap-auth
    port: 2102
    protocol: TCP
  - name: imap-transport
    port: 2525
    protocol: TCP
  - name: imap-default
    port: 143
    protocol: TCP
  - name: imap-ssl
    port: 993
    protocol: TCP
  - name: sieve
    port: 4190
    protocol: TCP
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
  name: mailu-smtp
 spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: mailu-smtp
        role: mail
        tier: backend
    spec:
      containers:
      - name: smtp
        image: mailu/postfix:stable
        imagePullPolicy: Always
        env:
          - name  : DOMAIN
            value : example.com
          - name  : HOSTNAME
            value : mail.example.com
          - name  : MESSAGE_SIZE_LIMIT
            value : "50000000"
          - name  : RELAYHOST
            value : ""
        volumeMounts:
          - mountPath: /data
            name: maildata
          - mountPath: /overrides
            name: overrides
          - mountPath: /certs
            name: certs
            readOnly: true
        ports:
          - name: smtp
            containerPort: 25
            protocol: TCP
          - name: smtp-ssl
            containerPort: 465
            protocol: TCP
          - name: smtp-starttls
            containerPort: 587
            protocol: TCP
      volumes:
        - name: maildata
          hostPath:
            path: /var/data/mailu/maildata
        - name: overrides
          hostPath:
            path: /var/data/mailu/overrides
        - name: certs
          secret:
            items:
              - key: tls.crt
                path: cert.pem
              - key: tls.key
                path: key.pem
            secretName: letsencrypt-certs-all
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: smtp
  labels:
    app: mailu
    role: mail
    tier: backend
 spec:
  selector:
    app: mailu-smtp
    role: mail
    tier: backend
  ports:
  - name: smtp
    port: 25
    protocol: TCP
  - name: smtp-ssl
    port: 465
    protocol: TCP
  - name: smtp-starttls
    port: 587
    protocol: TCP
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
  name: mailu-security
 spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: mailu-security
        role: mail
        tier: backend
    spec:
      containers:
      - name: antispam
        image: mailu/rspamd:stable
        imagePullPolicy: Always
        ports:
          - name: antispam
            containerPort: 11333
            protocol: TCP
        volumeMounts:
          - name: filter
            mountPath: /var/lib/rspamd
      - name: antivirus
        image: mailu/clamav:stable
        imagePullPolicy: Always
        ports:
          - name: antivirus
            containerPort: 3310
            protocol: TCP
        volumeMounts:
          - name: filter
            mountPath: /data
      volumes:
        - name: filter
          hostPath:
            path: /var/data/mailu/filter
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: antispam
  labels:
    app: mailu-antispam
    role: mail
    tier: backend
 spec:
  selector:
    app: mailu-security
    role: mail
    tier: backend
  ports:
  - name: antispam
    port: 11333
    protocol: TCP
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: antivirus
  labels:
    app: mailu-antivirus
    role: mail
    tier: backend
 spec:
  selector:
    app: mailu-security
    role: mail
    tier: backend
  ports:
  - name: antivirus
    port: 3310
    protocol: TCP
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
  name: mailu-admin
 spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: mailu-admin
        role: mail
        tier: backend
    spec:
      containers:
      - name: admin
        image: mailu/admin:stable
        imagePullPolicy: Always
        env:
          - name  : DOMAIN
            value : example.com
          - name  : HOSTNAME
            value : mail.example.com
          - name  : POSTMASTER
            value : core
          - name  : SECRET_KEY
            value : pleasereplacethiswithabetterkey
          - name  : DEBUG
            value : "True"
        volumeMounts:
          - name: maildata
            mountPath: /data
          - name: dkim
            mountPath: /dkim
          - name: certs
            mountPath: /certs
            readOnly: true
          # - name: docker
          #   mountPath: /var/run/docker.sock
          #   readOnly: true
        ports:
          - name: http
            containerPort: 80
            protocol: TCP
      volumes:
        - name: maildata
          hostPath:
            path: /var/data/mailu/maildata
        - name: dkim
          hostPath:
            path: /var/data/mailu/dkim
        - name: certs
          secret:
            items:
              - key: tls.crt
                path: cert.pem
              - key: tls.key
                path: key.pem
            secretName: letsencrypt-certs-all
        # - name: docker
        #   hostPath:
        #     path: /var/run/docker.sock
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: mailu-admin
  labels:
    app: mailu-admin
    role: mail
    tier: backend
 spec:
  selector:
    app: mailu-admin
    role: mail
    tier: backend
  ports:
  - name: http
    port: 80
    protocol: TCP
--- a/docs/kubernetes/stable/kubernetes-nginx-ingress-controller.yaml
+++ b/docs/kubernetes/stable/kubernetes-nginx-ingress-controller.yaml
@ -1,84 +0,0 @@
 ---
 kind: ConfigMap
 apiVersion: v1
 metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app: ingress-nginx
 ---
 kind: ConfigMap
 apiVersion: v1
 metadata:
  name: udp-services
  namespace: ingress-nginx
 ---
 kind: ConfigMap
 apiVersion: v1
 metadata:
  name: tcp-services
  namespace: ingress-nginx
 data:
  25: "mailu/smtp:25"
  465: "mailu/smtp:465"
  587: "mailu/smtp:587"
  143: "mailu/imap:143"
  993: "mailu/imap:993"
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
  name: nginx-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: nginx-ingress-controller
 spec:
  replicas: 1
  template:
    metadata:
      labels:
        k8s-app: nginx-ingress-controller
      annotations:
        prometheus.io/port: '10254'
        prometheus.io/scrape: 'true'
    spec:
      # hostNetwork makes it possible to use ipv6 and to preserve the source IP correctly regardless of docker configuration
      # however, it is not a hard dependency of the nginx-ingress-controller itself and it may cause issues if port 10254 already is taken on the host
      # that said, since hostPort is broken on CNI (https://github.com/kubernetes/kubernetes/issues/31307) we have to use hostNetwork where CNI is used
      # like with kubeadm
      # hostNetwork: true
      terminationGracePeriodSeconds: 60
      containers:
      - image: gcr.io/google_containers/nginx-ingress-controller:0.11.0
        name: nginx-ingress-controller
        args:
          - /nginx-ingress-controller
          - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
          - --configmap=$(POD_NAMESPACE)/nginx-configuration
          - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
          - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
          - --annotations-prefix=nginx.ingress.kubernetes.io
        readinessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          timeoutSeconds: 1
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
--- a/docs/swarm/master/README.md
+++ b/docs/swarm/master/README.md
@ -0,0 +1,252 @@
 # Install Mailu on a docker swarm
 ## Prequisites
 ### Swarm
 In order to deploy Mailu on a swarm, you will first need to initialize the swarm:
 The main command will be:
 ```bash
 docker swarm init --advertise-addr <IP_ADDR>
 ```
 See https://docs.docker.com/engine/swarm/swarm-tutorial/create-swarm/
 If you want to add other managers or workers, please use:
 ```bash
 docker swarm join --token xxxxx 
 ```
 See https://docs.docker.com/engine/swarm/join-nodes/
 You have now a working swarm, and you can check its status with:
 ```bash
 core@coreos-01 ~/git/Mailu/docs/swarm/1.5 $ docker node ls
 ID                            HOSTNAME            STATUS              AVAILABILITY        MANAGER STATUS      ENGINE VERSION
 xhgeekkrlttpmtgmapt5hyxrb     black-pearl         Ready               Active                                  18.06.0-ce
 sczlqjgfhehsfdjhfhhph1nvb *   coreos-01           Ready               Active              Leader              18.03.1-ce
 mzrm9nbdggsfz4sgq6dhs5i6n     flying-dutchman     Ready               Active                                  18.06.0-ce
 ```
 ### Volume definition
 For data persistance (the Mailu services might be launched/relaunched on any of the swarm nodes), we need to have Mailu data stored in a manner accessible by every manager or worker in the swarm.
 Hereafter we will assume that "Mailu Data" is available on every node at "$ROOT/certs:/certs" (GlusterFS and nfs shares have been successfully used).
 On this example, we are using:
 - the mesh routing mode (default mode). With this mode, each service is given a virtual IP adress and docker manages the routing between this virtual IP and the container(s) providing this service. 
 - the default ingress mode.
 ### Allow authentification with the mesh routing
 In order to allow every (front & webmail) container to access the other services, we will use the variable POD_ADDRESS_RANGE.
 Let's create the mailu_default network:
 ```bash
 core@coreos-01 ~ $ docker network create -d overlay --attachable mailu_default
 core@coreos-01 ~ $ docker network inspect mailu_default | grep Subnet
                    "Subnet": "10.0.1.0/24",
 ```
 In the docker-compose.yml file, we will then use POD_ADDRESS_RANGE = 10.0.1.0/24 
 In fact, imap & smtp logs doesn't show the IPs from the front(s) container(s), but the IP of  "mailu_default-endpoint". So it is sufficient to set POD_ADDRESS_RANGE to this specific ip (which can be found by inspecting mailu_default network). The issue is that this endpoint is created while the stack is created, I did'nt figure a way to determine this IP before the stack creation...
 ### Limitation with the ingress mode
 With the default ingress mode, the front(s) container(s) will see origin IP(s) all being 10.255.0.x (which is the ingress-endpoint, can be found by inspecting the ingress network)
 This issue is known and discussed here:
 https://github.com/moby/moby/issues/25526
 A workaround (using network host mode and global deployment) is discussed here:
 https://github.com/moby/moby/issues/25526#issuecomment-336363408 
 ### Don't create an open relay !
 As a side effect of this ingress mode "feature", make sure that the ingress subnet is not in your RELAYHOST, otherwise you would create an smtp open relay :-(
 ## Scalability
 - smtp and imap are scalable
 - front and webmail are scalable (pending POD_ADDRESS_RANGE is used), although the let's encrypt magic might not like it (race condidtion ? or risk to be banned by let's encrypt server if too many front containers attemps to renew the certs at the same time) 
 - redis, antispam, antivirus, fetchmail, admin, webdav have not been tested (hence replicas=1 in the following docker-compose.yml file)
 ## Variable substitution and docker-compose.yml
 The docker stack deploy command doesn't support variable substitution in the .yml file itself. 
 As a consequence, we cannot simply use ``` docker stack deploy -c docker.compose.yml mailu ```
 Instead, we will use the following work-around:
 ``` echo "$(docker-compose -f /mnt/docker/apps/mailu/docker-compose.yml config 2>/dev/null)" | docker stack deploy -c- mailu ```
 We need also to:
 - add a deploy section for every service
 - modify the way the ports are defined for the front service
 - add the POD_ADDRESS_RANGE definition for imap, smtp and antispam services
 ## Docker compose 
 An example of docker-compose-stack.yml file is available here:
 ```yaml
 version: '3.2'
 services:
  front:
    image: mailu/nginx:$VERSION
    restart: always
    env_file: .env
    ports:
      - target: 80
        published: 80
      - target: 443
        published: 443
      - target: 110
        published: 110
      - target: 143
        published: 143
      - target: 993
        published: 993
      - target: 995
        published: 995
      - target: 25
        published: 25
      - target: 465
        published: 465
      - target: 587
        published: 587
    volumes:
      - "$ROOT/certs:/certs"
    deploy:
      replicas: 2
  redis:
    image: redis:alpine
    restart: always
    volumes:
      - "$ROOT/redis:/data"
    deploy:
      replicas: 1
  imap:
    image: mailu/dovecot:$VERSION
    restart: always
    env_file: .env
    environment:
      - POD_ADDRESS_RANGE=10.0.1.0/24
    volumes:
      - "$ROOT/mail:/mail"
      - "$ROOT/overrides:/overrides"
    depends_on:
      - front
    deploy:
      replicas: 2
  smtp:
    image: mailu/postfix:$VERSION
    restart: always
    env_file: .env
    environment:
      - POD_ADDRESS_RANGE=10.0.1.0/24
    volumes:
      - "$ROOT/overrides:/overrides"
    depends_on:
      - front
    deploy:
      replicas: 2
  antispam:
    image: mailu/rspamd:$VERSION
    restart: always
    env_file: .env
    environment:
      - POD_ADDRESS_RANGE=10.0.1.0/24
    volumes:
      - "$ROOT/filter:/var/lib/rspamd"
      - "$ROOT/dkim:/dkim"
      - "$ROOT/overrides/rspamd:/etc/rspamd/override.d"
    depends_on:
      - front
    deploy:
      replicas: 1
  antivirus:
    image: mailu/none:$VERSION
    restart: always
    env_file: .env
    volumes:
      - "$ROOT/filter:/data"
    deploy:
      replicas: 1
  webdav:
    image: mailu/none:$VERSION
    restart: always
    env_file: .env
    volumes:
      - "$ROOT/dav:/data"
    deploy:
      replicas: 1
  admin:
    image: mailu/admin:$VERSION
    restart: always
    env_file: .env
    volumes:
      - "$ROOT/data:/data"
      - "$ROOT/dkim:/dkim"
      - /var/run/docker.sock:/var/run/docker.sock:ro
    depends_on:
      - redis
    deploy:
      replicas: 1
  webmail:
    image: mailu/roundcube:$VERSION
    restart: always
    env_file: .env
    volumes:
      - "$ROOT/webmail:/data"
    depends_on:
      - imap
    deploy:
      replicas: 2
  fetchmail:
    image: mailu/fetchmail:$VERSION
    restart: always
    env_file: .env
    volumes:
    deploy:
      replicas: 1
 networks:
  default:
    external:
      name: mailu_default
 ```
 ## Deploy Mailu on the docker swarm
 Run the following command:
 ```bash
 echo "$(docker-compose -f /mnt/docker/apps/mailu/docker-compose.yml config 2>/dev/null)" | docker stack deploy -c- mailu
 ```
 See how the services are being deployed:
 ```bash
 core@coreos-01 ~ $ docker service ls
 ID                  NAME                                 MODE                REPLICAS            IMAGE                                     PORTS
 ywnsetmtkb1l        mailu_antivirus                      replicated          1/1                 mailu/none:master
 pqokiaz0q128        mailu_fetchmail                      replicated          1/1                 mailu/fetchmail:master
 ```
 check a specific service:
 ```bash
 core@coreos-01 ~ $ docker service ps mailu_fetchmail
 ID                  NAME                IMAGE                 NODE                DESIRED STATE       CURRENT STATE         ERROR               PORTS
 tbu8ppgsdffj        mailu_fetchmail.1   mailu/fetchmail:master   coreos-01           Running             Running 11 days ago
 ```
 You might also have a look on the logs:
 ```bash
 core@coreos-01 ~ $ docker service logs -f mailu_fetchmail
 ```
 ## Remove the stack
 Run the follwoing command:
 ```bash
 core@coreos-01 ~ $ docker stack rm mailu
 ```
--- a/docs/swarm/master/README_nfs_example.md
+++ b/docs/swarm/master/README_nfs_example.md
@ -0,0 +1,357 @@
 # Install Mailu on a docker swarm
 ## Prequisites
 ### Swarm
 In order to deploy Mailu on a swarm, you will first need to initialize the swarm:
 The main command will be:
 ```bash
 docker swarm init --advertise-addr <IP_ADDR>
 ```
 See https://docs.docker.com/engine/swarm/swarm-tutorial/create-swarm/
 If you want to add other managers or workers, please use:
 ```bash
 docker swarm join --token xxxxx 
 ```
 See https://docs.docker.com/engine/swarm/join-nodes/
 You have now a working swarm, and you can check its status with:
 ```bash
 core@coreos-01 ~/git/Mailu/docs/swarm/1.5 $ docker node ls
 ID                            HOSTNAME            STATUS              AVAILABILITY        MANAGER STATUS      ENGINE VERSION
 xhgeekkrlttpmtgmapt5hyxrb     black-pearl         Ready               Active                                  18.06.0-ce
 sczlqjgfhehsfdjhfhhph1nvb *   coreos-01           Ready               Active              Leader              18.03.1-ce
 mzrm9nbdggsfz4sgq6dhs5i6n     flying-dutchman     Ready               Active                                  18.06.0-ce
 ```
 ### Volume definition
 For data persistance (the Mailu services might be launched/relaunched on any of the swarm nodes), we need to have Mailu data stored in a manner accessible by every manager or worker in the swarm.
 Hereafter we will use a NFS share:
 ```bash
 core@coreos-01 ~ $ showmount -e 192.168.0.30
 Export list for 192.168.0.30:
 /mnt/Pool1/pv            192.168.0.0
 ```
 on the nfs server, I am using the following /etc/exports
 ```bash
 $more /etc/exports
 /mnt/Pool1/pv -alldirs -mapall=root -network 192.168.0.0 -mask 255.255.255.0 
 ```
 on the nfs server, I created the Mailu directory (in fact I copied a working Mailu set-up)
 ```bash
 $mkdir /mnt/Pool1/pv/mailu
 ```
 On your manager node, mount the nfs share to check that the share is available:
 ```bash
 core@coreos-01 ~ $ sudo mount -t nfs 192.168.0.30:/mnt/Pool1/pv/mailu /mnt/local/
 ```
 If this is ok, you can umount it:
 ```bash
 core@coreos-01 ~ $ sudo umount /mnt/local/
 ```
 ## Networking mode
 On this example, we are using:
 - the mesh routing mode (default mode). With this mode, each service is given a virtual IP adress and docker manages the routing between this virtual IP and the container(s) providing this service. 
 - the default ingress mode.
 ### Allow authentification with the mesh routing
 In order to allow every (front & webmail) container to access the other services, we will use the variable POD_ADDRESS_RANGE.
 Let's create the mailu_default network:
 ```bash
 core@coreos-01 ~ $ docker network create -d overlay --attachable mailu_default
 core@coreos-01 ~ $ docker network inspect mailu_default | grep Subnet
                    "Subnet": "10.0.1.0/24",
 ```
 In the docker-compose.yml file, we will then use POD_ADDRESS_RANGE = 10.0.1.0/24 
 In fact, imap & smtp logs doesn't show the IPs from the front(s) container(s), but the IP of  "mailu_default-endpoint". So it is sufficient to set POD_ADDRESS_RANGE to this specific ip (which can be found by inspecting mailu_default network). The issue is that this endpoint is created while the stack is created, I did'nt figure a way to determine this IP before the stack creation...
 ### Limitation with the ingress mode
 With the default ingress mode, the front(s) container(s) will see origin IP(s) all being 10.255.0.x (which is the ingress-endpoint, can be found by inspecting the ingress network)
 This issue is known and discussed here:
 https://github.com/moby/moby/issues/25526
 A workaround (using network host mode and global deployment) is discussed here:
 https://github.com/moby/moby/issues/25526#issuecomment-336363408 
 ### Don't create an open relay !
 As a side effect of this ingress mode "feature", make sure that the ingress subnet is not in your RELAYHOST, otherwise you would create an smtp open relay :-(
 ## Scalability
 - smtp and imap are scalable
 - front and webmail are scalable (pending POD_ADDRESS_RANGE is used), although the let's encrypt magic might not like it (race condidtion ? or risk to be banned by let's encrypt server if too many front containers attemps to renew the certs at the same time) 
 - redis, antispam, antivirus, fetchmail, admin, webdav have not been tested (hence replicas=1 in the following docker-compose.yml file)
 ## Variable substitution and docker-compose.yml
 The docker stack deploy command doesn't support variable substitution in the .yml file itself. As a consequence, we need to use the following work-around:
 ``` echo "$(docker-compose -f /mnt/docker/apps/mailu/docker-compose.yml config 2>/dev/null)" | docker stack deploy -c- mailu ```
 We need also to:
 - change the way we define the volumes (nfs share in our case)
 - add a deploy section for every service
 - the way the ports are defined for the front service
 ## Docker compose 
 An example of docker-compose-stack.yml file is available here:
 ```yaml
 version: '3.2'
 services:
  front:
    image: mailu/nginx:$VERSION
    restart: always
    env_file: .env
    ports:
      - target: 80
        published: 80
      - target: 443
        published: 443
      - target: 110
        published: 110
      - target: 143
        published: 143
      - target: 993
        published: 993
      - target: 995
        published: 995
      - target: 25
        published: 25
      - target: 465
        published: 465
      - target: 587
        published: 587
    volumes:
 #      - "$ROOT/certs:/certs"
      - type: volume
        source: mailu_certs
        target: /certs
    deploy:
      replicas: 2
  redis:
    image: redis:alpine
    restart: always
    volumes:
 #      - "$ROOT/redis:/data"
      - type: volume
        source: mailu_redis
        target: /data
    deploy:
      replicas: 1
  imap:
    image: mailu/dovecot:$VERSION
    restart: always
    env_file: .env
    environment:
      - POD_ADDRESS_RANGE=10.0.1.0/24
    volumes:
 #      - "$ROOT/mail:/mail"
      - type: volume
        source: mailu_mail
        target: /mail
 #      - "$ROOT/overrides:/overrides"
      - type: volume
        source: mailu_overrides
        target: /overrides
    depends_on:
      - front
    deploy:
      replicas: 2
  smtp:
    image: mailu/postfix:$VERSION
    restart: always
    env_file: .env
    environment:
      - POD_ADDRESS_RANGE=10.0.1.0/24
    volumes:
 #      - "$ROOT/overrides:/overrides"
      - type: volume
        source: mailu_overrides
        target: /overrides
    depends_on:
      - front
    deploy:
      replicas: 2
  antispam:
    image: mailu/rspamd:$VERSION
    restart: always
    env_file: .env
    environment:
      - POD_ADDRESS_RANGE=10.0.1.0/24
    depends_on:
      - front
    volumes:
 #      - "$ROOT/filter:/var/lib/rspamd"
      - type: volume
        source: mailu_filter
        target: /var/lib/rspamd
 #      - "$ROOT/dkim:/dkim"
      - type: volume
        source: mailu_dkim
        target: /dkim
 #      - "$ROOT/overrides/rspamd:/etc/rspamd/override.d"
      - type: volume
        source: mailu_overrides_rspamd
        target: /etc/rspamd/override.d
    deploy:
      replicas: 1
  antivirus:
    image: mailu/none:$VERSION
    restart: always
    env_file: .env
    volumes:
 #      - "$ROOT/filter:/data"
      - type: volume
        source: mailu_filter
        target: /data
    deploy:
      replicas: 1
  webdav:
    image: mailu/none:$VERSION
    restart: always
    env_file: .env
    volumes:
 #      - "$ROOT/dav:/data"
      - type: volume
        source: mailu_dav
        target: /data
    deploy:
      replicas: 1
  admin:
    image: mailu/admin:$VERSION
    restart: always
    env_file: .env
    volumes:
 #      - "$ROOT/data:/data"
      - type: volume
        source: mailu_data
        target: /data
 #      - "$ROOT/dkim:/dkim"
      - type: volume
        source: mailu_dkim
        target: /dkim
      - /var/run/docker.sock:/var/run/docker.sock:ro
    depends_on:
      - redis
    deploy:
      replicas: 1
  webmail:
    image: mailu/roundcube:$VERSION
    restart: always
    env_file: .env
    volumes:
 #      - "$ROOT/webmail:/data"
      - type: volume
        source: mailu_data
        target: /data
    depends_on:
      - imap
    deploy:
      replicas: 2
  fetchmail:
    image: mailu/fetchmail:$VERSION
    restart: always
    env_file: .env
    volumes:
    deploy:
      replicas: 1
 networks:
  default:
    external:
      name: mailu_default
 volumes:
  mailu_filter:
    driver_opts:
      type: "nfs"
      o: "addr=192.168.0.30,soft,rw"
      device: ":/mnt/Pool1/pv/mailu/filter"
  mailu_dkim:
    driver_opts:
      type: "nfs"
      o: "addr=192.168.0.30,soft,rw"
      device: ":/mnt/Pool1/pv/mailu/dkim"
  mailu_overrides_rspamd:
    driver_opts:
      type: "nfs"
      o: "addr=192.168.0.30,soft,rw"
      device: ":/mnt/Pool1/pv/mailu/overrides/rspamd"
  mailu_data:
    driver_opts:
      type: "nfs"
      o: "addr=192.168.0.30,soft,rw"
      device: ":/mnt/Pool1/pv/mailu/data"
  mailu_mail:
    driver_opts:
      type: "nfs"
      o: "addr=192.168.0.30,soft,rw"
      device: ":/mnt/Pool1/pv/mailu/mail"
  mailu_overrides:
    driver_opts:
      type: "nfs"
      o: "addr=192.168.0.30,soft,rw"
      device: ":/mnt/Pool1/pv/mailu/overrides"
  mailu_dav:
    driver_opts:
      type: "nfs"
      o: "addr=192.168.0.30,soft,rw"
      device: ":/mnt/Pool1/pv/mailu/dav"
  mailu_certs:
    driver_opts:
      type: "nfs"
      o: "addr=192.168.0.30,soft,rw"
      device: ":/mnt/Pool1/pv/mailu/certs"
  mailu_redis:
    driver_opts:
      type: "nfs"
      o: "addr=192.168.0.30,soft,rw"
      device: ":/mnt/Pool1/pv/mailu/redis"
 ```
 ## Deploy Mailu on the docker swarm
 Run the following command:
 ```bash
 echo "$(docker-compose -f /mnt/docker/apps/mailu/docker-compose.yml config 2>/dev/null)" | docker stack deploy -c- mailu
 ```
 See how the services are being deployed:
 ```bash
 core@coreos-01 ~ $ docker service ls
 ID                  NAME                                 MODE                REPLICAS            IMAGE                                     PORTS
 ywnsetmtkb1l        mailu_antivirus                      replicated          1/1                 mailu/none:master
 pqokiaz0q128        mailu_fetchmail                      replicated          1/1                 mailu/fetchmail:master
 ```
 check a specific service:
 ```bash
 core@coreos-01 ~ $ docker service ps mailu_fetchmail
 ID                  NAME                IMAGE                 NODE                DESIRED STATE       CURRENT STATE         ERROR               PORTS
 tbu8ppgsdffj        mailu_fetchmail.1   mailu/fetchmail:master   coreos-01           Running             Running 11 days ago
 ```
 ## Remove the stack
 Run the follwoing command:
 ```bash
 core@coreos-01 ~ $ docker stack rm mailu
 ```
--- a/services/rspamd/Dockerfile
+++ b/services/rspamd/Dockerfile
@ -1,6 +1,6 @@
 FROM alpine:3.8
-RUN apk add --no-cache python py-jinja2 rspamd rspamd-controller rspamd-proxy ca-certificates py-pip curl \
+RUN apk add --no-cache python py-jinja2 rspamd rspamd-controller rspamd-proxy rspamd-fuzzy ca-certificates py-pip curl\
 && pip install --upgrade pip \
 && pip install tenacity
@ -9,10 +9,7 @@ RUN mkdir /run/rspamd
 COPY conf/ /conf
 COPY start.py /start.py
-# Temporary fix to remove references to rspamd-fuzzy for now
+EXPOSE 11332/tcp 11334/tcp 11335/tcp
 RUN sed -i '/fuzzy/,$d' /etc/rspamd/rspamd.conf
 EXPOSE 11332/tcp 11334/tcp
 VOLUME ["/var/lib/rspamd"]
--- a/services/rspamd/conf/fuzzy_check.conf
+++ b/services/rspamd/conf/fuzzy_check.conf
@ -0,0 +1,34 @@
 rule "local" {
    # Fuzzy storage server list
    servers = "localhost:11335";
    # Default symbol for unknown flags
    symbol = "LOCAL_FUZZY_UNKNOWN";
    # Additional mime types to store/check
    mime_types = ["application/*"];
    # Hash weight threshold for all maps
    max_score = 20.0;
    # Whether we can learn this storage
    read_only = no;
    # Ignore unknown flags
    skip_unknown = yes;
    # Hash generation algorithm
    algorithm = "mumhash";
    # Map flags to symbols
    fuzzy_map = {
        LOCAL_FUZZY_DENIED {
            # Local threshold
            max_score = 20.0;
            # Flag to match
            flag = 11;
        }
        LOCAL_FUZZY_PROB {
            max_score = 10.0;
            flag = 12;
        }
        LOCAL_FUZZY_WHITE {
            max_score = 2.0;
            flag = 13;
        }
    }
 }
--- a/services/rspamd/conf/metrics.conf
+++ b/services/rspamd/conf/metrics.conf
@ -0,0 +1,19 @@
 group "fuzzy" {
    max_score = 12.0;
    symbol "LOCAL_FUZZY_UNKNOWN" {
        weight = 5.0;
        description = "Generic fuzzy hash match";
    }
    symbol "LOCAL_FUZZY_DENIED" {
        weight = 12.0;
        description = "Denied fuzzy hash";
    }
    symbol "LOCAL_FUZZY_PROB" {
        weight = 5.0;
        description = "Probable fuzzy hash";
    }
    symbol "LOCAL_FUZZY_WHITE" {
        weight = -2.1;
        description = "Whitelisted fuzzy hash";
    }
 }
--- a/services/rspamd/conf/worker-controller.inc
+++ b/services/rspamd/conf/worker-controller.inc
@ -1,3 +1,4 @@
 type = "controller";
 bind_socket = "*:11334";
 password = "mailu";
-secure_ip = "{{ FRONT_ADDRESS }}";
+secure_ip = "{% if POD_ADDRESS_RANGE %}{{ POD_ADDRESS_RANGE }}{% else %}{{ FRONT_ADDRESS }}{% endif %}";
--- a/services/rspamd/conf/worker-fuzzy.inc
+++ b/services/rspamd/conf/worker-fuzzy.inc
@ -0,0 +1,6 @@
 type = "fuzzy";
 bind_socket = "*:11335";
 count = 1;
 backend = "redis";
 expire = 90d;
 allow_update = ["127.0.0.1"];
--- a/services/rspamd/conf/worker-normal.inc
+++ b/services/rspamd/conf/worker-normal.inc
@ -1 +1,2 @@
 type = "normal";
 enabled = false;
--- a/setup/Dockerfile
+++ b/setup/Dockerfile
@ -10,8 +10,10 @@ RUN apk add --no-cache git curl \
 COPY server.py ./server.py
 COPY setup.py ./setup.py
 COPY main.py ./main.py
 COPY flavors /data/master/flavors
 COPY templates /data/master/templates
-RUN python setup.py https://github.com/mailu/mailu /data
+#RUN python setup.py https://github.com/mailu/mailu /data
 EXPOSE 80/tcp
--- a/setup/docker-compose.yml
+++ b/setup/docker-compose.yml
@ -9,5 +9,6 @@ services:
  setup:
    image: mailu/setup
    ports:
-      - "80:80"
+      - "8000:80"
    build: .
--- a/setup/flavors/compose/docker-compose.yml
+++ b/setup/flavors/compose/docker-compose.yml
@ -1,124 +1,106 @@
 {% set env='mailu.env' %}
 # This file is auto-generated by the Mailu configuration wizard.
 # Please read the documentation before attempting any change.
 # Generated for {{ flavor }} flavor
-version: '2'
+version: '3.6'
 services:
  # External dependencies
  redis:
    image: redis:alpine
    restart: always
    volumes:
-      - "$ROOT/redis:/data"
+      - "{{ root }}/redis:/data"
  # Core services
  front:
    image: mailu/nginx:{{ version }}
    restart: always
    env_file: {{ env }}
    env:
      - TLS_FLAVOR={{ tls_flavor or 'letsencrypt' }}
      - ADMIN={{ expose_admin or 'no' }}
    ports:
    {% for port in (80, 443, 25, 465, 587, 110, 995, 143, 993) %}
    {% if bind4 %}
-      - "$PUBLIC_IPV4:{{ port }}:{{ port }}"
+      - "{{ bind4 }}:{{ port }}:{{ port }}"
    {% endif %}
    {% if bind6 %}
-      - "$PUBLIC_IPV6:{{ port }}:{{ port }}"
+      - "{{ bind6 }}:{{ port }}:{{ port }}"
    {% endif %}
    {% endfor %}
    {% if flavor in ('cert', 'mail') %}
    volumes:
-      - "$ROOT/certs:/certs"
+      - "{{ root }}/certs:/certs"
    {% endif %}
  admin:
    image: mailu/admin:{{ version }}
    restart: always
    env_file: {{ env }}
-    {% if not expose_admin %}
+    {% if not admin_enabled %}
    ports:
      - 127.0.0.1:8080:80
    {% endif %}
    volumes:
-      - "$ROOT/data:/data"
+      - "{{ root }}/data:/data"
-      - "$ROOT/dkim:/dkim"
+      - "{{ root }}/dkim:/dkim"
    depends_on:
      - redis
  imap:
    image: mailu/dovecot:{{ version }}
    restart: always
    env_file: {{ env }}
    volumes:
-      - "$ROOT/data:/data"
+      - "{{ root }}/mail:/mail"
-      - "$ROOT/mail:/mail"
+      - "{{ root }}/overrides:/overrides"
      - "$ROOT/overrides:/overrides"
    depends_on:
      - front
  smtp:
    image: mailu/postfix:{{ version }}
    restart: always
    env_file: {{ env }}
    volumes:
-      - "$ROOT/data:/data"
+      - "{{ root }}/overrides:/overrides"
      - "$ROOT/overrides:/overrides"
    depends_on:
      - front
  # Optional services
-  {% if enable_antispam %}
+  {% if antispam_enabled %}
  antispam:
    image: mailu/rspamd:{{ version }}
    restart: always
    env_file: {{ env }}
    volumes:
-      - "$ROOT/filter:/var/lib/rspamd"
+      - "{{ root }}/filter:/var/lib/rspamd"
-      - "$ROOT/dkim:/dkim"
+      - "{{ root }}/dkim:/dkim"
-      - "$ROOT/overrides/rspamd:/etc/rspamd/override.d"
+      - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d"
    depends_on:
      - front
  {% endif %}
-  {% if enable_antivirus %}
+  {% if antivirus_enabled %}
  antivirus:
    image: mailu/clamav:{{ version }}
    restart: always
    env_file: {{ env }}
    volumes:
-      - "$ROOT/filter:/data"
+      - "{{ root }}/filter:/data"
  {% endif %}
-  {% if enable_webdav %}
+  {% if webdav_enabled %}
  webdav:
-    image: mailu/radivale:{{ version }}
+    image: mailu/radicale:{{ version }}
    restart: always
    env_file: {{ env }}
    volumes:
-      - "$ROOT/dav:/data"
+      - "{{ root }}/dav:/data"
  {% endif %}
-  {% if enable_fetchmail %}
+  {% if fetchmail_enabled %}
  fetchmail:
    image: mailu/fetchmail:{{ version }}
    restart: always
    env_file: {{ env }}
    volumes:
      - "$ROOT/data:/data"
  {% endif %}
  # Webmail
-  {% if enable_webmail %}
+  {% if webmail_type != 'none' %}
  webmail:
-    image: mailu/{{ webmail }}:{{ version }}
+    image: mailu/{{ webmail_type }}:{{ version }}
    restart: always
    env_file: {{ env }}
    volumes:
-      - "$ROOT/webmail:/data"
+      - "{{ root }}/webmail:/data"
    depends_on:
      - imap
  {% endif %}
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@ -1,5 +1,7 @@
 # Mailu main configuration file
 #
 # Generated for {{ flavor }} flavor
 #
 # This file is autogenerated by the configuration management wizard.
 # For a detailed list of configuration variables, see the documentation at
 # https://mailu.io
@ -9,60 +11,118 @@
 ###################################
 # Set this to the path where Mailu data and configuration is stored
-ROOT=/mailu
+# This variable is now set directly in `docker-compose.yml by the setup utility
 # ROOT={{ root }}
 # Mailu version to run (1.0, 1.1, etc. or master)
 #VERSION={{ version }}
 # Set to a randomly generated 16 bytes string
 SECRET_KEY={{ secret(16) }}
 # Address where listening ports should bind
-{% if bind4 %}PUBLIC_IPV4={{ bind4 }}{% endif %}
+# This variables are now set directly in `docker-compose.yml by the setup utility
-{% if bind6 %}PUBLIC_IPV6={{ bind6 }}{% endif %}
+# PUBLIC_IPV4= {{ bind4 }} (default: 127.0.0.1)
 # PUBLIC_IPV6= {{ bind6 }} (default: ::1)
-# Mail address of the postmaster
+# Main mail domain
-POSTMASTER={{ postmaster }}
+DOMAIN={{ domain }}
 # Hostnames for this server, separated with comas
 HOSTNAMES={{ hostnames }}
 # Postmaster local part (will append the main mail domain)
 POSTMASTER={{ postmaster }}
 # Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
 TLS_FLAVOR={{ tls_flavor }}
 # Authentication rate limit (per source IP address)
-AUTH_RATELIMIT={{ auth_ratelimit }}
+{% if auth_ratelimit_pm > '0' and auth_ratelimit_ph > '0' %}
 AUTH_RATELIMIT={{ auth_ratelimit_pm }}/minute;{{ auth_ratelimit_ph }}/hour 
 {% endif %}
 # Opt-out of statistics, replace with "True" to opt out
-DISABLE_STATISTICS={{ disable_statistics }}
+DISABLE_STATISTICS={{ disable_statistics or 'False' }}
 ###################################
-# Server behavior
+# Optional features
 ###################################
 # Expose the admin interface (value: true, false)
 ADMIN={{ admin_enabled or 'false' }}
 # Choose which webmail to run if any (values: roundcube, rainloop, none)
 WEBMAIL={{ webmail_type }}
 # Dav server implementation (value: radicale, none)
 WEBDAV={{ webdav_enabled or 'none' }}
 # Antivirus solution (value: clamav, none)
 #ANTIVIRUS={{ antivirus_enabled or 'none' }}
 #Antispam solution
 ANTISPAM={{ antispam_enabled or 'none'}}
 ###################################
 # Mail settings
 ###################################
 # Message size limit in bytes
 # Default: accept messages up to 50MB
-MESSAGE_SIZE_LIMIT={{ message_size_limit }}
+MESSAGE_SIZE_LIMIT={{ message_size_limit or '50000000' }}
 # Networks granted relay permissions, make sure that you include your Docker
 # internal network (default to 172.17.0.0/16)
-RELAYNETS={{ relaynets }}
+RELAYNETS={{ relaynets or '172.17.0.0/16' }}
 # Will relay all outgoing mails if configured
 RELAYHOST={{ relayhost }}
 # Fetchmail delay
-FETCHMAIL_DELAY={{ fetchmail_delay }}
+FETCHMAIL_DELAY={{ fetchmail_delay or '600' }}
 # Recipient delimiter, character used to delimiter localpart from custom address part
-RECIPIENT_DELIMITER={{ recipient_delimiter }}
+RECIPIENT_DELIMITER={{ recipient_delimiter or '+' }}
 {% if dmarc_rua or dmarc_ruf %}
 # DMARC rua and ruf email
-{% if dmarc_rua %}DMARC_RUA={{ dmarc_rua }}{% endif %}
+DMARC_RUA={{ dmarc_rua or 'admin' }}
-{% if dmarc_ruf %}DMARC_RUF={{ dmarc_ruf }}{% endif %}
+DMARC_RUF={{ dmarc_ruf or 'admin' }}
 {% endif %}
 {% if welcome_enabled %}
 # Welcome email, enable and set a topic and body if you wish to send welcome
 # emails to all users.
-WELCOME={{ welcome_enable }}
+WELCOME={{ welcome_enable or 'false' }}
-WELCOME_SUBJECT={{ welcome_subject }}
+WELCOME_SUBJECT={{ welcome_subject or 'Welcome to your new email account' }}
-WELCOME_BODY={{ welcome_body }}
+WELCOME_BODY={{ welcome_body or 'Welcome to your new email account, if you can read this, then it is configured properly!' }}
 {% endif %}
 # Maildir Compression
 # choose compression-method, default: none (value: bz2, gz)
 COMPRESSION={{ compression }}
 # change compression-level, default: 6 (value: 1-9)
 COMPRESSION_LEVEL={{ compression_level }}
 ###################################
 # Web settings
 ###################################
 # Path to the admin interface if enabled
 WEB_ADMIN={{ admin_path }}
 # Path to the webmail if enabled
 WEB_WEBMAIL={{ webmail_path }}
 # Website name
 SITENAME={{ site_name }}
 # Linked Website URL
 WEBSITE={{ website }}
 {% if recaptcha_public_key and recaptcha_private_key %}
 # Registration reCaptcha settings (warning, this has some privacy impact)
 # RECAPTCHA_PUBLIC_KEY={{ recaptcha_public_key }}
 # RECAPTCHA_PRIVATE_KEY={{ recaptcha_private_key }}
 {% endif %}
 {% if domain_registration %}
@ -70,39 +130,28 @@ WELCOME_BODY={{ welcome_body }}
 DOMAIN_REGISTRATION=true
 {% endif %}
 ###################################
 # Web settings
 ###################################
 # Path to the admin interface if enabled
 WEB_ADMIN=/admin
 # Path to the webmail if enabled
 WEB_WEBMAIL=/webmail
 # Website name
 SITENAME=Mailu
 # Linked Website URL
 WEBSITE=https://mailu.io
 {% if recaptcha_public_key and recaptcha_private_key %}
 # Registration reCaptcha settings (warning, this has some privacy impact)
 # RECAPTCHA_PUBLIC_KEY={{ recaptcha_public_key }}
 # RECAPTCHA_PRIVATE_KEY={{ recaptcha_private_key }}
 {% endif %}
 ###################################
 # Advanced settings
 ###################################
-{% if password_scheme %}
+# Log driver for front service. Possible values:
-# Specific password storage scheme
+# json-file (default)
-PASSWORD_SCHEME={{ password_scheme }}
+# journald (On systemd platforms, useful for Fail2Ban integration)
-{% endif %}
+# syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!)
 LOG_DRIVER={{ log_driver or 'json-file' }}
 # Docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME={{ compose_project_name or 'mailu' }}
 # Default password scheme used for newly created accounts and changed passwords
 # (value: BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT)
 PASSWORD_SCHEME={{ password_scheme or 'BLF-CRYPT' }}
 # Header to take the real ip from
 REAL_IP_HEADER={{ real_ip_header }}
 # IPs for nginx set_real_ip_from (CIDR list separated by commas)
 REAL_IP_FROM={{ real_ip_from }}
 # choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no)
 REJECT_UNLISTED_RECIPIENT={{ reject_unlisted_recipient }}
--- a/setup/flavors/compose/setup.html
+++ b/setup/flavors/compose/setup.html
@ -4,15 +4,15 @@
 <p>Docker Compose expects a project file, named <code>docker-compose.yml</code>
 in a project directory. First create your project directory.</p>
-<pre><code>mkdir /mailu
+<pre><code>mkdir {{ root }}
 </pre></code>
 <p>Then download the project file. A side configuration file makes it easier
 to read and check the configuration variables generated by the wizard.</p>
-<pre><code>cd /mailu
+<pre><code>cd {{ root }}
-wget {{ url_for('.file', uid=uid, filepath='docker-compose.yml', _external=True) }}
+curl {{ url_for('.file', uid=uid, filepath='docker-compose.yml', _external=True) }} > docker-compose.yml
-wget {{ url_for('.file', uid=uid, filepath='mailu.env', _external=True) }}
+curl {{ url_for('.file', uid=uid, filepath='mailu.env', _external=True) }} > mailu.env
 </pre></code>
 {% endcall %}
@ -30,7 +30,22 @@ files before going any further.</p>
 <p>To start your compose project, simply run the Docker Compose <code>up</code>
 command.</p>
-<pre><code>cd /mailu
+<pre><code>cd {{ root }}
 docker-compose up -d
 </pre></code>
 Before you can use Mailu, you must create the primary administrator user account. This should be {{ postmaster }}@{{ domain }}. Use the following command, changing PASSWORD to your liking:
 <pre><code>docker-compose exec admin python manage.py admin {{ postmaster }} {{ domain }} PASSWORD
 </pre></code>
 <p>Login to the admin interface to change the password for a safe one, at
 {% if admin_enabled %}
 one of the hostnames 
 <a href="https://{{ hostnames.split(',')[0] }}{{ admin_path }}">{{ hostnames.split(',')[0] }}{{ admin_path }}</a>.
 {% else %}
 <a href="http://127.0.0.1:8080">http://127.0.0.1:8080</a> (only directly from the host running docker).
 {% endif %}
 And choose the "Update password" option in the left menu.
 </p>
 {% endcall %}
--- a/setup/flavors/stack/docker-compose.yml
+++ b/setup/flavors/stack/docker-compose.yml
@ -0,0 +1,128 @@
 {% set env='mailu.env' %}
 # This file is auto-generated by the Mailu configuration wizard.
 # Please read the documentation before attempting any change.
 # Generated for {{ flavor }} flavor
 version: '3.6'
 services:
 # External dependencies
  redis:
    image: redis:alpine
    restart: always
    volumes:
      - "{{ root }}/redis:/data"
 # Core services
  front:
    image: mailu/nginx:{{ version }}
    env_file: {{ env }}
    ports:
    {% for port in (80, 443, 25, 465, 587, 110, 995, 143, 993) %}
      - target: {{ port }}
        published: {{ port }}
        mode: overlay
    {% endfor %}
    volumes:
      - "{{ root }}/certs:/certs"
    deploy:
      replicas: 1
  admin:
    image: mailu/admin:{{ version }}
    env_file: {{ env }}
    {% if not admin_enabled %}
    ports:
      - 127.0.0.1:8080:80
    {% endif %}
    volumes:
      - "{{ root }}/data:/data"
      - "{{ root }}/dkim:/dkim"
    deploy:
      replicas: 1
  imap:
    image: mailu/dovecot:{{ version }}
    env_file: {{ env }}
    environment:
    # Default to 10.0.1.0/24
      - POD_ADDRESS_RANGE={{ subnet }}
    volumes:
      - "{{ root }}/mail:/mail"
      - "{{ root }}/overrides:/overrides"
    deploy:
      replicas: 1
  smtp:
    image: mailu/postfix:{{ version }}
    env_file: {{ env }}
    environment:
      - POD_ADDRESS_RANGE={{ subnet }}
    volumes:
      - "{{ root }}/overrides:/overrides"
    deploy:
      replicas: 1
  # Optional services
  {% if antispam_enabled %}
  antispam:
    image: mailu/rspamd:{{ version }}
    env_file: {{ env }}
    environment:
      - POD_ADDRESS_RANGE={{ subnet }}
    volumes:
      - "{{ root }}/filter:/var/lib/rspamd"
      - "{{ root }}/dkim:/dkim"
      - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d"
    deploy:
      replicas: 1
  {% endif %}
  {% if antivirus_enabled %}
  antivirus:
    image: mailu/clamav:{{ version }}
    env_file: {{ env }}
    volumes:
      - "{{ root }}/filter:/data"
    deploy:
      replicas: 1
  {% endif %}
  {% if webdav_enabled %}
  webdav:
    image: mailu/none:{{ version }}
    env_file: {{ env }}
    volumes:
      - "{{ root }}/dav:/data"
    deploy:
      replicas: 1
  {% endif %}
  {% if fetchmail_enabled %}
  fetchmail:
    image: mailu/fetchmail:{{ version }}
    env_file: {{ env }}
    volumes:
      - "{{ root }}/data:/data"
    deploy:
      replicas: 1
  {% endif %}
  {% if webmail_type != 'none' %}
  webmail:
    image: mailu/roundcube:{{ version }}
    env_file: {{ env }}
    volumes:
      - "{{ root }}/webmail:/data"
    deploy:
      replicas: 1
  {% endif %}
 networks:
  default:
    driver: overlay
    ipam:
      driver: default
      config:
        - subnet: {{ subnet }}
--- a/setup/flavors/stack/mailu.env
+++ b/setup/flavors/stack/mailu.env
@ -0,0 +1 @@
 ../compose/mailu.env
--- a/setup/flavors/stack/setup.html
+++ b/setup/flavors/stack/setup.html
@ -0,0 +1,60 @@
 {% import "macros.html" as macros %}
 {% call macros.panel("info", "Step 1 - Download your configuration files") %}
 <p>Docker Stack expects a project file, named <code>docker-compose.yml</code>
 in a project directory. First create your project directory.</p>
 <pre><code>mkdir -p /{{ root }}/{redis,certs,data,dkim,mail,overrides/rspamd,filter,dav,webmail}
 </pre></code>
 <p>Then download the project file. A side configuration file makes it easier
 to read and check the configuration variables generated by the wizard.</p>
 <pre><code>cd {{ root }}
 curl {{ url_for('.file', uid=uid, filepath='docker-compose.yml', _external=True) }} > docker-compose.yml
 curl {{ url_for('.file', uid=uid, filepath='mailu.env', _external=True) }} > mailu.env
 </pre></code>
 {% endcall %}
 {% call macros.panel("info", "Step 2 - Review the configuration") %}
 <p>We did not insert any malicious code on purpose in the configurations we
 distribute, but your download could have been intercepted, or our wizard
 website could have been compromised, so make sure you check the configuration
 files before going any further.</p>
 <p>When you are done checking them, check them one last time.</p>
 {% endcall %}
 {% call macros.panel("info", "Step 3 - Deploy docker stack") %}
 <p>To deploy the docker stack use the following commands. For more information about setting up docker swarm nodes read the
 	<a href="https://docs.docker.com/get-started">docker documentation</a></p>
 <pre><code>cd {{ root }}
 docker swarm init
 docker stack deploy -c docker-compose.yml mailu
 </pre></code>
 In the docker stack deploy command, mailu is the app name. Feel free to change it.<br/>
 In order to display the running container you can use<br/>
 <pre><code>docker ps</code></pre>
 or
 <pre><code>docker stack ps --no-trunc mailu</code></pre>
 Command for removing docker stack is
 <pre><code>docker stack rm mailu</code></pre>
 Before you can use Mailu, you must create the primary administrator user account. This should be {{ postmaster }}@{{ domain }}. Use the following command, changing PASSWORD to your liking:
 <pre><code>docker exec $(docker ps | grep admin | cut -d ' ' -f1) python manage.py admin {{ postmaster }} {{ domain }} PASSWORD 
 </pre></code>
 <p>Login to the admin interface to change the password for a safe one, at
 {% if admin_enabled %}
 one of the hostnames 
 <a href="https://{{ hostnames.split(',')[0] }}{{ admin_path }}">{{ hostnames.split(',')[0] }}{{ admin_path }}</a>.
 {% else %}
 <a href="http://127.0.0.1:8080">http://127.0.0.1:8080</a> (only directly from the host running docker).
 {% endif %}
 And choose the "Update password" option in the left menu.
 </p>
 {% endcall %}
--- a/setup/server.py
+++ b/setup/server.py
@ -32,9 +32,11 @@ def secret(length=16):
 def build_app(path):
    #Hardcoded master as the only version for test purposes
    versions = [
-        version for version in os.listdir(path)
+    #    version for version in os.listdir(path)
-        if os.path.isdir(os.path.join(path, version))
+    #    if os.path.isdir(os.path.join(path, version))
         "master"
    ]
    app.jinja_env.trim_blocks = True
@ -63,6 +65,12 @@ def build_app(path):
        def wizard():
            return flask.render_template('wizard.html')
        @bp.route("/submit_flavor", methods=["POST"])
        def submit_flavor():
            data = flask.request.form.copy()
            steps = sorted(os.listdir(path + "/" + version + "/templates/steps/" + data["flavor"]))
            return flask.render_template('wizard.html', flavor=data["flavor"], steps=steps)
        @bp.route("/submit", methods=["POST"])
        def submit():
            data = flask.request.form.copy()
--- a/setup/templates/base.html
+++ b/setup/templates/base.html
@ -8,7 +8,7 @@
  <h1>Mailu configuration</h1>
  <p>
    Version
-    <select onchange="window.location.href=this.value;">
+    <select onchange="window.location.href=this.value;" class="btn btn-primary dropdown-toggle">
      {% for available in versions %}
      <option value="{{ url_for('{}.wizard'.format(available)) }}" {% if available == version %}selected{% endif %}>{{ available }}</option>
      {% endfor %}
--- a/setup/templates/macros.html
+++ b/setup/templates/macros.html
@ -9,10 +9,10 @@
  </div>
 {% endmacro %}
-{% macro radio(name, value, emph, text) %}
+{% macro radio(name, value, emph, text, current) %}
  <div class="radio">
    <label>
-      <input type="radio" name="{{ name }}" value="{{ value }}">
+      <input type="radio" name="{{ name }}" value="{{ value }}"{% if current == value %} checked="checked"{% endif %}>
      {% if emph %}
      <strong>{{ emph }}</strong>,
      {% endif %}
--- a/setup/templates/steps/compose/02_services.html
+++ b/setup/templates/steps/compose/02_services.html
@ -3,31 +3,27 @@
 interface, Web email clients (webmails), antispam, antivirus, etc. If you
 wish to disable some of these features, you are free to do so.</p>
 <p>The admin interface is the main Mailu-specific bit, it provides tools to
 manage your email domains, users, etc.</p>
 <div class="form-group">
  <label>Enable the admin UI (and path to the admin UI)</label>
  <div class="input-group">
    <div class="input-group-addon"><input type="checkbox" name="admin_enabled" checked></div>
    <input class="form-control" type="text" name="admin_path" value="/admin">
  </div>
 </div>
 <p>Emails will be available through IMAP and POP3. You may also enable a Web
 email client. These do add some complexity but provide an easier way of
 accessing messages for beginner users.</p>
 <!-- 	Switched from radio buttons to dropdown menu in order to remove the checkbox -->
 <div class="form-group">
  <label>Enable Web email client (and path to the Web email client)</label>
-  <div class="input-group">
+<!--   <div class="radio"> -->
-    <div class="input-group-addon"><input type="checkbox" name="webmail_enabled" checked></div>
+<!--     {{ macros.radio("webmail_type", "roundcube", "RoundCube", "popular Webmail running on top of PHP") }} -->
-    <input class="form-control" type="text" name="webmail_path" value="/webmail">
+<!--     {{ macros.radio("webmail_type", "rainloop", "Rainloop", "lightweight Webmail based on PHP, no database") }} -->
-  </div>
+<!--   </div> -->
  <br/>
  <select class="btn btn-primary dropdown-toggle" name="webmail_type">
  	{% for webmailtype in ["none", "roundcube", "rainloop"] %}
  	<option value="{{ webmailtype }}" >{{ webmailtype }}</option>
  	{% endfor %}
  </select>
  <p></p>
-  <div class="radio">
+  <div class="input-group">
-    {{ macros.radio("webmail_type", "roundcube", "RoundCube", "popular Webmail running on top of PHP") }}
+<!--     <div class="input-group-addon"><input type="checkbox" name="webmail_enabled" value="true"></div> -->
-    {{ macros.radio("webmail_type", "rainloop", "Rainloop", "lightweight Webmail based on PHP, no database") }}
+    <input class="form-control" type="text" name="webmail_path" value="/webmail">
  </div>
 </div>
@ -38,15 +34,29 @@ also disable the antivirus if required (it does use aroung 1GB of ram).</p>
 <div class="form-check form-check-inline">
  <label class="form-check-label">
-    <input class="form-check-input" type="checkbox" name="antispam_enabled" checked>
+    <input class="form-check-input" type="checkbox" name="antispam_enabled" value="rspamd" checked>
-    Enable the filtering service
+    Enable the spam filtering service
  </label>
 </div>
 <div class="form-check form-check-inline">
  <label class="form-check-label">
-    <input class="form-check-input" type="checkbox" name="antivirus_enabled" checked>
+    <input class="form-check-input" type="checkbox" name="antivirus_enabled" value="clamav">
    Enable the antivirus service
  </label>
 </div>
 <div class="form-check form-check-inline">
  <label class="form-check-label">
    <input class="form-check-input" type="checkbox" name="webdav_enabled" value="radicale">
    Enable the webdav service
  </label>
 </div>
 <div class="form-check form-check-inline">
  <label class="form-check-label">
    <input class="form-check-input" type="checkbox" name="fetchmail_enabled" value="true">
    Enable fetchmail
  </label>
 </div>
 {% endcall %}
--- a/setup/templates/steps/compose/03_expose.html
+++ b/setup/templates/steps/compose/03_expose.html
@ -0,0 +1,39 @@
 {% call macros.panel("info", "Step 4 - expose Mailu to the world") %}
 <p>A mail server must be exposed to the world to receive emails, send emails,
 and let users access their mailboxes. Mailu has some flexibility in the way
 you expose it to the world.</p>
 <p>Among Mailu services, the <em>front</em> server is the one accepting connections,
 be it directly from the outside world, through a reverse proxy or in any
 complex configuration that you might want to setup. It needs to listen on some
 IP addresses in order to expose its public services. You must at least setup
 an IPv4 or an IPv6 address if you wish to access Mailu.</p>
 <p><span class="label label-warning">Warning</span> You must use specific addresses, please
 avoid generic all-interfaces addresses like <code>0.0.0.0</code> or <code>::</code>.</p>
 <div class="form-group">
  <label>IPv4 listen address</label>
 <!--   Validates IPv4 address -->
  <input class="form-control" type="text" name="bind4" value="127.0.0.1" 
  		pattern="^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$">
 </div>
 <div class="form-group">
  <label>IPv6 listen address</label>
 <!--   Validates IPv6 address -->
  <input class="form-control" type="text" name="bind6" value="::1"
  		pattern="^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$">
 </div>
 <p>You server will be available under a main hostname but may expose multiple public
 hostnames. Every e-mail domain that points to this server must have one of the
 hostnames in its <code>MX</code> record. Hostnames must be coma-separated.</p>
 <div class="form-group">
  <label>Public hostnames</label>
 <!--   Validates hostname or list of hostnames -->
  <input class="form-control" type="text" name="hostnames" placeholder="my.host.name,other.host.name" multiple required
    	pattern="^(?:(?:\w+(?:-+\w+)*\.)+[a-z]+)*(?:,(?:(?:\w+(?:-+\w+)*\.)+[a-z]+)\s*)*$">
 </div>
 {% endcall %}
--- a/setup/templates/steps/config.html
+++ b/setup/templates/steps/config.html
@ -0,0 +1,78 @@
 {% call macros.panel("info", "Step 2 - Initial configuration") %}
 <p>Before starting some variables must be set</p>
 <div class="form-group">
  <label>Root path: </label>
 <!--   Validates path -->
  <input class="form-control" type="text" name="root" value="/mailu" required pattern="^/[-_A-Za-z0-9]+(/[-_A-Za-z0-9]*)*">
 </div>
 <p>In the next sections we need to set the postmaster address. This is a combination from the <i>postmaster</i> local part and the <i>main mail domain</i>.
 The <i>main mail domain</i> is also used as </i>"server display name"</i>. This is the way the SMTP server identifies himself when connecting to others.
 The Postmaster will get an e-mail address &lt;postmaster&gt;@&lt;main_domain&gt;. This address will receive the DMARC "rua" and "ruf" reports.
 Or in plain english: if receivers start to classify your mail as spam, this postmaster will be informed.</p>
 <div class="form-group">
  <label>
    Main mail domain and server display name.
  </label>
 <!--   Validates domain name -->
  <input class="form-control" type="text" name="domain" placeholder="e.g. mailu.io" 
  		required pattern="^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$">
 </div>
 <div class="form-group">
  <label>Postmaster local part</label>
  <input class="form-control" type="text" name="postmaster" value="admin" required>
 </div>
 <div class="form-group">
  <label>Choose how you wish to handle security (TLS) certificates</label>
  <br/>
  <select class="btn btn-primary dropdown-toggle" name="tls_flavor">
  	{% for tlsflavor in ["letsencrypt", "cert", "notls", "mail", "mail-letsencrypt"] %}
  	<option value="{{ tlsflavor }}" >{{ tlsflavor }}</option>
  	{% endfor %}
  </select>
 </div>
 <div class="form-group">
  <label>Authentication rate limit (per source IP address)</label>
 <!--   Validates number input only -->
  <p><input class="form-control" style="width: 7%; display: inline;" type="number" name="auth_ratelimit_pm" 
  		value="10" required >/minute;
  <input class="form-control" style="width: 7%; display: inline;;" type="number" name="auth_ratelimit_ph"
  		value="1000" required >/hour</p>
 </div>
 <div class="form-check form-check-inline">
  <label class="form-check-label">
    <input class="form-check-input" type="checkbox" name="disable_statistics" value="True">
    Opt-out of statistics
  </label>
 </div>
 <div class="form-group">
  <label>Website name</label>
  <input class="form-control" type="text" name="site_name" value="Mailu" required>
 </div>
 <div class="form-group">
  <label>Linked Website URL</label>
 <!--   Validates url with or without https:// -->
  <input class="form-control" type="url" name="website" value="https://mailu.io" required
  		pattern="^(https?://)?([a-zA-Z0-9]([a-zA-ZäöüÄÖÜ0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,6}$">
 </div>
 <p>The admin interface is the main Mailu-specific bit, it provides tools to
 manage your email domains, users, etc.</p>
 <div class="form-group">
  <label>Enable the admin UI (and path to the admin UI)</label>
  <div class="input-group">
    <div class="input-group-addon"><input type="checkbox" name="admin_enabled" value="true"></div>
    <input class="form-control" type="text" name="admin_path" value="/admin">
  </div>
 </div>
 {% endcall %}
--- a/setup/templates/steps/expose.html
+++ b/setup/templates/steps/expose.html
@ -1,33 +0,0 @@
 {% call macros.panel("info", "Step 2 - expose Mailu to the world") %}
 <p>A mail server must be exposed to the world to receive emails, send emails,
 and let users access their mailboxes. Mailu has some flexibility in the way
 you expose it to the world.</p>
 <p>Among Mailu services, the <em>front</em> server is the one accepting connections,
 be it directly from the outside world, through a reverse proxy or in any
 complex configuration that you might want to setup. It needs to listen on some
 IP addresses in order to expose its public services. You must at least setup
 an IPv4 or an IPv6 address if you wish to access Mailu.</p>
 <p><span class="label label-warning">Warning</span> You must use specific addresses, please
 avoid generic all-interfaces addresses like <code>0.0.0.0</code> or <code>::</code>.</p>
 <div class="form-group">
  <label>IPv4 listen address</label>
  <input class="form-control" type="text" name="ip4" placeholder="1.2.3.4">
 </div>
 <div class="form-group">
  <label>IPv6 listen address</label>
  <input class="form-control" type="text" name="ip6" placeholder="2001:be4:1234::1">
 </div>
 <p>You server will be available under a main hostname but may expose multiple public
 hostnames. Every e-mail domain that points to this server must have one of the
 hostnames in its <code>MX</code> record. Hostnames must be coma-separated.</p>
 <div class="form-group">
  <label>Public hostnames</label>
  <input class="form-control" type="text" name="hostnames" placeholder="my.host.name,other.host.name" multiple>
 </div>
 {% endcall %}
--- a/setup/templates/steps/flavor.html
+++ b/setup/templates/steps/flavor.html
@ -7,10 +7,10 @@ developpers, will mostly cover Compose and Stack, while other flavors are
 maintained by specific contributors.</p>
 <div class="radio">
-  {{ macros.radio("flavor", "compose", "Compose", "simply using Docker Compose manager") }}
+  {{ macros.radio("flavor", "compose", "Compose", "simply using Docker Compose manager", flavor) }}
-  {{ macros.radio("flavor", "stack", "Stack", "using stack deployments in a Swarm cluster") }}
+  {{ macros.radio("flavor", "stack", "Stack", "using stack deployments in a Swarm cluster", flavor) }}
-  {{ macros.radio("flavor", "rancher", "Rancher", "on top of the Rancher container manager") }}
+  {{ macros.radio("flavor", "rancher", "Rancher", "on top of the Rancher container manager", flavor) }}
-  {{ macros.radio("flavor", "kubernetes", "Kubernetes", "on top of the Kubernetes container manager") }}
+  {{ macros.radio("flavor", "kubernetes", "Kubernetes", "on top of the Kubernetes container manager", flavor) }}
 </div>
 {% endcall %}
--- a/setup/templates/steps/optional.html
+++ b/setup/templates/steps/optional.html
@ -1,16 +0,0 @@
 {% call macros.panel("info", "Step 4 - enable optional features") %}
 <p>Mailu also comes with less common optional features that you might wish
 to enable.</p>
 <p>The DAV service enables contacts and calendar storage through Mailu,
 it is especially userful when synchronizing your desktop and mobile devices.</p>
 <div class="form-group">
  <label>Enable the DAV service (and path to the DAV service)</label>
  <div class="input-group">
    <div class="input-group-addon"><input type="checkbox" name="dav_enabled" checked></div>
    <input class="form-control" type="text" name="admin_path" value="/webdav">
  </div>
 </div>
 {% endcall %}
--- a/setup/templates/steps/stack/02_services.html
+++ b/setup/templates/steps/stack/02_services.html
@ -0,0 +1,62 @@
 {% call macros.panel("info", "Step 3 - pick some features") %}
 <p>Mailu comes with multiple base features, including a specific admin
 interface, Web email clients (webmails), antispam, antivirus, etc. If you
 wish to disable some of these features, you are free to do so.</p>
 <p>Emails will be available through IMAP and POP3. You may also enable a Web
 email client. These do add some complexity but provide an easier way of
 accessing messages for beginner users.</p>
 <!-- 	Switched from radio buttons to dropdown menu in order to remove the checkbox -->
 <div class="form-group">
  <label>Enable Web email client (and path to the Web email client)</label>
 <!--   <div class="radio"> -->
 <!--     {{ macros.radio("webmail_type", "roundcube", "RoundCube", "popular Webmail running on top of PHP") }} -->
 <!--     {{ macros.radio("webmail_type", "rainloop", "Rainloop", "lightweight Webmail based on PHP, no database") }} -->
 <!--   </div> -->
  <br/>
  <select class="btn btn-primary dropdown-toggle" name="webmail_type">
  	{% for webmailtype in ["none", "roundcube", "rainloop"] %}
  	<option value="{{ webmailtype }}" >{{ webmailtype }}</option>
  	{% endfor %}
  </select>
  <p></p>
  <div class="input-group">
 <!--     <div class="input-group-addon"><input type="checkbox" name="webmail_enabled" value="true"></div> -->
    <input class="form-control" type="text" name="webmail_path" value="/webmail">
  </div>
 </div>
 <p>Email filtering is a really important features. You can still disable it, which
 will prevent Mailu from doing spam filtering, virus filtering, and from applying
 white and blacklists that you may configure in the admin interface. You may
 also disable the antivirus if required (it does use aroung 1GB of ram).</p>
 <div class="form-check form-check-inline">
  <label class="form-check-label">
    <input class="form-check-input" type="checkbox" name="antispam_enabled" value="rspamd" checked>
    Enable the spam filtering service
  </label>
 </div>
 <div class="form-check form-check-inline">
  <label class="form-check-label">
    <input class="form-check-input" type="checkbox" name="antivirus_enabled" value="clamav">
    Enable the antivirus service
  </label>
 </div>
 <div class="form-check form-check-inline">
  <label class="form-check-label">
    <input class="form-check-input" type="checkbox" name="webdav_enabled" value="radicale">
    Enable the webdav service
  </label>
 </div>
 <div class="form-check form-check-inline">
  <label class="form-check-label">
    <input class="form-check-input" type="checkbox" name="fetchmail_enabled" value="true">
    Enable fetchmail
  </label>
 </div>
 {% endcall %}
--- a/setup/templates/steps/stack/03_expose.html
+++ b/setup/templates/steps/stack/03_expose.html
@ -0,0 +1,21 @@
 {% call macros.panel("info", "Step 4 - expose Mailu to the world") %}
 <p>A mail server must be exposed to the world to receive emails, send emails,
 and let users access their mailboxes. Mailu has some flexibility in the way
 you expose it to the world.</p>
 <div class="form-group">
  <label>Subnet</label>
  <input class="form-control" type="text" name="subnet" required pattern="^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))$">
 </div>
 <p>You server will be available under a main hostname but may expose multiple public
 hostnames. Every e-mail domain that points to this server must have one of the
 hostnames in its <code>MX</code> record. Hostnames must be coma-separated.</p>
 <div class="form-group">
  <label>Public hostnames</label>
 <!--   Validates hostname or list of hostnames -->
  <input class="form-control" type="text" name="hostnames" placeholder="my.host.name,other.host.name" multiple required
    	pattern="^(?:(?:\w+(?:-+\w+)*\.)+[a-z]+)*(?:,(?:(?:\w+(?:-+\w+)*\.)+[a-z]+)\s*)*$">
 </div>
 {% endcall %}
--- a/setup/templates/wizard.html
+++ b/setup/templates/wizard.html
@ -8,12 +8,18 @@
  ready when using this wizard.
  {% endcall %}
-  <form method="post" action="{{ url_for(".submit") }}">
+  <form method="post" action="{{ url_for(".submit_flavor") }}">
  {% include "steps/flavor.html" %}
-  {% include "steps/expose.html" %}
+  <input class="btn btn-primary" type="submit" value="Next >" style="margin-bottom: 15px">
-  {% include "steps/services.html" %}
+  </form>
-  {% include "steps/optional.html" %}
+  {% if flavor %}
-
+  <form method="post" action="{{ url_for(".submit") }}">
  <input type="hidden" name="flavor" value="{{ flavor }}">
  {% include "steps/config.html" %}
  {%for file in steps %}
  {% include "steps/" + flavor + "/" + file %}
  {% endfor %}
  <input class="btn btn-primary" type="submit" value="Setup Mailu">
  {% endif %}
  </form>
 {% endblock %}
		`@ -1,3 +0,0 @@`
			`#!/bin/sh`

			`rspamc -h antispam:11334 -P mailu "learn_$1" /dev/stdin <&0`
`@ -1,3 +1,3 @@`
	`require "vnd.dovecot.execute";`	`require "vnd.dovecot.execute";`

	`execute :pipe "mailtrain" "spam";`	`execute :pipe "spam";`
`@ -1 +1,2 @@`
		`type = "normal";`
	`enabled = false;`	`enabled = false;`