diff --git a/.mergify.yml b/.mergify.yml
index 6cd6a5a3..02e41922 100644
--- a/.mergify.yml
+++ b/.mergify.yml
@@ -27,7 +27,7 @@ pull_request_rules:
 
   - name: Trusted author and 1 approved review; trigger bors r+
     conditions:
-      - author~=^(mergify|kaiyou|muhlemmer|mildred|HorayNarea|hoellen|ofthesun9|Nebukadneza|micw|lub|Diman0|3-w-c|decentral1se|ghostwheel42|nextgens|parisni)$
+      - author~=^(mergify|kaiyou|muhlemmer|mildred|HorayNarea|hoellen|ofthesun9|Nebukadneza|micw|lub|Diman0|ghostwheel42|nextgens)$
       - -title~=(WIP|wip)
       - -label~=^(status/wip|status/blocked|review/need2)$
       - "#approved-reviews-by>=1"
diff --git a/PULL_REQUEST_TEMPLATE.md b/PULL_REQUEST_TEMPLATE.md
index 8fb3265d..fc3b6b61 100644
--- a/PULL_REQUEST_TEMPLATE.md
+++ b/PULL_REQUEST_TEMPLATE.md
@@ -8,7 +8,7 @@
 - Mention an issue like: #001
 - Auto close an issue like: closes #001
 
-## Prerequistes
+## Prerequisites
 Before we can consider review and merge, please make sure the following list is done and checked.
 If an entry in not applicable, you can check it or remove it from the list.
 
diff --git a/README.md b/README.md
index c4354b28..4c19ad78 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ Main features include:
 - **Web access**, multiple Webmails and administration interface
 - **User features**, aliases, auto-reply, auto-forward, fetched accounts
 - **Admin features**, global admins, announcements, per-domain delegation, quotas
-- **Security**, enforced TLS, Letsencrypt!, outgoing DKIM, anti-virus scanner
+- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner
 - **Antispam**, auto-learn, greylisting, DMARC and SPF
 - **Freedom**, all FOSS components, no tracker included
 
diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index fa75e8dc..1958ae61 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -1,40 +1,51 @@
 # First stage to build assets
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 ARG ARCH=""
 
 FROM ${ARCH}node:16 as assets
-COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
 
 COPY package.json ./
-RUN npm install
+RUN set -eu \
+ && npm config set update-notifier false \
+ && npm install --no-fund
 
-COPY ./webpack.config.js ./
-COPY ./assets ./assets
-RUN mkdir static \
- && ./node_modules/.bin/webpack-cli
+COPY webpack.config.js ./
+COPY assets ./assets
+RUN set -eu \
+ && sed -i 's/#007bff/#55a5d9/' node_modules/admin-lte/build/scss/_bootstrap-variables.scss \
+ && for l in ca da de:de_de en:en-gb es:es_es eu fr:fr_fr he hu is it:it_it ja nb_NO:no_nb nl:nl_nl pl pt:pt_pt ru sv:sv_se zh; do \
+      cp node_modules/datatables.net-plugins/i18n/${l#*:}.json assets/${l%:*}.json; \
+    done \
+ && node_modules/.bin/webpack-cli --color
 
 
 # Actual application
 FROM $DISTRO
+COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
+
+ENV TZ Etc/UTC
+
 # python3 shared with most images
-RUN apk add --no-cache \
-    python3 py3-pip git bash \
-  && pip3 install --upgrade pip
+RUN set -eu \
+ && apk add --no-cache python3 py3-pip py3-wheel git bash tzdata \
+ && pip3 install --upgrade pip
 
 RUN mkdir -p /app
 WORKDIR /app
 
 COPY requirements-prod.txt requirements.txt
-RUN apk add --no-cache openssl curl postgresql-libs mariadb-connector-c \
-  && apk add --no-cache --virtual build-dep \
-  openssl-dev libffi-dev python3-dev build-base postgresql-dev mariadb-connector-c-dev cargo \
-  && pip3 install -r requirements.txt \
-  && apk del --no-cache build-dep
+RUN set -eu \
+ && apk add --no-cache libressl curl postgresql-libs mariadb-connector-c \
+ && apk add --no-cache --virtual build-dep libressl-dev libffi-dev python3-dev build-base postgresql-dev mariadb-connector-c-dev cargo \
+ && pip install --upgrade pip \
+ && pip install -r requirements.txt \
+ && apk del --no-cache build-dep
 
-COPY --from=assets static ./mailu/ui/static
+COPY --from=assets static ./mailu/static
 COPY mailu ./mailu
 COPY migrations ./migrations
 COPY start.py /start.py
+COPY audit.py /audit.py
 
 RUN pybabel compile -d mailu/translations
 
@@ -44,4 +55,4 @@ ENV FLASK_APP mailu
 
 CMD /start.py
 
-HEALTHCHECK CMD curl -f -L http://localhost/ui/login?next=ui.index || exit 1
+HEALTHCHECK CMD curl -f -L http://localhost/sso/login?next=ui.index || exit 1
diff --git a/core/admin/assets/app.css b/core/admin/assets/app.css
index 8351eed8..84644900 100644
--- a/core/admin/assets/app.css
+++ b/core/admin/assets/app.css
@@ -1,23 +1,59 @@
-.select2-search--inline .select2-search__field:focus {
-  border: none;
+/* mailu logo */
+.mailu-logo {
+  opacity: .8;
+}
+.bg-mailu-logo {
+  background-color: #2980b9!important;
 }
 
-.sidebar h4 {
-  padding-left: 5px;
-  padding-right: 5px;
-  overflow: hidden;
-  text-overflow: ellipsis;
+/* user image */
+.div-circle {
+  position: relative;
+  width: 2.1rem;
+  height: 2.1rem;
+  opacity: .8;
+  background-color: white;
+  border-radius: 50%;
+}
+.div-circle > i {
+  display: block;
+  position: absolute;
+  top: 50%;
+  left: 50%;
+  transform: translate(-50%, -50%)
 }
 
-.sidebar-collapse .sidebar h4 {
-  display: none !important;
+/* nice round preformatted configuration display */
+.pre-config {
+  padding: 9px;
+  margin: 0;
+  white-space: pre-wrap;
+  word-wrap: anywhere;
+  border-radius: 4px;
 }
 
-.logo a {
-  color: #fff;
+/* fieldset */
+legend {
+  font-size: inherit;
+}
+fieldset:disabled :not(legend) label {
+  opacity: .5;
+}
+fieldset:disabled .form-control:disabled {
+  color: gray;
 }
 
-.sidebar-toggle {
-  padding: unset !important;
+/* fix animation for icons in menu text */
+.sidebar .nav-link p i {
+  transition: margin-left .3s linear,opacity .3s ease,visibility .3s ease;
 }
 
+/* fix select2 text color */
+.select2-container--default .select2-selection--multiple .select2-selection__choice {
+  color: black;
+}
+
+/* range input spacing */
+.input-group-text {
+  margin-right: 1em;
+}
diff --git a/core/admin/assets/app.js b/core/admin/assets/app.js
index 364f8429..03ea6215 100644
--- a/core/admin/assets/app.js
+++ b/core/admin/assets/app.js
@@ -1,17 +1,79 @@
 require('./app.css');
 
-import 'admin-lte/plugins/select2/js/select2.js';
-import 'admin-lte/plugins/datatables/jquery.dataTables.js';
-import 'admin-lte/plugins/datatables-bs4/js/dataTables.bootstrap4.js';
-import 'admin-lte/plugins/datatables-responsive/js/dataTables.responsive.js';
-import 'admin-lte/plugins/datatables-responsive/js/responsive.bootstrap4.js';
+import logo from './mailu.png';
+import modules from "./*.json";
 
-jQuery("document").ready(function() {
-    jQuery(".mailselect").select2({
+// TODO: conditionally (or lazy) load select2 and dataTable
+$('document').ready(function() {
+
+    // intercept anchors with data-clicked attribute and open alternate location instead
+    $('[data-clicked]').click(function(e) {
+        e.preventDefault();
+        window.location.href = $(this).data('clicked');
+    });
+
+    // use post for language selection
+    $('#mailu-languages > a').click(function(e) {
+        e.preventDefault();
+        $.post({
+            url: $(this).attr('href'),
+            success: function() {
+                window.location = window.location.href;
+            },
+        });
+    });
+
+    // allow en-/disabling of inputs in fieldset with checkbox in legend
+    $('fieldset legend input[type=checkbox]').change(function() {
+        var fieldset = $(this).parents('fieldset');
+        if (this.checked) {
+            fieldset.removeAttr('disabled');
+            fieldset.find('input,textarea').not(this).removeAttr('disabled');
+        } else {
+            fieldset.attr('disabled', '');
+            fieldset.find('input,textarea').not(this).attr('disabled', '');
+        }
+    });
+
+    // display of range input value
+    $('input[type=range]').each(function() {
+        var value_element = $('#'+this.id+'_value');
+        if (value_element.length) {
+            value_element = $(value_element[0]);
+            var infinity = $(this).data('infinity');
+            var step = $(this).attr('step');
+            $(this).on('input', function() {
+                var num = (infinity && this.value == 0) ? '∞' : (this.value/step).toFixed(2);
+                if (num.endsWith('.00')) num = num.substr(0, num.length - 3);
+                value_element.text(num);
+            }).trigger('input');
+        }
+    });
+
+    // init select2
+    $('.mailselect').select2({
         tags: true,
-        tokenSeparators: [',', ' ']
+        tokenSeparators: [',', ' '],
     });
-    jQuery(".dataTable").DataTable({
-        "responsive": true,
+
+    // init dataTable
+    var d = $(document.documentElement);
+    $('.dataTable').DataTable({
+        'responsive': true,
+        language: {
+            url: d.data('static') + d.attr('lang') + '.json',
+        },
     });
+
+    // init clipboard.js
+    new ClipboardJS('.btn-clip');
+
+    // disable login if not possible
+    var l = $('#login_needs_https');
+    if (l.length && window.location.protocol != 'https:') {
+        l.removeClass("d-none");
+        $('form :input').prop('disabled', true);
+    }
+
 });
+
diff --git a/core/admin/assets/mailu.png b/core/admin/assets/mailu.png
new file mode 100644
index 00000000..e4f5021f
Binary files /dev/null and b/core/admin/assets/mailu.png differ
diff --git a/core/admin/assets/vendor.js b/core/admin/assets/vendor.js
index fd43d918..906448cf 100644
--- a/core/admin/assets/vendor.js
+++ b/core/admin/assets/vendor.js
@@ -1,22 +1,24 @@
-// jQuery
-import jQuery from 'jquery';
-import 'admin-lte/plugins/select2/css/select2.css';
-
-// bootstrap
-// import 'bootstrap/less/bootstrap.less';
-// import 'bootstrap';
-
-// FontAwesome
-import 'admin-lte/plugins/fontawesome-free/css/fontawesome.css';
-import 'admin-lte/plugins/fontawesome-free/css/regular.css';
-import 'admin-lte/plugins/fontawesome-free/css/solid.css';
-
 // AdminLTE
+import 'admin-lte/plugins/jquery/jquery.min.js';
+import 'admin-lte/plugins/bootstrap/js/bootstrap.bundle.min.js';
 import 'admin-lte/build/scss/adminlte.scss';
-import 'admin-lte/plugins/datatables-bs4/css/dataTables.bootstrap4.css';
-import 'admin-lte/plugins/datatables-responsive/css/responsive.bootstrap4.css';
-import 'admin-lte/plugins/bootstrap/js/bootstrap.js';
 import 'admin-lte/build/js/AdminLTE.js';
-import 'admin-lte/build/js/Layout.js';
-import 'admin-lte/build/js/ControlSidebar.js';
-import 'admin-lte/build/js/PushMenu.js';
+
+// fontawesome plugin
+import 'admin-lte/plugins/fontawesome-free/css/all.min.css';
+
+// select2 plugin
+import 'admin-lte/plugins/select2/css/select2.min.css';
+import 'admin-lte/plugins/select2/js/select2.min.js';
+
+// dataTables plugin
+import 'admin-lte/plugins/datatables-bs4/css/dataTables.bootstrap4.min.css';
+import 'admin-lte/plugins/datatables-responsive/css/responsive.bootstrap4.min.css';
+import 'admin-lte/plugins/datatables/jquery.dataTables.min.js';
+import 'admin-lte/plugins/datatables-bs4/js/dataTables.bootstrap4.min.js';
+import 'admin-lte/plugins/datatables-responsive/js/dataTables.responsive.min.js';
+import 'admin-lte/plugins/datatables-responsive/js/responsive.bootstrap4.min.js';
+
+// clipboard.js
+import 'clipboard/dist/clipboard.min.js';
+
diff --git a/core/admin/audit.py b/core/admin/audit.py
old mode 100644
new mode 100755
index db105ff4..60583f83
--- a/core/admin/audit.py
+++ b/core/admin/audit.py
@@ -1,14 +1,19 @@
-from mailu import app
+#!/usr/bin/python3
 
 import sys
 import tabulate
 
+sys.path[0:0] = ['/app']
+
+import mailu
+app = mailu.create_app()
+
 
 # Known endpoints without permissions
 known_missing_permissions = [
-    "index",
-    "static", "bootstrap.static",
-    "admin.static", "admin.login"
+    'index',
+    'static', 'bootstrap.static',
+    'admin.static', 'admin.login'
 ]
 
 
@@ -16,7 +21,7 @@ known_missing_permissions = [
 missing_permissions = []
 permissions = {}
 for endpoint, function in app.view_functions.items():
-    audit = function.__dict__.get("_audit_permissions")
+    audit = function.__dict__.get('_audit_permissions')
     if audit:
         handler, args = audit
         if args:
@@ -28,16 +33,15 @@ for endpoint, function in app.view_functions.items():
     elif endpoint not in known_missing_permissions:
         missing_permissions.append(endpoint)
 
-
-# Fail if any endpoint is missing a permission check
-if missing_permissions:
-    print("The following endpoints are missing permission checks:")
-    print(missing_permissions.join(","))
-    sys.exit(1)
-
-
 # Display the permissions table
 print(tabulate.tabulate([
     [route, *permissions[route.endpoint]]
     for route in app.url_map.iter_rules() if route.endpoint in permissions
 ]))
+
+# Warn if any endpoint is missing a permission check
+if missing_permissions:
+    print()
+    print('The following endpoints are missing permission checks:')
+    print(','.join(missing_permissions))
+
diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py
index 8ab8ed0e..fe1f376c 100644
--- a/core/admin/mailu/__init__.py
+++ b/core/admin/mailu/__init__.py
@@ -11,11 +11,10 @@ import hmac
 def create_app_from_config(config):
     """ Create a new application based on the given configuration
     """
-    app = flask.Flask(__name__)
+    app = flask.Flask(__name__, static_folder='static', static_url_path='/static')
     app.cli.add_command(manage.mailu)
 
-    # Bootstrap is used for basic JS and CSS loading
-    # TODO: remove this and use statically generated assets instead
+    # Bootstrap is used for error display and flash messages
     app.bootstrap = flask_bootstrap.Bootstrap(app)
 
     # Initialize application extensions
@@ -29,7 +28,18 @@ def create_app_from_config(config):
     utils.proxy.init_app(app)
     utils.migrate.init_app(app, models.db)
 
+    app.device_cookie_key = hmac.new(bytearray(app.secret_key, 'utf-8'), bytearray('DEVICE_COOKIE_KEY', 'utf-8'), 'sha256').digest()
     app.temp_token_key = hmac.new(bytearray(app.secret_key, 'utf-8'), bytearray('WEBMAIL_TEMP_TOKEN_KEY', 'utf-8'), 'sha256').digest()
+    app.srs_key = hmac.new(bytearray(app.secret_key, 'utf-8'), bytearray('SRS_KEY', 'utf-8'), 'sha256').digest()
+
+    # Initialize list of translations
+    app.config.translations = {
+        str(locale): locale
+        for locale in sorted(
+            utils.babel.list_translations(),
+            key=lambda l: l.get_language_name().title()
+        )
+    }
 
     # Initialize debugging tools
     if app.config.get("DEBUG"):
@@ -43,15 +53,24 @@ def create_app_from_config(config):
     def inject_defaults():
         signup_domains = models.Domain.query.filter_by(signup_enabled=True).all()
         return dict(
-            signup_domains=signup_domains,
-            config=app.config
+            signup_domains= signup_domains,
+            config        = app.config,
         )
 
-    # Import views
-    from mailu import ui, internal
-    app.register_blueprint(ui.ui, url_prefix='/ui')
-    app.register_blueprint(internal.internal, url_prefix='/internal')
+    # Jinja filters
+    @app.template_filter()
+    def format_date(value):
+        return utils.flask_babel.format_date(value) if value else ''
 
+    @app.template_filter()
+    def format_datetime(value):
+        return utils.flask_babel.format_datetime(value) if value else ''
+
+    # Import views
+    from mailu import ui, internal, sso
+    app.register_blueprint(ui.ui, url_prefix=app.config['WEB_ADMIN'])
+    app.register_blueprint(internal.internal, url_prefix='/internal')
+    app.register_blueprint(sso.sso, url_prefix='/sso')
     return app
 
 
@@ -60,3 +79,4 @@ def create_app():
     """
     config = configuration.ConfigManager()
     return create_app_from_config(config)
+
diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 7cd3a56b..b60b8a3e 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -2,6 +2,7 @@ import os
 
 from datetime import timedelta
 from socrate import system
+import ipaddress
 
 DEFAULT_CONFIG = {
     # Specific to the admin UI
@@ -35,8 +36,13 @@ DEFAULT_CONFIG = {
     'WILDCARD_SENDERS': '',
     'TLS_FLAVOR': 'cert',
     'INBOUND_TLS_ENFORCE': False,
-    'AUTH_RATELIMIT': '1000/minute;10000/hour',
-    'AUTH_RATELIMIT_SUBNET': False,
+    'DEFER_ON_TLS_ERROR': True,
+    'AUTH_RATELIMIT_IP': '60/hour',
+    'AUTH_RATELIMIT_IP_V4_MASK': 24,
+    'AUTH_RATELIMIT_IP_V6_MASK': 56,
+    'AUTH_RATELIMIT_USER': '100/day',
+    'AUTH_RATELIMIT_EXEMPTION': '',
+    'AUTH_RATELIMIT_EXEMPTION_LENGTH': 86400,
     'DISABLE_STATISTICS': False,
     # Mail settings
     'DMARC_RUA': None,
@@ -48,20 +54,26 @@ DEFAULT_CONFIG = {
     'DKIM_PATH': '/dkim/{domain}.{selector}.key',
     'DEFAULT_QUOTA': 1000000000,
     'MESSAGE_RATELIMIT': '200/day',
+    'MESSAGE_RATELIMIT_EXEMPTION': '',
+    'RECIPIENT_DELIMITER': '',
     # Web settings
     'SITENAME': 'Mailu',
     'WEBSITE': 'https://mailu.io',
+    'ADMIN' : 'none',
     'WEB_ADMIN': '/admin',
     'WEB_WEBMAIL': '/webmail',
     'WEBMAIL': 'none',
     'RECAPTCHA_PUBLIC_KEY': '',
     'RECAPTCHA_PRIVATE_KEY': '',
+    'LOGO_URL': None,
+    'LOGO_BACKGROUND': None,
     # Advanced settings
     'LOG_LEVEL': 'WARNING',
     'SESSION_KEY_BITS': 128,
     'SESSION_LIFETIME': 24,
     'SESSION_COOKIE_SECURE': True,
     'CREDENTIAL_ROUNDS': 12,
+    'TZ': 'Etc/UTC',
     # Host settings
     'HOST_IMAP': 'imap',
     'HOST_LMTP': 'imap:2525',
@@ -78,7 +90,7 @@ DEFAULT_CONFIG = {
     'POD_ADDRESS_RANGE': None
 }
 
-class ConfigManager(dict):
+class ConfigManager:
     """ Naive configuration manager that uses environment only
     """
 
@@ -93,19 +105,16 @@ class ConfigManager(dict):
 
     def get_host_address(self, name):
         # if MYSERVICE_ADDRESS is defined, use this
-        if '{}_ADDRESS'.format(name) in os.environ:
-            return os.environ.get('{}_ADDRESS'.format(name))
+        if f'{name}_ADDRESS' in os.environ:
+            return os.environ.get(f'{name}_ADDRESS')
         # otherwise use the host name and resolve it
-        return system.resolve_address(self.config['HOST_{}'.format(name)])
+        return system.resolve_address(self.config[f'HOST_{name}'])
 
     def resolve_hosts(self):
-        self.config["IMAP_ADDRESS"] = self.get_host_address("IMAP")
-        self.config["POP3_ADDRESS"] = self.get_host_address("POP3")
-        self.config["AUTHSMTP_ADDRESS"] = self.get_host_address("AUTHSMTP")
-        self.config["SMTP_ADDRESS"] = self.get_host_address("SMTP")
-        self.config["REDIS_ADDRESS"] = self.get_host_address("REDIS")
-        if self.config["WEBMAIL"] != "none":
-            self.config["WEBMAIL_ADDRESS"] = self.get_host_address("WEBMAIL")
+        for key in ['IMAP', 'POP3', 'AUTHSMTP', 'SMTP', 'REDIS']:
+            self.config[f'{key}_ADDRESS'] = self.get_host_address(key)
+        if self.config['WEBMAIL'] != 'none':
+            self.config['WEBMAIL_ADDRESS'] = self.get_host_address('WEBMAIL')
 
     def __get_env(self, key, value):
         key_file = key + "_FILE"
@@ -124,6 +133,7 @@ class ConfigManager(dict):
         return value
 
     def init_app(self, app):
+        # get current app config
         self.config.update(app.config)
         # get environment variables
         self.config.update({
@@ -137,31 +147,18 @@ class ConfigManager(dict):
             template = self.DB_TEMPLATES[self.config['DB_FLAVOR']]
             self.config['SQLALCHEMY_DATABASE_URI'] = template.format(**self.config)
 
-        self.config['RATELIMIT_STORAGE_URL'] = 'redis://{0}/2'.format(self.config['REDIS_ADDRESS'])
-        self.config['QUOTA_STORAGE_URL'] = 'redis://{0}/1'.format(self.config['REDIS_ADDRESS'])
-        self.config['SESSION_STORAGE_URL'] = 'redis://{0}/3'.format(self.config['REDIS_ADDRESS'])
+        self.config['RATELIMIT_STORAGE_URL'] = f'redis://{self.config["REDIS_ADDRESS"]}/2'
+        self.config['QUOTA_STORAGE_URL'] = f'redis://{self.config["REDIS_ADDRESS"]}/1'
+        self.config['SESSION_STORAGE_URL'] = f'redis://{self.config["REDIS_ADDRESS"]}/3'
         self.config['SESSION_COOKIE_SAMESITE'] = 'Strict'
         self.config['SESSION_COOKIE_HTTPONLY'] = True
         self.config['PERMANENT_SESSION_LIFETIME'] = timedelta(hours=int(self.config['SESSION_LIFETIME']))
-        # update the app config itself
-        app.config = self
+        hostnames = [host.strip() for host in self.config['HOSTNAMES'].split(',')]
+        self.config['AUTH_RATELIMIT_EXEMPTION'] = set(ipaddress.ip_network(cidr, False) for cidr in (cidr.strip() for cidr in self.config['AUTH_RATELIMIT_EXEMPTION'].split(',')) if cidr)
+        self.config['MESSAGE_RATELIMIT_EXEMPTION'] = set([s for s in self.config['MESSAGE_RATELIMIT_EXEMPTION'].lower().replace(' ', '').split(',') if s])
+        self.config['HOSTNAMES'] = ','.join(hostnames)
+        self.config['HOSTNAME'] = hostnames[0]
 
-    def setdefault(self, key, value):
-        if key not in self.config:
-            self.config[key] = value
-        return self.config[key]
+        # update the app config
+        app.config.update(self.config)
 
-    def get(self, *args):
-        return self.config.get(*args)
-
-    def keys(self):
-        return self.config.keys()
-
-    def __getitem__(self, key):
-        return self.config.get(key)
-
-    def __setitem__(self, key, value):
-        self.config[key] = value
-
-    def __contains__(self, key):
-        return key in self.config
diff --git a/core/admin/mailu/debug.py b/core/admin/mailu/debug.py
index 7677901b..4d63f3c5 100644
--- a/core/admin/mailu/debug.py
+++ b/core/admin/mailu/debug.py
@@ -1,6 +1,6 @@
 import flask_debugtoolbar
 
-from werkzeug.contrib import profiler as werkzeug_profiler
+from werkzeug.middleware.profiler import ProfilerMiddleware
 
 
 # Debugging toolbar
@@ -10,7 +10,7 @@ toolbar = flask_debugtoolbar.DebugToolbarExtension()
 # Profiler
 class Profiler(object):
     def init_app(self, app):
-        app.wsgi_app = werkzeug_profiler.ProfilerMiddleware(
+        app.wsgi_app = ProfilerMiddleware(
             app.wsgi_app, restrictions=[30]
         )
 
diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index 5e60cd0c..027db935 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -5,6 +5,7 @@ import re
 import urllib
 import ipaddress
 import socket
+import sqlalchemy.exc
 import tenacity
 
 SUPPORTED_AUTH_METHODS = ["none", "plain"]
@@ -19,6 +20,11 @@ STATUSES = {
     "encryption": ("Must issue a STARTTLS command first", {
         "smtp": "530 5.7.0"
     }),
+    "ratelimit": ("Temporary authentication failure (rate-limit)", {
+        "imap": "LIMIT",
+        "smtp": "451 4.3.2",
+        "pop3": "-ERR [LOGIN-DELAY] Retry later"
+    }),
 }
 
 def check_credentials(user, password, ip, protocol=None):
@@ -71,37 +77,46 @@ def handle_authentication(headers):
             }
     # Authenticated user
     elif method == "plain":
-        server, port = get_server(headers["Auth-Protocol"], True)
+        is_valid_user = False
         # According to RFC2616 section 3.7.1 and PEP 3333, HTTP headers should
         # be ASCII and are generally considered ISO8859-1. However when passing
         # the password, nginx does not transcode the input UTF string, thus
         # we need to manually decode.
         raw_user_email = urllib.parse.unquote(headers["Auth-User"])
-        user_email = raw_user_email.encode("iso8859-1").decode("utf8")
         raw_password = urllib.parse.unquote(headers["Auth-Pass"])
-        password = raw_password.encode("iso8859-1").decode("utf8")
-        ip = urllib.parse.unquote(headers["Client-Ip"])
-        service_port = int(urllib.parse.unquote(headers["Auth-Port"]))
-        if service_port == 25:
-            return {
-                "Auth-Status": "AUTH not supported",
-                "Auth-Error-Code": "502 5.5.1",
-                "Auth-Wait": 0
-            }
-        user = models.User.query.get(user_email)
-        if check_credentials(user, password, ip, protocol):
-            return {
-                "Auth-Status": "OK",
-                "Auth-Server": server,
-                "Auth-Port": port
-            }
+        user_email = 'invalid'
+        try:
+            user_email = raw_user_email.encode("iso8859-1").decode("utf8")
+            password = raw_password.encode("iso8859-1").decode("utf8")
+            ip = urllib.parse.unquote(headers["Client-Ip"])
+        except:
+            app.logger.warn(f'Received undecodable user/password from nginx: {raw_user_email!r}/{raw_password!r}')
         else:
-            status, code = get_status(protocol, "authentication")
-            return {
-                "Auth-Status": status,
-                "Auth-Error-Code": code,
-                "Auth-Wait": 0
-            }
+            try:
+                user = models.User.query.get(user_email)
+                is_valid_user = True
+            except sqlalchemy.exc.StatementError as exc:
+                exc = str(exc).split('\n', 1)[0]
+                app.logger.warn(f'Invalid user {user_email!r}: {exc}')
+            else:
+                ip = urllib.parse.unquote(headers["Client-Ip"])
+                if check_credentials(user, password, ip, protocol):
+                    server, port = get_server(headers["Auth-Protocol"], True)
+                    return {
+                        "Auth-Status": "OK",
+                        "Auth-Server": server,
+                        "Auth-User": user_email,
+                        "Auth-User-Exists": is_valid_user,
+                        "Auth-Port": port
+                    }
+        status, code = get_status(protocol, "authentication")
+        return {
+            "Auth-Status": status,
+            "Auth-Error-Code": code,
+            "Auth-User": user_email,
+            "Auth-User-Exists": is_valid_user,
+            "Auth-Wait": 0
+        }
     # Unexpected
     return {}
 
diff --git a/core/admin/mailu/internal/templates/default.sieve b/core/admin/mailu/internal/templates/default.sieve
index 5e995611..a29e7aba 100644
--- a/core/admin/mailu/internal/templates/default.sieve
+++ b/core/admin/mailu/internal/templates/default.sieve
@@ -19,7 +19,7 @@ if header :index 2 :matches "Received" "from * by * for <*>; *"
 }
 
 {% if user.spam_enabled %}
-if spamtest :percent :value "gt" :comparator "i;ascii-numeric"  "{{ user.spam_threshold }}"
+if spamtest :percent :value "gt" :comparator "i;ascii-numeric" "{{ user.spam_threshold }}"
 {
   setflag "\\seen";
   fileinto :create "Junk";
@@ -32,6 +32,6 @@ if exists "X-Virus" {
   stop;
 }
 
-{% if user.reply_active  %}
+{% if user.reply_active %}
 vacation :days 1 {% if user.displayed_name != "" %}:from "{{ user.displayed_name }} <{{ user.email }}>"{% endif %} :subject "{{ user.reply_subject }}" "{{ user.reply_body }}";
 {% endif %}
diff --git a/core/admin/mailu/internal/views/__init__.py b/core/admin/mailu/internal/views/__init__.py
index a32106c0..762b2a38 100644
--- a/core/admin/mailu/internal/views/__init__.py
+++ b/core/admin/mailu/internal/views/__init__.py
@@ -1,3 +1,3 @@
 __all__ = [
-    'auth', 'postfix', 'dovecot', 'fetch'
+    'auth', 'postfix', 'dovecot', 'fetch', 'rspamd'
 ]
diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py
index 1686e1cb..344be78b 100644
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@@ -5,19 +5,24 @@ from flask import current_app as app
 import flask
 import flask_login
 import base64
-import ipaddress
-
 
 @internal.route("/auth/email")
 def nginx_authentication():
     """ Main authentication endpoint for Nginx email server
     """
-    limiter = utils.limiter.get_limiter(app.config["AUTH_RATELIMIT"], "auth-ip")
     client_ip = flask.request.headers["Client-Ip"]
-    if not limiter.test(client_ip):
+    headers = flask.request.headers
+    if headers["Auth-Port"] == '25' and headers['Auth-Method'] == 'plain':
         response = flask.Response()
-        response.headers['Auth-Status'] = 'Authentication rate limit from one source exceeded'
-        response.headers['Auth-Error-Code'] = '451 4.3.2'
+        response.headers['Auth-Status'] = 'AUTH not supported'
+        response.headers['Auth-Error-Code'] = '502 5.5.1'
+        utils.limiter.rate_limit_ip(client_ip)
+        return response
+    if utils.limiter.should_rate_limit_ip(client_ip):
+        status, code = nginx.get_status(flask.request.headers['Auth-Protocol'], 'ratelimit')
+        response = flask.Response()
+        response.headers['Auth-Status'] = status
+        response.headers['Auth-Error-Code'] = code
         if int(flask.request.headers['Auth-Login-Attempt']) < 10:
             response.headers['Auth-Wait'] = '3'
         return response
@@ -25,14 +30,27 @@ def nginx_authentication():
     response = flask.Response()
     for key, value in headers.items():
         response.headers[key] = str(value)
-    if ("Auth-Status" not in headers) or (headers["Auth-Status"] != "OK"):
-        limit_subnet = str(app.config["AUTH_RATELIMIT_SUBNET"]) != 'False'
-        subnet = ipaddress.ip_network(app.config["SUBNET"])
-        if limit_subnet or ipaddress.ip_address(client_ip) not in subnet:
-            limiter.hit(flask.request.headers["Client-Ip"])
+    is_valid_user = False
+    if response.headers.get("Auth-User-Exists"):
+        username = response.headers["Auth-User"]
+        if utils.limiter.should_rate_limit_user(username, client_ip):
+            # FIXME could be done before handle_authentication()
+            status, code = nginx.get_status(flask.request.headers['Auth-Protocol'], 'ratelimit')
+            response = flask.Response()
+            response.headers['Auth-Status'] = status
+            response.headers['Auth-Error-Code'] = code
+            if int(flask.request.headers['Auth-Login-Attempt']) < 10:
+                response.headers['Auth-Wait'] = '3'
+            return response
+        is_valid_user = True
+    if headers.get("Auth-Status") == "OK":
+        utils.limiter.exempt_ip_from_ratelimits(client_ip)
+    elif is_valid_user:
+        utils.limiter.rate_limit_user(username, client_ip)
+    else:
+        utils.limiter.rate_limit_ip(client_ip)
     return response
 
-
 @internal.route("/auth/admin")
 def admin_authentication():
     """ Fails if the user is not an authenticated admin.
@@ -60,15 +78,29 @@ def user_authentication():
 def basic_authentication():
     """ Tries to authenticate using the Authorization header.
     """
+    client_ip = flask.request.headers.get('X-Real-IP', flask.request.remote_addr)
+    if utils.limiter.should_rate_limit_ip(client_ip):
+        response = flask.Response(status=401)
+        response.headers["WWW-Authenticate"] = 'Basic realm="Authentication rate limit from one source exceeded"'
+        response.headers['Retry-After'] = '60'
+        return response
     authorization = flask.request.headers.get("Authorization")
     if authorization and authorization.startswith("Basic "):
         encoded = authorization.replace("Basic ", "")
         user_email, password = base64.b64decode(encoded).split(b":", 1)
-        user = models.User.query.get(user_email.decode("utf8"))
-        if nginx.check_credentials(user, password.decode('utf-8'), flask.request.remote_addr, "web"):
+        user_email = user_email.decode("utf8")
+        if utils.limiter.should_rate_limit_user(user_email, client_ip):
+            response = flask.Response(status=401)
+            response.headers["WWW-Authenticate"] = 'Basic realm="Authentication rate limit for this username exceeded"'
+            response.headers['Retry-After'] = '60'
+            return response
+        user = models.User.query.get(user_email)
+        if user and nginx.check_credentials(user, password.decode('utf-8'), client_ip, "web"):
             response = flask.Response()
             response.headers["X-User"] = models.IdnaEmail.process_bind_param(flask_login, user.email, "")
+            utils.limiter.exempt_ip_from_ratelimits(client_ip)
             return response
+        utils.limiter.rate_limit_user(user_email, client_ip) if user else utils.limiter.rate_limit_ip(client_ip)
     response = flask.Response(status=401)
     response.headers["WWW-Authenticate"] = 'Basic realm="Login Required"'
     return response
diff --git a/core/admin/mailu/internal/views/postfix.py b/core/admin/mailu/internal/views/postfix.py
index 2e7d0b9b..ed951943 100644
--- a/core/admin/mailu/internal/views/postfix.py
+++ b/core/admin/mailu/internal/views/postfix.py
@@ -7,6 +7,9 @@ import idna
 import re
 import srslib
 
+@internal.route("/postfix/dane/<domain_name>")
+def postfix_dane_map(domain_name):
+    return flask.jsonify('dane-only') if utils.has_dane_record(domain_name) else flask.abort(404)
 
 @internal.route("/postfix/domain/<domain_name>")
 def postfix_mailbox_domain(domain_name):
@@ -105,7 +108,7 @@ def postfix_recipient_map(recipient):
 
     This is meant for bounces to go back to the original sender.
     """
-    srs = srslib.SRS(flask.current_app.config["SECRET_KEY"])
+    srs = srslib.SRS(flask.current_app.srs_key)
     if srslib.SRS.is_srs_address(recipient):
         try:
             return flask.jsonify(srs.reverse(recipient))
@@ -120,7 +123,7 @@ def postfix_sender_map(sender):
 
     This is for bounces to come back the reverse path properly.
     """
-    srs = srslib.SRS(flask.current_app.config["SECRET_KEY"])
+    srs = srslib.SRS(flask.current_app.srs_key)
     domain = flask.current_app.config["DOMAIN"]
     try:
         localpart, domain_name = models.Email.resolve_domain(sender)
@@ -137,6 +140,7 @@ def postfix_sender_login(sender):
     localpart, domain_name = models.Email.resolve_domain(sender)
     if localpart is None:
         return flask.jsonify(",".join(wildcard_senders)) if wildcard_senders else flask.abort(404)
+    localpart = localpart[:next((i for i, ch in enumerate(localpart) if ch in flask.current_app.config.get('RECIPIENT_DELIMITER')), None)]
     destination = models.Email.resolve_destination(localpart, domain_name, True)
     destination = [*destination, *wildcard_senders] if destination else [*wildcard_senders]
     return flask.jsonify(",".join(destination)) if destination else flask.abort(404)
@@ -145,6 +149,8 @@ def postfix_sender_login(sender):
 def postfix_sender_rate(sender):
     """ Rate limit outbound emails per sender login
     """
+    if sender in flask.current_app.config['MESSAGE_RATELIMIT_EXEMPTION']:
+        flask.abort(404)
     user = models.User.get(sender) or flask.abort(404)
     return flask.abort(404) if user.sender_limiter.hit() else flask.jsonify("450 4.2.1 You are sending too many emails too fast.")
 
diff --git a/core/admin/mailu/internal/views/rspamd.py b/core/admin/mailu/internal/views/rspamd.py
new file mode 100644
index 00000000..458dbb81
--- /dev/null
+++ b/core/admin/mailu/internal/views/rspamd.py
@@ -0,0 +1,27 @@
+from mailu import models
+from mailu.internal import internal
+
+import flask
+
+def vault_error(*messages, status=404):
+    return flask.make_response(flask.jsonify({'errors':messages}), status)
+
+# rspamd key format:
+# {"selectors":[{"pubkey":"...","domain":"...","valid_start":TS,"valid_end":TS,"key":"...","selector":"...","bits":...,"alg":"..."}]}
+
+# hashicorp vault answer format:
+# {"request_id":"...","lease_id":"","renewable":false,"lease_duration":2764800,"data":{...see above...},"wrap_info":null,"warnings":null,"auth":null}
+
+@internal.route("/rspamd/vault/v1/dkim/<domain_name>", methods=['GET'])
+def rspamd_dkim_key(domain_name):
+    selectors = []
+    if domain := models.Domain.query.get(domain_name):
+        if key := domain.dkim_key:
+            selectors.append(
+                {
+                    'domain'  : domain.name,
+                    'key'     : key.decode('utf8'),
+                    'selector': flask.current_app.config.get('DKIM_SELECTOR', 'dkim'),
+                }
+            )
+    return flask.jsonify({'data': {'selectors': selectors}})
diff --git a/core/admin/mailu/limiter.py b/core/admin/mailu/limiter.py
index b5f99915..3bc65f4f 100644
--- a/core/admin/mailu/limiter.py
+++ b/core/admin/mailu/limiter.py
@@ -1,7 +1,12 @@
+from mailu import utils
+from flask import current_app as app
+import base64
 import limits
 import limits.storage
 import limits.strategies
 
+import hmac
+import secrets
 
 class LimitWrapper(object):
     """ Wraps a limit by providing the storage, item and identifiers
@@ -31,4 +36,59 @@ class LimitWraperFactory(object):
         self.limiter = limits.strategies.MovingWindowRateLimiter(self.storage)
 
     def get_limiter(self, limit, *args):
-        return LimitWrapper(self.limiter, limits.parse(limit), *args)
\ No newline at end of file
+        return LimitWrapper(self.limiter, limits.parse(limit), *args)
+
+    def is_subject_to_rate_limits(self, ip):
+        return False if utils.is_exempt_from_ratelimits(ip) else not (self.storage.get(f'exempt-{ip}') > 0)
+
+    def exempt_ip_from_ratelimits(self, ip):
+        self.storage.incr(f'exempt-{ip}', app.config["AUTH_RATELIMIT_EXEMPTION_LENGTH"], True)
+
+    def should_rate_limit_ip(self, ip):
+        limiter = self.get_limiter(app.config["AUTH_RATELIMIT_IP"], 'auth-ip')
+        client_network = utils.extract_network_from_ip(ip)
+        is_rate_limited = self.is_subject_to_rate_limits(ip) and not limiter.test(client_network)
+        if is_rate_limited:
+            app.logger.warn(f'Authentication attempt from {ip} has been rate-limited.')
+        return is_rate_limited
+
+    def rate_limit_ip(self, ip):
+        if ip != app.config['WEBMAIL_ADDRESS']:
+            limiter = self.get_limiter(app.config["AUTH_RATELIMIT_IP"], 'auth-ip')
+            client_network = utils.extract_network_from_ip(ip)
+            if self.is_subject_to_rate_limits(ip):
+                limiter.hit(client_network)
+
+    def should_rate_limit_user(self, username, ip, device_cookie=None, device_cookie_name=None):
+        limiter = self.get_limiter(app.config["AUTH_RATELIMIT_USER"], 'auth-user')
+        is_rate_limited = self.is_subject_to_rate_limits(ip) and not limiter.test(device_cookie if device_cookie_name == username else username)
+        if is_rate_limited:
+            app.logger.warn(f'Authentication attempt from {ip} for {username} has been rate-limited.')
+        return is_rate_limited
+
+    def rate_limit_user(self, username, ip, device_cookie=None, device_cookie_name=None):
+        limiter = self.get_limiter(app.config["AUTH_RATELIMIT_USER"], 'auth-user')
+        if self.is_subject_to_rate_limits(ip):
+            limiter.hit(device_cookie if device_cookie_name == username else username)
+
+    """ Device cookies as described on:
+    https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies
+    """
+    def parse_device_cookie(self, cookie):
+        try:
+            login, nonce, _ = cookie.split('$')
+            if hmac.compare_digest(cookie, self.device_cookie(login, nonce)):
+                return nonce, login
+        except:
+            pass
+        return None, None
+
+    """ Device cookies don't require strong crypto:
+        72bits of nonce, 96bits of signature is more than enough
+        and these values avoid padding in most cases
+    """
+    def device_cookie(self, username, nonce=None):
+        if not nonce:
+            nonce = secrets.token_urlsafe(9)
+        sig = str(base64.urlsafe_b64encode(hmac.new(app.device_cookie_key, bytearray(f'device_cookie|{username}|{nonce}', 'utf-8'), 'sha256').digest()[20:]), 'utf-8')
+        return f'{username}${nonce}${sig}'
diff --git a/core/admin/mailu/manage.py b/core/admin/mailu/manage.py
index 5708327e..937c9f49 100644
--- a/core/admin/mailu/manage.py
+++ b/core/admin/mailu/manage.py
@@ -48,44 +48,44 @@ def advertise():
 @click.argument('localpart')
 @click.argument('domain_name')
 @click.argument('password')
-@click.option('-m', '--mode')
+@click.option('-m', '--mode', default='create', metavar='MODE', help='''\b'create' (default): create user. it's an error if user already exists
+'ifmissing': only update password if user is missing
+'update': create user or update password if user exists
+''')
 @with_appcontext
-def admin(localpart, domain_name, password, mode='create'):
+def admin(localpart, domain_name, password, mode):
     """ Create an admin user
-        'mode' can be:
-            - 'create' (default) Will try to create user and will raise an exception if present
-            - 'ifmissing': if user exists, nothing happens, else it will be created
-            - 'update': user is created or, if it exists, its password gets updated
     """
+
+    if not mode in ('create', 'update', 'ifmissing'):
+        raise click.ClickException(f'invalid mode: {mode!r}')
+
     domain = models.Domain.query.get(domain_name)
     if not domain:
         domain = models.Domain(name=domain_name)
         db.session.add(domain)
 
-    user = None
-    if mode == 'ifmissing' or mode == 'update':
-        email = f'{localpart}@{domain_name}'
-        user = models.User.query.get(email)
-
-        if user and mode == 'ifmissing':
-            print('user %s exists, not updating' % email)
+    email = f'{localpart}@{domain_name}'
+    if user := models.User.query.get(email):
+        if mode == 'ifmissing':
+            print(f'user {email!r} exists, not updating')
             return
-
-    if not user:
+        elif mode == 'update':
+            user.set_password(password)
+            db.session.commit()
+            print("updated admin password")
+        else:
+            raise click.ClickException(f'user {email!r} exists, not created')
+    else:
         user = models.User(
             localpart=localpart,
             domain=domain,
             global_admin=True
         )
-        user.set_password(password)
         db.session.add(user)
+        user.set_password(password)
         db.session.commit()
         print("created admin user")
-    elif mode == 'update':
-        user.set_password(password)
-        db.session.commit()
-        print("updated admin password")
-
 
 
 @mailu.command()
@@ -119,7 +119,7 @@ def password(localpart, domain_name, password):
     """ Change the password of an user
     """
     email = f'{localpart}@{domain_name}'
-    user   = models.User.query.get(email)
+    user  = models.User.query.get(email)
     if user:
         user.set_password(password)
     else:
diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index cdc5a579..aedef62a 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -19,7 +19,8 @@ import os
 import hmac
 import smtplib
 import idna
-import dns
+import dns.resolver
+import dns.exception
 
 from flask import current_app as app
 from sqlalchemy.ext import declarative
@@ -38,6 +39,8 @@ class IdnaDomain(db.TypeDecorator):
     """
 
     impl = db.String(80)
+    cache_ok = True
+    python_type = str
 
     def process_bind_param(self, value, dialect):
         """ encode unicode domain name to punycode """
@@ -47,16 +50,18 @@ class IdnaDomain(db.TypeDecorator):
         """ decode punycode domain name to unicode """
         return idna.decode(value)
 
-    python_type = str
-
 class IdnaEmail(db.TypeDecorator):
     """ Stores a Unicode string in it's IDNA representation (ASCII only)
     """
 
     impl = db.String(255)
+    cache_ok = True
+    python_type = str
 
     def process_bind_param(self, value, dialect):
         """ encode unicode domain part of email address to punycode """
+        if not '@' in value:
+            raise ValueError('invalid email address (no "@")')
         localpart, domain_name = value.lower().rsplit('@', 1)
         if '@' in localpart:
             raise ValueError('email local part must not contain "@"')
@@ -67,13 +72,13 @@ class IdnaEmail(db.TypeDecorator):
         localpart, domain_name = value.rsplit('@', 1)
         return f'{localpart}@{idna.decode(domain_name)}'
 
-    python_type = str
-
 class CommaSeparatedList(db.TypeDecorator):
     """ Stores a list as a comma-separated string, compatible with Postfix.
     """
 
     impl = db.String
+    cache_ok = True
+    python_type = list
 
     def process_bind_param(self, value, dialect):
         """ join list of items to comma separated string """
@@ -88,13 +93,13 @@ class CommaSeparatedList(db.TypeDecorator):
         """ split comma separated string to list """
         return list(filter(bool, (item.strip() for item in value.split(',')))) if value else []
 
-    python_type = list
-
 class JSONEncoded(db.TypeDecorator):
     """ Represents an immutable structure as a json-encoded string.
     """
 
     impl = db.String
+    cache_ok = True
+    python_type = str
 
     def process_bind_param(self, value, dialect):
         """ encode data as json """
@@ -104,8 +109,6 @@ class JSONEncoded(db.TypeDecorator):
         """ decode json to data """
         return json.loads(value) if value else None
 
-    python_type = str
-
 class Base(db.Model):
     """ Base class for all models
     """
@@ -209,16 +212,16 @@ class Domain(Base):
                 os.unlink(file_path)
             self._dkim_key_on_disk = self._dkim_key
 
-    @property
+    @cached_property
     def dns_mx(self):
         """ return MX record for domain """
-        hostname = app.config['HOSTNAMES'].split(',', 1)[0]
+        hostname = app.config['HOSTNAME']
         return f'{self.name}. 600 IN MX 10 {hostname}.'
 
-    @property
+    @cached_property
     def dns_spf(self):
         """ return SPF record for domain """
-        hostname = app.config['HOSTNAMES'].split(',', 1)[0]
+        hostname = app.config['HOSTNAME']
         return f'{self.name}. 600 IN TXT "v=spf1 mx a:{hostname} ~all"'
 
     @property
@@ -226,12 +229,11 @@ class Domain(Base):
         """ return DKIM record for domain """
         if self.dkim_key:
             selector = app.config['DKIM_SELECTOR']
-            return (
-                f'{selector}._domainkey.{self.name}. 600 IN TXT'
-                f'"v=DKIM1; k=rsa; p={self.dkim_publickey}"'
-            )
+            txt = f'v=DKIM1; k=rsa; p={self.dkim_publickey}'
+            record = ' '.join(f'"{txt[p:p+250]}"' for p in range(0, len(txt), 250))
+            return f'{selector}._domainkey.{self.name}. 600 IN TXT {record}'
 
-    @property
+    @cached_property
     def dns_dmarc(self):
         """ return DMARC record for domain """
         if self.dkim_key:
@@ -242,6 +244,41 @@ class Domain(Base):
             ruf = f' ruf=mailto:{ruf}@{domain};' if ruf else ''
             return f'_dmarc.{self.name}. 600 IN TXT "v=DMARC1; p=reject;{rua}{ruf} adkim=s; aspf=s"'
 
+    @cached_property
+    def dns_dmarc_report(self):
+        """ return DMARC report record for mailu server """
+        if self.dkim_key:
+            domain = app.config['DOMAIN']
+            return f'{self.name}._report._dmarc.{domain}. 600 IN TXT "v=DMARC1"'
+
+    @cached_property
+    def dns_autoconfig(self):
+        """ return list of auto configuration records (RFC6186) """
+        hostname = app.config['HOSTNAME']
+        protocols = [
+            ('submission', 587),
+            ('imap', 143),
+            ('pop3', 110),
+        ]
+        if app.config['TLS_FLAVOR'] != 'notls':
+            protocols.extend([
+                ('imaps', 993),
+                ('pop3s', 995),
+            ])
+        return list([
+            f'_{proto}._tcp.{self.name}. 600 IN SRV 1 1 {port} {hostname}.'
+            for proto, port
+            in protocols
+        ])
+
+    @cached_property
+    def dns_tlsa(self):
+        """ return TLSA record for domain when using letsencrypt """
+        hostname = app.config['HOSTNAME']
+        if app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'):
+            # current ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) @20210902
+            return f'_25._tcp.{hostname}. 600 IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3'
+
     @property
     def dkim_key(self):
         """ return private DKIM key """
@@ -533,6 +570,8 @@ class User(Base, Email):
         """ verifies password against stored hash
             and updates hash if outdated
         """
+        if password == '':
+            return False
         cache_result = self._credential_cache.get(self.get_id())
         current_salt = self.password.split('$')[3] if len(self.password.split('$')) == 5 else None
         if cache_result and current_salt:
diff --git a/core/admin/mailu/schemas.py b/core/admin/mailu/schemas.py
index 191d01ac..00cbf464 100644
--- a/core/admin/mailu/schemas.py
+++ b/core/admin/mailu/schemas.py
@@ -145,6 +145,11 @@ class Logger:
             if history.has_changes() and history.deleted:
                 before = history.deleted[-1]
                 after = getattr(target, attr.key)
+                # we don't have ordered lists
+                if isinstance(before, list):
+                    before = set(before)
+                if isinstance(after, list):
+                    after = set(after)
                 # TODO: this can be removed when comment is not nullable in model
                 if attr.key == 'comment' and not before and not after:
                     pass
diff --git a/core/admin/mailu/sso/__init__.py b/core/admin/mailu/sso/__init__.py
new file mode 100644
index 00000000..98b5abd0
--- /dev/null
+++ b/core/admin/mailu/sso/__init__.py
@@ -0,0 +1,5 @@
+from flask import Blueprint
+
+sso = Blueprint('sso', __name__, static_folder=None, template_folder='templates')
+
+from mailu.sso.views import *
diff --git a/core/admin/mailu/sso/forms.py b/core/admin/mailu/sso/forms.py
new file mode 100644
index 00000000..c190b8bc
--- /dev/null
+++ b/core/admin/mailu/sso/forms.py
@@ -0,0 +1,11 @@
+from wtforms import validators, fields
+from flask_babel import lazy_gettext as _
+import flask_wtf
+
+class LoginForm(flask_wtf.FlaskForm):
+    class Meta:
+        csrf = False
+    email = fields.StringField(_('E-mail'), [validators.Email(), validators.DataRequired()])
+    pw = fields.PasswordField(_('Password'), [validators.DataRequired()])
+    submitAdmin = fields.SubmitField(_('Sign in'))
+    submitWebmail = fields.SubmitField(_('Sign in'))
diff --git a/core/admin/mailu/sso/templates/base_sso.html b/core/admin/mailu/sso/templates/base_sso.html
new file mode 100644
index 00000000..9dfb25a5
--- /dev/null
+++ b/core/admin/mailu/sso/templates/base_sso.html
@@ -0,0 +1,86 @@
+{%- import "macros.html" as macros %}
+{%- import "bootstrap/utils.html" as utils %}
+<!doctype html>
+<html lang="{{ session['language'] }}" data-static="/static/">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta name="description" content="{% trans %}Admin page for{% endtrans %} {{ config["SITENAME"] }}">
+    <meta http-equiv="x-ua-compatible" content="ie=edge">
+    <title>Mailu-Admin | {{ config["SITENAME"] }}</title>
+    <link rel="stylesheet" href="{{ url_for('static', filename='vendor.css') }}">
+    <link rel="stylesheet" href="{{ url_for('static', filename='app.css') }}">
+  </head>
+  <body class="hold-transition sidebar-mini layout-fixed">
+    <div class="wrapper">
+      <nav class="main-header navbar navbar-expand navbar-white navbar-light">
+        <ul class="navbar-nav">
+          <li class="nav-item">
+            <a class="nav-link" data-widget="pushmenu" href="#" role="button"><i class="fas fa-bars" title="{% trans %}toggle sidebar{% endtrans %}" aria-expanded="false"></i><span class="sr-only">{% trans %}toggle sidebar{% endtrans %}</span></a>
+          </li>
+          <li class="nav-item">
+          {%- for page, url in path %}
+            {%- if loop.index > 1 %}
+            <i class="fas fa-greater-than text-xs text-gray" aria-hidden="true"></i>
+            {%- endif %}
+            {%- if url %}
+            <a class="nav-link d-inline-block" href="{{ url }}" role="button">{{ page }}</a>
+            {%- else %}
+            <span class="nav-link d-inline-block">{{ page }}</span>
+            {%- endif %}
+          {%- endfor %}
+          </li>
+        </ul>
+        <ul class="navbar-nav ml-auto">
+          <li class="nav-item dropdown">
+            <a class="nav-link" data-toggle="dropdown" href="#" aria-expanded="false">
+              <i class="fas fa-language text-xl" aria-hidden="true" title="{% trans %}change language{% endtrans %}"></i><span class="sr-only">Language</span>
+              <span class="badge badge-primary navbar-badge">{{ session['language'] }}</span></a>
+            <div class="dropdown-menu dropdown-menu-right p-0" id="mailu-languages">
+            {%- for locale in config.translations.values() %}
+              <a class="dropdown-item{% if locale|string() == session['language'] %} active{% endif %}" href="{{ url_for('sso.set_language', language=locale) }}">{{ locale.get_language_name().title() }}</a>
+            {%- endfor %}
+            </div>
+          </li>
+        </ul>
+      </nav>
+      <aside class="main-sidebar sidebar-dark-primary nav-compact elevation-4">
+        <a class="brand-link bg-mailu-logo"{% if config["LOGO_BACKGROUND"] %} style="background-color:{{ config["LOGO_BACKGROUND"] }}!important;"{% endif %}>
+          <img src="{{ config["LOGO_URL"] if config["LOGO_URL"] else '/static/mailu.png' }}" width="33" height="33" alt="Mailu" class="brand-image mailu-logo img-circle elevation-3">
+          <span class="brand-text font-weight-light">{{ config["SITENAME"] }}</span>
+        </a>
+        {%- include "sidebar_sso.html" %}
+      </aside>
+      <div class="content-wrapper text-sm">
+        <section class="content-header">
+          <div class="container-fluid">
+            <div class="row mb-2">
+              <div class="col-sm-6">
+                <h1 class="m-0">{%- block title %}{%- endblock %}</h1>
+                <small>{% block subtitle %}{% endblock %}</small>
+              </div>
+              <div class="col-sm-6">
+                {%- block main_action %}{%- endblock %}
+              </div>
+            </div>
+          </div>
+        </section>
+        <div class="content">
+          {{ utils.flashed_messages(container=False, default_category='success') }}
+          {%- block content %}{%- endblock %}
+        </div>
+      </div>
+      <footer class="main-footer">
+        Built with <i class="fa fa-heart text-danger" aria-hidden="true"></i><span class="sr-only">love</span>
+        using <a href="https://flask.palletsprojects.com/">Flask</a>
+        and <a href="https://adminlte.io/themes/v3/index3.html">AdminLTE</a>.
+        <span class="fa-pull-right">
+          <i class="fa fa-code-branch" aria-hidden="true"></i><span class="sr-only">fork</span>
+          on <a href="https://github.com/Mailu/Mailu">Github</a>
+        </span>
+      </footer>
+    </div>
+    <script src="{{ url_for('static', filename='vendor.js') }}"></script>
+    <script src="{{ url_for('static', filename='app.js') }}"></script>
+  </body>
+</html>
diff --git a/core/admin/mailu/sso/templates/form_sso.html b/core/admin/mailu/sso/templates/form_sso.html
new file mode 100644
index 00000000..d2451597
--- /dev/null
+++ b/core/admin/mailu/sso/templates/form_sso.html
@@ -0,0 +1,11 @@
+{%- extends "base_sso.html" %}
+
+{%- block content %}
+{%- call macros.card() %}
+<form class="form" method="post" role="form">
+  {{ macros.form_field(form.email) }}
+  {{ macros.form_field(form.pw) }}
+  {{ macros.form_fields(fields, label=False, class="btn btn-default") }}
+</form>
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/sso/templates/login.html b/core/admin/mailu/sso/templates/login.html
new file mode 100644
index 00000000..c727e01e
--- /dev/null
+++ b/core/admin/mailu/sso/templates/login.html
@@ -0,0 +1,5 @@
+{%- extends "form_sso.html" %}
+
+{%- block title %}
+{% trans %}Sign in{% endtrans %}
+{%- endblock %}
diff --git a/core/admin/mailu/sso/templates/sidebar_sso.html b/core/admin/mailu/sso/templates/sidebar_sso.html
new file mode 100644
index 00000000..86db3333
--- /dev/null
+++ b/core/admin/mailu/sso/templates/sidebar_sso.html
@@ -0,0 +1,55 @@
+<div class="sidebar text-sm">
+  <nav class="mt-2">
+    <ul class="nav nav-pills nav-sidebar flex-column" role="menu">
+    <li class="nav-header text-uppercase text-primary" role="none">{% trans %}Go to{% endtrans %}</li>
+    {%- if config['ADMIN'] %}
+      <li class="nav-item">
+        <a href="{{ url_for('ui.client') }}" class="nav-link">
+          <i class="nav-icon fa fa-laptop"></i>
+          <p class="text">{% trans %}Client setup{% endtrans %}</p>
+        </a>
+      </li>
+    {%- endif %}
+      <li class="nav-item" role="none">
+        <a href="{{ config["WEBSITE"] }}" target="_blank" class="nav-link" role="menuitem" rel="noreferrer">
+          <i class="nav-icon fa fa-globe"></i>
+          <p>{% trans %}Website{% endtrans %} <i class="fas fa-external-link-alt text-xs"></i></p>
+        </a>
+      </li>
+      <li class="nav-item" role="none">
+        <a href="https://mailu.io" target="_blank" class="nav-link" role="menuitem">
+          <i class="nav-icon fa fa-life-ring"></i>
+          <p class="text">{% trans %}Help{% endtrans %} <i class="fas fa-external-link-alt text-xs"></i></p>
+        </a>
+      </li>
+    {#-
+      Domain self-registration is only available when
+       - Admin is available
+       - Domain Self-registration is enabled
+       - The current user is not logged on
+    #}
+    {%- if config['DOMAIN_REGISTRATION'] and not current_user.is_authenticated and config['ADMIN'] %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('ui.domain_signup') }}" class="nav-link" role="menuitem">
+          <i class="nav-icon fa fa-plus-square"></i>
+          <p class="text">{% trans %}Register a domain{% endtrans %}</p>
+        </a>
+      </li>
+    {%- endif %}
+    {#-
+      User self-registration is only available when
+       - Admin is available
+       - Self-registration is enabled
+       - The current user is not logged on
+    #}
+    {%- if not current_user.is_authenticated and signup_domains and config['ADMIN'] %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('ui.user_signup') }}" class="nav-link" role="menuitem">
+          <i class="nav-icon fa fa-user-plus"></i>
+          <p class="text">{% trans %}Sign up{% endtrans %}</p>
+        </a>
+      </li>
+    {%- endif %}
+    </ul>
+  </nav>
+</div>
diff --git a/core/admin/mailu/sso/views/__init__.py b/core/admin/mailu/sso/views/__init__.py
new file mode 100644
index 00000000..7b1830fb
--- /dev/null
+++ b/core/admin/mailu/sso/views/__init__.py
@@ -0,0 +1,3 @@
+__all__ = [
+    'base', 'languages'
+]
diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
new file mode 100644
index 00000000..390d5bbf
--- /dev/null
+++ b/core/admin/mailu/sso/views/base.py
@@ -0,0 +1,57 @@
+from werkzeug.utils import redirect
+from mailu import models, utils
+from mailu.sso import sso, forms
+from mailu.ui import access
+
+from flask import current_app as app
+import flask
+import flask_login
+
+@sso.route('/login', methods=['GET', 'POST'])
+def login():
+    client_ip = flask.request.headers.get('X-Real-IP', flask.request.remote_addr)
+    form = forms.LoginForm()
+    form.submitAdmin.label.text = form.submitAdmin.label.text + ' Admin'
+    form.submitWebmail.label.text = form.submitWebmail.label.text + ' Webmail'
+
+    fields = []
+    if str(app.config["ADMIN"]).upper() != "FALSE":
+        fields.append(form.submitAdmin)
+    if str(app.config["WEBMAIL"]).upper() != "NONE":
+        fields.append(form.submitWebmail)
+    fields = [fields]
+
+    if form.validate_on_submit():
+        if form.submitAdmin.data:
+            destination = app.config['WEB_ADMIN']
+        elif form.submitWebmail.data:
+            destination = app.config['WEB_WEBMAIL']
+        device_cookie, device_cookie_username = utils.limiter.parse_device_cookie(flask.request.cookies.get('rate_limit'))
+        username = form.email.data
+        if username != device_cookie_username and utils.limiter.should_rate_limit_ip(client_ip):
+            flask.flash('Too many attempts from your IP (rate-limit)', 'error')
+            return flask.render_template('login.html', form=form)
+        if utils.limiter.should_rate_limit_user(username, client_ip, device_cookie, device_cookie_username):
+            flask.flash('Too many attempts for this user (rate-limit)', 'error')
+            return flask.render_template('login.html', form=form)
+        user = models.User.login(username, form.pw.data)
+        if user:
+            flask.session.regenerate()
+            flask_login.login_user(user)
+            response = flask.redirect(destination)
+            response.set_cookie('rate_limit', utils.limiter.device_cookie(username), max_age=31536000, path=flask.url_for('sso.login'), secure=app.config['SESSION_COOKIE_SECURE'], httponly=True)
+            flask.current_app.logger.info(f'Login succeeded for {username} from {client_ip}.')
+            return response
+        else:
+            utils.limiter.rate_limit_user(username, client_ip, device_cookie, device_cookie_username) if models.User.get(username) else utils.limiter.rate_limit_ip(client_ip)
+            flask.current_app.logger.warn(f'Login failed for {username} from {client_ip}.')
+            flask.flash('Wrong e-mail or password', 'error')
+    return flask.render_template('login.html', form=form, fields=fields)
+
+@sso.route('/logout', methods=['GET'])
+@access.authenticated
+def logout():
+    flask_login.logout_user()
+    flask.session.destroy()
+    return flask.redirect(flask.url_for('.login'))
+
diff --git a/core/admin/mailu/sso/views/languages.py b/core/admin/mailu/sso/views/languages.py
new file mode 100644
index 00000000..66c09b1f
--- /dev/null
+++ b/core/admin/mailu/sso/views/languages.py
@@ -0,0 +1,7 @@
+from mailu.sso import sso
+import flask
+
+@sso.route('/language/<language>', methods=['POST'])
+def set_language(language=None):
+    flask.session['language'] = language
+    return flask.Response(status=200)
diff --git a/core/admin/mailu/translations/pl/LC_MESSAGES/messages.po b/core/admin/mailu/translations/pl/LC_MESSAGES/messages.po
index cec7a4a0..09130a7b 100644
--- a/core/admin/mailu/translations/pl/LC_MESSAGES/messages.po
+++ b/core/admin/mailu/translations/pl/LC_MESSAGES/messages.po
@@ -1,188 +1,287 @@
 msgid ""
 msgstr ""
-"Project-Id-Version: Mailu\n"
+"Project-Id-Version:  Mailu\n"
+"POT-Creation-Date: 2021-02-05 16:34+0100\n"
 "PO-Revision-Date: 2020-02-17 20:23+0000\n"
-"Last-Translator: NeroPcStation <dareknowacki2001@gmail.com>\n"
-"Language-Team: Polish <https://translate.tedomum.net/projects/mailu/admin/pl/"
-">\n"
+"Last-Translator: Marcin Siennicki <marcin@siennicki.eu>\n"
 "Language: pl\n"
+"Language-Team: Polish "
+"<https://translate.tedomum.net/projects/mailu/admin/pl/>\n"
+"Plural-Forms: nplurals=3; plural=n==1 ? 0 : n%10>=2 && n%10<=4 && "
+"(n%100<10 || n%100>=20) ? 1 : 2\n"
 "MIME-Version: 1.0\n"
-"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Plural-Forms: nplurals=3; plural=n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 "
-"|| n%100>=20) ? 1 : 2;\n"
-"X-Generator: Weblate 3.3\n"
+"Generated-By: Babel 2.9.0\n"
 
-#: mailu/ui/forms.py:32
+#: mailu/ui/forms.py:33 mailu/ui/forms.py:36
 msgid "Invalid email address."
 msgstr "Nieprawidłowy adres e-mail."
 
-#: mailu/ui/forms.py:36
+#: mailu/ui/forms.py:45
 msgid "Confirm"
 msgstr "Zatwierdź"
 
-#: mailu/ui/forms.py:40 mailu/ui/forms.py:77
+#: mailu/ui/forms.py:49 mailu/ui/forms.py:86
 msgid "E-mail"
 msgstr "E-mail"
 
-#: mailu/ui/forms.py:41 mailu/ui/forms.py:78 mailu/ui/forms.py:90
-#: mailu/ui/forms.py:109 mailu/ui/forms.py:162
+#: mailu/ui/forms.py:50 mailu/ui/forms.py:87 mailu/ui/forms.py:100
+#: mailu/ui/forms.py:118 mailu/ui/forms.py:172
 #: mailu/ui/templates/client.html:32 mailu/ui/templates/client.html:59
 msgid "Password"
 msgstr "Hasło"
 
-#: mailu/ui/forms.py:42 mailu/ui/templates/login.html:4
-#: mailu/ui/templates/sidebar.html:111
+#: mailu/ui/forms.py:51 mailu/ui/templates/login.html:4
+#: mailu/ui/templates/sidebar.html:108
 msgid "Sign in"
 msgstr "Zaloguj"
 
-#: mailu/ui/forms.py:46 mailu/ui/forms.py:56
+#: mailu/ui/forms.py:55 mailu/ui/forms.py:65
 #: mailu/ui/templates/domain/details.html:27
 #: mailu/ui/templates/domain/list.html:18 mailu/ui/templates/relay/list.html:17
 msgid "Domain name"
 msgstr "Nazwa domeny"
 
-#: mailu/ui/forms.py:47
+#: mailu/ui/forms.py:56
 msgid "Maximum user count"
 msgstr "Maksymalna liczba użytkowników"
 
-#: mailu/ui/forms.py:48
+#: mailu/ui/forms.py:57
 msgid "Maximum alias count"
 msgstr "Maksymalna liczba aliasów"
 
-#. Needs more context - is that a verb or a noun?
-#: mailu/ui/forms.py:51 mailu/ui/forms.py:72 mailu/ui/forms.py:83
-#: mailu/ui/forms.py:128 mailu/ui/forms.py:140
+#: mailu/ui/forms.py:58
+msgid "Maximum user quota"
+msgstr "Maksymalny przydział użytkownika"
+
+#: mailu/ui/forms.py:59
+msgid "Enable sign-up"
+msgstr "Włącz rejestrację"
+
+#: mailu/ui/forms.py:60 mailu/ui/forms.py:81 mailu/ui/forms.py:93
+#: mailu/ui/forms.py:138 mailu/ui/forms.py:150
 #: mailu/ui/templates/alias/list.html:21 mailu/ui/templates/domain/list.html:21
 #: mailu/ui/templates/relay/list.html:19 mailu/ui/templates/token/list.html:19
 #: mailu/ui/templates/user/list.html:23
 msgid "Comment"
 msgstr "Komentarz"
 
-#: mailu/ui/forms.py:52 mailu/ui/forms.py:61 mailu/ui/forms.py:66
-#: mailu/ui/forms.py:73 mailu/ui/forms.py:132 mailu/ui/forms.py:141
-msgid "Create"
-msgstr "Utwórz"
+#: mailu/ui/forms.py:61 mailu/ui/forms.py:75 mailu/ui/forms.py:82
+#: mailu/ui/forms.py:95 mailu/ui/forms.py:142 mailu/ui/forms.py:151
+msgid "Save"
+msgstr "Zapisz"
 
-#: mailu/ui/forms.py:59 mailu/ui/forms.py:79 mailu/ui/forms.py:91
+#: mailu/ui/forms.py:66
+msgid "Initial admin"
+msgstr "Początkowy administrator"
+
+#: mailu/ui/forms.py:67
+msgid "Admin password"
+msgstr "Hasło administratora"
+
+#: mailu/ui/forms.py:68 mailu/ui/forms.py:88 mailu/ui/forms.py:101
 msgid "Confirm password"
 msgstr "Potwierdź hasło"
 
-#: mailu/ui/forms.py:80 mailu/ui/templates/user/list.html:22
+#: mailu/ui/forms.py:70
+msgid "Create"
+msgstr "Utwórz"
+
+#: mailu/ui/forms.py:74
+msgid "Alternative name"
+msgstr "Alternatywna nazwa"
+
+#: mailu/ui/forms.py:79
+msgid "Relayed domain name"
+msgstr "Domeny przekierowywane"
+
+#: mailu/ui/forms.py:80 mailu/ui/templates/relay/list.html:18
+msgid "Remote host"
+msgstr "Zdalny host"
+
+#: mailu/ui/forms.py:89 mailu/ui/templates/user/list.html:22
 #: mailu/ui/templates/user/signup_domain.html:16
 msgid "Quota"
 msgstr "Maksymalna przestrzeń na dysku"
 
-#: mailu/ui/forms.py:81
+#: mailu/ui/forms.py:90
 msgid "Allow IMAP access"
 msgstr "Zezwalaj na dostęp przez protokół IMAP"
 
-#: mailu/ui/forms.py:82
+#: mailu/ui/forms.py:91
 msgid "Allow POP3 access"
 msgstr "Zezwalaj na dostęp przez protokół POP3"
 
-#: mailu/ui/forms.py:85
-msgid "Save"
-msgstr "Zapisz"
-
-#: mailu/ui/forms.py:97
+#: mailu/ui/forms.py:92 mailu/ui/forms.py:108
+#: mailu/ui/templates/user/settings.html:15
 msgid "Displayed name"
 msgstr "Nazwa wyświetlana"
 
-#: mailu/ui/forms.py:98
+#: mailu/ui/forms.py:94
+msgid "Enabled"
+msgstr "Włączone"
+
+#: mailu/ui/forms.py:99
+msgid "Email address"
+msgstr "Adres e-mail"
+
+#: mailu/ui/forms.py:102 mailu/ui/templates/sidebar.html:114
+#: mailu/ui/templates/user/signup.html:4
+#: mailu/ui/templates/user/signup_domain.html:4
+msgid "Sign up"
+msgstr "Utwórz konto"
+
+#: mailu/ui/forms.py:109
 msgid "Enable spam filter"
 msgstr "Włącz filtr antyspamowy"
 
-#: mailu/ui/forms.py:80
-msgid "Spam filter threshold"
-msgstr "Próg filtra antyspamowego"
-
-#: mailu/ui/forms.py:105
-msgid "Save settings"
-msgstr "Zapisz ustawienia"
-
 #: mailu/ui/forms.py:110
-msgid "Password check"
-msgstr ""
+msgid "Spam filter tolerance"
+msgstr "Tolerancja filtra spamu"
 
-#: mailu/ui/forms.py:111 mailu/ui/templates/sidebar.html:16
-msgid "Update password"
-msgstr "Zaktualizuj hasło"
-
-#: mailu/ui/forms.py:100
+#: mailu/ui/forms.py:111
 msgid "Enable forwarding"
 msgstr "Włącz przekierowanie poczty"
 
-#: mailu/ui/forms.py:103 mailu/ui/forms.py:139
+#: mailu/ui/forms.py:112
+msgid "Keep a copy of the emails"
+msgstr "Przechowuj kopię wiadomości"
+
+#: mailu/ui/forms.py:113 mailu/ui/forms.py:149
 #: mailu/ui/templates/alias/list.html:20
 msgid "Destination"
 msgstr "Adres docelowy"
 
-#: mailu/ui/forms.py:120
-msgid "Update"
-msgstr "Aktualizuj"
+#: mailu/ui/forms.py:114
+msgid "Save settings"
+msgstr "Zapisz ustawienia"
 
-#: mailu/ui/forms.py:115
+#: mailu/ui/forms.py:119
+msgid "Password check"
+msgstr "Powtórz hasło"
+
+#: mailu/ui/forms.py:120 mailu/ui/templates/sidebar.html:16
+msgid "Update password"
+msgstr "Zaktualizuj hasło"
+
+#: mailu/ui/forms.py:124
 msgid "Enable automatic reply"
 msgstr "Włącz automatyczną odpowiedź"
 
-#: mailu/ui/forms.py:116
+#: mailu/ui/forms.py:125
 msgid "Reply subject"
 msgstr "Temat odpowiedzi"
 
-#: mailu/ui/forms.py:117
+#: mailu/ui/forms.py:126
 msgid "Reply body"
 msgstr "Treść odpowiedzi"
 
-#: mailu/ui/forms.py:136
+#: mailu/ui/forms.py:128
+#, fuzzy
+msgid "Start of vacation"
+msgstr "Rozpoczęcie nieobecności"
+
+#: mailu/ui/forms.py:129
+msgid "End of vacation"
+msgstr "Koniec nieobecności"
+
+#: mailu/ui/forms.py:130
+msgid "Update"
+msgstr "Aktualizuj"
+
+#: mailu/ui/forms.py:135
+msgid "Your token (write it down, as it will never be displayed again)"
+msgstr "Twój token (zapisz go, ponieważ nigdy więcej nie będzie wyświetlany)"
+
+#: mailu/ui/forms.py:140 mailu/ui/templates/token/list.html:20
+msgid "Authorized IP"
+msgstr "Autoryzowany adres IP"
+
+#: mailu/ui/forms.py:146
 msgid "Alias"
 msgstr "Alias"
 
-#: mailu/ui/forms.py:138
+#: mailu/ui/forms.py:148
 msgid "Use SQL LIKE Syntax (e.g. for catch-all aliases)"
 msgstr "Używaj składni SQL LIKE (np. do adresów catch-all)"
 
-#: mailu/ui/forms.py:145
+#: mailu/ui/forms.py:155
 msgid "Admin email"
 msgstr "E-mail administratora"
 
-#: mailu/ui/forms.py:146 mailu/ui/forms.py:151 mailu/ui/forms.py:164
+#: mailu/ui/forms.py:156 mailu/ui/forms.py:161 mailu/ui/forms.py:174
 msgid "Submit"
 msgstr "Prześlij"
 
-#: mailu/ui/forms.py:150
+#: mailu/ui/forms.py:160
 msgid "Manager email"
 msgstr "E-mail menedżera"
 
-#: mailu/ui/forms.py:155
+#: mailu/ui/forms.py:165
 msgid "Protocol"
 msgstr "Protokół"
 
-#: mailu/ui/forms.py:158
+#: mailu/ui/forms.py:168
 msgid "Hostname or IP"
 msgstr "Nazwa hosta lub adres IP"
 
-#: mailu/ui/forms.py:159 mailu/ui/templates/client.html:20
+#: mailu/ui/forms.py:169 mailu/ui/templates/client.html:20
 #: mailu/ui/templates/client.html:47
 msgid "TCP port"
 msgstr "Port TCP"
 
-#: mailu/ui/forms.py:160
+#: mailu/ui/forms.py:170
 msgid "Enable TLS"
 msgstr "Włącz TLS"
 
-#: mailu/ui/forms.py:161 mailu/ui/templates/client.html:28
+#: mailu/ui/forms.py:171 mailu/ui/templates/client.html:28
 #: mailu/ui/templates/client.html:55 mailu/ui/templates/fetch/list.html:20
 msgid "Username"
 msgstr "Nazwa użytkownika"
 
+#: mailu/ui/forms.py:173
+msgid "Keep emails on the server"
+msgstr "Przechowuj wiadomości na serwerze"
+
+#: mailu/ui/forms.py:178
+msgid "Announcement subject"
+msgstr "Temat ogłoszenia"
+
+#: mailu/ui/forms.py:180
+msgid "Announcement body"
+msgstr "Treść ogłoszenia"
+
+#: mailu/ui/forms.py:182
+msgid "Send"
+msgstr "Wyślij"
+
+#: mailu/ui/templates/announcement.html:4
+msgid "Public announcement"
+msgstr "Publiczne ogłoszenie"
+
+#: mailu/ui/templates/client.html:4 mailu/ui/templates/sidebar.html:79
+msgid "Client setup"
+msgstr "Konfiguracja klienta"
+
+#: mailu/ui/templates/client.html:16 mailu/ui/templates/client.html:43
+msgid "Mail protocol"
+msgstr "Protokół poczty"
+
+#: mailu/ui/templates/client.html:24 mailu/ui/templates/client.html:51
+msgid "Server name"
+msgstr "Nazwa serwera"
+
 #: mailu/ui/templates/confirm.html:4
 msgid "Confirm action"
 msgstr "Potwierdź wykonanie czynności"
 
 #: mailu/ui/templates/confirm.html:13
+#, python-format
 msgid "You are about to %(action)s. Please confirm your action."
-msgstr "Zamierzasz wykonać następujące czynności: %(action)s. Potwierdź wykonanie czynności."
+msgstr ""
+"Zamierzasz wykonać następujące czynności: %(action)s. Potwierdź wykonanie"
+" czynności."
 
 #: mailu/ui/templates/docker-error.html:4
 msgid "Docker error"
@@ -192,54 +291,19 @@ msgstr "Błąd Dockera"
 msgid "An error occurred while talking to the Docker server."
 msgstr "Wystąpił błąd komunikacji z serwerem Dockera."
 
-#: mailu/admin/templates/login.html:6
-msgid "Your account"
-msgstr "Twoje konto"
-
 #: mailu/ui/templates/login.html:8
 msgid "to access the administration tools"
 msgstr "aby uzyskać dostęp do narzędzi administracyjnych"
 
-#: mailu/ui/templates/services.html:4 mailu/ui/templates/sidebar.html:39
-msgid "Services status"
-msgstr "Status usług"
-
-#: mailu/ui/templates/services.html:10
-msgid "Service"
-msgstr "Usługa"
-
-#: mailu/ui/templates/fetch/list.html:23 mailu/ui/templates/services.html:11
-msgid "Status"
-msgstr "Status"
-
-#: mailu/ui/templates/services.html:12
-msgid "PID"
-msgstr "PID"
-
-#: mailu/ui/templates/services.html:13
-msgid "Image"
-msgstr "Obraz"
-
-#: mailu/ui/templates/services.html:14
-msgid "Started"
-msgstr ""
-
-#: mailu/ui/templates/services.html:15
-msgid "Last update"
-msgstr "Ostatnia aktualizacja"
-
 #: mailu/ui/templates/sidebar.html:8
+#, fuzzy
 msgid "My account"
-msgstr "Moje konto"
+msgstr "Dodaj konto"
 
 #: mailu/ui/templates/sidebar.html:11 mailu/ui/templates/user/list.html:34
 msgid "Settings"
 msgstr "Ustawienia"
 
-#: mailu/ui/templates/user/settings.html:22
-msgid "Auto-forward"
-msgstr "Automatyczne przekierowanie"
-
 #: mailu/ui/templates/sidebar.html:21 mailu/ui/templates/user/list.html:35
 msgid "Auto-reply"
 msgstr "Automatyczna odpowiedź"
@@ -247,28 +311,60 @@ msgstr "Automatyczna odpowiedź"
 #: mailu/ui/templates/fetch/list.html:4 mailu/ui/templates/sidebar.html:26
 #: mailu/ui/templates/user/list.html:36
 msgid "Fetched accounts"
-msgstr ""
+msgstr "Zewnętrzne konta e-mail"
 
-#: mailu/ui/templates/sidebar.html:105
-msgid "Sign out"
-msgstr "Wyloguj"
+#: mailu/ui/templates/sidebar.html:31 mailu/ui/templates/token/list.html:4
+msgid "Authentication tokens"
+msgstr "Tokeny uwierzytelnienia"
 
-#: mailu/ui/templates/sidebar.html:35
+#: mailu/ui/templates/sidebar.html:36
 msgid "Administration"
 msgstr "Administracja"
 
-#: mailu/ui/templates/sidebar.html:49
+#: mailu/ui/templates/sidebar.html:41
+msgid "Announcement"
+msgstr "Ogłoszenie"
+
+#: mailu/ui/templates/sidebar.html:46
 msgid "Administrators"
 msgstr "Administratorzy"
 
-#: mailu/ui/templates/sidebar.html:66
+#: mailu/ui/templates/sidebar.html:51
+msgid "Relayed domains"
+msgstr "Domeny przekierowywane"
+
+#: mailu/ui/templates/sidebar.html:56 mailu/ui/templates/user/settings.html:19
+msgid "Antispam"
+msgstr "Filtr antyspamowy"
+
+#: mailu/ui/templates/sidebar.html:63
 msgid "Mail domains"
 msgstr "Domeny pocztowe"
 
-#: mailu/ui/templates/sidebar.html:92
+#: mailu/ui/templates/sidebar.html:69
+msgid "Go to"
+msgstr "Przejdź do"
+
+#: mailu/ui/templates/sidebar.html:73
+msgid "Webmail"
+msgstr "Twoja poczta"
+
+#: mailu/ui/templates/sidebar.html:84
+msgid "Website"
+msgstr "Strona internetowa"
+
+#: mailu/ui/templates/sidebar.html:89
 msgid "Help"
 msgstr "Pomoc"
 
+#: mailu/ui/templates/domain/signup.html:4 mailu/ui/templates/sidebar.html:95
+msgid "Register a domain"
+msgstr "Zarejestruj domenę"
+
+#: mailu/ui/templates/sidebar.html:102
+msgid "Sign out"
+msgstr "Wyloguj"
+
 #: mailu/ui/templates/working.html:4
 msgid "We are still working on this feature!"
 msgstr "Nadal pracujemy nad tą funkcją!"
@@ -344,6 +440,22 @@ msgstr "Ostatnia edycja"
 msgid "Edit"
 msgstr "Edytuj"
 
+#: mailu/ui/templates/alternative/create.html:4
+msgid "Create alternative domain"
+msgstr "Utwórz alternatywną domenę"
+
+#: mailu/ui/templates/alternative/list.html:4
+msgid "Alternative domain list"
+msgstr "Alternatywna lista domen"
+
+#: mailu/ui/templates/alternative/list.html:12
+msgid "Add alternative"
+msgstr "Dodaj alternatywę"
+
+#: mailu/ui/templates/alternative/list.html:19
+msgid "Name"
+msgstr "Nazwa"
+
 #: mailu/ui/templates/domain/create.html:4
 #: mailu/ui/templates/domain/list.html:9
 msgid "New domain"
@@ -357,6 +469,10 @@ msgstr "Szczegóły domeny"
 msgid "Regenerate keys"
 msgstr "Wygeneruj ponownie klucze"
 
+#: mailu/ui/templates/domain/details.html:17
+msgid "Generate keys"
+msgstr "Wygeneruj klucze"
+
 #: mailu/ui/templates/domain/details.html:31
 msgid "DNS MX entry"
 msgstr "Wpis MX DNS"
@@ -365,15 +481,15 @@ msgstr "Wpis MX DNS"
 msgid "DNS SPF entries"
 msgstr "Wpisy SPF DNS"
 
-#: mailu/ui/templates/domain/details.html:42
+#: mailu/ui/templates/domain/details.html:41
 msgid "DKIM public key"
 msgstr "Publiczny klucz DKIM"
 
-#: mailu/ui/templates/domain/details.html:46
+#: mailu/ui/templates/domain/details.html:45
 msgid "DNS DKIM entry"
 msgstr "Wpis DKIM DNS"
 
-#: mailu/ui/templates/domain/details.html:50
+#: mailu/ui/templates/domain/details.html:49
 msgid "DNS DMARC entry"
 msgstr "Wpis DMARC DNS"
 
@@ -413,13 +529,42 @@ msgstr "Aliasy"
 msgid "Managers"
 msgstr "Menedżerowie"
 
+#: mailu/ui/templates/domain/list.html:39
+msgid "Alternatives"
+msgstr "Alternatywy"
+
+#: mailu/ui/templates/domain/signup.html:13
+msgid ""
+"In order to register a new domain, you must first setup the\n"
+"    domain zone so that the domain <code>MX</code> points to this server"
+msgstr ""
+"Aby zarejestrować nową domenę, musisz najpierw skonfigurować strefę "
+"domeny, aby domena <code> MX </code> wskazywała na ten serwer"
+
+#: mailu/ui/templates/domain/signup.html:18
+msgid ""
+"If you do not know how to setup an <code>MX</code> record for your DNS "
+"zone,\n"
+"    please contact your DNS provider or administrator. Also, please wait "
+"a\n"
+"    couple minutes after the <code>MX</code> is set so the local server "
+"cache\n"
+"    expires."
+msgstr ""
+"Jeśli nie wiesz, jak skonfigurować rekord <code> MX </code> dla swojej "
+"strefy DNS,\n"
+"skontaktuj się z dostawcą DNS lub administratorem. Proszę również "
+"poczekać\n"
+"kilka minut po ustawieniu <code> MX </code>, żeby pamięć podręczna "
+"serwera lokalnego wygasła."
+
 #: mailu/ui/templates/fetch/create.html:4
 msgid "Add a fetched account"
-msgstr ""
+msgstr "Dodaj zewnętrzne konto pocztowe"
 
 #: mailu/ui/templates/fetch/edit.html:4
 msgid "Update a fetched account"
-msgstr ""
+msgstr "Zaktualizuj konto"
 
 #: mailu/ui/templates/fetch/list.html:12
 msgid "Add an account"
@@ -427,12 +572,28 @@ msgstr "Dodaj konto"
 
 #: mailu/ui/templates/fetch/list.html:19
 msgid "Endpoint"
-msgstr ""
+msgstr "Serwer"
+
+#: mailu/ui/templates/fetch/list.html:21
+msgid "Keep emails"
+msgstr "Przechowuj wiadomości"
 
 #: mailu/ui/templates/fetch/list.html:22
 msgid "Last check"
 msgstr "Ostatnie sprawdzenie"
 
+#: mailu/ui/templates/fetch/list.html:23
+msgid "Status"
+msgstr "Stan"
+
+#: mailu/ui/templates/fetch/list.html:35
+msgid "yes"
+msgstr "Tak"
+
+#: mailu/ui/templates/fetch/list.html:35
+msgid "no"
+msgstr "Nie"
+
 #: mailu/ui/templates/manager/create.html:4
 msgid "Add a manager"
 msgstr "Dodaj menedżera"
@@ -445,34 +606,43 @@ msgstr "Lista menedżerów"
 msgid "Add manager"
 msgstr "Dodaj menedżera"
 
-#: mailu/ui/forms.py:168
-msgid "Announcement subject"
-msgstr "Temat ogłoszenia"
+#: mailu/ui/templates/relay/create.html:4
+msgid "New relay domain"
+msgstr "Nowa domena do przekierowania"
 
-#: mailu/ui/forms.py:170
-msgid "Announcement body"
-msgstr "Treść ogłoszenia"
+#: mailu/ui/templates/relay/edit.html:4
+#, fuzzy
+msgid "Edit relayd domain"
+msgstr "Edycja domeny"
 
-#: mailu/ui/forms.py:172
-msgid "Send"
-msgstr "Wyślij"
+#: mailu/ui/templates/relay/list.html:4
+msgid "Relayed domain list"
+msgstr "Lista domen przekierowywanych"
 
-#: mailu/ui/templates/announcement.html:4
-msgid "Public announcement"
-msgstr "Publiczne ogłoszenie"
+#: mailu/ui/templates/relay/list.html:9
+msgid "New relayed domain"
+msgstr "Nowa domena do przekierowania"
 
-#: mailu/ui/templates/announcement.html:8
-msgid "from"
-msgstr "od"
+#: mailu/ui/templates/token/create.html:4
+msgid "Create an authentication token"
+msgstr "Utwórz token uwierzytelniający"
 
-#: mailu/ui/templates/sidebar.html:44
-msgid "Announcement"
-msgstr "Ogłoszenie"
+#: mailu/ui/templates/token/list.html:12
+msgid "New token"
+msgstr "Nowy token"
 
 #: mailu/ui/templates/user/create.html:4
 msgid "New user"
 msgstr "Nowy użytkownik"
 
+#: mailu/ui/templates/user/create.html:15
+msgid "General"
+msgstr "Ogólne"
+
+#: mailu/ui/templates/user/create.html:23
+msgid "Features and quotas"
+msgstr "Funkcje i limity"
+
 #: mailu/ui/templates/user/edit.html:4
 msgid "Edit user"
 msgstr "Edytuj użytkownika"
@@ -505,202 +675,9 @@ msgstr "Zmiana hasła"
 msgid "Automatic reply"
 msgstr "Automatyczna odpowiedź"
 
-#: mailu/ui/forms.py:49
-msgid "Maximum user quota"
-msgstr "Maksymalny przydział użytkownika"
-
-#: mailu/ui/forms.py:101
-msgid "Keep a copy of the emails"
-msgstr "Przechowuj kopię wiadomości"
-
-#: mailu/ui/forms.py:163
-msgid "Keep emails on the server"
-msgstr "Przechowuj wiadomości na serwerze"
-
-#: mailu/ui/templates/fetch/list.html:21
-msgid "Keep emails"
-msgstr "Przechowuj wiadomości"
-
-#: mailu/ui/templates/fetch/list.html:35
-msgid "yes"
-msgstr "Tak"
-
-#: mailu/ui/templates/fetch/list.html:35
-msgid "no"
-msgstr "Nie"
-
-#: mailu/ui/forms.py:65
-msgid "Alternative name"
-msgstr "Alternatywna nazwa"
-
-#: mailu/ui/forms.py:70
-msgid "Relayed domain name"
-msgstr ""
-
-#: mailu/ui/forms.py:71 mailu/ui/templates/relay/list.html:18
-msgid "Remote host"
-msgstr "Zdalny host"
-
-#: mailu/ui/templates/sidebar.html:54
-msgid "Relayed domains"
-msgstr ""
-
-#: mailu/ui/templates/alternative/create.html:4
-msgid "Create alternative domain"
-msgstr "Utwórz alternatywną domenę"
-
-#: mailu/ui/templates/alternative/list.html:4
-msgid "Alternative domain list"
-msgstr "Alternatywna lista domen"
-
-#: mailu/ui/templates/alternative/list.html:12
-msgid "Add alternative"
-msgstr "Dodaj alternatywę"
-
-#: mailu/ui/templates/alternative/list.html:19
-msgid "Name"
-msgstr "Nazwa"
-
-#: mailu/ui/templates/domain/list.html:39
-msgid "Alternatives"
-msgstr "Alternatywy"
-
-#: mailu/ui/templates/relay/create.html:4
-msgid "New relay domain"
-msgstr ""
-
-#: mailu/ui/templates/relay/edit.html:4
-msgid "Edit relayd domain"
-msgstr ""
-
-#: mailu/ui/templates/relay/list.html:4
-msgid "Relayed domain list"
-msgstr ""
-
-#: mailu/ui/templates/relay/list.html:9
-msgid "New relayed domain"
-msgstr ""
-
-#: mailu/ui/forms.py:125
-msgid "Your token (write it down, as it will never be displayed again)"
-msgstr "Twój token (zapisz go, ponieważ nigdy więcej nie będzie wyświetlany)"
-
-#: mailu/ui/forms.py:130 mailu/ui/templates/token/list.html:20
-msgid "Authorized IP"
-msgstr "Autoryzowany adres IP"
-
-#: mailu/ui/templates/sidebar.html:31 mailu/ui/templates/token/list.html:4
-msgid "Authentication tokens"
-msgstr "Tokeny uwierzytelnienia"
-
-#: mailu/ui/templates/sidebar.html:72
-msgid "Go to"
-msgstr "Przejdź do"
-
-#: mailu/ui/templates/sidebar.html:76
-msgid "Webmail"
-msgstr ""
-
-#: mailu/ui/templates/sidebar.html:87
-msgid "Website"
-msgstr "Strona internetowa"
-
-#: mailu/ui/templates/token/create.html:4
-msgid "Create an authentication token"
-msgstr "Utwórz token uwierzytelniający"
-
-#: mailu/ui/templates/token/list.html:12
-msgid "New token"
-msgstr "Nowy token"
-
-#: mailu/ui/templates/user/create.html:15
-msgid "General"
-msgstr ""
-
-#: mailu/ui/templates/user/create.html:22
-msgid "Features and quotas"
-msgstr ""
-
-#: mailu/ui/templates/user/settings.html:14
-msgid "General settings"
-msgstr "Ustawienia ogólne"
-
-#: mailu/ui/templates/sidebar.html:59 mailu/ui/templates/user/settings.html:15
-msgid "Antispam"
-msgstr "Filtr antyspamowy"
-
-#: mailu/ui/forms.py:99
-msgid "Spam filter tolerance"
-msgstr "Tolerancja filtra spamu"
-
-#: mailu/ui/forms.py:50
-msgid "Enable sign-up"
-msgstr "Włącz rejestrację"
-
-#: mailu/ui/forms.py:57
-msgid "Initial admin"
-msgstr "Początkowy administrator"
-
-#: mailu/ui/forms.py:58
-msgid "Admin password"
-msgstr "hasło administratora"
-
-#: mailu/ui/forms.py:84
-msgid "Enabled"
-msgstr "Włączone"
-
-#: mailu/ui/forms.py:89
-msgid "Email address"
-msgstr "Adres e-mail"
-
-#: mailu/ui/forms.py:93 mailu/ui/templates/sidebar.html:117
-#: mailu/ui/templates/user/signup.html:4
-#: mailu/ui/templates/user/signup_domain.html:4
-msgid "Sign up"
-msgstr ""
-
-#: mailu/ui/forms.py:119
-msgid "End of vacation"
-msgstr "Koniec wakacji"
-
-#: mailu/ui/templates/client.html:4 mailu/ui/templates/sidebar.html:82
-msgid "Client setup"
-msgstr "Konfiguracja klienta"
-
-#: mailu/ui/templates/client.html:16 mailu/ui/templates/client.html:43
-msgid "Mail protocol"
-msgstr "Protokół poczty"
-
-#: mailu/ui/templates/client.html:24 mailu/ui/templates/client.html:51
-msgid "Server name"
-msgstr "Nazwa serwera"
-
-#: mailu/ui/templates/domain/signup.html:4 mailu/ui/templates/sidebar.html:98
-msgid "Register a domain"
-msgstr "Zarejestruj domenę"
-
-#: mailu/ui/templates/domain/details.html:17
-msgid "Generate keys"
-msgstr "Wygeneruj klucze"
-
-#: mailu/ui/templates/domain/signup.html:13
-msgid "In order to register a new domain, you must first setup the\n"
-"    domain zone so that the domain <code>MX</code> points to this server"
-msgstr ""
-"Aby zarejestrować nową domenę, musisz najpierw skonfigurować strefę domeny, "
-"aby domena <code> MX </code> wskazywała na ten serwer"
-
-#: mailu/ui/templates/domain/signup.html:18
-msgid "If you do not know how to setup an <code>MX</code> record for your DNS zone,\n"
-"    please contact your DNS provider or administrator. Also, please wait a\n"
-"    couple minutes after the <code>MX</code> is set so the local server cache\n"
-"    expires."
-msgstr ""
-"Jeśli nie wiesz, jak skonfigurować rekord <code> MX </code>  dla swojej "
-"strefy DNS,\n"
-"skontaktuj się z dostawcą DNS lub administratorem. Proszę również poczekać\n"
-"kilka minut po ustawieniu <code> MX </code> , żeby pamięć podręczna serwera "
-"lokalnego wygasła."
+#: mailu/ui/templates/user/settings.html:26
+msgid "Auto-forward"
+msgstr "Automatyczne przekierowanie"
 
 #: mailu/ui/templates/user/signup_domain.html:8
 msgid "pick a domain for the new account"
@@ -713,3 +690,40 @@ msgstr "Domena"
 #: mailu/ui/templates/user/signup_domain.html:15
 msgid "Available slots"
 msgstr "Dostępne miejsca"
+
+#~ msgid "Spam filter threshold"
+#~ msgstr "Próg filtra antyspamowego"
+
+#~ msgid "Your account"
+#~ msgstr "Twoje konto"
+
+#~ msgid "Services status"
+#~ msgstr "Status usług"
+
+#~ msgid "Service"
+#~ msgstr "Usługa"
+
+#~ msgid "Status"
+#~ msgstr "Status"
+
+#~ msgid "PID"
+#~ msgstr "PID"
+
+#~ msgid "Image"
+#~ msgstr "Obraz"
+
+#~ msgid "Started"
+#~ msgstr "Uruchomione"
+
+#~ msgid "Last update"
+#~ msgstr "Ostatnia aktualizacja"
+
+#~ msgid "My account"
+#~ msgstr "Moje konto"
+
+#~ msgid "from"
+#~ msgstr "od"
+
+#~ msgid "General settings"
+#~ msgstr "Ustawienia ogólne"
+
diff --git a/core/admin/mailu/translations/zh_CN/LC_MESSAGES/messages.po b/core/admin/mailu/translations/zh/LC_MESSAGES/messages.po
similarity index 89%
rename from core/admin/mailu/translations/zh_CN/LC_MESSAGES/messages.po
rename to core/admin/mailu/translations/zh/LC_MESSAGES/messages.po
index ee204fec..5543c5e8 100644
--- a/core/admin/mailu/translations/zh_CN/LC_MESSAGES/messages.po
+++ b/core/admin/mailu/translations/zh/LC_MESSAGES/messages.po
@@ -3,9 +3,11 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Generator: POEditor.com\n"
+"X-Generator: Poedit 1.5.7\n"
 "Project-Id-Version: Mailu\n"
-"Language: zh-CN\n"
+"Language: zh\n"
+"Last-Translator: Chris Chuan <Chris.chuan@gmail.com>\n"
+"Language-Team: \n"
 
 #: mailu/ui/forms.py:32
 msgid "Invalid email address."
@@ -28,7 +30,7 @@ msgstr "密码"
 #: mailu/ui/forms.py:42 mailu/ui/templates/login.html:4
 #: mailu/ui/templates/sidebar.html:111
 msgid "Sign in"
-msgstr "注册"
+msgstr "登录"
 
 #: mailu/ui/forms.py:46 mailu/ui/forms.py:56
 #: mailu/ui/templates/domain/details.html:27
@@ -44,6 +46,14 @@ msgstr "最大用户数"
 msgid "Maximum alias count"
 msgstr "最大别名数"
 
+#: mailu/ui/forms.py:49
+msgid "Maximum user quota"
+msgstr "最大用户配额"
+
+#: mailu/ui/forms.py:50
+msgid "Enable sign-up"
+msgstr "启用注册"
+
 #: mailu/ui/forms.py:51 mailu/ui/forms.py:72 mailu/ui/forms.py:83
 #: mailu/ui/forms.py:128 mailu/ui/forms.py:140
 #: mailu/ui/templates/alias/list.html:21 mailu/ui/templates/domain/list.html:21
@@ -57,10 +67,30 @@ msgstr "说明"
 msgid "Create"
 msgstr "创建"
 
+#: mailu/ui/forms.py:57
+msgid "Initial admin"
+msgstr "初始管理员"
+
+#: mailu/ui/forms.py:58
+msgid "Admin password"
+msgstr "管理员密码"
+
 #: mailu/ui/forms.py:59 mailu/ui/forms.py:79 mailu/ui/forms.py:91
 msgid "Confirm password"
 msgstr "确认密码"
 
+#: mailu/ui/forms.py:65
+msgid "Alternative name"
+msgstr "备用名称"
+
+#: mailu/ui/forms.py:70
+msgid "Relayed domain name"
+msgstr "中继域域名"
+
+#: mailu/ui/forms.py:71 mailu/ui/templates/relay/list.html:18
+msgid "Remote host"
+msgstr "远程主机"
+
 #: mailu/ui/forms.py:80 mailu/ui/templates/user/list.html:22
 #: mailu/ui/templates/user/signup_domain.html:16
 msgid "Quota"
@@ -74,10 +104,24 @@ msgstr "允许IMAP访问"
 msgid "Allow POP3 access"
 msgstr "允许POP3访问"
 
+#: mailu/ui/forms.py:84
+msgid "Enabled"
+msgstr "启用"
+
 #: mailu/ui/forms.py:85
 msgid "Save"
 msgstr "保存"
 
+#: mailu/ui/forms.py:89
+msgid "Email address"
+msgstr "邮件地址"
+
+#: mailu/ui/forms.py:93 mailu/ui/templates/sidebar.html:117
+#: mailu/ui/templates/user/signup.html:4
+#: mailu/ui/templates/user/signup_domain.html:4
+msgid "Sign up"
+msgstr "注册"
+
 #: mailu/ui/forms.py:97
 msgid "Displayed name"
 msgstr "显示名称"
@@ -86,10 +130,23 @@ msgstr "显示名称"
 msgid "Enable spam filter"
 msgstr "启用垃圾邮件过滤"
 
-#: mailu/ui/forms.py:80
-msgid "Spam filter threshold"
+#: mailu/ui/forms.py:99
+msgid "Spam filter tolerance"
 msgstr "垃圾邮件过滤器阈值"
 
+#: mailu/ui/forms.py:100
+msgid "Enable forwarding"
+msgstr "启用转发"
+
+#: mailu/ui/forms.py:101
+msgid "Keep a copy of the emails"
+msgstr "保留电子邮件副本"
+
+#: mailu/ui/forms.py:103 mailu/ui/forms.py:139
+#: mailu/ui/templates/alias/list.html:20
+msgid "Destination"
+msgstr "目的地址"
+
 #: mailu/ui/forms.py:105
 msgid "Save settings"
 msgstr "保存设置"
@@ -102,19 +159,6 @@ msgstr "检查密码"
 msgid "Update password"
 msgstr "更新密码"
 
-#: mailu/ui/forms.py:100
-msgid "Enable forwarding"
-msgstr "启用转发"
-
-#: mailu/ui/forms.py:103 mailu/ui/forms.py:139
-#: mailu/ui/templates/alias/list.html:20
-msgid "Destination"
-msgstr "目的地址"
-
-#: mailu/ui/forms.py:120
-msgid "Update"
-msgstr "更新"
-
 #: mailu/ui/forms.py:115
 msgid "Enable automatic reply"
 msgstr "启用自动回复"
@@ -127,6 +171,22 @@ msgstr "回复主题"
 msgid "Reply body"
 msgstr "回复正文"
 
+#: mailu/ui/forms.py:119
+msgid "End of vacation"
+msgstr "假期结束"
+
+#: mailu/ui/forms.py:120
+msgid "Update"
+msgstr "更新"
+
+#: mailu/ui/forms.py:125
+msgid "Your token (write it down, as it will never be displayed again)"
+msgstr "您的令牌（请记录，它只显示这一次）"
+
+#: mailu/ui/forms.py:130 mailu/ui/templates/token/list.html:20
+msgid "Authorized IP"
+msgstr "授权IP"
+
 #: mailu/ui/forms.py:136
 msgid "Alias"
 msgstr "别名"
@@ -169,11 +229,44 @@ msgstr "启用TLS"
 msgid "Username"
 msgstr "用户名"
 
+#: mailu/ui/forms.py:163
+msgid "Keep emails on the server"
+msgstr "在服务器上保留电子邮件"
+
+#: mailu/ui/forms.py:168
+msgid "Announcement subject"
+msgstr "公告主题"
+
+#: mailu/ui/forms.py:170
+msgid "Announcement body"
+msgstr "公告正文"
+
+#: mailu/ui/forms.py:172
+msgid "Send"
+msgstr "发送"
+
+#: mailu/ui/templates/announcement.html:4
+msgid "Public announcement"
+msgstr "公开公告"
+
+#: mailu/ui/templates/client.html:4 mailu/ui/templates/sidebar.html:82
+msgid "Client setup"
+msgstr "客户端设置"
+
+#: mailu/ui/templates/client.html:16 mailu/ui/templates/client.html:43
+msgid "Mail protocol"
+msgstr "邮件协议"
+
+#: mailu/ui/templates/client.html:24 mailu/ui/templates/client.html:51
+msgid "Server name"
+msgstr "服务器名称"
+
 #: mailu/ui/templates/confirm.html:4
 msgid "Confirm action"
 msgstr "确认操作"
 
 #: mailu/ui/templates/confirm.html:13
+#, python-format
 msgid "You are about to %(action)s. Please confirm your action."
 msgstr "即将%(action)s，请确认您的操作。"
 
@@ -185,54 +278,18 @@ msgstr "Docker错误"
 msgid "An error occurred while talking to the Docker server."
 msgstr "Docker服务器通信出错"
 
-#: mailu/admin/templates/login.html:6
-msgid "Your account"
-msgstr "你的帐户"
-
 #: mailu/ui/templates/login.html:8
 msgid "to access the administration tools"
-msgstr "访问管理员工具"
-
-#: mailu/ui/templates/services.html:4 mailu/ui/templates/sidebar.html:39
-msgid "Services status"
-msgstr "服务状态"
-
-#: mailu/ui/templates/services.html:10
-msgid "Service"
-msgstr "服务"
-
-#: mailu/ui/templates/fetch/list.html:23 mailu/ui/templates/services.html:11
-msgid "Status"
-msgstr "状态"
-
-#: mailu/ui/templates/services.html:12
-msgid "PID"
-msgstr "进程ID"
-
-#: mailu/ui/templates/services.html:13
-msgid "Image"
-msgstr "镜像"
-
-#: mailu/ui/templates/services.html:14
-msgid "Started"
-msgstr "已开始"
-
-#: mailu/ui/templates/services.html:15
-msgid "Last update"
-msgstr "最后更新"
+msgstr "访问管理工具"
 
 #: mailu/ui/templates/sidebar.html:8
 msgid "My account"
-msgstr "我的帐户"
+msgstr "我的账户"
 
 #: mailu/ui/templates/sidebar.html:11 mailu/ui/templates/user/list.html:34
 msgid "Settings"
 msgstr "设置"
 
-#: mailu/ui/templates/user/settings.html:22
-msgid "Auto-forward"
-msgstr "自动转发"
-
 #: mailu/ui/templates/sidebar.html:21 mailu/ui/templates/user/list.html:35
 msgid "Auto-reply"
 msgstr "自动回复"
@@ -240,39 +297,71 @@ msgstr "自动回复"
 #: mailu/ui/templates/fetch/list.html:4 mailu/ui/templates/sidebar.html:26
 #: mailu/ui/templates/user/list.html:36
 msgid "Fetched accounts"
-msgstr "代收帐户"
+msgstr "代收账户"
 
-#: mailu/ui/templates/sidebar.html:105
-msgid "Sign out"
-msgstr "登出"
+#: mailu/ui/templates/sidebar.html:31 mailu/ui/templates/token/list.html:4
+msgid "Authentication tokens"
+msgstr "认证令牌"
 
 #: mailu/ui/templates/sidebar.html:35
 msgid "Administration"
 msgstr "管理"
 
+#: mailu/ui/templates/sidebar.html:44
+msgid "Announcement"
+msgstr "公告"
+
 #: mailu/ui/templates/sidebar.html:49
 msgid "Administrators"
 msgstr "管理员"
 
+#: mailu/ui/templates/sidebar.html:54
+msgid "Relayed domains"
+msgstr "中继域"
+
+#: mailu/ui/templates/sidebar.html:59 mailu/ui/templates/user/settings.html:15
+msgid "Antispam"
+msgstr "反垃圾邮件"
+
 #: mailu/ui/templates/sidebar.html:66
 msgid "Mail domains"
 msgstr "邮件域"
 
+#: mailu/ui/templates/sidebar.html:72
+msgid "Go to"
+msgstr "转到"
+
+#: mailu/ui/templates/sidebar.html:76
+msgid "Webmail"
+msgstr "网页邮箱"
+
+#: mailu/ui/templates/sidebar.html:87
+msgid "Website"
+msgstr "网站"
+
 #: mailu/ui/templates/sidebar.html:92
 msgid "Help"
 msgstr "帮助"
 
+#: mailu/ui/templates/domain/signup.html:4 mailu/ui/templates/sidebar.html:98
+msgid "Register a domain"
+msgstr "注册域名"
+
+#: mailu/ui/templates/sidebar.html:105
+msgid "Sign out"
+msgstr "登出"
+
 #: mailu/ui/templates/working.html:4
 msgid "We are still working on this feature!"
 msgstr "该功能开发中……"
 
 #: mailu/ui/templates/admin/create.html:4
 msgid "Add a global administrator"
-msgstr "添加超级管理员"
+msgstr "添加全局管理员"
 
 #: mailu/ui/templates/admin/list.html:4
 msgid "Global administrators"
-msgstr "超级管理员"
+msgstr "全局管理员"
 
 #: mailu/ui/templates/admin/list.html:9
 msgid "Add administrator"
@@ -323,7 +412,7 @@ msgstr "添加别名"
 #: mailu/ui/templates/relay/list.html:20 mailu/ui/templates/token/list.html:21
 #: mailu/ui/templates/user/list.html:24
 msgid "Created"
-msgstr "创建"
+msgstr "已创建"
 
 #: mailu/ui/templates/alias/list.html:23 mailu/ui/templates/domain/list.html:23
 #: mailu/ui/templates/fetch/list.html:25 mailu/ui/templates/relay/list.html:21
@@ -337,6 +426,22 @@ msgstr "上次编辑"
 msgid "Edit"
 msgstr "编辑"
 
+#: mailu/ui/templates/alternative/create.html:4
+msgid "Create alternative domain"
+msgstr "创建替代域"
+
+#: mailu/ui/templates/alternative/list.html:4
+msgid "Alternative domain list"
+msgstr "替代域名列表"
+
+#: mailu/ui/templates/alternative/list.html:12
+msgid "Add alternative"
+msgstr "添加替代"
+
+#: mailu/ui/templates/alternative/list.html:19
+msgid "Name"
+msgstr "名称"
+
 #: mailu/ui/templates/domain/create.html:4
 #: mailu/ui/templates/domain/list.html:9
 msgid "New domain"
@@ -344,11 +449,15 @@ msgstr "新域"
 
 #: mailu/ui/templates/domain/details.html:4
 msgid "Domain details"
-msgstr "域详情"
+msgstr "域详细信息"
 
 #: mailu/ui/templates/domain/details.html:15
 msgid "Regenerate keys"
-msgstr "重新生成密钥"
+msgstr "重新生成秘钥"
+
+#: mailu/ui/templates/domain/details.html:17
+msgid "Generate keys"
+msgstr "生成秘钥"
 
 #: mailu/ui/templates/domain/details.html:31
 msgid "DNS MX entry"
@@ -392,7 +501,7 @@ msgstr "别名数量"
 
 #: mailu/ui/templates/domain/list.html:28
 msgid "Details"
-msgstr "详情"
+msgstr "详细信息"
 
 #: mailu/ui/templates/domain/list.html:35
 msgid "Users"
@@ -406,26 +515,60 @@ msgstr "别名"
 msgid "Managers"
 msgstr "管理员"
 
+#: mailu/ui/templates/domain/list.html:39
+msgid "Alternatives"
+msgstr "备选方案"
+
+#: mailu/ui/templates/domain/signup.html:13
+msgid ""
+"In order to register a new domain, you must first setup the\n"
+"    domain zone so that the domain <code>MX</code> points to this server"
+msgstr "在注册一个新的域名前，您必须先为该域名设置 <code>MX</code> 记录，并使其指向本服务器"
+
+#: mailu/ui/templates/domain/signup.html:18
+msgid ""
+"If you do not know how to setup an <code>MX</code> record for your DNS "
+"zone,\n"
+"    please contact your DNS provider or administrator. Also, please wait "
+"a\n"
+"    couple minutes after the <code>MX</code> is set so the local server "
+"cache\n"
+"    expires."
+msgstr "如果您不知道如何为域名设置 <code>MX</code> 记录，请联系你的DNS提供商或者系统管理员。在设置完成 <code>MX</code> 记录后，请等待本地域名服务器的缓存过期。"
+
+
 #: mailu/ui/templates/fetch/create.html:4
 msgid "Add a fetched account"
-msgstr "添加一个代收帐户"
+msgstr "添加一个代收账户"
 
 #: mailu/ui/templates/fetch/edit.html:4
 msgid "Update a fetched account"
-msgstr "更新代收帐户"
+msgstr "更新代收账户"
 
 #: mailu/ui/templates/fetch/list.html:12
 msgid "Add an account"
-msgstr "添加一个帐户"
+msgstr "添加一个账户"
 
 #: mailu/ui/templates/fetch/list.html:19
 msgid "Endpoint"
 msgstr "端点"
 
+#: mailu/ui/templates/fetch/list.html:21
+msgid "Keep emails"
+msgstr "保留电子邮件"
+
 #: mailu/ui/templates/fetch/list.html:22
 msgid "Last check"
 msgstr "上次检查"
 
+#: mailu/ui/templates/fetch/list.html:35
+msgid "yes"
+msgstr "是"
+
+#: mailu/ui/templates/fetch/list.html:35
+msgid "no"
+msgstr "否"
+
 #: mailu/ui/templates/manager/create.html:4
 msgid "Add a manager"
 msgstr "添加一个管理员"
@@ -438,41 +581,49 @@ msgstr "管理员列表"
 msgid "Add manager"
 msgstr "添加管理员"
 
-#: mailu/ui/forms.py:168
-msgid "Announcement subject"
-msgstr "公告主题"
+#: mailu/ui/templates/relay/create.html:4
+msgid "New relay domain"
+msgstr "新的中继域"
 
-#: mailu/ui/forms.py:170
-msgid "Announcement body"
-msgstr "公告正文"
+#: mailu/ui/templates/relay/edit.html:4
+msgid "Edit relayd domain"
+msgstr "编辑中继域"
 
-#: mailu/ui/forms.py:172
-msgid "Send"
-msgstr "发送"
+#: mailu/ui/templates/relay/list.html:4
+msgid "Relayed domain list"
+msgstr "中继域列表"
 
-#: mailu/ui/templates/announcement.html:4
-msgid "Public announcement"
-msgstr "公告"
+#: mailu/ui/templates/relay/list.html:9
+msgid "New relayed domain"
+msgstr "新的中继域"
 
-#: mailu/ui/templates/announcement.html:8
-msgid "from"
-msgstr "来自"
+#: mailu/ui/templates/token/create.html:4
+msgid "Create an authentication token"
+msgstr "创建一个认证令牌"
 
-#: mailu/ui/templates/sidebar.html:44
-msgid "Announcement"
-msgstr "公告"
+#: mailu/ui/templates/token/list.html:12
+msgid "New token"
+msgstr "新令牌"
 
 #: mailu/ui/templates/user/create.html:4
 msgid "New user"
 msgstr "新用户"
 
+#: mailu/ui/templates/user/create.html:15
+msgid "General"
+msgstr "通用"
+
+#: mailu/ui/templates/user/create.html:22
+msgid "Features and quotas"
+msgstr "功能和配额"
+
 #: mailu/ui/templates/user/edit.html:4
 msgid "Edit user"
 msgstr "编辑用户"
 
 #: mailu/ui/templates/user/forward.html:4
 msgid "Forward emails"
-msgstr "转发电子邮件"
+msgstr "转发邮件"
 
 #: mailu/ui/templates/user/list.html:4
 msgid "User list"
@@ -492,201 +643,15 @@ msgstr "功能"
 
 #: mailu/ui/templates/user/password.html:4
 msgid "Password update"
-msgstr "密码更新"
+msgstr "更新密码"
 
 #: mailu/ui/templates/user/reply.html:4
 msgid "Automatic reply"
 msgstr "自动回复"
 
-#: mailu/ui/forms.py:49
-msgid "Maximum user quota"
-msgstr "最大用户容量"
-
-#: mailu/ui/forms.py:101
-msgid "Keep a copy of the emails"
-msgstr "保留电子邮件副本"
-
-#: mailu/ui/forms.py:163
-msgid "Keep emails on the server"
-msgstr "保留电子邮件在服务器上"
-
-#: mailu/ui/templates/fetch/list.html:21
-msgid "Keep emails"
-msgstr "保存电子邮件"
-
-#: mailu/ui/templates/fetch/list.html:35
-msgid "yes"
-msgstr "是"
-
-#: mailu/ui/templates/fetch/list.html:35
-msgid "no"
-msgstr "否"
-
-#: mailu/ui/forms.py:65
-msgid "Alternative name"
-msgstr "替代名称"
-
-#: mailu/ui/forms.py:70
-msgid "Relayed domain name"
-msgstr "中继域域名"
-
-#: mailu/ui/forms.py:71 mailu/ui/templates/relay/list.html:18
-msgid "Remote host"
-msgstr "远程主机"
-
-#: mailu/ui/templates/sidebar.html:54
-msgid "Relayed domains"
-msgstr "中继域"
-
-#: mailu/ui/templates/alternative/create.html:4
-msgid "Create alternative domain"
-msgstr "创建替代域"
-
-#: mailu/ui/templates/alternative/list.html:4
-msgid "Alternative domain list"
-msgstr "替代域名列表"
-
-#: mailu/ui/templates/alternative/list.html:12
-msgid "Add alternative"
-msgstr "添加替代"
-
-#: mailu/ui/templates/alternative/list.html:19
-msgid "Name"
-msgstr "名称"
-
-#: mailu/ui/templates/domain/list.html:39
-msgid "Alternatives"
-msgstr "备择方案"
-
-#: mailu/ui/templates/relay/create.html:4
-msgid "New relay domain"
-msgstr "新的中继域"
-
-#: mailu/ui/templates/relay/edit.html:4
-msgid "Edit relayd domain"
-msgstr "编辑中继域"
-
-#: mailu/ui/templates/relay/list.html:4
-msgid "Relayed domain list"
-msgstr "中继域列表"
-
-#: mailu/ui/templates/relay/list.html:9
-msgid "New relayed domain"
-msgstr "新的中继域"
-
-#: mailu/ui/forms.py:125
-msgid "Your token (write it down, as it will never be displayed again)"
-msgstr "您的令牌（请记录，它只显示这一次）"
-
-#: mailu/ui/forms.py:130 mailu/ui/templates/token/list.html:20
-msgid "Authorized IP"
-msgstr "授权IP"
-
-#: mailu/ui/templates/sidebar.html:31 mailu/ui/templates/token/list.html:4
-msgid "Authentication tokens"
-msgstr "认证令牌"
-
-#: mailu/ui/templates/sidebar.html:72
-msgid "Go to"
-msgstr "转到"
-
-#: mailu/ui/templates/sidebar.html:76
-msgid "Webmail"
-msgstr "网页邮箱"
-
-#: mailu/ui/templates/sidebar.html:87
-msgid "Website"
-msgstr "网站"
-
-#: mailu/ui/templates/token/create.html:4
-msgid "Create an authentication token"
-msgstr "创建一个认证令牌"
-
-#: mailu/ui/templates/token/list.html:12
-msgid "New token"
-msgstr "新的令牌"
-
-#: mailu/ui/templates/user/create.html:15
-msgid "General"
-msgstr "通用"
-
-#: mailu/ui/templates/user/create.html:22
-msgid "Features and quotas"
-msgstr "功能和配额"
-
-#: mailu/ui/templates/user/settings.html:14
-msgid "General settings"
-msgstr "常规设置"
-
-#: mailu/ui/templates/sidebar.html:59 mailu/ui/templates/user/settings.html:15
-msgid "Antispam"
-msgstr "反垃圾邮件"
-
-#: mailu/ui/forms.py:99
-msgid "Spam filter tolerance"
-msgstr "垃圾邮件过滤器容忍度"
-
-#: mailu/ui/forms.py:50
-msgid "Enable sign-up"
-msgstr "启用用户注册"
-
-#: mailu/ui/forms.py:57
-msgid "Initial admin"
-msgstr "初始管理员"
-
-#: mailu/ui/forms.py:58
-msgid "Admin password"
-msgstr "管理员密码"
-
-#: mailu/ui/forms.py:84
-msgid "Enabled"
-msgstr "启用"
-
-#: mailu/ui/forms.py:89
-msgid "Email address"
-msgstr "邮件地址"
-
-#: mailu/ui/forms.py:93 mailu/ui/templates/sidebar.html:117
-#: mailu/ui/templates/user/signup.html:4
-#: mailu/ui/templates/user/signup_domain.html:4
-msgid "Sign up"
-msgstr "注册"
-
-#: mailu/ui/forms.py:119
-msgid "End of vacation"
-msgstr "假期结束"
-
-#: mailu/ui/templates/client.html:4 mailu/ui/templates/sidebar.html:82
-msgid "Client setup"
-msgstr "客户端设置"
-
-#: mailu/ui/templates/client.html:16 mailu/ui/templates/client.html:43
-msgid "Mail protocol"
-msgstr "邮件协议"
-
-#: mailu/ui/templates/client.html:24 mailu/ui/templates/client.html:51
-msgid "Server name"
-msgstr "服务器名"
-
-#: mailu/ui/templates/domain/signup.html:4 mailu/ui/templates/sidebar.html:98
-msgid "Register a domain"
-msgstr "注册域名"
-
-#: mailu/ui/templates/domain/details.html:17
-msgid "Generate keys"
-msgstr "生成密钥"
-
-#: mailu/ui/templates/domain/signup.html:13
-msgid "In order to register a new domain, you must first setup the\n"
-"    domain zone so that the domain <code>MX</code> points to this server"
-msgstr "在注册一个新的域名前，您必须先为该域名设置 <code>MX</code> 记录，并使其指向本服务器"
-
-#: mailu/ui/templates/domain/signup.html:18
-msgid "If you do not know how to setup an <code>MX</code> record for your DNS zone,\n"
-"    please contact your DNS provider or administrator. Also, please wait a\n"
-"    couple minutes after the <code>MX</code> is set so the local server cache\n"
-"    expires."
-msgstr "如果您不知道如何为域名设置 <code>MX</code> 记录，请联系你的DNS提供商或者系统管理员。在设置完成 <code>MX</code> 记录后，请等待本地域名服务器的缓存过期。"
+#: mailu/ui/templates/user/settings.html:22
+msgid "Auto-forward"
+msgstr "自动转发"
 
 #: mailu/ui/templates/user/signup_domain.html:8
 msgid "pick a domain for the new account"
@@ -700,3 +665,14 @@ msgstr "域名"
 msgid "Available slots"
 msgstr "可用"
 
+#~ msgid "Your account"
+#~ msgstr ""
+
+#~ msgid "Spam filter threshold"
+#~ msgstr ""
+
+#~ msgid "from"
+#~ msgstr ""
+
+#~ msgid "General settings"
+#~ msgstr ""
diff --git a/core/admin/mailu/ui/__init__.py b/core/admin/mailu/ui/__init__.py
index ec3601a1..49338cd1 100644
--- a/core/admin/mailu/ui/__init__.py
+++ b/core/admin/mailu/ui/__init__.py
@@ -1,6 +1,6 @@
 from flask import Blueprint
 
 
-ui = Blueprint('ui', __name__, static_folder='static', template_folder='templates')
+ui = Blueprint('ui', __name__, static_folder=None, template_folder='templates')
 
 from mailu.ui.views import *
diff --git a/core/admin/mailu/ui/forms.py b/core/admin/mailu/ui/forms.py
index 32bb31ab..24d6f899 100644
--- a/core/admin/mailu/ui/forms.py
+++ b/core/admin/mailu/ui/forms.py
@@ -44,15 +44,6 @@ class MultipleEmailAddressesVerify(object):
 class ConfirmationForm(flask_wtf.FlaskForm):
     submit = fields.SubmitField(_('Confirm'))
 
-
-class LoginForm(flask_wtf.FlaskForm):
-    class Meta:
-        csrf = False
-    email = fields.StringField(_('E-mail'), [validators.Email()])
-    pw = fields.PasswordField(_('Password'), [validators.DataRequired()])
-    submit = fields.SubmitField(_('Sign in'))
-
-
 class DomainForm(flask_wtf.FlaskForm):
     name = fields.StringField(_('Domain name'), [validators.DataRequired()])
     max_users = fields_.IntegerField(_('Maximum user count'), [validators.NumberRange(min=-1)], default=10)
@@ -88,7 +79,7 @@ class UserForm(flask_wtf.FlaskForm):
     localpart = fields.StringField(_('E-mail'), [validators.DataRequired(), validators.Regexp(LOCALPART_REGEX)])
     pw = fields.PasswordField(_('Password'))
     pw2 = fields.PasswordField(_('Confirm password'), [validators.EqualTo('pw')])
-    quota_bytes = fields_.IntegerSliderField(_('Quota'), default=1000000000)
+    quota_bytes = fields_.IntegerSliderField(_('Quota'), default=10**9)
     enable_imap = fields.BooleanField(_('Allow IMAP access'), default=True)
     enable_pop = fields.BooleanField(_('Allow POP3 access'), default=True)
     displayed_name = fields.StringField(_('Displayed name'))
diff --git a/core/admin/mailu/ui/templates/admin/create.html b/core/admin/mailu/ui/templates/admin/create.html
index 6c2413bc..071cb77f 100644
--- a/core/admin/mailu/ui/templates/admin/create.html
+++ b/core/admin/mailu/ui/templates/admin/create.html
@@ -1,15 +1,15 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Add a global administrator{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
   {{ macros.form_field(form.admin, class_='mailselect') }}
   {{ macros.form_field(form.submit) }}
 </form>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/admin/list.html b/core/admin/mailu/ui/templates/admin/list.html
index f2f5d229..84d954a0 100644
--- a/core/admin/mailu/ui/templates/admin/list.html
+++ b/core/admin/mailu/ui/templates/admin/list.html
@@ -1,17 +1,17 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Global administrators{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.admin_create') }}">
   {% trans %}Add administrator{% endtrans %}
 </a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -19,14 +19,14 @@
   </tr>
 </thead>
 <tbody>
-  {% for admin in admins %}
+  {%- for admin in admins %}
   <tr>
     <td>
       <a href="{{ url_for('.admin_delete', admin=admin.email) }}" title="{% trans %}Delete{% endtrans %}"><i class="fa fa-trash"></i></a>
     </td>
     <td>{{ admin }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/alias/create.html b/core/admin/mailu/ui/templates/alias/create.html
index 2079d191..ce9f8167 100644
--- a/core/admin/mailu/ui/templates/alias/create.html
+++ b/core/admin/mailu/ui/templates/alias/create.html
@@ -1,15 +1,15 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Create alias{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
   {{ macros.form_field(form.localpart, append='<span class="input-group-text">@'+domain.name+'</span>') }}
@@ -18,5 +18,5 @@
   {{ macros.form_field(form.comment) }}
   {{ macros.form_field(form.submit) }}
 </form>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/alias/edit.html b/core/admin/mailu/ui/templates/alias/edit.html
index b28ea170..4dc13cce 100644
--- a/core/admin/mailu/ui/templates/alias/edit.html
+++ b/core/admin/mailu/ui/templates/alias/edit.html
@@ -1,9 +1,9 @@
-{% extends "alias/create.html" %}
+{%- extends "alias/create.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Edit alias{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ alias }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/alias/list.html b/core/admin/mailu/ui/templates/alias/list.html
index e8ddc862..6b52165e 100644
--- a/core/admin/mailu/ui/templates/alias/list.html
+++ b/core/admin/mailu/ui/templates/alias/list.html
@@ -1,19 +1,19 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Alias list{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain.name }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.alias_create', domain_name=domain.name) }}">{% trans %}Add alias{% endtrans %}</a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -25,7 +25,7 @@
   </tr>
 </thead>
 <tbody>
-  {% for alias in domain.aliases %}
+  {%- for alias in domain.aliases %}
   <tr>
     <td>
       <a href="{{ url_for('.alias_edit', alias=alias.email) }}" title="{% trans %}Edit{% endtrans %}"><i class="fa fa-pencil"></i></a>&nbsp;
@@ -34,10 +34,10 @@
     <td>{{ alias }}</td>
     <td>{{ alias.destination|join(', ') or '-' }}</td>
     <td>{{ alias.comment or '' }}</td>
-    <td>{{ alias.created_at }}</td>
-    <td>{{ alias.updated_at or '' }}</td>
+    <td>{{ alias.created_at | format_date }}</td>
+    <td>{{ alias.updated_at | format_date }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/alternative/create.html b/core/admin/mailu/ui/templates/alternative/create.html
index 75461c67..f10cb718 100644
--- a/core/admin/mailu/ui/templates/alternative/create.html
+++ b/core/admin/mailu/ui/templates/alternative/create.html
@@ -1,9 +1,9 @@
-{% extends "form.html" %}
+{%- extends "form.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Create alternative domain{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/alternative/list.html b/core/admin/mailu/ui/templates/alternative/list.html
index f123eb9f..4ca9f3c8 100644
--- a/core/admin/mailu/ui/templates/alternative/list.html
+++ b/core/admin/mailu/ui/templates/alternative/list.html
@@ -1,36 +1,38 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Alternative domain list{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain.name }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.alternative_create', domain_name=domain.name) }}">{% trans %}Add alternative{% endtrans %}</a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
     <th>{% trans %}Name{% endtrans %}</th>
     <th>{% trans %}Created{% endtrans %}</th>
+    <th>{% trans %}Last edit{% endtrans %}</th>
   </tr>
 </thead>
 <tbody>
-  {% for alternative in domain.alternatives %}
+  {%- for alternative in domain.alternatives %}
   <tr>
     <td>
       <a href="{{ url_for('.alternative_delete', alternative=alternative.name) }}" title="{% trans %}Delete{% endtrans %}"><i class="fa fa-trash"></i></a>
     </td>
     <td>{{ alternative }}</td>
-    <td>{{ alternative.created_at }}</td>
+    <td>{{ alternative.created_at | format_date }}</td>
+    <td>{{ alternative.updated_at | format_date }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/announcement.html b/core/admin/mailu/ui/templates/announcement.html
index acdbde1a..ed7fe772 100644
--- a/core/admin/mailu/ui/templates/announcement.html
+++ b/core/admin/mailu/ui/templates/announcement.html
@@ -1,16 +1,16 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Public announcement{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
   {{ macros.form_field(form.announcement_subject) }}
   {{ macros.form_field(form.announcement_body, rows=10) }}
   {{ macros.form_field(form.submit) }}
 </form>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/antispam.html b/core/admin/mailu/ui/templates/antispam.html
new file mode 100644
index 00000000..0b2713b9
--- /dev/null
+++ b/core/admin/mailu/ui/templates/antispam.html
@@ -0,0 +1,15 @@
+{%- extends "base.html" %}
+
+{%- block title %}
+{% trans %}Antispam{% endtrans %}
+{%- endblock %}
+
+{%- block subtitle %}
+{% trans %}RSPAMD status page{% endtrans %}
+{%- endblock %}
+
+{%- block content %}
+<div class="embed-responsive embed-responsive-1by1">
+  <iframe class="embed-responsive-item" src="{{ config["WEB_ADMIN"] }}/antispam/"></iframe>
+</div>
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/base.html b/core/admin/mailu/ui/templates/base.html
index 89695e50..e646e579 100644
--- a/core/admin/mailu/ui/templates/base.html
+++ b/core/admin/mailu/ui/templates/base.html
@@ -1,68 +1,86 @@
-{% import "macros.html" as macros %}
-{% import "bootstrap/utils.html" as utils %}
+{%- import "macros.html" as macros %}
+{%- import "bootstrap/utils.html" as utils %}
 <!doctype html>
-<html>
+<html lang="{{ session['language'] }}" data-static="/static/">
   <head>
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <link rel="stylesheet" href="{{ url_for('.static', filename='vendor.css') }}">
-    <link rel="stylesheet" href="{{ url_for('.static', filename='app.css') }}">
-    <title>Mailu-Admin - {{ config["SITENAME"] }}</title>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta name="description" content="{% trans %}Admin page for{% endtrans %} {{ config["SITENAME"] }}">
+    <meta http-equiv="x-ua-compatible" content="ie=edge">
+    <title>Mailu-Admin | {{ config["SITENAME"] }}</title>
+    <link rel="stylesheet" href="{{ url_for('static', filename='vendor.css') }}">
+    <link rel="stylesheet" href="{{ url_for('static', filename='app.css') }}">
   </head>
   <body class="hold-transition sidebar-mini layout-fixed">
     <div class="wrapper">
       <nav class="main-header navbar navbar-expand navbar-white navbar-light">
         <ul class="navbar-nav">
           <li class="nav-item">
-            <a class="nav-link" data-widget="pushmenu" href="#" role="button"><i class="fas fa-bars"></i></a>
+            <a class="nav-link" data-widget="pushmenu" href="#" role="button"><i class="fas fa-bars" title="{% trans %}toggle sidebar{% endtrans %}" aria-expanded="false"></i><span class="sr-only">{% trans %}toggle sidebar{% endtrans %}</span></a>
+          </li>
+          <li class="nav-item">
+          {%- for page, url in path %}
+            {%- if loop.index > 1 %}
+            <i class="fas fa-greater-than text-xs text-gray" aria-hidden="true"></i>
+            {%- endif %}
+            {%- if url %}
+            <a class="nav-link d-inline-block" href="{{ url }}" role="button">{{ page }}</a>
+            {%- else %}
+            <span class="nav-link d-inline-block">{{ page }}</span>
+            {%- endif %}
+          {%- endfor %}
           </li>
         </ul>
         <ul class="navbar-nav ml-auto">
           <li class="nav-item dropdown">
-            <a class="nav-link" data-toggle="dropdown" href="#" aria-expanded="false">{{ session['language'] }}</a>
-            <div class="dropdown-menu dropdown-menu-right p-0">
-                {% for language in session['available_languages'] %}
-                    <a class="dropdown-item {% if language == session['language'] %}active{% endif %} " href="{{ url_for('.set_language', language=language) }}">{{ language }}</a>
-                {% endfor %}
+            <a class="nav-link" data-toggle="dropdown" href="#" aria-expanded="false">
+              <i class="fas fa-language text-xl" aria-hidden="true" title="{% trans %}change language{% endtrans %}"></i><span class="sr-only">Language</span>
+              <span class="badge badge-primary navbar-badge">{{ session['language'] }}</span></a>
+            <div class="dropdown-menu dropdown-menu-right p-0" id="mailu-languages">
+            {%- for locale in config.translations.values() %}
+              <a class="dropdown-item{% if locale|string() == session['language'] %} active{% endif %}" href="{{ url_for('.set_language', language=locale) }}">{{ locale.get_language_name().title() }}</a>
+            {%- endfor %}
             </div>
           </li>
         </ul>
       </nav>
-      <aside class="main-sidebar sidebar-dark-primary">
-        <a href="{{ config["WEB_ADMIN"] }}" class="brand-link">
-         <span class="brand-text font-weight-light">{{ config["SITENAME"] }}</span>
+      <aside class="main-sidebar sidebar-dark-primary nav-compact elevation-4">
+        <a href="{{ url_for('.domain_list' if current_user.manager_of or current_user.global_admin else '.user_settings') }}" class="brand-link bg-mailu-logo"{% if config["LOGO_BACKGROUND"] %} style="background-color:{{ config["LOGO_BACKGROUND"] }}!important;"{% endif %}>
+          <img src="{{ config["LOGO_URL"] if config["LOGO_URL"] else url_for('static', filename='mailu.png') }}" width="33" height="33" alt="Mailu" class="brand-image mailu-logo img-circle elevation-3">
+          <span class="brand-text font-weight-light">{{ config["SITENAME"] }}</span>
         </a>
-        {% block sidebar %}
-        {% include "sidebar.html" %}
-        {% endblock %}
+        {%- include "sidebar.html" %}
       </aside>
-      <div class="content-wrapper">
+      <div class="content-wrapper text-sm">
         <section class="content-header">
           <div class="container-fluid">
             <div class="row mb-2">
               <div class="col-sm-6">
-                <h1 class="m-0">{% block title %}{% endblock %}</h1>
+                <h1 class="m-0">{%- block title %}{%- endblock %}</h1>
                 <small>{% block subtitle %}{% endblock %}</small>
               </div>
               <div class="col-sm-6">
-                {% block main_action %}
-                {% endblock %}
+                {%- block main_action %}{%- endblock %}
               </div>
             </div>
           </div>
         </section>
-
         <div class="content">
-          {{ utils.flashed_messages(container=False) }}
-          {% block content %}{% endblock %}
+          {{ utils.flashed_messages(container=False, default_category='success') }}
+          {%- block content %}{%- endblock %}
         </div>
       </div>
       <footer class="main-footer">
-        Built with <i class="fa fa-heart"></i> using <a class="white-text" href="http://flask.pocoo.org/">Flask</a> and
-        <a class="white-text" href="https://adminlte.io/themes/v3/index3.html">AdminLTE</a>
-        <span class="pull-right"><i class="fa fa-code-fork"></i>on <a class="white-text" href="https://github.com/Mailu/Mailu">Github</a></a></span>
+        Built with <i class="fa fa-heart text-danger" aria-hidden="true"></i><span class="sr-only">love</span>
+        using <a href="https://flask.palletsprojects.com/">Flask</a>
+        and <a href="https://adminlte.io/themes/v3/index3.html">AdminLTE</a>.
+        <span class="fa-pull-right">
+          <i class="fa fa-code-branch" aria-hidden="true"></i><span class="sr-only">fork</span>
+          on <a href="https://github.com/Mailu/Mailu">Github</a>
+        </span>
       </footer>
     </div>
-    <script src="{{ url_for('.static', filename='vendor.js') }}"></script>
-    <script src="{{ url_for('.static', filename='app.js') }}"></script>
+    <script src="{{ url_for('static', filename='vendor.js') }}"></script>
+    <script src="{{ url_for('static', filename='app.js') }}"></script>
   </body>
 </html>
diff --git a/core/admin/mailu/ui/templates/client.html b/core/admin/mailu/ui/templates/client.html
index 668621af..cc4517ad 100644
--- a/core/admin/mailu/ui/templates/client.html
+++ b/core/admin/mailu/ui/templates/client.html
@@ -1,17 +1,15 @@
-<!--TODO add translations for: configure your client, Incoming mail and Outgoing mail-->
+{%- extends "base.html" %}
 
-{% extends "base.html" %}
-
-{% block title %}
+{%- block title %}
 {% trans %}Client setup{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
-configure your email client
-{% endblock %}
+{%- block subtitle %}
+{% trans %}configure your email client{% endtrans %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table(title="Incoming mail", datatable=False) %}
+{%- block content %}
+{%- call macros.table(title=_("Incoming mail"), datatable=False) %}
   <tbody>
     <tr>
       <th>{% trans %}Mail protocol{% endtrans %}</th>
@@ -23,20 +21,20 @@ configure your email client
     </tr>
     <tr>
       <th>{% trans %}Server name{% endtrans %}</th>
-      <td><pre>{{ config["HOSTNAMES"].split(',')[0] }}</pre></td>
+      <td><pre class="pre-config border bg-light">{{ config["HOSTNAMES"] }}</pre></td>
     </tr>
     <tr>
       <th>{% trans %}Username{% endtrans %}</th>
-      <td><pre>{{ current_user if current_user.is_authenticated else "******" }}</pre></td>
+      <td><pre class="pre-config border bg-light">{{ current_user if current_user.is_authenticated else "******" }}</pre></td>
     </tr>
     <tr>
       <th>{% trans %}Password{% endtrans %}</th>
-      <td><pre>*******</pre></td>
+      <td><pre class="pre-config border bg-light">*******</pre></td>
     </tr>
   </tbody>
-{% endcall %}
+{%- endcall %}
 
-{% call macros.table(title="Outgoing mail", datatable=False) %}
+{%- call macros.table(title=_("Outgoing mail"), datatable=False) %}
   <tbody>
     <tr>
       <th>{% trans %}Mail protocol{% endtrans %}</th>
@@ -48,16 +46,16 @@ configure your email client
     </tr>
     <tr>
       <th>{% trans %}Server name{% endtrans %}</th>
-      <td><pre>{{ config["HOSTNAMES"].split(',')[0] }}</pre></td>
+      <td><pre class="pre-config border bg-light">{{ config["HOSTNAMES"] }}</pre></td>
     </tr>
     <tr>
       <th>{% trans %}Username{% endtrans %}</th>
-      <td><pre>{{ current_user if current_user.is_authenticated else "******" }}</pre></td>
+      <td><pre class="pre-config border bg-light">{{ current_user if current_user.is_authenticated else "******" }}</pre></td>
     </tr>
     <tr>
       <th>{% trans %}Password{% endtrans %}</th>
-      <td><pre>*******</pre></td>
+      <td><pre class="pre-config border bg-light">*******</pre></td>
     </tr>
   </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/confirm.html b/core/admin/mailu/ui/templates/confirm.html
index d0f6acf3..ac1d4f98 100644
--- a/core/admin/mailu/ui/templates/confirm.html
+++ b/core/admin/mailu/ui/templates/confirm.html
@@ -1,16 +1,16 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Confirm action{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ action }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card(theme="warning") %}
+{%- block content %}
+{%- call macros.card(theme="warning") %}
 <p>{% trans action %}You are about to {{ action }}. Please confirm your action.{% endtrans %}</p>
 {{ macros.form(form) }}
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/docker-error.html b/core/admin/mailu/ui/templates/docker-error.html
index 248e8b27..10742b99 100644
--- a/core/admin/mailu/ui/templates/docker-error.html
+++ b/core/admin/mailu/ui/templates/docker-error.html
@@ -1,14 +1,14 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Docker error{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ action }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
+{%- block content %}
 <p>{% trans action %}An error occurred while talking to the Docker server.{% endtrans %}</p>
-<pre>{{ error }}</pre>
-{% endblock %}
+<pre class="pre-config border bg-light">{{ error }}</pre>
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/domain/create.html b/core/admin/mailu/ui/templates/domain/create.html
index 3fdd262a..bc407d27 100644
--- a/core/admin/mailu/ui/templates/domain/create.html
+++ b/core/admin/mailu/ui/templates/domain/create.html
@@ -1,21 +1,20 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}New domain{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
   {{ macros.form_field(form.name) }}
   {{ macros.form_fields((form.max_users, form.max_aliases)) }}
-  {{ macros.form_field(form.max_quota_bytes, step=1000000000, max=50000000000,
-      prepend='<span class="input-group-text"><span id="quota">'+((form.max_quota_bytes.data//1000000000).__str__() if form.max_quota_bytes.data else '∞')+'</span> GiB</span>',
-      oninput='$("#quota").text(this.value == 0  ? "∞" : this.value/1000000000);') }}
+  {{ macros.form_field(form.max_quota_bytes, step=10**9, max=50*10**9, data_infinity="true",
+      prepend='<span class="input-group-text"><span id="max_quota_bytes_value"></span>&nbsp;GB</span>') }}
   {{ macros.form_field(form.signup_enabled) }}
   {{ macros.form_field(form.comment) }}
   {{ macros.form_field(form.submit) }}
 </form>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/domain/details.html b/core/admin/mailu/ui/templates/domain/details.html
index 0560d5e0..a30b9357 100644
--- a/core/admin/mailu/ui/templates/domain/details.html
+++ b/core/admin/mailu/ui/templates/domain/details.html
@@ -1,66 +1,71 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Domain details{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain.name }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
-{% if current_user.global_admin %}
+{%- block main_action %}
+{%- if current_user.global_admin %}
 <a class="btn btn-primary float-right" href="{{ url_for(".domain_genkeys", domain_name=domain.name) }}">
-  {% if domain.dkim_publickey %}
+  {%- if domain.dkim_publickey %}
   {% trans %}Regenerate keys{% endtrans %}
-  {% else %}
+  {%- else %}
   {% trans %}Generate keys{% endtrans %}
-  {% endif %}
+  {%- endif %}
 </a>
-{% endif %}
-{% endblock %}
+{%- endif %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table(datatable=False) %}
-{% set hostname = config["HOSTNAMES"].split(",")[0] %}
+{%- block content %}
+{%- call macros.table(datatable=False) %}
 <tr>
   <th>{% trans %}Domain name{% endtrans %}</th>
   <td>{{ domain.name }}</td>
 </tr>
 <tr>
-  <th>{% trans %}DNS MX entry{% endtrans %} <i class="fa {{ 'fa-check-circle' if domain.check_mx() else 'fa-exclamation-circle' }}"></i></th>
-  <td><pre>{{ domain.name }}. 600 IN MX 10 {{ hostname }}.</pre></td>
+  <th>{% trans %}DNS MX entry{% endtrans %} <i class="fa {{ 'fa-check-circle text-success' if domain.check_mx() else 'fa-exclamation-circle text-danger' }}"></i></th>
+  <td>{{ macros.clip("dns_mx") }}<pre id="dns_mx" class="pre-config border bg-light">{{ domain.dns_mx }}</pre></td>
 </tr>
 <tr>
   <th>{% trans %}DNS SPF entries{% endtrans %}</th>
-  <td><pre>
-{{ domain.name }}. 600 IN TXT "v=spf1 mx a:{{ hostname }} -all"</pre></td>
+  <td>{{ macros.clip("dns_spf") }}<pre id="dns_spf" class="pre-config border bg-light">{{ domain.dns_spf }}</pre>
+  </td>
 </tr>
-{% if domain.dkim_publickey %}
+{%- if domain.dkim_publickey %}
 <tr>
   <th>{% trans %}DKIM public key{% endtrans %}</th>
-  <td><pre style="white-space: pre-wrap; word-wrap: break-word;">{{ domain.dkim_publickey }}</pre></td>
+  <td>{{ macros.clip("dkim_key") }}<pre id="dkim_key" class="pre-config border bg-light">{{ domain.dkim_publickey }}</pre></td>
 </tr>
 <tr>
   <th>{% trans %}DNS DKIM entry{% endtrans %}</th>
-  <td><pre style="white-space: pre-wrap; word-wrap: break-word;">{{ config["DKIM_SELECTOR"] }}._domainkey.{{ domain.name }}. 600 IN TXT "v=DKIM1; k=rsa; p={{ domain.dkim_publickey }}"</pre></td>
+  <td>{{ macros.clip("dns_dkim") }}<pre id="dns_dkim" class="pre-config border bg-light">{{ domain.dns_dkim }}</pre></td>
 </tr>
 <tr>
   <th>{% trans %}DNS DMARC entry{% endtrans %}</th>
-  <td><pre>_dmarc.{{ domain.name }}. 600 IN TXT "v=DMARC1; p=reject;{% if config["DMARC_RUA"] %} rua=mailto:{{ config["DMARC_RUA"] }}@{{ config["DOMAIN"] }};{% endif %}{% if config["DMARC_RUF"] %} ruf=mailto:{{ config["DMARC_RUF"] }}@{{ config["DOMAIN"] }};{% endif %} adkim=s; aspf=s"</pre></td>
+  <td>
+    {{ macros.clip("dns_dmarc") }}<pre id="dns_dmarc" class="pre-config border bg-light">{{ domain.dns_dmarc }}</pre>
+    {{ macros.clip("dns_dmarc_report") }}<pre id="dns_dmarc_report" class="pre-config border bg-light">{{ domain.dns_dmarc_report }}</pre>
+  </td>
 </tr>
-{% endif %}
+{%- endif %}
+{%- set tlsa_record=domain.dns_tlsa %}
+{%- if tlsa_record %}
+<tr>
+  <th>{% trans %}DNS TLSA entry{% endtrans %}</br><span class="text-secondary text-xs font-weight-normal">Let's Encrypt</br>ISRG Root X1</span></th>
+  <td>{{ macros.clip("dns_tlsa") }}<pre id="dns_tlsa" class="pre-config border bg-light">{{ tlsa_record }}</pre></td>
+</tr>
+{%- endif %}
 <tr>
   <th>{% trans %}DNS client auto-configuration (RFC6186) entries{% endtrans %}</th>
-  <td>
-    <pre style="white-space: pre-wrap; word-wrap: break-word;">_submission._tcp.{{ domain.name }}. 600 IN SRV 1 1 587 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
-    <pre style="white-space: pre-wrap; word-wrap: break-word;">_imap._tcp.{{ domain.name }}. 600 IN SRV 100 1 143 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
-    <pre style="white-space: pre-wrap; word-wrap: break-word;">_pop3._tcp.{{ domain.name }}. 600 IN SRV 100 1 110 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
-{% if config["TLS_FLAVOR"] != "notls" %}
-    <pre style="white-space: pre-wrap; word-wrap: break-word;">_submissions._tcp.{{ domain.name }}. 600 IN SRV 10 1 465 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
-    <pre style="white-space: pre-wrap; word-wrap: break-word;">_imaps._tcp.{{ domain.name }}. 600 IN SRV 10 1 993 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
-    <pre style="white-space: pre-wrap; word-wrap: break-word;">_pop3s._tcp.{{ domain.name }}. 600 IN SRV 10 1 995 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
-{% endif %}</td>
+  <td>{{ macros.clip("dns_autoconfig") }}<pre id="dns_autoconfig" class="pre-config border bg-light">
+{%- for line in domain.dns_autoconfig %}
+{{ line }}
+{%- endfor -%}
+  </pre></td>
 </tr>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/domain/edit.html b/core/admin/mailu/ui/templates/domain/edit.html
index 13af23a5..736e43eb 100644
--- a/core/admin/mailu/ui/templates/domain/edit.html
+++ b/core/admin/mailu/ui/templates/domain/edit.html
@@ -1,9 +1,9 @@
-{% extends "domain/create.html" %}
+{%- extends "domain/create.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Edit domain{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/domain/list.html b/core/admin/mailu/ui/templates/domain/list.html
index c82647df..61c09151 100644
--- a/core/admin/mailu/ui/templates/domain/list.html
+++ b/core/admin/mailu/ui/templates/domain/list.html
@@ -1,17 +1,17 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Domain list{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
-{% if current_user.global_admin %}
+{%- block main_action %}
+{%- if current_user.global_admin %}
 <a class="btn btn-primary float-right" href="{{ url_for('.domain_create') }}">{% trans %}New domain{% endtrans %}</a>
-{% endif %}
-{% endblock %}
+{%- endif %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -25,31 +25,31 @@
   </tr>
 </thead>
 <tbody>
-  {% for domain in current_user.get_managed_domains() %}
+  {%- for domain in current_user.get_managed_domains() %}
   <tr>
     <td>
       <a href="{{ url_for('.domain_details', domain_name=domain.name) }}" title="{% trans %}Details{% endtrans %}"><i class="fa fa-list"></i></a>&nbsp;
-      {% if current_user.global_admin %}
+      {%- if current_user.global_admin %}
       <a href="{{ url_for('.domain_edit', domain_name=domain.name) }}" title="{% trans %}Edit{% endtrans %}"><i class="fas fa-pencil-alt"></i></a>&nbsp;
       <a href="{{ url_for('.domain_delete', domain_name=domain.name) }}" title="{% trans %}Delete{% endtrans %}"><i class="fa fa-trash"></i></a>&nbsp;
-      {% endif %}
+      {%- endif %}
     </td>
     <td>
       <a href="{{ url_for('.user_list', domain_name=domain.name) }}" title="{% trans %}Users{% endtrans %}"><i class="far fa-envelope"></i></a>&nbsp;
       <a href="{{ url_for('.alias_list', domain_name=domain.name) }}" title="{% trans %}Aliases{% endtrans %}"><i class="fa fa-at"></i></a>&nbsp;
       <a href="{{ url_for('.manager_list', domain_name=domain.name) }}" title="{% trans %}Managers{% endtrans %}"><i class="fa fa-user"></i></a>&nbsp;
-      {% if current_user.global_admin %}
+      {%- if current_user.global_admin %}
       <a href="{{ url_for('.alternative_list', domain_name=domain.name) }}" title="{% trans %}Alternatives{% endtrans %}"><i class="fa fa-asterisk"></i></a>&nbsp;
-      {% endif %}
+      {%- endif %}
     </td>
     <td>{{ domain.name }}</td>
     <td>{{ domain.users | count }} / {{ '∞' if domain.max_users == -1 else domain.max_users }}</td>
     <td>{{ domain.aliases | count }} / {{ '∞' if domain.max_aliases == -1 else domain.max_aliases }}</td>
     <td>{{ domain.comment or '' }}</td>
-    <td>{{ domain.created_at }}</td>
-    <td>{{ domain.updated_at or '' }}</td>
+    <td>{{ domain.created_at | format_date }}</td>
+    <td>{{ domain.updated_at | format_date }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/domain/signup.html b/core/admin/mailu/ui/templates/domain/signup.html
index e9dbd75f..083242e4 100644
--- a/core/admin/mailu/ui/templates/domain/signup.html
+++ b/core/admin/mailu/ui/templates/domain/signup.html
@@ -1,18 +1,18 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Register a domain{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
+{%- block content %}
 
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
 
-  {% call macros.card(title="Requirements") %}
+  {%- call macros.card(title="Requirements") %}
   <p>{% trans %}In order to register a new domain, you must first setup the
     domain zone so that the domain <code>MX</code> points to this server{% endtrans %}
-    (<code>{{ config["HOSTNAMES"].split(",")[0] }}</code>).
+    (<code>{{ config["HOSTNAME"] }}</code>).
   </p>
   <p>
     {% trans %}If you do not know how to setup an <code>MX</code> record for your DNS zone,
@@ -20,17 +20,17 @@
     couple minutes after the <code>MX</code> is set so the local server cache
     expires.{% endtrans %}
   </p>
-  {% endcall %}
+  {%- endcall %}
 
-  {% call macros.card() %}
-  {% if form.localpart %}
+  {%- call macros.card() %}
+  {%- if form.localpart %}
   {{ macros.form_fields((form.localpart, form.name), append='<span class="input-group-text">@</span>') }}
   {{ macros.form_fields((form.pw, form.pw2)) }}
-  {% else %}
+  {%- else %}
   {{ macros.form_field(form.name) }}
-  {% endif %}
+  {%- endif %}
   {{ macros.form_field(form.captcha) }}
   {{ macros.form_field(form.submit) }}
-  {% endcall %}
+  {%- endcall %}
 </form>
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/fetch/create.html b/core/admin/mailu/ui/templates/fetch/create.html
index 1b5bc194..00698329 100644
--- a/core/admin/mailu/ui/templates/fetch/create.html
+++ b/core/admin/mailu/ui/templates/fetch/create.html
@@ -1,31 +1,31 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Add a fetched account{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
+{%- block content %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
-  {% call macros.card(title="Remote server") %}
+  {%- call macros.card(title="Remote server") %}
   {{ macros.form_field(form.protocol) }}
   {{ macros.form_fields((form.host, form.port)) }}
   {{ macros.form_field(form.tls) }}
-  {% endcall %}
+  {%- endcall %}
 
-  {% call macros.card(title="Authentication") %}
+  {%- call macros.card(title="Authentication") %}
   {{ macros.form_field(form.username) }}
   {{ macros.form_field(form.password) }}
-  {% endcall %}
+  {%- endcall %}
 
-  {% call macros.card(title="Settings") %}
+  {%- call macros.card(title="Settings") %}
   {{ macros.form_field(form.keep) }}
-  {% endcall %}
+  {%- endcall %}
 
   {{ macros.form_field(form.submit) }}
 </form>
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/fetch/edit.html b/core/admin/mailu/ui/templates/fetch/edit.html
index 9d0f3918..62af51a9 100644
--- a/core/admin/mailu/ui/templates/fetch/edit.html
+++ b/core/admin/mailu/ui/templates/fetch/edit.html
@@ -1,9 +1,9 @@
-{% extends "fetch/create.html" %}
+{%- extends "fetch/create.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Update a fetched account{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/fetch/list.html b/core/admin/mailu/ui/templates/fetch/list.html
index 77f66bb1..60b214de 100644
--- a/core/admin/mailu/ui/templates/fetch/list.html
+++ b/core/admin/mailu/ui/templates/fetch/list.html
@@ -1,19 +1,19 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Fetched accounts{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.fetch_create', user_email=user.email) }}">{% trans %}Add an account{% endtrans %}</a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -27,7 +27,7 @@
   </tr>
 </thead>
 <tbody>
-  {% for fetch in user.fetches %}
+  {%- for fetch in user.fetches %}
   <tr>
     <td>
       <a href="{{ url_for('.fetch_edit', fetch_id=fetch.id) }}" title="{% trans %}Edit{% endtrans %}"><i class="fa fa-pencil"></i></a>&nbsp;
@@ -36,12 +36,12 @@
     <td>{{ fetch.protocol }}{{ 's' if fetch.tls else '' }}://{{ fetch.host }}:{{ fetch.port }}</td>
     <td>{{ fetch.username }}</td>
     <td>{% if fetch.keep %}{% trans %}yes{% endtrans %}{% else %}{% trans %}no{% endtrans %}{% endif %}</td>
-    <td>{{ fetch.last_check or '-' }}</td>
+    <td>{{ fetch.last_check | format_datetime or '-' }}</td>
     <td>{{ fetch.error or '-' }}</td>
-    <td>{{ fetch.created_at }}</td>
-    <td>{{ fetch.updated_at or '' }}</td>
+    <td>{{ fetch.created_at | format_date }}</td>
+    <td>{{ fetch.updated_at | format_date }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/form.html b/core/admin/mailu/ui/templates/form.html
index 0e65ce33..2c635aac 100644
--- a/core/admin/mailu/ui/templates/form.html
+++ b/core/admin/mailu/ui/templates/form.html
@@ -1,7 +1,7 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 {{ macros.form(form) }}
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/login.html b/core/admin/mailu/ui/templates/login.html
deleted file mode 100644
index 26c47c08..00000000
--- a/core/admin/mailu/ui/templates/login.html
+++ /dev/null
@@ -1,9 +0,0 @@
-{% extends "form.html" %}
-
-{% block title %}
-{% trans %}Sign in{% endtrans %}
-{% endblock %}
-
-{% block subtitle %}
-{% trans %}to access the administration tools{% endtrans %}
-{% endblock %}
diff --git a/core/admin/mailu/ui/templates/macros.html b/core/admin/mailu/ui/templates/macros.html
index d1715c7a..0da069a9 100644
--- a/core/admin/mailu/ui/templates/macros.html
+++ b/core/admin/mailu/ui/templates/macros.html
@@ -1,104 +1,133 @@
-{% macro form_errors(form) %}
-  {% if form.errors %}
-    {% for fieldname, errors in form.errors.items() %}
-      {% if bootstrap_is_hidden_field(form[fieldname]) %}
-        {% for error in errors %}
+{%- macro form_errors(form) %}
+  {%- if form.errors %}
+    {%- for fieldname, errors in form.errors.items() %}
+      {%- if bootstrap_is_hidden_field(form[fieldname]) %}
+        {%- for error in errors %}
           <p class="error">{{error}}</p>
-        {% endfor %}
-      {% endif %}
-    {% endfor %}
-  {% endif %}
-{% endmacro %}
+        {%- endfor %}
+      {%- endif %}
+    {%- endfor %}
+  {%- endif %}
+{%- endmacro %}
 
-{% macro form_field_errors(field) %}
-  {% if field.errors %}
-    {% for error in field.errors %}
+{%- macro form_field_errors(field) %}
+  {%- if field.errors %}
+    {%- for error in field.errors %}
       <p class="help-block inline">{{ error }}</p>
-    {% endfor %}
-  {% endif %}
-{% endmacro %}
+    {%- endfor %}
+  {%- endif %}
+{%- endmacro %}
 
-{% macro form_fields(fields, prepend='', append='', label=True) %}
-  {% set width = (12 / fields|length)|int %}
+{%- macro form_fields(fields, prepend='', append='', label=True) %}
+  {%- set width = (12 / fields|length)|int %}
   <div class="form-group">
     <div class="row">
-      {% for field in fields %}
+      {%- for field in fields %}
       <div class="col-lg-{{ width }} col-xs-12 {{ 'has-error' if field.errors else '' }}">
-        {{ form_individual_field(field, prepend=prepend, append=append, label=label, **kwargs) }}
+        {%- if field.__class__.__name__ == 'list' %}
+          {%- for subfield in field %}
+            {{ form_individual_field(subfield, prepend=prepend, append=append, label=label, **kwargs) }}
+          {%- endfor %}
+        {%- else %}
+          {{ form_individual_field(field, prepend=prepend, append=append, label=label, **kwargs) }}
+        {%- endif %}
       </div>
-      {% endfor %}
+      {%- endfor %}
     </div>
   </div>
-{% endmacro %}
+{%- endmacro %}
 
-{% macro form_individual_field(field, prepend='', append='', label=True, class_="") %}
-  {% if field.type == "BooleanField" %}
-    {{ field(**kwargs) }}<span>&nbsp;&nbsp;</span>
-    {{ field.label if label else '' }}
-  {% else %}
+{%- macro form_individual_field(field, prepend='', append='', label=True, class_="") %}
+  {%- if field.type == "BooleanField" %}
+    {{ field(**kwargs) }}<span>&nbsp;&nbsp;</span>{{ field.label if label else '' }}
+  {%- else %}
     {{ field.label if label else '' }}{{ form_field_errors(field) }}
-      {% if prepend %}<div class="input-group-prepend">{% endif %}
-      {% if append %}<div class="input-group-append">{% endif %}
-        {{ prepend|safe }}{{ field(class_="form-control " + class_, **kwargs) }}{{ append|safe }}
-      {% if prepend or append %}</div>{% endif %}
-  {% endif %}
-{% endmacro %}
+    {%- if prepend %}<div class="input-group-prepend">{%- elif append %}<div class="input-group-append">{%- endif %}
+      {{ prepend|safe }}{{ field(class_=("form-control " + class_) if class_ else "form-control", **kwargs) }}{{ append|safe }}
+    {%- if prepend or append %}</div>{%- endif %}
+  {%- endif %}
+{%- endmacro %}
 
-{% macro form_field(field) %}
-  {% if field.type == 'SubmitField' %}
-  {{ form_fields((field,), label=False, class="btn btn-default", **kwargs) }}
-  {% else %}
-  {{ form_fields((field,), **kwargs) }}
-  {% endif %}
-{% endmacro %}
+{%- macro form_field(field) %}
+  {%- if field.type == 'SubmitField' %}
+  {{- form_fields((field,), label=False, class="btn btn-default", **kwargs) }}
+  {%- else %}
+  {{- form_fields((field,), **kwargs) }}
+  {%- endif %}
+{%- endmacro %}
 
-{% macro form(form) %}
+{%- macro form(form) %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
-  {% for field in form %}
-    {% if  bootstrap_is_hidden_field(field) %}
+  {%- for field in form %}
+    {%- if bootstrap_is_hidden_field(field) %}
       {{ field() }}
-    {% else %}
+    {%- else %}
       {{ form_field(field) }}
-    {% endif %}
-  {% endfor %}
+    {%- endif %}
+  {%- endfor %}
 </form>
-{% endmacro %}
+{%- endmacro %}
 
-{% macro card(title=None, theme="primary", header=True) %}
+{%- macro card(title=None, theme="primary", header=True) %}
 <div class="row">
   <div class="col-lg-12">
     <div class="card card-outline card-{{ theme }}">
-      {% if header %}
+      {%- if header %}
       <div class="card-header border-0">
-        {% if title %}
+        {%- if title %}
         <h3 class="card-title">{{ title }}</h3>
-        {% endif %}
+        {%- endif %}
       </div>
-      {% endif %}
+      {%- endif %}
       <div class="card-body">
-       {{ caller() }}
+       {{- caller() }}
       </div>
     </div>
   </div>
 </div>
-{% endmacro %}
+{%- endmacro %}
 
-{% macro table(title=None, theme="primary", datatable=True) %}
+{%- macro table(title=None, theme="primary", datatable=True) %}
 <div class="row">
   <div class="col-lg-12">
     <div class="card card-outline card-{{ theme }}">
+      {%- if title %}
       <div class="card-header border-0">
-        {% if title %}
         <h3 class="card-title">{{ title }}</h3>
-        {% endif %}
       </div>
+      {%- endif %}
       <div class="card-body">
-        <table class="table table-bordered {% if datatable %} dataTable {% endif %}">
-          {{ caller() }}
+        <table class="table table-bordered{% if datatable %} dataTable{% endif %}">
+          {{- caller() }}
         </table>
       </div>
     </div>
   </div>
 </div>
-{% endmacro %}
+{%- endmacro %}
+
+{%- macro fieldset(title=None, field=None, enabled=None, fields=None) %}
+{%- if field or title %}
+<fieldset{% if not enabled %} disabled{% endif %}>
+{%- if field %}
+<legend>{{ form_individual_field(field) }}</legend>
+{%- else %}
+<legend>{{ title }}</legend>
+{%- endif %}
+{%- endif %}
+{{- caller() }}
+{%- if fields %}
+  {%- set kwargs = {"enabled" if enabled else "disabled": ""} %}
+  {%- for field in fields %}
+    {{ form_field(field, **kwargs) }}
+  {%- endfor %}
+{%- endif %}
+</fieldset>
+{%- endmacro %}
+
+{%- macro clip(target, title=_("copy to clipboard"), icon="copy", color="primary", action="copy") %}
+<button class="btn btn-{{ color }} btn-xs btn-clip float-right ml-2 mt-1" data-clipboard-action="{{ action }}" data-clipboard-target="#{{ target }}">
+<i class="fas fa-{{ icon }}" title="{{ title }}" aria-expanded="false"></i><span class="sr-only">{{ title }}</span>
+</button>
+{%- endmacro %}
diff --git a/core/admin/mailu/ui/templates/manager/create.html b/core/admin/mailu/ui/templates/manager/create.html
index bc5e6ca9..e5812b74 100644
--- a/core/admin/mailu/ui/templates/manager/create.html
+++ b/core/admin/mailu/ui/templates/manager/create.html
@@ -1,19 +1,19 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Add a manager{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
   {{ macros.form_field(form.manager, class_='mailselect') }}
   {{ macros.form_field(form.submit) }}
 </form>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/manager/list.html b/core/admin/mailu/ui/templates/manager/list.html
index 9a78e3ca..706594c4 100644
--- a/core/admin/mailu/ui/templates/manager/list.html
+++ b/core/admin/mailu/ui/templates/manager/list.html
@@ -1,19 +1,19 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Manager list{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain.name }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.manager_create', domain_name=domain.name) }}">{% trans %}Add manager{% endtrans %}</a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -21,14 +21,14 @@
   </tr>
 </thead>
 <tbody>
-{% for manager in domain.managers %}
+{%- for manager in domain.managers %}
 <tr>
   <td>
     <a href="{{ url_for('.manager_delete', domain_name=domain.name, user_email=manager.email) }}" title="{% trans %}Delete{% endtrans %}"><i class="fa fa-trash"></i></a>
   </td>
   <td>{{ manager }}</td>
 </tr>
-{% endfor %}
+{%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/relay/create.html b/core/admin/mailu/ui/templates/relay/create.html
index b22cb001..b1e4e8e5 100644
--- a/core/admin/mailu/ui/templates/relay/create.html
+++ b/core/admin/mailu/ui/templates/relay/create.html
@@ -1,5 +1,5 @@
-{% extends "form.html" %}
+{%- extends "form.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}New relay domain{% endtrans %}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/relay/edit.html b/core/admin/mailu/ui/templates/relay/edit.html
index 83dafcba..df2418a4 100644
--- a/core/admin/mailu/ui/templates/relay/edit.html
+++ b/core/admin/mailu/ui/templates/relay/edit.html
@@ -1,9 +1,9 @@
-{% extends "form.html" %}
+{%- extends "form.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Edit relayd domain{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ relay }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/relay/list.html b/core/admin/mailu/ui/templates/relay/list.html
index 6c8c9196..80bc5338 100644
--- a/core/admin/mailu/ui/templates/relay/list.html
+++ b/core/admin/mailu/ui/templates/relay/list.html
@@ -1,17 +1,17 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Relayed domain list{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
-{% if current_user.global_admin %}
+{%- block main_action %}
+{%- if current_user.global_admin %}
 <a class="btn btn-primary float-right" href="{{ url_for('.relay_create') }}">{% trans %}New relayed domain{% endtrans %}</a>
-{% endif %}
-{% endblock %}
+{%- endif %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -23,7 +23,7 @@
   </tr>
 </thead>
 <tbody>
-  {% for relay in relays %}
+  {%- for relay in relays %}
   <tr>
     <td>
       <a href="{{ url_for('.relay_edit', relay_name=relay.name) }}" title="{% trans %}Edit{% endtrans %}"><i class="fa fa-pencil"></i></a>&nbsp;
@@ -32,10 +32,10 @@
     <td>{{ relay.name }}</td>
     <td>{{ relay.smtp or '-' }}</td>
     <td>{{ relay.comment or '' }}</td>
-    <td>{{ relay.created_at }}</td>
-    <td>{{ relay.updated_at or '' }}</td>
+    <td>{{ relay.created_at | format_date }}</td>
+    <td>{{ relay.updated_at | format_date }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/sidebar.html b/core/admin/mailu/ui/templates/sidebar.html
index 0fdae9db..6145bef3 100644
--- a/core/admin/mailu/ui/templates/sidebar.html
+++ b/core/admin/mailu/ui/templates/sidebar.html
@@ -1,144 +1,156 @@
-<div class="sidebar">
-  {% if current_user.is_authenticated %}
+<div class="sidebar text-sm">
+  {%- if current_user.is_authenticated %}
   <div class="user-panel mt-3 pb-3 mb-3 d-flex">
+    <div class="image">
+      <div class="div-circle elevation-2"><i class="fa fa-user text-lg text-dark"></i></div>
+    </div>
     <div class="info">
-      <span class="text-center text-primary">{{ current_user }}</span>
+      <a href="{{ url_for('.user_settings') }}" class="d-block">{{ current_user }}</a>
     </div>
   </div>
-  {% endif %}
-
+  {%- endif %}
   <nav class="mt-2">
     <ul class="nav nav-pills nav-sidebar flex-column" role="menu">
-      {% if current_user.is_authenticated %}
-      <li class="nav-header">{% trans %}My account{% endtrans %}</li>
-      <li class="nav-item">
-        <a href="{{ url_for('.user_settings') }}" class="nav-link">
+      {%- if current_user.is_authenticated %}
+      <li class="nav-header text-uppercase text-primary" role="none">{% trans %}My account{% endtrans %}</li>
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.user_settings') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-wrench"></i>
-          <p class="text">{% trans %}Settings{% endtrans %}</p>
+          <p>{% trans %}Settings{% endtrans %}</p>
         </a>
       </li>
-      <li class="nav-item">
-        <a href="{{ url_for('.user_password') }}" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.user_password') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-lock"></i>
-          <p class="text">{% trans %}Update password{% endtrans %}</p>
+          <p>{% trans %}Update password{% endtrans %}</p>
         </a>
       </li>
-      <li class="nav-item">
-        <a href="{{ url_for('.user_reply') }}" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.user_reply') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-plane"></i>
-          <p class="text">{% trans %}Auto-reply{% endtrans %}</p>
+          <p>{% trans %}Auto-reply{% endtrans %}</p>
         </a>
       </li>
-      <li class="nav-item">
-        <a href="{{ url_for('.fetch_list') }}" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.fetch_list') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fas fa-download"></i>
-          <p class="text">{% trans %}Fetched accounts{% endtrans %}</p>
+          <p>{% trans %}Fetched accounts{% endtrans %}</p>
         </a>
       </li>
-      <li class="nav-item">
-        <a href="{{ url_for('.token_list') }}" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.token_list') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fas fa-ticket-alt"></i>
-          <p class="text">{% trans %}Authentication tokens{% endtrans %}</p>
+          <p>{% trans %}Authentication tokens{% endtrans %}</p>
         </a>
       </li>
-
-      {% if current_user.manager_of or current_user.global_admin %}
-      <li class="nav-header">{% trans %}Administration{% endtrans %}</li>
-      {% endif %}
-      {% if current_user.global_admin %}
-      <li class="nav-item">
-        <a href="{{ url_for('.announcement') }}" class="nav-link">
-          <i class="nav-icon fa fa-bullhorn"></i>
-          <p class="text">{% trans %}Announcement{% endtrans %}</p>
-        </a>
-      </li>
-      <li class="nav-item">
-        <a href="{{ url_for('.admin_list') }}" class="nav-link">
-          <i class="nav-icon fa fa-user"></i>
-          <p class="text">{% trans %}Administrators{% endtrans %}</p>
-        </a>
-      </li>
-      <li class="nav-item">
-        <a href="{{ url_for('.relay_list') }}" class="nav-link">
-          <i class="nav-icon fa fa-reply-all"></i>
-          <p class="text">{% trans %}Relayed domains{% endtrans %}</p>
-        </a>
-      </li>
-      <li class="nav-item">
-        <a href="{{ config["WEB_ADMIN"] }}/antispam/" target="_blank" class="nav-link">
-        <i class="nav-icon fas fa-trash-alt"></i>
-        <p class="text">{% trans %}Antispam{% endtrans %}</p>
-        </a>
-      </li>
-      {% endif %}
-      {% if current_user.manager_of or current_user.global_admin %}
-      <li class="nav-item">
-        <a href="{{ url_for('.domain_list') }}" class="nav-link">
-          <i class="nav-icon fa fa-envelope"></i>
-          <p class="text">{% trans %}Mail domains{% endtrans %}</p>
-        </a>
-      </li>
-      {% endif %}
-      {% endif %}
-
-      <li class="nav-header">{% trans %}Go to{% endtrans %}</li>
-      {% if config["WEBMAIL"] != "none" %}
-      <li class="nav-item">
-        <a href="{{ config["WEB_WEBMAIL"] }}" target="_blank" class="nav-link">
-        <i class="nav-icon far fa-envelope"></i>
-        <p class="text">{% trans %}Webmail{% endtrans %}</p>
-        </a>
-      </li>
-      {% endif %}
-      <li class="nav-item">
-        <a href="{{ url_for('.client') }}" class="nav-link">
+      {%- if current_user.is_authenticated %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.client') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-laptop"></i>
-          <p class="text">{% trans %}Client setup{% endtrans %}</p>
+          <p>{% trans %}Client setup{% endtrans %}</p>
         </a>
       </li>
-      <li class="nav-item">
-        <a href="{{ config["WEBSITE"] }}" target="_blank" class="nav-link">
+      {%- endif %}
+
+      {%- if current_user.manager_of or current_user.global_admin %}
+      <li class="nav-header text-uppercase text-primary" role="none">{% trans %}Administration{% endtrans %}</li>
+      {%- endif %}
+      {%- if current_user.global_admin %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.announcement') }}" class="nav-link" role="menuitem">
+          <i class="nav-icon fa fa-bullhorn"></i>
+          <p>{% trans %}Announcement{% endtrans %}</p>
+        </a>
+      </li>
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.admin_list') }}" class="nav-link" role="menuitem">
+          <i class="nav-icon fa fa-user"></i>
+          <p>{% trans %}Administrators{% endtrans %}</p>
+        </a>
+      </li>
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.relay_list') }}" class="nav-link" role="menuitem">
+          <i class="nav-icon fa fa-reply-all"></i>
+          <p>{% trans %}Relayed domains{% endtrans %}</p>
+        </a>
+      </li>
+      <li class="nav-item" role="none">
+        <a href="{{ config["WEB_ADMIN"] }}/antispam/" data-clicked="{{ url_for('.antispam') }}" target="_blank" class="nav-link" role="menuitem">
+        <i class="nav-icon fas fa-trash-alt"></i>
+        <p>{% trans %}Antispam{% endtrans %}</p>
+        </a>
+      </li>
+      {%- endif %}
+      {%- if current_user.manager_of or current_user.global_admin %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.domain_list') }}" class="nav-link" role="menuitem">
+          <i class="nav-icon fa fa-envelope"></i>
+          <p>{% trans %}Mail domains{% endtrans %}</p>
+        </a>
+      </li>
+      {%- endif %}
+      {%- endif %}
+
+      <li class="nav-header text-uppercase text-primary" role="none">{% trans %}Go to{% endtrans %}</li>
+      {%- if config["WEBMAIL"] != "none" and current_user.is_authenticated %}
+      <li class="nav-item" role="none">
+        <a href="{{ config["WEB_WEBMAIL"] }}" target="_blank" class="nav-link" role="menuitem">
+        <i class="nav-icon far fa-envelope"></i>
+        <p>{% trans %}Webmail{% endtrans %} <i class="fas fa-external-link-alt text-xs"></i></p>
+        </a>
+      </li>
+      {%- endif %}
+      {%- if not current_user.is_authenticated %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.client') }}" class="nav-link" role="menuitem">
+          <i class="nav-icon fa fa-laptop"></i>
+          <p>{% trans %}Client setup{% endtrans %}</p>
+        </a>
+      </li>
+      {%- endif %}
+      <li class="nav-item" role="none">
+        <a href="{{ config["WEBSITE"] }}" target="_blank" class="nav-link" role="menuitem" rel="noreferrer">
         <i class="nav-icon fa fa-globe"></i>
-        <p class="text">{% trans %}Website{% endtrans %}</p>
+        <p>{% trans %}Website{% endtrans %} <i class="fas fa-external-link-alt text-xs"></i></p>
         </a>
       </li>
-      <li class="nav-item">
-        <a href="https://mailu.io" target="_blank" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="https://mailu.io" target="_blank" class="nav-link" role="menuitem" rel="noreferrer">
           <i class="nav-icon fa fa-life-ring"></i>
-          <p class="text">{% trans %}Help{% endtrans %}</p>
+          <p>{% trans %}Help{% endtrans %} <i class="fas fa-external-link-alt text-xs"></i></p>
         </a>
       </li>
-      {% if config['DOMAIN_REGISTRATION'] %}
-      <li class="nav-item">
-        <a href="{{ url_for('.domain_signup') }}" class="nav-link">
+      {%- if config['DOMAIN_REGISTRATION'] %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.domain_signup') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-plus-square"></i>
-          <p class="text">{% trans %}Register a domain{% endtrans %}</p>
+          <p>{% trans %}Register a domain{% endtrans %}</p>
         </a>
       </li>
-      {% endif %}
-      {% if current_user.is_authenticated %}
-      <li class="nav-item">
-        <a href="{{ url_for('.logout') }}" class="nav-link">
+      {%- endif %}
+      {%- if current_user.is_authenticated %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('sso.logout') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fas fa-sign-out-alt"></i>
-          <p class="text">{% trans %}Sign out{% endtrans %}</p>
+          <p>{% trans %}Sign out{% endtrans %}</p>
         </a>
       </li>
       {% else %}
-      <li class="nav-item">
-        <a href="{{ url_for('.login') }}" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('sso.login') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fas fa-sign-in-alt"></i>
-          <p class="text">{% trans %}Sign in{% endtrans %}</p>
+          <p>{% trans %}Sign in{% endtrans %}</p>
         </a>
       </li>
-      {% if signup_domains %}
-      <li class="nav-item">
-        <a href="{{ url_for('.user_signup') }}" class="nav-link">
+      {%- if signup_domains %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.user_signup') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-user-plus"></i>
-          <p class="text">{% trans %}Sign up{% endtrans %}</p>
+          <p>{% trans %}Sign up{% endtrans %}</p>
         </a>
       </li>
-      {% endif %}
-      {% endif %}
+      {%- endif %}
+      {%- endif %}
     </ul>
   </nav>
 </div>
diff --git a/core/admin/mailu/ui/templates/token/create.html b/core/admin/mailu/ui/templates/token/create.html
index a64e662c..ab9286d5 100644
--- a/core/admin/mailu/ui/templates/token/create.html
+++ b/core/admin/mailu/ui/templates/token/create.html
@@ -1,9 +1,9 @@
-{% extends "form.html" %}
+{%- extends "form.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Create an authentication token{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/token/list.html b/core/admin/mailu/ui/templates/token/list.html
index 09d0fe76..d7c48737 100644
--- a/core/admin/mailu/ui/templates/token/list.html
+++ b/core/admin/mailu/ui/templates/token/list.html
@@ -1,38 +1,40 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Authentication tokens{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.token_create', user_email=user.email) }}">{% trans %}New token{% endtrans %}</a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
     <th>{% trans %}Comment{% endtrans %}</th>
     <th>{% trans %}Authorized IP{% endtrans %}</th>
     <th>{% trans %}Created{% endtrans %}</th>
+    <th>{% trans %}Last edit{% endtrans %}</th>
   </tr>
 </thead>
 <tbody>
-  {% for token in user.tokens %}
+  {%- for token in user.tokens %}
   <tr>
     <td>
       <a href="{{ url_for('.token_delete', token_id=token.id) }}" title="{% trans %}Delete{% endtrans %}"><i class="fa fa-trash"></i></a>
     </td>
     <td>{{ token.comment }}</td>
     <td>{{ token.ip or "any" }}</td>
-    <td>{{ token.created_at }}</td>
+    <td>{{ token.created_at | format_date }}</td>
+    <td>{{ token.updated_at | format_date }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/create.html b/core/admin/mailu/ui/templates/user/create.html
index 886cbb88..9a32243d 100644
--- a/core/admin/mailu/ui/templates/user/create.html
+++ b/core/admin/mailu/ui/templates/user/create.html
@@ -1,33 +1,32 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}New user{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain.name }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
+{%- block content %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
 
-  {% call macros.card(_("General")) %}
+  {%- call macros.card(_("General")) %}
   {{ macros.form_field(form.localpart, append='<span class="input-group-text">@'+domain.name+'</span>') }}
   {{ macros.form_fields((form.pw, form.pw2)) }}
   {{ macros.form_field(form.displayed_name) }}
   {{ macros.form_field(form.comment) }}
   {{ macros.form_field(form.enabled) }}
-  {% endcall %}
+  {%- endcall %}
 
-  {% call macros.card(_("Features and quotas"), theme="success") %}
-  {{ macros.form_field(form.quota_bytes, step=1000000000, max=(max_quota_bytes or domain.max_quota_bytes or 50000000000),
-      prepend='<span class="input-group-text"><span id="quota">'+((form.quota_bytes.data//1000000000).__str__() if form.quota_bytes.data else '∞')+'</span> GiB</span>',
-      oninput='$("#quota").text(this.value == 0  ? "∞" : this.value/1000000000);') }}
+  {%- call macros.card(_("Features and quotas"), theme="success") %}
+  {{ macros.form_field(form.quota_bytes, step=1000000000, max=(max_quota_bytes or domain.max_quota_bytes or 50*10**9), data_infinity="true",
+      prepend='<span class="input-group-text"><span id="quota_bytes_value"></span>&nbsp;GB</span>') }}
   {{ macros.form_field(form.enable_imap) }}
   {{ macros.form_field(form.enable_pop) }}
-  {% endcall %}
+  {%- endcall %}
 
   {{ macros.form_field(form.submit) }}
 </form>
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/edit.html b/core/admin/mailu/ui/templates/user/edit.html
index 25da5486..1a0b2150 100644
--- a/core/admin/mailu/ui/templates/user/edit.html
+++ b/core/admin/mailu/ui/templates/user/edit.html
@@ -1,9 +1,9 @@
-{% extends "user/create.html" %}
+{%- extends "user/create.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Edit user{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/forward.html b/core/admin/mailu/ui/templates/user/forward.html
deleted file mode 100644
index 6059f0ed..00000000
--- a/core/admin/mailu/ui/templates/user/forward.html
+++ /dev/null
@@ -1,25 +0,0 @@
-{% extends "base.html" %}
-
-{% block title %}
-{% trans %}Forward emails{% endtrans %}
-{% endblock %}
-
-{% block subtitle %}
-{{ user }}
-{% endblock %}
-
-{% block content %}
-{% call macros.card() %}
-<form class="form" method="post" role="form">
-  {{ form.hidden_tag() }}
-  {{ macros.form_field(form.forward_enabled,
-      onchange="if(this.checked){$('#forward_destination,#forward_keep').removeAttr('disabled')}
-                else{$('#forward_destination,#forward_keep').attr('disabled', '')}") }}
-  {{ macros.form_field(form.forward_keep,
-      **{("enabled" if user.forward_enabled else "disabled"): ""}) }}
-  {{ macros.form_field(form.forward_destination,
-      **{("enabled" if user.forward_enabled else "disabled"): ""}) }}
-  {{ macros.form_field(form.submit) }}
-</form>
-{% endcall %}
-{% endblock %}
diff --git a/core/admin/mailu/ui/templates/user/list.html b/core/admin/mailu/ui/templates/user/list.html
index cfec6276..7faddab5 100644
--- a/core/admin/mailu/ui/templates/user/list.html
+++ b/core/admin/mailu/ui/templates/user/list.html
@@ -1,19 +1,19 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}User list{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain.name }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.user_create', domain_name=domain.name) }}">{% trans %}Add user{% endtrans %}</a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -27,8 +27,8 @@
   </tr>
 </thead>
 <tbody>
-  {% for user in domain.users %}
-  <tr {% if not user.enabled %}class="warning"{% endif %}>
+  {%- for user in domain.users %}
+  <tr{% if not user.enabled %} class="warning"{% endif %}>
     <td>
       <a href="{{ url_for('.user_edit', user_email=user.email) }}" title="{% trans %}Edit{% endtrans %}"><i class="fas fa-pencil-alt"></i></a>&nbsp;
       <a href="{{ url_for('.user_delete', user_email=user.email) }}" title="{% trans %}Delete{% endtrans %}"><i class="fa fa-trash"></i></a>
@@ -45,10 +45,10 @@
     </td>
     <td>{{ user.quota_bytes_used | filesizeformat }} / {{ (user.quota_bytes | filesizeformat) if user.quota_bytes else '∞' }}</td>
     <td>{{ user.comment or '-' }}</td>
-    <td>{{ user.created_at }}</td>
-    <td>{{ user.updated_at or '' }}</td>
+    <td>{{ user.created_at | format_date }}</td>
+    <td>{{ user.updated_at | format_date }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/password.html b/core/admin/mailu/ui/templates/user/password.html
index 0ccf8fe3..e7209f96 100644
--- a/core/admin/mailu/ui/templates/user/password.html
+++ b/core/admin/mailu/ui/templates/user/password.html
@@ -1,9 +1,9 @@
-{% extends "form.html" %}
+{%- extends "form.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Password update{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/reply.html b/core/admin/mailu/ui/templates/user/reply.html
index 74c604fa..44d09cb1 100644
--- a/core/admin/mailu/ui/templates/user/reply.html
+++ b/core/admin/mailu/ui/templates/user/reply.html
@@ -1,30 +1,23 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Automatic reply{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
-  {{ macros.form_field(form.reply_enabled,
-      onchange="if(this.checked){$('#reply_subject,#reply_body,#reply_enddate,#reply_startdate').removeAttr('readonly')}
-                else{$('#reply_subject,#reply_body,#reply_enddate,#reply_startdate').attr('readonly', '')}") }}
-  {{ macros.form_field(form.reply_subject,
-      **{("rw" if user.reply_enabled else "readonly"): ""}) }}
-    {{ macros.form_field(form.reply_body, rows=10,
-        **{("rw" if user.reply_enabled else "readonly"): ""}) }}
-  {{ macros.form_field(form.reply_enddate,
-        **{("rw" if user.reply_enabled else "readonly"): ""}) }}
-  {{ macros.form_field(form.reply_startdate,
-        **{("rw" if user.reply_enabled else "readonly"): ""}) }}
-
+  {%- call macros.fieldset(
+      field=form.reply_enabled,
+      enabled=user.reply_enabled,
+      fields=[form.reply_subject, form.reply_body, form.reply_enddate, form.reply_startdate]) %}
+  {%- endcall %}
   {{ macros.form_field(form.submit) }}
 </form>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/settings.html b/core/admin/mailu/ui/templates/user/settings.html
index 9aa672ca..c1eb47f3 100644
--- a/core/admin/mailu/ui/templates/user/settings.html
+++ b/core/admin/mailu/ui/templates/user/settings.html
@@ -1,38 +1,36 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}User settings{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
+{%- block content %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
-  
-  {% call macros.card(title=_("Displayed name")) %}
+
+  {%- call macros.card(title=_("Displayed name")) %}
   {{ macros.form_field(form.displayed_name) }}
-  {% endcall %}
+  {%- endcall %}
 
-  {% call macros.card(title=_("Antispam")) %}
-  {{ macros.form_field(form.spam_enabled) }}
+  {%- call macros.card(title=_("Antispam")) %}
+  {%- call macros.fieldset(field=form.spam_enabled, enabled=user.spam_enabled) %}
   {{ macros.form_field(form.spam_threshold, step=1, max=100,
-      prepend='<span class="input-group-text"><span id="threshold">'+form.spam_threshold.data.__str__()+'</span>&nbsp;/&nbsp;100</span>',
-      oninput='$("#threshold").text(this.value);') }}
-  {% endcall %}
+     prepend='<span class="input-group-text"><span id="spam_threshold_value"></span>&nbsp;/&nbsp;100</span>') }}
+  {%- endcall %}
+  {%- endcall %}
 
-  {% call macros.card(title=_("Auto-forward")) %}
-  {{ macros.form_field(form.forward_enabled,
-      onchange="if(this.checked){$('#forward_destination,#forward_keep').removeAttr('disabled')}
-                else{$('#forward_destination,#forward_keep').attr('disabled', '')}") }}
-  {{ macros.form_field(form.forward_keep,
-      **{("enabled" if user.forward_enabled else "disabled"): ""}) }}
-  {{ macros.form_field(form.forward_destination,
-      **{("enabled" if user.forward_enabled else "disabled"): ""}) }}
-  {% endcall %}
+  {%- call macros.card(title=_("Auto-forward")) %}
+  {%- call macros.fieldset(
+      field=form.forward_enabled,
+      enabled=user.forward_enabled,
+      fields=[form.forward_keep, form.forward_destination]) %}
+  {%- endcall %}
+  {%- endcall %}
 
   {{ macros.form_field(form.submit) }}
 </form>
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/signup.html b/core/admin/mailu/ui/templates/user/signup.html
index 1157cfa3..51f89686 100644
--- a/core/admin/mailu/ui/templates/user/signup.html
+++ b/core/admin/mailu/ui/templates/user/signup.html
@@ -1,23 +1,23 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Sign up{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
+{%- block content %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
-  {% call macros.card() %}
+  {%- call macros.card() %}
   {{ macros.form_field(form.localpart, append='<span class="input-group-text">@'+domain.name+'</span>') }}
   {{ macros.form_fields((form.pw, form.pw2)) }}
-  {% if form.captcha %}
+  {%- if form.captcha %}
     {{ macros.form_field(form.captcha) }}
-  {% endif %}
+  {%- endif %}
   {{ macros.form_field(form.submit) }}
-  {% endcall %}
+  {%- endcall %}
 </form>
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/signup_domain.html b/core/admin/mailu/ui/templates/user/signup_domain.html
index 1cb65ae8..a7db4c97 100644
--- a/core/admin/mailu/ui/templates/user/signup_domain.html
+++ b/core/admin/mailu/ui/templates/user/signup_domain.html
@@ -1,26 +1,26 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Sign up{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {% trans %}pick a domain for the new account{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <tr>
   <th>{% trans %}Domain{% endtrans %}</th>
   <th>{% trans %}Available slots{% endtrans %}</th>
   <th>{% trans %}Quota{% endtrans %}</th>
 </tr>
-{% for domain_name, domain in available_domains.items() %}
+{%- for domain_name, domain in available_domains.items() %}
 <tr>
   <td><a href="{{ url_for('.user_signup', domain_name=domain_name) }}">{{ domain_name }}</a></td>
   <td>{{ '∞' if domain.max_users == -1 else domain.max_users - (domain.users | count)}}</td>
   <td>{{ domain.max_quota_bytes or config['DEFAULT_QUOTA'] | filesizeformat }}</td>
 </tr>
-{% endfor %}
-{% endcall %}
-{% endblock %}
+{%- endfor %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/working.html b/core/admin/mailu/ui/templates/working.html
index 29243e20..65c26530 100644
--- a/core/admin/mailu/ui/templates/working.html
+++ b/core/admin/mailu/ui/templates/working.html
@@ -1,5 +1,5 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block content %}
+{%- block content %}
 <div class="alert alert-warning" role="alert">{% trans %}We are still working on this feature!{% endtrans %}</div>
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/views/base.py b/core/admin/mailu/ui/views/base.py
index eb5490bc..01e168a1 100644
--- a/core/admin/mailu/ui/views/base.py
+++ b/core/admin/mailu/ui/views/base.py
@@ -1,4 +1,4 @@
-from mailu import models
+from mailu import models, utils
 from mailu.ui import ui, forms, access
 
 from flask import current_app as app
@@ -11,31 +11,6 @@ import flask_login
 def index():
     return flask.redirect(flask.url_for('.user_settings'))
 
-
-@ui.route('/login', methods=['GET', 'POST'])
-def login():
-    form = forms.LoginForm()
-    if form.validate_on_submit():
-        user = models.User.login(form.email.data, form.pw.data)
-        if user:
-            flask.session.regenerate()
-            flask_login.login_user(user)
-            endpoint = flask.request.args.get('next', '.index')
-            return flask.redirect(flask.url_for(endpoint)
-                or flask.url_for('.index'))
-        else:
-            flask.flash('Wrong e-mail or password', 'error')
-    return flask.render_template('login.html', form=form)
-
-
-@ui.route('/logout', methods=['GET'])
-@access.authenticated
-def logout():
-    flask_login.logout_user()
-    flask.session.destroy()
-    return flask.redirect(flask.url_for('.index'))
-
-
 @ui.route('/announcement', methods=['GET', 'POST'])
 @access.global_admin
 def announcement():
@@ -57,3 +32,7 @@ def webmail():
 @ui.route('/client', methods=['GET'])
 def client():
     return flask.render_template('client.html')
+
+@ui.route('/webui_antispam', methods=['GET'])
+def antispam():
+    return flask.render_template('antispam.html')
diff --git a/core/admin/mailu/ui/views/domains.py b/core/admin/mailu/ui/views/domains.py
index f394ce7d..a48bb154 100644
--- a/core/admin/mailu/ui/views/domains.py
+++ b/core/admin/mailu/ui/views/domains.py
@@ -5,7 +5,6 @@ from flask import current_app as app
 import flask
 import flask_login
 import wtforms_components
-import dns.resolver
 
 
 @ui.route('/domain', methods=['GET'])
diff --git a/core/admin/mailu/ui/views/languages.py b/core/admin/mailu/ui/views/languages.py
index 9fb87d5c..121431b4 100644
--- a/core/admin/mailu/ui/views/languages.py
+++ b/core/admin/mailu/ui/views/languages.py
@@ -2,8 +2,8 @@ from mailu.ui import ui, forms, access
 
 import flask
 
-
-@ui.route('/language/<language>', methods=['GET'])
+@ui.route('/language/<language>', methods=['POST'])
 def set_language(language=None):
     flask.session['language'] = language
-    return flask.redirect(flask.url_for('.user_settings'))
+    return flask.Response(status=200)
+
diff --git a/core/admin/mailu/ui/views/users.py b/core/admin/mailu/ui/views/users.py
index 2784fe53..8790977b 100644
--- a/core/admin/mailu/ui/views/users.py
+++ b/core/admin/mailu/ui/views/users.py
@@ -129,23 +129,6 @@ def user_password(user_email):
     return flask.render_template('user/password.html', form=form, user=user)
 
 
-@ui.route('/user/forward', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/user/forward/<path:user_email>', methods=['GET', 'POST'])
-@access.owner(models.User, 'user_email')
-def user_forward(user_email):
-    user_email_or_current = user_email or flask_login.current_user.email
-    user = models.User.query.get(user_email_or_current) or flask.abort(404)
-    form = forms.UserForwardForm(obj=user)
-    if form.validate_on_submit():
-        form.populate_obj(user)
-        models.db.session.commit()
-        flask.flash('Forward destination updated for %s' % user)
-        if user_email:
-            return flask.redirect(
-                flask.url_for('.user_list', domain_name=user.domain.name))
-    return flask.render_template('user/forward.html', form=form, user=user)
-
-
 @ui.route('/user/reply', methods=['GET', 'POST'], defaults={'user_email': None})
 @ui.route('/user/reply/<path:user_email>', methods=['GET', 'POST'])
 @access.owner(models.User, 'user_email')
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index b1279d9e..024c487f 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -6,55 +6,96 @@ try:
 except ImportError:
     import pickle
 
+import dns.resolver
+import dns.exception
+import dns.flags
+import dns.rdtypes
+import dns.rdatatype
+import dns.rdataclass
+
 import hmac
 import secrets
 import time
 
 from multiprocessing import Value
-
 from mailu import limiter
+from flask import current_app as app
 
 import flask
 import flask_login
 import flask_migrate
 import flask_babel
+import ipaddress
 import redis
 
 from flask.sessions import SessionMixin, SessionInterface
 from itsdangerous.encoding import want_bytes
 from werkzeug.datastructures import CallbackDict
-from werkzeug.contrib import fixers
-
+from werkzeug.middleware.proxy_fix import ProxyFix
 
 # Login configuration
 login = flask_login.LoginManager()
-login.login_view = "ui.login"
+login.login_view = "sso.login"
 
 @login.unauthorized_handler
 def handle_needs_login():
     """ redirect unauthorized requests to login page """
     return flask.redirect(
-        flask.url_for('ui.login', next=flask.request.endpoint)
+        flask.url_for('sso.login')
     )
 
+# DNS stub configured to do DNSSEC enabled queries
+resolver = dns.resolver.Resolver()
+resolver.use_edns(0, 0, 1232)
+resolver.flags = dns.flags.AD | dns.flags.RD
+
+def has_dane_record(domain, timeout=10):
+    try:
+        result = resolver.query(f'_25._tcp.{domain}', dns.rdatatype.TLSA,dns.rdataclass.IN, lifetime=timeout)
+        if result.response.flags & dns.flags.AD:
+            for record in result:
+                if isinstance(record, dns.rdtypes.ANY.TLSA.TLSA):
+                    record.validate()
+                    if record.usage in [2,3] and record.selector in [0,1] and record.mtype in [0,1,2]:
+                        return True
+    except dns.resolver.NoNameservers:
+        # If the DNSSEC data is invalid and the DNS resolver is DNSSEC enabled
+        # we will receive this non-specific exception. The safe behaviour is to
+        # accept to defer the email.
+        app.logger.warn(f'Unable to lookup the TLSA record for {domain}. Is the DNSSEC zone okay on https://dnsviz.net/d/{domain}/dnssec/?')
+        return app.config['DEFER_ON_TLS_ERROR']
+    except dns.exception.Timeout:
+        app.logger.warn(f'Timeout while resolving the TLSA record for {domain} ({timeout}s).')
+    except dns.resolver.NXDOMAIN:
+        pass # this is expected, not TLSA record is fine
+    except Exception as e:
+        app.logger.error(f'Error while looking up the TLSA record for {domain} {e}')
+        pass
+
 # Rate limiter
 limiter = limiter.LimitWraperFactory()
 
+def extract_network_from_ip(ip):
+    n = ipaddress.ip_network(ip)
+    if n.version == 4:
+        return str(n.supernet(prefixlen_diff=(32-int(app.config["AUTH_RATELIMIT_IP_V4_MASK"]))).network_address)
+    else:
+        return str(n.supernet(prefixlen_diff=(128-int(app.config["AUTH_RATELIMIT_IP_V6_MASK"]))).network_address)
+
+def is_exempt_from_ratelimits(ip):
+    ip = ipaddress.ip_address(ip)
+    return any(ip in cidr for cidr in app.config['AUTH_RATELIMIT_EXEMPTION'])
+
 # Application translation
 babel = flask_babel.Babel()
 
 @babel.localeselector
 def get_locale():
     """ selects locale for translation """
-    translations = list(map(str, babel.list_translations()))
-    flask.session['available_languages'] = translations
-
-    try:
-        language = flask.session['language']
-    except KeyError:
-        language = flask.request.accept_languages.best_match(translations)
+    language = flask.session.get('language')
+    if not language in app.config.translations:
+        language = flask.request.accept_languages.best_match(app.config.translations.keys())
         flask.session['language'] = language
-
     return language
 
 
@@ -65,13 +106,10 @@ class PrefixMiddleware(object):
         self.app = None
 
     def __call__(self, environ, start_response):
-        prefix = environ.get('HTTP_X_FORWARDED_PREFIX', '')
-        if prefix:
-            environ['SCRIPT_NAME'] = prefix
         return self.app(environ, start_response)
 
     def init_app(self, app):
-        self.app = fixers.ProxyFix(app.wsgi_app, x_for=1, x_proto=1)
+        self.app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1)
         app.wsgi_app = self
 
 proxy = PrefixMiddleware()
@@ -230,7 +268,7 @@ class MailuSession(CallbackDict, SessionMixin):
 
         # set uid from dict data
         if self._uid is None:
-            self._uid = self.app.session_config.gen_uid(self.get('user_id', ''))
+            self._uid = self.app.session_config.gen_uid(self.get('_user_id', ''))
 
         # create new session id for new or regenerated sessions and force setting the cookie
         if self._sid is None:
@@ -450,7 +488,7 @@ class MailuSessionExtension:
                 with cleaned.get_lock():
                     if not cleaned.value:
                         cleaned.value = True
-                        flask.current_app.logger.error('cleaning')
+                        app.logger.info('cleaning session store')
                         MailuSessionExtension.cleanup_sessions(app)
 
             app.before_first_request(cleaner)
diff --git a/core/admin/migrations/env.py b/core/admin/migrations/env.py
index cdfd2248..65a4e471 100755
--- a/core/admin/migrations/env.py
+++ b/core/admin/migrations/env.py
@@ -1,10 +1,12 @@
-from __future__ import with_statement
+import logging
+import tenacity
+
 from alembic import context
 from sqlalchemy import engine_from_config, pool
 from logging.config import fileConfig
-import logging
-import tenacity
-from tenacity import retry
+
+from flask import current_app
+from mailu import models
 
 # this is the Alembic Config object, which provides
 # access to the values within the .ini file in use.
@@ -17,34 +19,26 @@ logger = logging.getLogger('alembic.env')
 
 # add your model's MetaData object here
 # for 'autogenerate' support
-# from myapp import mymodel
-# target_metadata = mymodel.Base.metadata
-from flask import current_app
-config.set_main_option('sqlalchemy.url',
-                       current_app.config.get('SQLALCHEMY_DATABASE_URI'))
-#target_metadata = current_app.extensions['migrate'].db.metadata
-from mailu import models
+config.set_main_option(
+    'sqlalchemy.url',
+    current_app.config.get('SQLALCHEMY_DATABASE_URI')
+)
 target_metadata = models.Base.metadata
 
-# other values from the config, defined by the needs of env.py,
-# can be acquired:
-# my_important_option = config.get_main_option("my_important_option")
-# ... etc.
-
 
 def run_migrations_offline():
     """Run migrations in 'offline' mode.
 
     This configures the context with just a URL
     and not an Engine, though an Engine is acceptable
-    here as well.  By skipping the Engine creation
+    here as well. By skipping the Engine creation
     we don't even need a DBAPI to be available.
 
     Calls to context.execute() here emit the given string to the
     script output.
 
     """
-    url = config.get_main_option("sqlalchemy.url")
+    url = config.get_main_option('sqlalchemy.url')
     context.configure(url=url)
 
     with context.begin_transaction():
@@ -69,28 +63,35 @@ def run_migrations_online():
                 directives[:] = []
                 logger.info('No changes in schema detected.')
 
-    engine = engine_from_config(config.get_section(config.config_ini_section),
-                                prefix='sqlalchemy.',
-                                poolclass=pool.NullPool)
+    engine = engine_from_config(
+        config.get_section(config.config_ini_section),
+        prefix    = 'sqlalchemy.',
+        poolclass = pool.NullPool
+    )
 
-    connection = tenacity.Retrying(
-        stop=tenacity.stop_after_attempt(100),
-        wait=tenacity.wait_random(min=2, max=5),
-        before=tenacity.before_log(logging.getLogger("tenacity.retry"), logging.DEBUG),
-        before_sleep=tenacity.before_sleep_log(logging.getLogger("tenacity.retry"), logging.INFO),
-        after=tenacity.after_log(logging.getLogger("tenacity.retry"), logging.DEBUG)
-        ).call(engine.connect)
+    @tenacity.retry(
+        stop   = tenacity.stop_after_attempt(100),
+        wait   = tenacity.wait_random(min=2, max=5),
+        before = tenacity.before_log(logging.getLogger('tenacity.retry'), logging.DEBUG),
+        before_sleep = tenacity.before_sleep_log(logging.getLogger('tenacity.retry'), logging.INFO),
+        after  = tenacity.after_log(logging.getLogger('tenacity.retry'), logging.DEBUG)
+    )
+    def try_connect(db):
+        return db.connect()
 
-    context.configure(connection=connection,
-                      target_metadata=target_metadata,
-                      process_revision_directives=process_revision_directives,
-                      **current_app.extensions['migrate'].configure_args)
+    with try_connect(engine) as connection:
+
+        context.configure(
+            connection      = connection,
+            target_metadata = target_metadata,
+            process_revision_directives = process_revision_directives,
+            **current_app.extensions['migrate'].configure_args
+        )
 
-    try:
         with context.begin_transaction():
             context.run_migrations()
-    finally:
-        connection.close()
+
+    connection.close()
 
 if context.is_offline_mode():
     run_migrations_offline()
diff --git a/core/admin/package.json b/core/admin/package.json
index d45dcb94..741482ab 100644
--- a/core/admin/package.json
+++ b/core/admin/package.json
@@ -12,20 +12,19 @@
   "author": "",
   "license": "ISC",
   "dependencies": {
-    "@babel/core": "^7.15.0",
-    "@babel/preset-env": "^7.15.0",
     "admin-lte": "^3.1.0",
     "babel-loader": "^8.2.2",
+    "clipboard": "^2.0.8",
+    "compression-webpack-plugin": "^8.0.1",
     "css-loader": "^6.2.0",
-    "expose-loader": "^3.0.0",
-    "jquery": "^3.6.0",
-    "less": "^4.1.1",
+    "css-minimizer-webpack-plugin": "^3.0.2",
+    "datatables.net-plugins": "^1.10.24",
+    "import-glob": "^1.5.0",
     "less-loader": "^10.0.1",
     "mini-css-extract-plugin": "^2.2.0",
-    "node-sass": "^6.0.1",
+    "sass": "<1.33.0",
     "sass-loader": "^12.1.0",
-    "select2": "^4.0.13",
-    "webpack": "^5.50.0",
-    "webpack-cli": "^4.7.2"
+    "terser-webpack-plugin": "^5.2.0",
+    "webpack-cli": "^4.8.0"
   }
 }
diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index 88ff2981..d6c7aca3 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -1,56 +1,75 @@
-alembic==1.0.10
-asn1crypto==0.24.0
-Babel==2.6.0
-bcrypt==3.1.6
+alembic==1.7.4
+appdirs==1.4.4
+Babel==2.9.1
+bcrypt==3.2.0
 blinker==1.4
-cffi==1.12.3
-Click==7.0
-cryptography==3.4.7
-decorator==4.4.0
-dnspython==1.16.0
-dominate==2.3.5
-Flask==1.0.2
-Flask-Babel==0.12.2
+CacheControl==0.12.9
+certifi==2021.10.8
+cffi==1.15.0
+chardet==4.0.0
+click==8.0.3
+colorama==0.4.4
+contextlib2==21.6.0
+cryptography==35.0.0
+decorator==5.1.0
+# distlib==0.3.1
+# distro==1.5.0
+dnspython==2.1.0
+dominate==2.6.0
+email-validator==1.1.3
+Flask==2.0.2
+Flask-Babel==2.0.0
 Flask-Bootstrap==3.3.7.1
-Flask-DebugToolbar==0.10.1
-Flask-Limiter==1.0.1
-Flask-Login==0.4.1
+Flask-DebugToolbar==0.11.0
+Flask-Limiter==1.4
+Flask-Login==0.5.0
 flask-marshmallow==0.14.0
-Flask-Migrate==2.4.0
+Flask-Migrate==3.1.0
 Flask-Script==2.0.6
-Flask-SQLAlchemy==2.4.0
-Flask-WTF==0.14.2
-gunicorn==19.9.0
-idna==2.8
-infinity==1.4
-intervals==0.8.1
-itsdangerous==1.1.0
-Jinja2==2.11.3
-limits==1.3
-Mako==1.0.9
-MarkupSafe==1.1.1
-mysqlclient==1.4.2.post1
-marshmallow==3.10.0
-marshmallow-sqlalchemy==0.24.1
+Flask-SQLAlchemy==2.5.1
+Flask-WTF==0.15.1
+greenlet==1.1.2
+gunicorn==20.1.0
+html5lib==1.1
+idna==3.3
+infinity==1.5
+intervals==0.9.2
+itsdangerous==2.0.1
+Jinja2==3.0.2
+limits==1.5.1
+lockfile==0.12.2
+Mako==1.1.5
+MarkupSafe==2.0.1
+marshmallow==3.14.0
+marshmallow-sqlalchemy==0.26.1
+msgpack==1.0.2
+mysqlclient==2.0.3
+ordered-set==4.0.2
+# packaging==20.9
 passlib==1.7.4
-psycopg2==2.8.2
-pycparser==2.19
-Pygments==2.8.1
-pyOpenSSL==20.0.1
-python-dateutil==2.8.0
-python-editor==1.0.4
-pytz==2019.1
-PyYAML==5.4.1
-redis==3.2.1
-#alpine3:12 provides six==1.15.0
-#six==1.12.0
-socrate==0.1.1
-SQLAlchemy==1.3.3
+# pep517==0.10.0
+progress==1.6
+psycopg2==2.9.1
+pycparser==2.20
+Pygments==2.10.0
+pyOpenSSL==21.0.0
+pyparsing==3.0.4
+pytz==2021.3
+PyYAML==6.0
+redis==3.5.3
+requests==2.26.0
+retrying==1.3.3
+# six==1.15.0
+socrate==0.2.0
+SQLAlchemy==1.4.26
 srslib==0.1.4
-tabulate==0.8.3
-tenacity==5.0.4
-validators==0.12.6
+tabulate==0.8.9
+tenacity==8.0.1
+toml==0.10.2
+urllib3==1.26.7
+validators==0.18.2
 visitor==0.1.3
-Werkzeug==0.15.5
-WTForms==2.2.1
-WTForms-Components==0.10.4
+webencodings==0.5.1
+Werkzeug==2.0.2
+WTForms==2.3.3
+WTForms-Components==0.10.5
diff --git a/core/admin/requirements.txt b/core/admin/requirements.txt
index e1de3b01..65130a8c 100644
--- a/core/admin/requirements.txt
+++ b/core/admin/requirements.txt
@@ -18,10 +18,8 @@ PyYAML
 PyOpenSSL
 Pygments
 dnspython
-bcrypt
 tenacity
 mysqlclient
-psycopg2
 idna
 srslib
 marshmallow
diff --git a/core/admin/webpack.config.js b/core/admin/webpack.config.js
index 3e823fa9..25c966c1 100644
--- a/core/admin/webpack.config.js
+++ b/core/admin/webpack.config.js
@@ -1,65 +1,76 @@
-var path = require("path");
-var webpack = require("webpack");
-var css = require("mini-css-extract-plugin");
+const path = require('path');
+const webpack = require('webpack');
+const css = require('mini-css-extract-plugin');
+const mini = require('css-minimizer-webpack-plugin');
+const terse = require('terser-webpack-plugin');
+const compress = require('compression-webpack-plugin');
 
 module.exports = {
-    mode: "development",
+    mode: 'production',
     entry: {
-        app: "./assets/app.js",
-        vendor: "./assets/vendor.js"
+        app: {
+            import: './assets/app.js',
+            dependOn: 'vendor',
+        },
+        vendor: './assets/vendor.js',
     },
     output: {
-        path: path.resolve(__dirname, "static/"),
-        filename: "[name].js"
+        path: path.resolve(__dirname, 'static/'),
+        filename: '[name].js',
+        assetModuleFilename: '[name][ext]',
     },
     module: {
         rules: [
             {
                 test: /\.js$/,
-                use: ['babel-loader']
+                use: ['babel-loader', 'import-glob'],
             },
             {
-                test: /\.scss$/,
-                use: [css.loader, 'css-loader', 'sass-loader']
+                test: /\.s?css$/i,
+                use: [css.loader, 'css-loader', 'sass-loader'],
             },
             {
-                test: /\.less$/,
-                use: [css.loader, 'css-loader', 'less-loader']
+                test: /\.less$/i,
+                use: [css.loader, 'css-loader', 'less-loader'],
             },
             {
-                test: /\.css$/,
-                use: [css.loader, 'css-loader']
+                test: /\.(json|png|svg|jpg|jpeg|gif)$/i,
+                type: 'asset/resource',
             },
-            {
-                // Exposes jQuery for use outside Webpack build
-                test: require.resolve('jquery'),
-                use: [{
-                    loader: 'expose-loader',
-                    options: {
-                      exposes: [
-                        {
-                          globalName: '$',
-                          override: true,
-                        },
-                        {
-                          globalName: 'jQuery',
-                          override: true,
-                        },
-                      ] 
-                    },               
-                }]
-            }
-        ]
+        ],
     },
     plugins: [
-	      new css({
-	          filename: "[name].css",
-	          chunkFilename: "[id].css"
-	      }),
+        new css({
+            filename: '[name].css',
+            chunkFilename: '[id].css',
+        }),
         new webpack.ProvidePlugin({
-            $: "jquery",
-            jQuery: "jquery"
-        })
-    ]
-}
-
+            $: 'jquery',
+            jQuery: 'jquery',
+            ClipboardJS: 'clipboard',
+        }),
+        new compress({
+            filename: '[path][base].gz',
+            algorithm: "gzip",
+            exclude: /\.(png|gif|jpe?g)$/,
+            threshold: 5120,
+            minRatio: 0.8,
+            deleteOriginalAssets: false,
+        }),
+    ],
+    optimization: {
+        minimize: true,
+        minimizer: [
+            new terse(),
+            new mini({
+                minimizerOptions: {
+                    preset: [
+                        'default', {
+                            discardComments: { removeAll: true },
+                        },
+                    ],
+                },
+            }),
+        ],
+    },
+};
diff --git a/core/dovecot/Dockerfile b/core/dovecot/Dockerfile
index 22145bde..7a2dbdc1 100644
--- a/core/dovecot/Dockerfile
+++ b/core/dovecot/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO as builder
 WORKDIR /tmp
 RUN apk add git build-base automake autoconf libtool dovecot-dev xapian-core-dev icu-dev
@@ -11,9 +11,12 @@ RUN git clone https://github.com/grosjo/fts-xapian.git \
   && make install
 
 FROM $DISTRO
+
+ENV TZ Etc/UTC
+
 # python3 shared with most images
 RUN apk add --no-cache \
-    python3 py3-pip git bash py3-multidict py3-yarl \
+    python3 py3-pip git bash py3-multidict py3-yarl tzdata \
   && pip3 install --upgrade pip
 
 # Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube
diff --git a/core/dovecot/README.md b/core/dovecot/README.md
index c8ae5982..e54b257e 100644
--- a/core/dovecot/README.md
+++ b/core/dovecot/README.md
@@ -4,7 +4,7 @@ Mailu Dovecot container
 Dovecot is an open source IMAP and POP3 email server for Linux/UNIX-like
 systems, written with security primarily in mind. It's fast, simple to set
 up, requires no special administration and it uses very little memory.
- 
+
 In the Mailu stack it is used as the IMAP/POP frontend service.
 
 Resources
diff --git a/core/dovecot/start.py b/core/dovecot/start.py
index 1845eb93..03bdfa80 100755
--- a/core/dovecot/start.py
+++ b/core/dovecot/start.py
@@ -6,7 +6,7 @@ import multiprocessing
 import logging as log
 import sys
 
-from podop   import run_server
+from podop import run_server
 from socrate import system, conf
 
 log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING"))
diff --git a/core/nginx/Dockerfile b/core/nginx/Dockerfile
index 1906ed31..d8899144 100644
--- a/core/nginx/Dockerfile
+++ b/core/nginx/Dockerfile
@@ -1,5 +1,8 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
+
+ENV TZ Etc/UTC
+
 # python3 shared with most images
 RUN apk add --no-cache \
     python3 py3-pip git bash py3-multidict \
@@ -9,13 +12,15 @@ RUN apk add --no-cache \
 RUN pip3 install socrate==0.2.0
 
 # Image specific layers under this line
-RUN apk add --no-cache certbot nginx nginx-mod-mail openssl curl \
+RUN apk add --no-cache certbot nginx nginx-mod-mail openssl curl tzdata \
  && pip3 install watchdog
 
 COPY conf /conf
 COPY static /static
 COPY *.py /
 
+RUN gzip -k9 /static/*.ico /static/*.txt; chmod a+rX -R /static
+
 EXPOSE 80/tcp 443/tcp 110/tcp 143/tcp 465/tcp 587/tcp 993/tcp 995/tcp 25/tcp 10025/tcp 10143/tcp
 VOLUME ["/certs"]
 VOLUME ["/overrides"]
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 9ce12980..71cbf9ee 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -1,24 +1,23 @@
-#  Basic configuration
+# Basic configuration
 user nginx;
 worker_processes auto;
-error_log /dev/stderr info;
+error_log /dev/stderr notice;
 pid /var/run/nginx.pid;
 load_module "modules/ngx_mail_module.so";
 
 events {
-    worker_connections  1024;
+    worker_connections 1024;
 }
 
 http {
     # Standard HTTP configuration with slight hardening
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
-    access_log /dev/stdout;
     sendfile on;
-    keepalive_timeout  65;
+    keepalive_timeout 65;
     server_tokens off;
     absolute_redirect off;
-    resolver {{ RESOLVER }} valid=30s;
+    resolver {{ RESOLVER }} ipv6=off valid=30s;
 
     {% if REAL_IP_HEADER %}
     real_ip_header {{ REAL_IP_HEADER }};
@@ -33,15 +32,33 @@ http {
       default $http_x_forwarded_proto;
       ''      $scheme;
     }
+    map $uri $expires {
+      default off;
+      ~*\.(ico|css|js|gif|jpeg|jpg|png|woff2?|ttf|otf|svg|tiff|eot|webp)$ 97d;
+    }
+
+    map $request_uri $loggable {
+      /health 0;
+      /auth/email 0;
+      default 1;
+    }
+    access_log /dev/stdout combined if=$loggable;
+
+    # compression
+    gzip on;
+    gzip_static on;
+    gzip_types text/plain text/css application/xml application/javascript
+    gzip_min_length 1024;
+    # TODO: figure out how to server pre-compressed assets from admin container
 
     {% if KUBERNETES_INGRESS != 'true' and TLS_FLAVOR in [ 'letsencrypt', 'cert' ] %}
     # Enable the proxy for certbot if the flavor is letsencrypt and not on kubernetes
-    # 
+    #
     server {
       # Listen over HTTP
       listen 80;
       listen [::]:80;
-      {% if TLS_FLAVOR == 'letsencrypt' %}      
+      {% if TLS_FLAVOR == 'letsencrypt' %}
       location ^~ /.well-known/acme-challenge/ {
           proxy_pass http://127.0.0.1:8008;
       }
@@ -50,6 +67,7 @@ http {
       location / {
         return 301 https://$host$request_uri;
       }
+
     }
     {% endif %}
 
@@ -68,7 +86,7 @@ http {
       {% endif %}
 
       # Listen on HTTP only in kubernetes or behind reverse proxy
-      {% if KUBERNETES_INGRESS == 'true' or TLS_FLAVOR in [ 'mail-letsencrypt', 'notls',  'mail' ] %}
+      {% if KUBERNETES_INGRESS == 'true' or TLS_FLAVOR in [ 'mail-letsencrypt', 'notls', 'mail' ] %}
       listen 80;
       listen [::]:80;
       {% endif %}
@@ -94,14 +112,14 @@ http {
       # Remove headers to prevent duplication and information disclosure
       proxy_hide_header X-XSS-Protection;
       proxy_hide_header X-Powered-By;
-      
+
       add_header X-Frame-Options 'SAMEORIGIN';
       add_header X-Content-Type-Options 'nosniff';
       add_header X-Permitted-Cross-Domain-Policies 'none';
       add_header X-XSS-Protection '1; mode=block';
       add_header Referrer-Policy 'same-origin';
 
-      {% if TLS_FLAVOR == 'mail-letsencrypt' %}      
+      {% if TLS_FLAVOR == 'mail-letsencrypt' %}
       location ^~ /.well-known/acme-challenge/ {
           proxy_pass http://127.0.0.1:8008;
       }
@@ -113,12 +131,19 @@ http {
         return 403;
       }
       {% else %}
-
       include /overrides/*.conf;
 
       # Actual logic
+      {% if ADMIN == 'true' or WEBMAIL != 'none' %}
+      location ~ ^/(sso|static) {
+        include /etc/nginx/proxy.conf;
+        proxy_pass http://$admin;
+      }
+      {% endif %}
+
       {% if WEB_WEBMAIL != '/' and WEBROOT_REDIRECT != 'none' %}
       location / {
+        expires $expires;
       {% if WEBROOT_REDIRECT %}
         try_files $uri {{ WEBROOT_REDIRECT }};
       {% else %}
@@ -135,10 +160,9 @@ http {
         {% endif %}
         include /etc/nginx/proxy.conf;
         client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};
-        proxy_pass http://$webmail;
-      {% if ADMIN == 'true' %}
         auth_request /internal/auth/user;
         error_page 403 @webmail_login;
+        proxy_pass http://$webmail;
       }
 
       location {{ WEB_WEBMAIL }}/sso.php {
@@ -153,27 +177,20 @@ http {
         auth_request_set $token $upstream_http_x_user_token;
         proxy_set_header X-Remote-User $user;
         proxy_set_header X-Remote-User-Token $token;
-        proxy_pass http://$webmail;
         error_page 403 @webmail_login;
+        proxy_pass http://$webmail;
       }
 
       location @webmail_login {
-        return 302 {{ WEB_ADMIN }}/ui/login?next=ui.webmail;
+        return 302 /sso/login;
       }
-      {% else %}
-      }
-      {% endif %}{% endif %}
+      {% endif %}
       {% if ADMIN == 'true' %}
-      location {{ WEB_ADMIN }} {
-        return 301 {{ WEB_ADMIN }}/ui;
-      }
-
-      location ~ {{ WEB_ADMIN }}/(ui|static) {
-        rewrite ^{{ WEB_ADMIN }}/(.*) /$1 break;
-        include /etc/nginx/proxy.conf;
-        proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }};
-        proxy_pass http://$admin;
-      }
+       location {{ WEB_ADMIN }} {
+         include /etc/nginx/proxy.conf;
+         proxy_pass http://$admin;
+         expires $expires;
+       }
 
       location {{ WEB_ADMIN }}/antispam {
         rewrite ^{{ WEB_ADMIN }}/antispam/(.*) /$1 break;
@@ -204,6 +221,7 @@ http {
       location /internal {
         internal;
 
+        proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header Authorization $http_authorization;
         proxy_pass_header Authorization;
         proxy_pass http://$admin;
@@ -233,7 +251,8 @@ mail {
     server_name {{ HOSTNAMES.split(",")[0] }};
     auth_http http://127.0.0.1:8000/auth/email;
     proxy_pass_error_message on;
-    resolver {{ RESOLVER }} valid=30s;
+    resolver {{ RESOLVER }} ipv6=off valid=30s;
+    error_log /dev/stderr info;
 
     {% if TLS and not TLS_ERROR %}
     include /etc/nginx/tls.conf;
diff --git a/core/nginx/static/android-chrome-192x192.png b/core/nginx/static/android-chrome-192x192.png
index 86231db9..75665d8c 100644
Binary files a/core/nginx/static/android-chrome-192x192.png and b/core/nginx/static/android-chrome-192x192.png differ
diff --git a/core/nginx/static/android-chrome-512x512.png b/core/nginx/static/android-chrome-512x512.png
index f029c9fd..32a69b21 100644
Binary files a/core/nginx/static/android-chrome-512x512.png and b/core/nginx/static/android-chrome-512x512.png differ
diff --git a/core/nginx/static/apple-touch-icon.png b/core/nginx/static/apple-touch-icon.png
index b4f92f33..d1b17a63 100644
Binary files a/core/nginx/static/apple-touch-icon.png and b/core/nginx/static/apple-touch-icon.png differ
diff --git a/core/nginx/static/favicon-16x16.png b/core/nginx/static/favicon-16x16.png
index ff35d4b0..6affc1f3 100644
Binary files a/core/nginx/static/favicon-16x16.png and b/core/nginx/static/favicon-16x16.png differ
diff --git a/core/nginx/static/favicon-32x32.png b/core/nginx/static/favicon-32x32.png
index 2b6b749b..3b936245 100644
Binary files a/core/nginx/static/favicon-32x32.png and b/core/nginx/static/favicon-32x32.png differ
diff --git a/core/nginx/static/mstile-150x150.png b/core/nginx/static/mstile-150x150.png
index 04c609f7..71c4702d 100644
Binary files a/core/nginx/static/mstile-150x150.png and b/core/nginx/static/mstile-150x150.png differ
diff --git a/core/nginx/static/robots.txt b/core/nginx/static/robots.txt
new file mode 100644
index 00000000..1f53798b
--- /dev/null
+++ b/core/nginx/static/robots.txt
@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /
diff --git a/core/none/Dockerfile b/core/none/Dockerfile
index 51b8d1c5..bae5e8a3 100644
--- a/core/none/Dockerfile
+++ b/core/none/Dockerfile
@@ -1,6 +1,6 @@
 # This is an idle image to dynamically replace any component if disabled.
 
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 
 CMD sleep 1000000d
diff --git a/core/postfix/Dockerfile b/core/postfix/Dockerfile
index 062155c1..9f0cc701 100644
--- a/core/postfix/Dockerfile
+++ b/core/postfix/Dockerfile
@@ -1,8 +1,11 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
+
+ENV TZ Etc/UTC
+
 # python3 shared with most images
 RUN apk add --no-cache \
-    python3 py3-pip git bash py3-multidict py3-yarl \
+    python3 py3-pip git bash py3-multidict py3-yarl tzdata \
   && pip3 install --upgrade pip
 
 # Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube
@@ -12,6 +15,10 @@ RUN pip3 install socrate==0.2.0
 RUN pip3 install "podop>0.2.5"
 
 # Image specific layers under this line
+RUN apk add --no-cache --virtual .build-deps gcc musl-dev python3-dev
+RUN pip3 install --no-binary :all: postfix-mta-sts-resolver==1.0.1
+RUN apk del .build-deps gcc musl-dev python3-dev
+
 RUN apk add --no-cache postfix postfix-pcre cyrus-sasl-login
 
 COPY conf /conf
diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 99c5179a..8ac646da 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -17,7 +17,7 @@ queue_directory = /queue
 message_size_limit = {{ MESSAGE_SIZE_LIMIT }}
 
 # Relayed networks
-mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {{ RELAYNETS }}
+mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }}  {% if RELAYNETS %}{{ RELAYNETS.split(",") | join(' ') }}{% endif %}
 
 # Empty alias list to override the configuration variable and disable NIS
 alias_maps =
@@ -58,13 +58,17 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET
 # 2. not all will have and up-to-date TLS stack.
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
-smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
-smtp_tls_policy_maps=lmdb:/etc/postfix/tls_policy.map
+smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
+smtp_tls_dane_insecure_mx_policy = {{ 'dane' if DEFER_ON_TLS_ERROR else 'may' }}
+smtp_tls_policy_maps=lmdb:/etc/postfix/tls_policy.map, ${podop}dane, socketmap:unix:/tmp/mta-sts.socket:postfix
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
 smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
 smtp_host_lookup = dns
 smtp_dns_support_level = dnssec
+delay_warning_time = 5m
+smtp_tls_loglevel = 1
+notify_classes = resource, software, delay
 
 ###############
 # Virtual
diff --git a/core/postfix/conf/mta-sts-daemon.yml b/core/postfix/conf/mta-sts-daemon.yml
new file mode 100644
index 00000000..1527b73f
--- /dev/null
+++ b/core/postfix/conf/mta-sts-daemon.yml
@@ -0,0 +1,10 @@
+path: "/tmp/mta-sts.socket"
+mode: 0600
+shutdown_timeout: 20
+cache:
+  type: internal
+  options:
+    cache_size: 10000
+default_zone:
+  strict_testing: {{ 'true' if DEFER_ON_TLS_ERROR else 'false' }}
+  timeout: 4
diff --git a/core/postfix/conf/outclean_header_filter.cf b/core/postfix/conf/outclean_header_filter.cf
index 7e0e92d3..9c880843 100644
--- a/core/postfix/conf/outclean_header_filter.cf
+++ b/core/postfix/conf/outclean_header_filter.cf
@@ -1,17 +1,8 @@
 # This configuration was copied from Mailinabox. The original version is available at:
 # https://raw.githubusercontent.com/mail-in-a-box/mailinabox/master/conf/postfix_outgoing_mail_header_filters
 
-# Remove the first line of the Received: header. Note that we cannot fully remove the Received: header
-# because OpenDKIM requires that a header be present when signing outbound mail. The first line is
-# where the user's home IP address would be.
-/^\s*Received:[^\n]*(.*)/         REPLACE Received: from authenticated-user ({{OUTCLEAN}} [{{OUTCLEAN_ADDRESS}}])$1
-
-# Remove other typically private information.
-/^\s*User-Agent:/        IGNORE
-/^\s*X-Enigmail:/        IGNORE
-/^\s*X-Mailer:/          IGNORE
-/^\s*X-Originating-IP:/  IGNORE
-/^\s*X-Pgp-Agent:/       IGNORE
+# Remove typically private information.
+/^\s*(Received|User-Agent|X-(Enigmail|Mailer|Originating-IP|Pgp-Agent)):/	IGNORE
 
 # The Mime-Version header can leak the user agent too, e.g. in Mime-Version: 1.0 (Mac OS X Mail 8.1 \(2010.6\)).
 /^\s*(Mime-Version:\s*[0-9\.]+)\s.+/  REPLACE $1
diff --git a/core/postfix/start.py b/core/postfix/start.py
index 799d42f5..06a097b8 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -7,7 +7,7 @@ import multiprocessing
 import logging as log
 import sys
 
-from podop   import run_server
+from podop import run_server
 from pwd import getpwnam
 from socrate import system, conf
 
@@ -19,9 +19,10 @@ def start_podop():
     url = "http://" + os.environ["ADMIN_ADDRESS"] + "/internal/postfix/"
     # TODO: Remove verbosity setting from Podop?
     run_server(0, "postfix", "/tmp/podop.socket", [
-		("transport", "url", url + "transport/§"),
-		("alias", "url", url + "alias/§"),
-		("domain", "url", url + "domain/§"),
+        ("transport", "url", url + "transport/§"),
+        ("alias", "url", url + "alias/§"),
+        ("dane", "url", url + "dane/§"),
+        ("domain", "url", url + "domain/§"),
         ("mailbox", "url", url + "mailbox/§"),
         ("recipientmap", "url", url + "recipient/map/§"),
         ("sendermap", "url", url + "sender/map/§"),
@@ -30,6 +31,12 @@ def start_podop():
         ("senderrate", "url", url + "sender/rate/§")
     ])
 
+def start_mta_sts_daemon():
+    os.chmod("/root/", 0o755) # read access to /root/.netrc required
+    os.setuid(getpwnam('postfix').pw_uid)
+    from postfix_mta_sts_resolver import daemon
+    daemon.main()
+
 def is_valid_postconf_line(line):
     return not line.startswith("#") \
             and not line == ''
@@ -39,15 +46,6 @@ os.environ["FRONT_ADDRESS"] = system.get_host_address_from_environment("FRONT",
 os.environ["ADMIN_ADDRESS"] = system.get_host_address_from_environment("ADMIN", "admin")
 os.environ["ANTISPAM_MILTER_ADDRESS"] = system.get_host_address_from_environment("ANTISPAM_MILTER", "antispam:11332")
 os.environ["LMTP_ADDRESS"] = system.get_host_address_from_environment("LMTP", "imap:2525")
-os.environ["OUTCLEAN"] = os.environ["HOSTNAMES"].split(",")[0]
-try:
-    _to_lookup = os.environ["OUTCLEAN"]
-    # Ensure we lookup a FQDN: @see #1884
-    if not _to_lookup.endswith('.'):
-        _to_lookup += '.'
-    os.environ["OUTCLEAN_ADDRESS"] = system.resolve_hostname(_to_lookup)
-except:
-    os.environ["OUTCLEAN_ADDRESS"] = "10.10.10.10"
 
 for postfix_file in glob.glob("/conf/*.cf"):
     conf.jinja(postfix_file, os.environ, os.path.join("/etc/postfix", os.path.basename(postfix_file)))
@@ -68,10 +66,13 @@ for map_file in glob.glob("/overrides/*.map"):
     os.system("postmap {}".format(destination))
     os.remove(destination)
 
-if not os.path.exists("/etc/postfix/tls_policy.map.db"):
-    with open("/etc/postfix/tls_policy.map", "w") as f:
-        for domain in ['gmail.com', 'yahoo.com', 'hotmail.com', 'aol.com', 'outlook.com', 'comcast.net', 'icloud.com', 'msn.com', 'hotmail.co.uk', 'live.com', 'yahoo.co.in', 'me.com', 'mail.ru', 'cox.net', 'yahoo.co.uk', 'verizon.net', 'ymail.com', 'hotmail.it', 'kw.com', 'yahoo.com.tw', 'mac.com', 'live.se', 'live.nl', 'yahoo.com.br', 'googlemail.com', 'libero.it', 'web.de', 'allstate.com', 'btinternet.com', 'online.no', 'yahoo.com.au', 'live.dk', 'earthlink.net', 'yahoo.fr', 'yahoo.it', 'gmx.de', 'hotmail.fr', 'shawinc.com', 'yahoo.de', 'moe.edu.sg', 'naver.com', 'bigpond.com', 'statefarm.com', 'remax.net', 'rocketmail.com', 'live.no', 'yahoo.ca', 'bigpond.net.au', 'hotmail.se', 'gmx.at', 'live.co.uk', 'mail.com', 'yahoo.in', 'yandex.ru', 'qq.com', 'charter.net', 'indeedemail.com', 'alice.it', 'hotmail.de', 'bluewin.ch', 'optonline.net', 'wp.pl', 'yahoo.es', 'hotmail.no', 'pindotmedia.com', 'orange.fr', 'live.it', 'yahoo.co.id', 'yahoo.no', 'hotmail.es', 'morganstanley.com', 'wellsfargo.com', 'wanadoo.fr', 'facebook.com', 'yahoo.se', 'fema.dhs.gov', 'rogers.com', 'yahoo.com.hk', 'live.com.au', 'nic.in', 'nab.com.au', 'ubs.com', 'shaw.ca', 'umich.edu', 'westpac.com.au', 'yahoo.com.mx', 'yahoo.com.sg', 'farmersagent.com', 'yahoo.dk', 'dhs.gov']:
-            f.write(f'{domain}\tsecure\n')
+if os.path.exists("/overrides/mta-sts-daemon.yml"):
+    shutil.copyfile("/overrides/mta-sts-daemon.yml", "/etc/mta-sts-daemon.yml")
+else:
+    conf.jinja("/conf/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
+
+if not os.path.exists("/etc/postfix/tls_policy.map.lmdb"):
+    open("/etc/postfix/tls_policy.map", "a").close()
     os.system("postmap /etc/postfix/tls_policy.map")
 
 if "RELAYUSER" in os.environ:
@@ -81,6 +82,7 @@ if "RELAYUSER" in os.environ:
 
 # Run Podop and Postfix
 multiprocessing.Process(target=start_podop).start()
+multiprocessing.Process(target=start_mta_sts_daemon).start()
 os.system("/usr/libexec/postfix/post-install meta_directory=/etc/postfix create-missing")
 # Before starting postfix, we need to check permissions on /queue
 # in the event that postfix,postdrop id have changed
diff --git a/core/rspamd/Dockerfile b/core/rspamd/Dockerfile
index 6706ef14..33174c1a 100644
--- a/core/rspamd/Dockerfile
+++ b/core/rspamd/Dockerfile
@@ -1,8 +1,11 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
+
+ENV TZ Etc/UTC
+
 # python3 shared with most images
 RUN apk add --no-cache \
-    python3 py3-pip git bash py3-multidict \
+    python3 py3-pip git bash py3-multidict tzdata \
   && pip3 install --upgrade pip
 
 # Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube
diff --git a/core/rspamd/conf/arc.conf b/core/rspamd/conf/arc.conf
index 205d4284..93414a96 100644
--- a/core/rspamd/conf/arc.conf
+++ b/core/rspamd/conf/arc.conf
@@ -1,4 +1,6 @@
-try_fallback = true;
-path = "/dkim/$domain.$selector.key";
-selector = "dkim"
+try_fallback = false;
 use_esld = false;
+allow_username_mismatch = true;
+use_vault = true;
+vault_url = "http://{{ ADMIN_ADDRESS }}/internal/rspamd/vault";
+vault_token = "mailu";
diff --git a/core/rspamd/conf/dkim_signing.conf b/core/rspamd/conf/dkim_signing.conf
index e00e8d67..93414a96 100644
--- a/core/rspamd/conf/dkim_signing.conf
+++ b/core/rspamd/conf/dkim_signing.conf
@@ -1,4 +1,6 @@
-try_fallback = true;
-path = "/dkim/$domain.$selector.key";
+try_fallback = false;
 use_esld = false;
 allow_username_mismatch = true;
+use_vault = true;
+vault_url = "http://{{ ADMIN_ADDRESS }}/internal/rspamd/vault";
+vault_token = "mailu";
diff --git a/core/rspamd/conf/options.inc b/core/rspamd/conf/options.inc
new file mode 100644
index 00000000..22bae565
--- /dev/null
+++ b/core/rspamd/conf/options.inc
@@ -0,0 +1,3 @@
+{% if RELAYNETS %}
+local_networks = [{{ RELAYNETS }}];
+{% endif %}
diff --git a/core/rspamd/conf/settings.conf b/core/rspamd/conf/settings.conf
new file mode 100644
index 00000000..01e9780f
--- /dev/null
+++ b/core/rspamd/conf/settings.conf
@@ -0,0 +1,4 @@
+apply {
+	# see https://github.com/Mailu/Mailu/issues/1705
+	RCVD_NO_TLS_LAST = 0;
+}
diff --git a/core/rspamd/start.py b/core/rspamd/start.py
index e2e72bcb..fcb33a97 100755
--- a/core/rspamd/start.py
+++ b/core/rspamd/start.py
@@ -11,6 +11,7 @@ log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING"))
 # Actual startup script
 
 os.environ["REDIS_ADDRESS"] = system.get_host_address_from_environment("REDIS", "redis")
+os.environ["ADMIN_ADDRESS"] = system.get_host_address_from_environment("ADMIN", "admin")
 
 if os.environ.get("ANTIVIRUS") == 'clamav':
     os.environ["ANTIVIRUS_ADDRESS"] = system.get_host_address_from_environment("ANTIVIRUS", "antivirus:3310")
diff --git a/design/mailu-directory-structure.md b/design/mailu-directory-structure.md
new file mode 100644
index 00000000..ad75eeaa
--- /dev/null
+++ b/design/mailu-directory-structure.md
@@ -0,0 +1,199 @@
+# RFC: Mailu directory structure
+The current layout of the Mailu directory structure can be improved to allow for easier replicated deployments, like Docker Swarm and Kubernetes. Please read https://usrpro.com/publications/mailu-persistent-storage/ for the background motivation of this RFC.
+
+## Scope
+This document only describes the re-arrangement of the `$ROOT` Mailu filesystem as-is. This means moving around of current files and directories. The linked article also proposes more advanced improvements. Those are not included in this RFC and need to be evaluated and implemented independently. However, the changes proposed in this document should make such improvements easier.
+
+Currently some services are wrongfully sharing mountpoints or have unused volumes declared. Those are also taken care of in this RFC.
+
+## Compatibility
+If these changes were to be accepted, it will break compatibility with previous Mailu version `<=1.7`. As such, we will propably increment to version `2.0`.
+
+## Root
+The root of the Mailu filesystem is located at `/mailu` by default. For simplicity we will assume this location throughout the document. Within `/mailu` we will aim to define 3 main sub-directories:
+
+### Config
+
+- Path: `/mailu/config/`
+
+Small config bearing files, sometimes shared between multiple services. The performance and storage needs for this filesystem are low. Availability is important for correct functioning of the mail server. No file locking issues are expected from concurrent access. A basic (and redundant) filesystem should suffice.
+
+#### Dovecot
+
+- Old path: `/mailu/overrides` (shared with postfix, nginx and rspamd)
+- New Path `/mailu/config/dovecot`
+
+Dovecot configuration overrides.
+
+#### Postfix
+
+- Old path: `/mailu/overrides` (shared with dovecot, nginx and rspamd)
+- New Path `/mailu/config/posfix`
+
+Postfix configuration overrides.
+
+#### Rspamd
+
+- Old path: `/mailu/overrides/rspamd`
+- New path: `/mailu/config/rspamd`
+
+RSpamD configuration overrides.
+
+#### Rainloop
+
+- Old path: `/mailu/webmail/_data_/_default_/storage` (part of `/mailu/webmail` mountpoint, shared with Roundcube)
+- New path: `/mailu/config/rainloop`
+
+User specific configs. The remaining files under the old `/mailu/webmail` don't need to be persistent. Except for `AddressBook.sqlite`, see `/mailu/data`.
+
+#### Roundcube
+
+- Old path: `/mailu/webmail/gpg` (part of `/mailu/webmail` mountpoint, shared with Rainloop)
+- New path: `/mailu/config/roundcube/gpg`
+
+User configured GPG keys.
+
+#### Redis
+
+- Old path: `/mailu/redis`
+- New path: `/mailu/config/redis`
+
+Holds `dump.rdb` for data restoration. Although technically a database, Redis works from memory. The dump file is only written to every minute and read from during start. Hence it fits better in the replicated config directory filesystem.
+
+#### Share
+
+- Path: `/mailu/config/share/`
+
+Shared configuration between different services
+
+##### DKIM
+
+- Old path: `/mailu/dkim/`
+- New path: `/mailu/config/share/dkim`
+
+DKIM private keys store. Read/write access by Admin. Read only access by rSpamD.
+
+##### Certs
+
+- Old path: `/mailu/certs`
+- New path: `/mailu/config/share/certs` (Proposal in anticipation of the RFC outcome at: https://github.com/Mailu/Mailu/issues/1222.)
+
+TLS certificates. Write access from `nginx` in case `TLS_FLAVOR=letsencrypt`. Or write access from `treafik-certdumper` or any other tool obtaining certificates.
+
+`letsencrypt` setting is not compatible with replicated setups. Multiple instances would disrupt the ACME challenge verification and cause race conditions on requesting certificates. In such cases certificates will need to be provided by other tools.
+
+If RFC issue #1222 is accepted, Dovecot will need read-only access to the certificates.
+
+### Data
+
+- Path: `/mailu/data/`
+
+Database files, like SQLite or PostgreSQL files. Databases don't perform well on network filesystems as they depend heavily on file locking and full controll on the database files. Making it unfit for concurrent access from multiple hosts. This directory should always live on a local filesystem. This makes it only usable in `docker-compose` deployments. Usage of this directory should be avoided in Kubernetes and Docker Swarm deployments. Some services will need to be improved to allow for this.
+
+#### admin data
+
+- Old path: `/mailu/data/`
+- New path: `/mailu/data/admin/` (mount point on `admin` directory)
+
+Holds `main.db` SQLite database file holding domains, users, aliases etcetera. Read/write access only by admin. Can be avoided by using a remote DB server like PostgreSQL, MySQL or MariaDB.
+
+Also holds `instance` for unique statistics transmission. Removing of this file is proposed in RFC [issue 129](https://github.com/Mailu/Mailu/issues/1219).
+
+This move is needed in order to be able to mount the directory without exposing data files from other services into admin.
+
+#### rspamd
+
+- Old path: `/mailu/filter` (shared with ClamAV)
+- New path: `/mailu/data/rspamd`
+
+Storage of Bayes and Fuzzy learning SQLite databases and caches. As future optimization we should look into moving all this into Redis.
+
+#### Rainloop
+
+- Old path: `/mailu/webmail/_data_/_default_/AddressBook.sqlite` (part of `/mailu/webmail` mountpoint, shared with Roundcube)
+- New path: `/mailu/data/rainloop/AddressBook.sqlite` (mount on `rainloop` directory)
+
+Addressbook SQLite file. For future replicated deployments this might better be configured to use an external DB.
+
+For this modification, the `AddressBook.sqlite` will need to be moved to a different directory inside the container.
+
+#### Roundcube
+
+- Old path: `/mailu/webmail/roundcube.db` (part of `/mailu/webmail` mountpoint, shared with Rainloop)
+- New path: `/mailu/data/roundcube/roundcube.db` (mount on `roundcube` directory)
+
+User settings SQLite database file for roundcube. For future replicated deployments this might better be configured to use an external DB.
+
+For this modification, the `rouncube.db` file will need to be moved to a different directory inside the container.
+
+### Mail
+
+- Path: `/mailu/mail` (unmodified)
+
+User mail, managed my Dovecot IMAP server. In replicated deployments, this filesystem needs to be shared over all IMAP server instances. It should be high performant and capable of propgating file locks. Storage size is proportional to the users and their quotas. Old versions of NFS are known to be buggy with file locking. Also Samaba or CIFS should be avoided.
+
+In the old situation, Maildir indexes are stored on the same volume. However, they need not to be persistent and should be located on a voletile filesystem instead. This allows better performance on network filesystems.
+
+### Local
+
+- Path: `/mailu/local` (new)
+
+Persistent storage not suitable for replication. In `docker-compose` deployments it lives inside `/mailu` and in replicated deployments it should live somewhere on the local host machine.
+
+#### Mailqueue
+
+- Old path: `/mailu/mailqueue`
+- New path: `/mailu/local/mailqueue`
+
+The SMTP mailqueue should be persistant, as per SMTP spec it is not allowed to loose mail. However, persistance should be local only for performance reasons and the possibility to replicate Postfix servers. In setups like Docker Swarm and Kubernetes, admins should take care that Postfix is always restarted on same hosts in order to empty any remaining queue after a crash.
+
+#### ClamAV
+
+- Old path: `/mailu/filters` (shared with rSpamD)
+- New path: `/mailu/local/clamav`
+
+Virus definitions do not need to be replicated, as they can be easily pulled in when ClamAV instances migrate to other nodes. Persistance does allow for some bandwith and time saving if ClamAV would be restarted on a previously used node (in case of updates or similar cases). Local only storage also prevents `freshclam` race conditions.
+
+## Conclusion
+
+The final layout of the Mailu filesystem will look like:
+
+````
+/mailu
+├── config
+│   ├── dovecot
+│   ├── postfix
+│   ├── rainloop
+│   ├── redis
+│   ├── roundcube
+│   │   └── gpg
+│   ├── rspamd
+│   └── share
+│       ├── certs
+│       └── dkim
+├── data
+│   ├── admin
+│   ├── rainloop
+│   ├── roundcube
+│   └── rspamd
+├── local
+│   ├── clamav
+│   └── mailqueue
+└── mail
+````
+
+Where in replicated environments:
+
+- `/mailu/config/`: should be a small, low performant and shared filesystem.
+- `/mailu/data`: should be avoided. More work will need to be done to configure external DB servers for relevant services. Ideally, this directory should only exist on docker-compose deployments.
+- `/mailu/local/`: Should exist only on local file systems of worker nodes.
+- `/mailu/mail`: A distributed filesystem with sufficient performance and storage requirements to hold and process all user mailboxes. Ideally only Maildir without indexes.
+
+### Implementing
+
+The works to implement this changes should happen outside the `master` branch. Inclusion into `master` can only be accepted if:
+
+1. `docker-compose.yml` from setup reflects this changes correctly.
+2. Kubernetes documentation is updated.
+3. Legacy `docker-compose.yml` is either updated or deleted.
+4. A clear data migration guide is written.
\ No newline at end of file
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 3d536fd4..8f363a63 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -39,14 +39,25 @@ address.
 
 The ``WILDCARD_SENDERS`` setting is a comma delimited list of user email addresses that are allowed to send emails from any existing address (spoofing the sender).
 
-The ``AUTH_RATELIMIT`` holds a security setting for fighting attackers that
-try to guess user passwords. The value is the limit of failed authentication attempts
-that a single IP address can perform against IMAP, POP and SMTP authentication endpoints.
+The ``AUTH_RATELIMIT_IP`` (default: 60/hour) holds a security setting for fighting
+attackers that waste server resources by trying to guess user passwords (typically
+using a password spraying attack). The value defines the limit of authentication
+attempts that will be processed on non-existing accounts for a specific IP subnet
+(as defined in ``AUTH_RATELIMIT_IP_V4_MASK`` and ``AUTH_RATELIMIT_IP_V6_MASK`` below).
 
-If ``AUTH_RATELIMIT_SUBNET`` is ``True`` (default: False), the ``AUTH_RATELIMIT``
-rules does also apply to auth requests coming from ``SUBNET``, especially for the webmail.
-If you disable this, ensure that the rate limit on the webmail is enforced in a different
-way (e.g. roundcube plug-in), otherwise an attacker can simply bypass the limit using webmail.
+The ``AUTH_RATELIMIT_USER`` (default: 100/day) holds a security setting for fighting
+attackers that attempt to guess a user's password (typically using a password
+bruteforce attack). The value defines the limit of authentication attempts allowed
+for any given account within a specific timeframe.
+
+The ``AUTH_RATELIMIT_EXEMPTION_LENGTH`` (default: 86400) is the number of seconds
+after a successful login for which a specific IP address is exempted from rate limits.
+This ensures that users behind a NAT don't get locked out when a single client is
+misconfigured... but also potentially allow for users to attack each-other.
+
+The ``AUTH_RATELIMIT_EXEMPTION`` (default: '') is a comma separated list of network
+CIDRs that won't be subject to any form of rate limiting. Specifying ``0.0.0.0/0, ::/0``
+there is a good way to disable rate limiting altogether.
 
 The ``TLS_FLAVOR`` sets how Mailu handles TLS connections. Setting this value to
 ``notls`` will cause Mailu not to server any web content! More on :ref:`tls_flavor`.
@@ -58,22 +69,28 @@ The ``MESSAGE_SIZE_LIMIT`` is the maximum size of a single email. It should not
 be too low to avoid dropping legitimate emails and should not be too high to
 avoid filling the disks with large junk emails.
 
-The ``MESSAGE_RATELIMIT`` is the limit of messages a single user can send. This is
-meant to fight outbound spam in case of compromised or malicious account on the
-server.
+The ``MESSAGE_RATELIMIT`` (default: 200/day) is the maximum number of messages
+a single user can send. ``MESSAGE_RATELIMIT_EXEMPTION`` contains a comma delimited
+list of user email addresses that are exempted from any restriction.  Those
+settings are meant to reduce outbound spam in case of compromised or malicious
+account on the server.
 
-The ``RELAYNETS`` are network addresses for which mail is relayed for free with
-no authentication required. This should be used with great care. If you want other
-Docker services' outbound mail to be relayed, you can set this to ``172.16.0.0/12``
-to include **all** Docker networks. The default is to leave this empty.
+The ``RELAYNETS`` (default: unset) is a comma delimited list of network addresses
+for which mail is relayed for with no authentication required. This should be
+used with great care as misconfigurations may turn your Mailu instance into an
+open-relay!
 
-The ``RELAYHOST`` is an optional address of a mail server relaying all outgoing
-mail in following format: ``[HOST]:PORT``.
-``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed.
+The ``RELAYHOST`` is an optional address to use as a smarthost for all outgoing
+mail in following format: ``[HOST]:PORT``. ``RELAYUSER`` and ``RELAYPASSWORD``
+can be used when authentication is required.
 
 By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
-by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is highly recommended
-if you are using a relayhost that supports TLS.
+by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is
+highly recommended if you are using a relayhost that supports TLS but discouraged
+otherwise. ``DEFER_ON_TLS_ERROR`` (default: True) controls whether incomplete
+policies (DANE without DNSSEC or "testing" MTA-STS policies) will be taken into
+account and whether emails will be defered if the additional checks enforced by
+those policies fail.
 
 Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed
 by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for
@@ -89,9 +106,10 @@ go and fetch new email if available. Do not use too short delays if you do not
 want to be blacklisted by external services, but not too long delays if you
 want to receive your email in time.
 
-The ``RECIPIENT_DELIMITER`` is a character used to delimit localpart from a
-custom address part. For instance, if set to ``+``, users can use addresses
-like ``localpart+custom@domain.tld`` to deliver mail to ``localpart@domain.tld``.
+The ``RECIPIENT_DELIMITER`` is a list of characters used to delimit localpart
+from a custom address part. For instance, if set to ``+-``, users can use
+addresses like ``localpart+custom@example.com`` or ``localpart-custom@example.com``
+to deliver mail to ``localpart@example.com``.
 This is useful to provide external parties with different email addresses and
 later classify incoming mail based on the custom part.
 
@@ -124,6 +142,13 @@ Both ``SITENAME`` and ``WEBSITE`` are customization options for the panel menu
 in the admin interface, while ``SITENAME`` is a customization option for
 every Web interface.
 
+- ``LOGO_BACKGROUND`` sets a custom background colour for the brand logo in the topleft of the main admin interface.
+  For a list of colour codes refer to this page of `w3schools`_.
+
+- ``LOGO_URL`` sets a URL for a custom logo. This logo replaces the Mailu logo in the topleft of the main admin interface.
+
+.. _`w3schools`: https://www.w3schools.com/cssref/css_colors.asp
+
 .. _admin_account:
 
 Admin account - automatic creation
@@ -169,7 +194,13 @@ The ``LETSENCRYPT_SHORTCHAIN`` (default: False) setting controls whether we send
 
 .. _`android handsets older than 7.1.1`: https://community.letsencrypt.org/t/production-chain-changes/150739
 
-The ``REAL_IP_HEADER`` (default: unset) and ``REAL_IP_FROM`` (default: unset) settings controls whether HTTP headers such as ``X-Forwarded-For`` or ``X-Real-IP`` should be trusted. The former should be the name of the HTTP header to extract the client IP address from and the later a comma separated list of IP addresses designing which proxies to trust. If you are using Mailu behind a reverse proxy, you should set both. Setting the former without the later introduces a security vulnerability allowing a potential attacker to spoof his source address.
+.. _reverse_proxy_headers:
+
+The ``REAL_IP_HEADER`` (default: unset) and ``REAL_IP_FROM`` (default: unset) settings controls whether HTTP headers such as ``X-Forwarded-For`` or ``X-Real-IP`` should be trusted. The former should be the name of the HTTP header to extract the client IP address from and the later a comma separated list of IP addresses designating which proxies to trust. If you are using Mailu behind a reverse proxy, you should set both. Setting the former without the later introduces a security vulnerability allowing a potential attacker to spoof his source address.
+
+The ``TZ`` sets the timezone Mailu will use. The timezone naming convention usually uses a ``Region/City`` format. See `TZ database name`_  for a list of valid timezones This defaults to ``Etc/UTC``. Warning: if you are observing different timestamps in your log files you should change your hosts timezone to UTC instead of changing TZ to your local timezone. Using UTC allows easy log correlation with remote MTAs.
+
+.. _`TZ database name`: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
 
 Antivirus settings
 ------------------
diff --git a/docs/faq.rst b/docs/faq.rst
index a2c6bd33..177e65d7 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -369,6 +369,83 @@ How do I use webdav (radicale)?
 .. _`575`: https://github.com/Mailu/Mailu/issues/575
 .. _`1591`: https://github.com/Mailu/Mailu/issues/1591
 
+How do I setup a MTA-STS policy?
+````````````````````````````````
+
+Mailu can serve an `MTA-STS policy`_; To configure it you will need to:
+
+1. add ``mta-sts.example.com`` to the ``HOSTNAMES`` configuration variable (and ensure that a valid SSL certificate is available for it; this may mean restarting your smtp container)
+
+2. configure an override with the policy itself; for example, your ``overrides/nginx/mta-sts.conf`` could read:
+
+.. code-block:: bash
+
+   location ^~ /.well-known/mta-sts.txt {
+   return 200 "version: STSv1
+   mode: enforce
+   max_age: 1296000
+   mx: mailu.example.com\r\n";
+   }
+
+3. setup the appropriate DNS/CNAME record (``mta-sts.example.com`` -> ``mailu.example.com``) and DNS/TXT record (``_mta-sts.example.com`` -> ``v=STSv1; id=1``) paying attention to the ``TTL`` as this is used by MTA-STS.
+
+*issue reference:* `1798`_.
+
+.. _`1798`: https://github.com/Mailu/Mailu/issues/1798
+.. _`MTA-STS policy`: https://datatracker.ietf.org/doc/html/rfc8461
+
+How do I setup client autoconfiguration?
+````````````````````````````````````````
+
+Mailu can serve an `XML file for autoconfiguration`_; To configure it you will need to:
+
+1. add ``autoconfig.example.com`` to the ``HOSTNAMES`` configuration variable (and ensure that a valid SSL certificate is available for it; this may mean restarting your smtp container)
+
+2. configure an override with the policy itself; for example, your ``overrides/nginx/autoconfiguration.conf`` could read:
+
+.. code-block:: bash
+
+   location ^~ /mail/config-v1.1.xml {
+   return 200 "<?xml version=\"1.0\"?>
+   <clientConfig version=\"1.1\">
+   <emailProvider id=\"%EMAILDOMAIN%\">
+   <domain>%EMAILDOMAIN%</domain>
+
+   <displayName>Email</displayName>
+   <displayShortName>Email</displayShortName>
+
+   <incomingServer type=\"imap\">
+   <hostname>mailu.example.com</hostname>
+   <port>993</port>
+   <socketType>SSL</socketType>
+   <username>%EMAILADDRESS%</username>
+   <authentication>password-cleartext</authentication>
+   </incomingServer>
+
+   <outgoingServer type=\"smtp\">
+   <hostname>mailu.example.com</hostname>
+   <port>465</port>
+   <socketType>SSL</socketType>
+   <username>%EMAILADDRESS%</username>
+   <authentication>password-cleartext</authentication>
+   <addThisServer>true</addThisServer>
+   <useGlobalPreferredServer>true</useGlobalPreferredServer>
+   </outgoingServer>
+
+   <documentation url=\"https://mailu.example.com/admin/ui/client\">
+   <descr lang=\"en\">Configure your email client</descr>
+   </documentation>
+   </emailProvider>
+   </clientConfig>\r\n";
+   }
+
+3. setup the appropriate DNS/CNAME record (``autoconfig.example.com`` -> ``mailu.example.com``).
+
+*issue reference:* `224`_.
+
+.. _`224`: https://github.com/Mailu/Mailu/issues/224
+.. _`XML file for autoconfiguration`: https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat
+
 Technical issues
 ----------------
 
@@ -397,6 +474,22 @@ Any mail related connection is proxied by nginx. Therefore the SMTP Banner is al
 
 .. _`1368`: https://github.com/Mailu/Mailu/issues/1368
 
+My emails are getting defered, what can I do?
+`````````````````````````````````````````````
+
+Emails are asynchronous and it's not abnormal for them to be defered sometimes. That being said, Mailu enforces secure connections where possible using DANE and MTA-STS, both of which have the potential to delay indefinitely delivery if something is misconfigured.
+
+If delivery to a specific domain fails because their DANE records are invalid or their TLS configuration inadequate (expired certificate, ...), you can assist delivery by downgrading the security level for that domain by creating an override at ``overrides/postfix/tls_policy.map`` as follow:
+
+.. code-block:: bash
+
+   domain.example.com   may
+   domain.example.org   encrypt
+
+The syntax and options are as described in `postfix's documentation`_. Re-creating the smtp container will be required for changes to take effect.
+
+.. _`postfix's documentation`: http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
+
 403 - Access Denied Errors
 ---------------------------
 
diff --git a/docs/reverse.rst b/docs/reverse.rst
index 14a9154e..6cde55f2 100644
--- a/docs/reverse.rst
+++ b/docs/reverse.rst
@@ -11,7 +11,10 @@ There are basically three options, from the most to the least recommended one:
 - `use Traefik in another container as central system-reverse-proxy`_
 - `override Mailu Web frontend configuration`_
 
-All options will require that you modify the ``docker-compose.yml`` file.
+All options will require that you modify the ``docker-compose.yml`` and ``mailu.env`` file.
+
+Mailu must also be configured with the information what header is used by the reverse proxy for passing the remote client IP. 
+This is configured in the mailu.env file. See the :ref:`configuration reference <reverse_proxy_headers>` for more information.
 
 Have Mailu Web frontend listen locally
 --------------------------------------
@@ -43,24 +46,30 @@ Then on your own frontend, point to these local ports. In practice, you only nee
     # [...] here goes your standard configuration
 
     location / {
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr
       proxy_pass https://localhost:8443;
     }
   }
 
-Because the admin interface is served as ``/admin`` and the Webmail as ``/webmail`` you may also want to use a single virtual host and serve other applications (still Nginx):
+.. code-block:: docker
+
+  #mailu.env file
+  REAL_IP_HEADER=X-Real-IP
+  REAL_IP_FROM=x.x.x.x,y.y.y.y.y
+  #x.x.x.x,y.y.y.y.y is the static IP address your reverse proxy uses for connecting to Mailu. 
+  
+Because the admin interface is served as ``/admin``, the Webmail as ``/webmail``, the single sign on page as ``/sso``, webdav as ``/webdav`` and the static files endpoint as ``/static``, you may also want to use a single virtual host and serve other applications (still Nginx):
 
 .. code-block:: nginx
 
   server {
     # [...] here goes your standard configuration
 
-    location /webmail {
-      proxy_pass https://localhost:8443/webmail;
-    }
-
-    location /admin {
-      proxy_pass https://localhost:8443/admin;
-      proxy_set_header Host $http_host;
+    location ~ ^/(admin|sso|static|webdav|webmail)/ {
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr
+      proxy_pass https://localhost:8443;     
     }
 
     location /main_app {
@@ -80,6 +89,13 @@ Because the admin interface is served as ``/admin`` and the Webmail as ``/webmai
     }
   }
 
+.. code-block:: docker
+  
+  #mailu.env file
+  REAL_IP_HEADER=X-Real-IP
+  REAL_IP_FROM=x.x.x.x,y.y.y.y.y
+  #x.x.x.x,y.y.y.y.y is the static IP address your reverse proxy uses for connecting to Mailu. 
+
 Finally, you might want to serve the admin interface on a separate virtual host but not expose the admin container directly (have your own HTTPS virtual hosts on top of Mailu, one public for the Webmail and one internal for administration for instance).
 
 Here is an example configuration :
@@ -92,6 +108,8 @@ Here is an example configuration :
     # [...] here goes your standard configuration
 
     location /webmail {
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr
       proxy_pass https://localhost:8443/webmail;
     }
   }
@@ -102,12 +120,21 @@ Here is an example configuration :
     # [...] here goes your standard configuration
 
     location /admin {
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr
       proxy_pass https://localhost:8443/admin;
       proxy_set_header Host $http_host;
     }
 
   }
 
+.. code-block:: docker
+
+  #mailu.env file
+  REAL_IP_HEADER=X-Real-IP
+  REAL_IP_FROM=x.x.x.x,y.y.y.y.y
+  #x.x.x.x,y.y.y.y.y is the static IP address your reverse proxy uses for connecting to Mailu. 
+
 Depending on how you access the front server, you might want to add a ``proxy_redirect`` directive to your ``location`` blocks:
 
 .. code-block:: nginx
@@ -155,7 +182,16 @@ If your Traefik is configured to automatically request certificates from *letsen
 and this is the ``DOMAIN`` in your ``.env``?
 To support that use-case, Traefik can request ``SANs`` for your domain. The configuration for this will depend on your Traefik version.
 
-----
+Mailu must also be configured with the information what header is used by the reverse proxy for passing the remote client IP.  This is configured in mailu.env:
+
+.. code-block:: docker
+  
+  #mailu.env file
+  REAL_IP_HEADER=X-Real-IP
+  REAL_IP_FROM=x.x.x.x,y.y.y.y.y
+  #x.x.x.x,y.y.y.y.y is the static IP address your reverse proxy uses for connecting to Mailu. 
+
+For more information see the :ref:`configuration reference <reverse_proxy_headers>` for more information.
 
 Traefik 2.x using labels configuration
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -183,53 +219,6 @@ Of course, be sure to define the Certificate Resolver ``foo`` in the static conf
 
 Alternatively, you can define SANs in the Traefik static configuration using routers, or in the static configuration using entrypoints. Refer to the Traefik documentation for more details.
 
-Traefik 1.x with TOML configuration
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Lets add something like
-
-.. code-block:: yaml
-
-  [acme]
-    [[acme.domains]]
-      main = "your.example.com" # this is the same as $TRAEFIK_DOMAIN!
-      sans = ["mail.your.example.com", "webmail.your.example.com", "smtp.your.example.com"]
-
-to your ``traefik.toml``.
-
-----
-
-You might need to clear your ``acme.json``, if a certificate for one of these domains already exists.
-
-You will need some solution which dumps the certificates in ``acme.json``, so you can include them in the ``mailu/front`` container.
-One such example is ``mailu/traefik-certdumper``, which has been adapted for use in Mailu. You can add it to your ``docker-compose.yml`` like:
-
-.. code-block:: yaml
-
-  certdumper:
-    restart: always
-    image: mailu/traefik-certdumper:$VERSION
-    environment:
-    # Make sure this is the same as the main=-domain in traefik.toml
-    # !!! Also don’t forget to add "TRAEFIK_DOMAIN=[...]" to your .env!
-      - DOMAIN=$TRAEFIK_DOMAIN
-    volumes:
-      # Folder, which contains the acme.json
-      - "/data/traefik:/traefik"
-      # Folder, where cert.pem and key.pem will be written
-      - "/data/mailu/certs:/output"
-
-
-Assuming you have ``volume-mounted`` your ``acme.json`` put to ``/data/traefik`` on your host. The dumper will then write out ``/data/mailu/certs/cert.pem`` and ``/data/mailu/certs/key.pem`` whenever ``acme.json`` is updated.
-Yay! Now let’s mount this to our ``front`` container like:
-
-.. code-block:: yaml
-
-    volumes:
-      - /data/mailu/certs:/certs
-
-This works, because we set ``TLS_FLAVOR=mail``, which picks up the key-certificate pair (e.g., ``cert.pem`` and ``key.pem``) from the certs folder in the root path (``/certs/``).
-
 .. _`Traefik`: https://traefik.io/
 
 Override Mailu configuration
diff --git a/docs/swarm/master/README.md b/docs/swarm/master/README.md
index 42e742da..0e933308 100644
--- a/docs/swarm/master/README.md
+++ b/docs/swarm/master/README.md
@@ -100,6 +100,9 @@ https://github.com/moby/moby/issues/25526#issuecomment-336363408
 ### Don't create an open relay !
 As a side effect of this ingress mode "feature", make sure that the ingress subnet is not in your RELAYHOST, otherwise you would create an smtp open relay :-(
 
+### Ratelimits
+
+When using ingress mode you probably want to disable rate limits, because all requests originate from the same ip address. Otherwise automatic login attempts can easily DoS the legitimate users.
 
 ## Scalability
 - smtp and imap are scalable
diff --git a/optional/clamav/Dockerfile b/optional/clamav/Dockerfile
index 20cebcdc..e17d2d70 100644
--- a/optional/clamav/Dockerfile
+++ b/optional/clamav/Dockerfile
@@ -1,8 +1,11 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
+
+ENV TZ Etc/UTC
+
 # python3 shared with most images
 RUN apk add --no-cache \
-    python3 py3-pip bash \
+    python3 py3-pip bash tzdata \
   && pip3 install --upgrade pip
 # Image specific layers under this line
 RUN apk add --no-cache clamav rsyslog wget clamav-libunrar
diff --git a/optional/clamav/conf/freshclam.conf b/optional/clamav/conf/freshclam.conf
index 88d12bef..828163a0 100644
--- a/optional/clamav/conf/freshclam.conf
+++ b/optional/clamav/conf/freshclam.conf
@@ -3,9 +3,9 @@
 ###############
 
 DatabaseDirectory /data
-LogSyslog yes
+UpdateLogFile /dev/stdout
 LogTime yes
-PidFile /run/clamav/freshclam.pid
+PidFile /run/freshclam.pid
 DatabaseOwner root
 
 ###############
@@ -15,5 +15,4 @@ DatabaseOwner root
 DatabaseMirror database.clamav.net
 ScriptedUpdates yes
 NotifyClamd /etc/clamav/clamd.conf
-SafeBrowsing yes
 Bytecode yes
diff --git a/optional/fetchmail/Dockerfile b/optional/fetchmail/Dockerfile
index 506e409a..068a5dce 100644
--- a/optional/fetchmail/Dockerfile
+++ b/optional/fetchmail/Dockerfile
@@ -1,17 +1,19 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 
+ENV TZ Etc/UTC
+
 # python3 shared with most images
 RUN apk add --no-cache \
-    python3 py3-pip bash \
+    python3 py3-pip bash tzdata \
   && pip3 install --upgrade pip
 
 # Image specific layers under this line
 RUN apk add --no-cache fetchmail ca-certificates openssl \
  && pip3 install requests
 
+RUN mkdir -p /data
+
 COPY fetchmail.py /fetchmail.py
 
-USER fetchmail
-
-CMD ["/fetchmail.py"]
+CMD ["/fetchmail.py"]
\ No newline at end of file
diff --git a/optional/fetchmail/fetchmail.py b/optional/fetchmail/fetchmail.py
index 4be3c2bd..5459de59 100755
--- a/optional/fetchmail/fetchmail.py
+++ b/optional/fetchmail/fetchmail.py
@@ -13,6 +13,7 @@ import traceback
 
 FETCHMAIL = """
 fetchmail -N \
+    --idfile /data/fetchids --uidl \
     --sslcertck --sslcertpath /etc/ssl/certs \
     -f {}
 """
diff --git a/optional/postgresql/Dockerfile b/optional/postgresql/Dockerfile
index 0f5034da..3ddbb40a 100644
--- a/optional/postgresql/Dockerfile
+++ b/optional/postgresql/Dockerfile
@@ -1,8 +1,11 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
+
+ENV TZ Etc/UTC
+
 # python3 shared with most images
 RUN apk add --no-cache \
-    python3 py3-pip bash py3-multidict \
+    python3 py3-pip bash py3-multidict tzdata \
   && pip3 install --upgrade pip
 
 # Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube
diff --git a/optional/radicale/Dockerfile b/optional/radicale/Dockerfile
index 13761164..4eb8d5a7 100644
--- a/optional/radicale/Dockerfile
+++ b/optional/radicale/Dockerfile
@@ -1,9 +1,11 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 
+ENV TZ Etc/UTC
+
 # python3 shared with most images
 RUN apk add --no-cache \
-    python3 py3-pip bash \
+    python3 py3-pip bash tzdata \
   && pip3 install --upgrade pip
 
 # Image specific layers under this line
diff --git a/optional/traefik-certdumper/Dockerfile b/optional/traefik-certdumper/Dockerfile
index a7127ce1..506c09c2 100644
--- a/optional/traefik-certdumper/Dockerfile
+++ b/optional/traefik-certdumper/Dockerfile
@@ -1,6 +1,8 @@
 FROM ldez/traefik-certs-dumper
 
-RUN apk --no-cache add inotify-tools util-linux bash
+ENV TZ Etc/UTC
+
+RUN apk --no-cache add inotify-tools util-linux bash tzdata
 
 COPY run.sh /
 
diff --git a/optional/unbound/Dockerfile b/optional/unbound/Dockerfile
index abb45420..bf5d4840 100644
--- a/optional/unbound/Dockerfile
+++ b/optional/unbound/Dockerfile
@@ -1,8 +1,11 @@
-ARG DISTRO=alpine:3.12
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
+
+ENV TZ Etc/UTC
+
 # python3 shared with most images
 RUN apk add --no-cache \
-    python3 py3-pip git bash py3-multidict \
+    python3 py3-pip git bash py3-multidict tzdata \
   && pip3 install --upgrade pip
 
 # Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube
diff --git a/optional/unbound/unbound.conf b/optional/unbound/unbound.conf
index 6c8fc64d..df0c76ff 100644
--- a/optional/unbound/unbound.conf
+++ b/optional/unbound/unbound.conf
@@ -1,19 +1,20 @@
 server:
   verbosity: 1
   interface: 0.0.0.0
-  interface: ::0
+  {{ 'interface: ::0' if SUBNET6 }}
   logfile: ""
   do-ip4: yes
-  do-ip6: yes
+  do-ip6: {{ 'yes' if SUBNET6 else 'no' }}
   do-udp: yes
   do-tcp: yes
   do-daemonize: no
   access-control: {{ SUBNET }} allow
+  {{ 'access-control: {{ SUBNET6 }} allow' if SUBNET6 }}
   directory: "/etc/unbound"
   username: unbound
   auto-trust-anchor-file: trusted-key.key
   root-hints: "/etc/unbound/root.hints"
   hide-identity: yes
   hide-version: yes
-  max-udp-size: 4096
-  msg-buffer-size: 65552
+  cache-min-ttl: 300
+
diff --git a/setup/Dockerfile b/setup/Dockerfile
index 5775ab6b..e0f685ee 100644
--- a/setup/Dockerfile
+++ b/setup/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 
 RUN mkdir -p /app
diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml
index 08bba13b..18a881b8 100644
--- a/setup/flavors/compose/docker-compose.yml
+++ b/setup/flavors/compose/docker-compose.yml
@@ -90,7 +90,6 @@ services:
     env_file: {{ env }}
     volumes:
       - "{{ root }}/filter:/var/lib/rspamd"
-      - "{{ root }}/dkim:/dkim:ro"
       - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d:ro"
     depends_on:
       - front
@@ -130,6 +129,8 @@ services:
     image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}fetchmail:${MAILU_VERSION:-{{ version }}}
     restart: always
     env_file: {{ env }}
+    volumes:
+      - "{{ root }}/data/fetchmail:/data"
     {% if resolver_enabled %}
     depends_on:
       - resolver
diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env
index 52f4ee04..a8709ab3 100644
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@@ -29,9 +29,14 @@ POSTMASTER={{ postmaster }}
 # Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
 TLS_FLAVOR={{ tls_flavor }}
 
-# Authentication rate limit (per source IP address)
-{% if auth_ratelimit_pm > '0' %}
-AUTH_RATELIMIT={{ auth_ratelimit_pm }}/minute
+# Authentication rate limit per IP (per /24 on ipv4 and /56 on ipv6)
+{% if auth_ratelimit_ip > '0' %}
+AUTH_RATELIMIT_IP={{ auth_ratelimit_ip }}/hour
+{% endif %}
+
+# Authentication rate limit per user (regardless of the source-IP)
+{% if auth_ratelimit_user > '0' %}
+AUTH_RATELIMIT_USER={{ auth_ratelimit_user }}/day
 {% endif %}
 
 # Opt-out of statistics, replace with "True" to opt out
@@ -150,9 +155,8 @@ DOMAIN_REGISTRATION=true
 # Docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME={{ compose_project_name or 'mailu' }}
 
-# Default password scheme used for newly created accounts and changed passwords
-# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
-PASSWORD_SCHEME={{ password_scheme or 'PBKDF2' }}
+# Number of rounds used by the password hashing scheme
+CREDENTIAL_ROUNDS=12
 
 # Header to take the real ip from
 REAL_IP_HEADER={{ real_ip_header }}
@@ -166,6 +170,9 @@ REJECT_UNLISTED_RECIPIENT={{ reject_unlisted_recipient }}
 # Log level threshold in start.py (value: CRITICAL, ERROR, WARNING, INFO, DEBUG, NOTSET)
 LOG_LEVEL=WARNING
 
+# Timezone for the Mailu containers. See this link for all possible values https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+TZ=Etc/UTC
+
 ###################################
 # Database settings
 ###################################
diff --git a/setup/flavors/stack/docker-compose.yml b/setup/flavors/stack/docker-compose.yml
index df1fe7b4..0c744d7e 100644
--- a/setup/flavors/stack/docker-compose.yml
+++ b/setup/flavors/stack/docker-compose.yml
@@ -74,7 +74,6 @@ services:
     env_file: {{ env }}
     volumes:
       - "{{ root }}/filter:/var/lib/rspamd"
-      - "{{ root }}/dkim:/dkim:ro"
       - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d:ro"
     deploy:
       replicas: 1
@@ -111,7 +110,7 @@ services:
     image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}fetchmail:${MAILU_VERSION:-{{ version }}}
     env_file: {{ env }}
     volumes:
-      - "{{ root }}/data:/data"
+      - "{{ root }}/data/fetchmail:/data"
     deploy:
       replicas: 1
     healthcheck:
diff --git a/setup/templates/steps/config.html b/setup/templates/steps/config.html
index f532f757..74a45800 100644
--- a/setup/templates/steps/config.html
+++ b/setup/templates/steps/config.html
@@ -48,10 +48,18 @@ Or in plain english: if receivers start to classify your mail as spam, this post
 </div>
 
 <div class="form-group">
-  <label>Authentication rate limit (per source IP address)</label>
+  <label>Authentication rate limit per IP for failed login attempts or non-existing accounts</label>
   <!--   Validates number input only -->
-  <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_pm"
-  		value="10000" required > / minute
+  <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_ip"
+  		value="60" required > / hour
+  </p>
+</div>
+
+<div class="form-group">
+  <label>Authentication rate limit per user</label>
+  <!--   Validates number input only -->
+  <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_user"
+  		value="100" required > / day
   </p>
 </div>
 
diff --git a/tests/compose/core/mailu.env b/tests/compose/core/mailu.env
index a78515b8..254c3c7d 100644
--- a/tests/compose/core/mailu.env
+++ b/tests/compose/core/mailu.env
@@ -128,10 +128,6 @@ WEBSITE=https://mailu.io
 # Docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME=mailu
 
-# Default password scheme used for newly created accounts and changed passwords
-# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
-PASSWORD_SCHEME=PBKDF2
-
 # Header to take the real ip from
 REAL_IP_HEADER=
 
diff --git a/tests/compose/fetchmail/mailu.env b/tests/compose/fetchmail/mailu.env
index afb57751..a015eaa8 100644
--- a/tests/compose/fetchmail/mailu.env
+++ b/tests/compose/fetchmail/mailu.env
@@ -128,10 +128,6 @@ WEBSITE=https://mailu.io
 # Docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME=mailu
 
-# Default password scheme used for newly created accounts and changed passwords
-# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
-PASSWORD_SCHEME=PBKDF2
-
 # Header to take the real ip from
 REAL_IP_HEADER=
 
diff --git a/tests/compose/filters/mailu.env b/tests/compose/filters/mailu.env
index 4c8c219d..1b4fb93d 100644
--- a/tests/compose/filters/mailu.env
+++ b/tests/compose/filters/mailu.env
@@ -128,10 +128,6 @@ WEBSITE=https://mailu.io
 # Docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME=mailu
 
-# Default password scheme used for newly created accounts and changed passwords
-# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
-PASSWORD_SCHEME=PBKDF2
-
 # Header to take the real ip from
 REAL_IP_HEADER=
 
diff --git a/tests/compose/rainloop/mailu.env b/tests/compose/rainloop/mailu.env
index 1f5fce0c..944dd376 100644
--- a/tests/compose/rainloop/mailu.env
+++ b/tests/compose/rainloop/mailu.env
@@ -128,10 +128,6 @@ WEBSITE=https://mailu.io
 # Docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME=mailu
 
-# Default password scheme used for newly created accounts and changed passwords
-# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
-PASSWORD_SCHEME=PBKDF2
-
 # Header to take the real ip from
 REAL_IP_HEADER=
 
diff --git a/tests/compose/roundcube/mailu.env b/tests/compose/roundcube/mailu.env
index ba153ac2..9db7fcbe 100644
--- a/tests/compose/roundcube/mailu.env
+++ b/tests/compose/roundcube/mailu.env
@@ -128,10 +128,6 @@ WEBSITE=https://mailu.io
 # Docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME=mailu
 
-# Default password scheme used for newly created accounts and changed passwords
-# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
-PASSWORD_SCHEME=PBKDF2
-
 # Header to take the real ip from
 REAL_IP_HEADER=
 
diff --git a/tests/compose/webdav/mailu.env b/tests/compose/webdav/mailu.env
index 939f453b..f1de013d 100644
--- a/tests/compose/webdav/mailu.env
+++ b/tests/compose/webdav/mailu.env
@@ -128,10 +128,6 @@ WEBSITE=https://mailu.io
 # Docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME=mailu
 
-# Default password scheme used for newly created accounts and changed passwords
-# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
-PASSWORD_SCHEME=PBKDF2
-
 # Header to take the real ip from
 REAL_IP_HEADER=
 
diff --git a/towncrier/newsfragments/1154.enhancement b/towncrier/newsfragments/1154.enhancement
new file mode 100644
index 00000000..d19b3d09
--- /dev/null
+++ b/towncrier/newsfragments/1154.enhancement
@@ -0,0 +1 @@
+Add support for timezones
\ No newline at end of file
diff --git a/towncrier/newsfragments/116.feature b/towncrier/newsfragments/116.feature
new file mode 100644
index 00000000..4f73e7a8
--- /dev/null
+++ b/towncrier/newsfragments/116.feature
@@ -0,0 +1 @@
+ Make the rate limit apply to a subnet rather than a specific IP (/24 for v4 and /56 for v6)
diff --git a/towncrier/newsfragments/1194.bugfix b/towncrier/newsfragments/1194.bugfix
new file mode 100644
index 00000000..866c6c3b
--- /dev/null
+++ b/towncrier/newsfragments/1194.bugfix
@@ -0,0 +1 @@
+Fix rate-limiting on /webdav/
diff --git a/towncrier/newsfragments/1223.bugfix b/towncrier/newsfragments/1223.bugfix
new file mode 100644
index 00000000..3c23d1a4
--- /dev/null
+++ b/towncrier/newsfragments/1223.bugfix
@@ -0,0 +1,4 @@
+Fixed fetchmail losing track of fetched emails upon container recreation. 
+The relevant fetchmail files are now retained in the /data folder (in the fetchmail image).
+See the docker-compose.yml file for the relevant volume mapping.
+If you already had your own mapping, you must double check the volume mapping and take action.
diff --git a/towncrier/newsfragments/1612.feature b/towncrier/newsfragments/1612.feature
new file mode 100644
index 00000000..04d8d508
--- /dev/null
+++ b/towncrier/newsfragments/1612.feature
@@ -0,0 +1 @@
+Refactor the rate limiter to ensure that it performs as intented.
diff --git a/towncrier/newsfragments/1705.enhancement b/towncrier/newsfragments/1705.enhancement
new file mode 100644
index 00000000..9a6cb11a
--- /dev/null
+++ b/towncrier/newsfragments/1705.enhancement
@@ -0,0 +1 @@
+Ensure that RCVD_NO_TLS_LAST doesn't add to the spam score (as TLS usage can't be determined)
diff --git a/towncrier/newsfragments/1798.feature b/towncrier/newsfragments/1798.feature
new file mode 100644
index 00000000..125b1767
--- /dev/null
+++ b/towncrier/newsfragments/1798.feature
@@ -0,0 +1 @@
+Implement MTA-STS and DANE validation. Introduce DEFER_ON_TLS_ERROR (default: True) to harden or loosen the policy enforcement.
diff --git a/towncrier/newsfragments/1926.feature b/towncrier/newsfragments/1926.feature
new file mode 100644
index 00000000..fdd4ae87
--- /dev/null
+++ b/towncrier/newsfragments/1926.feature
@@ -0,0 +1 @@
+Log authentication attempts on the admin portal
diff --git a/towncrier/newsfragments/1929.enhancement b/towncrier/newsfragments/1929.enhancement
new file mode 100644
index 00000000..12c4f607
--- /dev/null
+++ b/towncrier/newsfragments/1929.enhancement
@@ -0,0 +1,10 @@
+Improved the SSO page. Warning! The new endpoints /sso and /static are introduced.
+These endpoints are now used for handling sign on requests and shared static files.
+You may want to update your reverse proxy to proxy /sso and /static to Mailu (to the front service).
+The example section of using a reverse proxy is updated with this information.
+ - New SSO page is used for logging in Admin or Webmail.
+ - Made SSO page available separately. SSO page can now be used without Admin accessible (ADMIN=false).
+ - Introduced stub /static which is used by all sites for accessing static files.
+ - Removed the /admin/ prefix to reduce complexity of routing with Mailu. Admin is accessible directly via /admin instead of /admin/ui
+Note: Failed logon attempts are logged in the logs of admin. You can watch this with fail2ban.
+
diff --git a/towncrier/newsfragments/1962.bugfix b/towncrier/newsfragments/1962.bugfix
new file mode 100644
index 00000000..70b2aa72
--- /dev/null
+++ b/towncrier/newsfragments/1962.bugfix
@@ -0,0 +1,5 @@
+Reverse proxy documentation has been updated to reflect new security hardening from PR#1959.
+If you do not set the configuration parameters in Mailu what reverse proxy header to trust,
+then Mailu will not have access to the real ip address of the connecting client.
+This means that rate limiting will not properly work. You can also not use fail2ban. 
+It is very important to configure this when using a reverse proxy.
diff --git a/towncrier/newsfragments/1966.feature b/towncrier/newsfragments/1966.feature
new file mode 100644
index 00000000..e379df0b
--- /dev/null
+++ b/towncrier/newsfragments/1966.feature
@@ -0,0 +1,33 @@
+AdminLTE3 design optimizations, asset compression and caching
+
+- fixed copy of qemu-arm-static for alpine
+- added 'set -eu' safeguard
+- silenced npm update notification
+- added color to webpack call
+- changed Admin-LTE default blue
+- AdminLTE 3 style tweaks
+- localized datatables
+- moved external javascript code to vendor.js
+- added mailu logo
+- moved all inline javascript to app.js
+- added iframe display of rspamd page
+- updated language-selector to display full language names and use post
+- added fieldset to group and en/disable input fields
+- added clipboard copy buttons
+- cleaned external javascript imports
+- pre-split first hostname for further use
+- cache dns_* properties of domain object (immutable during runtime)
+- fixed and splitted dns_dkim property of domain object (space missing)
+- added autoconfig and tlsa properties to domain object
+- suppressed extra vertical spacing in jinja2 templates
+- improved accessibility for screen reader
+- deleted unused/broken /user/forward route
+- updated gunicorn to 20.1.0 to get rid of buffering error at startup
+- switched webpack to production mode
+- added css and javascript minimization
+- added pre-compression of assets (gzip)
+- removed obsolete dependencies
+- switched from node-sass to dart-sass
+- changed startup cleaning message from error to info
+- move client config to "my account" section when logged in
+
diff --git a/towncrier/newsfragments/1990.bugfix b/towncrier/newsfragments/1990.bugfix
new file mode 100644
index 00000000..394fc05b
--- /dev/null
+++ b/towncrier/newsfragments/1990.bugfix
@@ -0,0 +1 @@
+Fixed roundcube sso login not working.
diff --git a/towncrier/newsfragments/1992.enhancement b/towncrier/newsfragments/1992.enhancement
new file mode 100644
index 00000000..56a11538
--- /dev/null
+++ b/towncrier/newsfragments/1992.enhancement
@@ -0,0 +1,3 @@
+Make unbound work with ipv6
+Add a cache-min-ttl of 5minutes
+Enable qname minimisation (privacy)
diff --git a/towncrier/newsfragments/1996.enhancement b/towncrier/newsfragments/1996.enhancement
new file mode 100644
index 00000000..d1bc2ccf
--- /dev/null
+++ b/towncrier/newsfragments/1996.enhancement
@@ -0,0 +1 @@
+Disable the login page if SESSION_COOKIE_SECURE is incompatible with how Mailu is accessed as this seems to be a common misconfiguration.
diff --git a/towncrier/newsfragments/2002.enhancement b/towncrier/newsfragments/2002.enhancement
new file mode 100644
index 00000000..bd025141
--- /dev/null
+++ b/towncrier/newsfragments/2002.enhancement
@@ -0,0 +1 @@
+Derive a new subkey (from SECRET_KEY) for SRS
diff --git a/towncrier/newsfragments/2007.enhancement b/towncrier/newsfragments/2007.enhancement
new file mode 100644
index 00000000..802e6d36
--- /dev/null
+++ b/towncrier/newsfragments/2007.enhancement
@@ -0,0 +1 @@
+allow sending emails as user+detail@domain.tld
diff --git a/towncrier/newsfragments/2017.enhancement b/towncrier/newsfragments/2017.enhancement
new file mode 100644
index 00000000..076914d2
--- /dev/null
+++ b/towncrier/newsfragments/2017.enhancement
@@ -0,0 +1 @@
+rspamd: get dkim keys via REST API instead of filesystem
diff --git a/towncrier/newsfragments/224.enhancement b/towncrier/newsfragments/224.enhancement
new file mode 100644
index 00000000..9e4edccf
--- /dev/null
+++ b/towncrier/newsfragments/224.enhancement
@@ -0,0 +1 @@
+Document how to setup client autoconfig using an override
diff --git a/towncrier/newsfragments/360.bugfix b/towncrier/newsfragments/360.bugfix
new file mode 100644
index 00000000..d433e0e3
--- /dev/null
+++ b/towncrier/newsfragments/360.bugfix
@@ -0,0 +1 @@
+RELAYNETS should be a comma separated list of networks
diff --git a/towncrier/newsfragments/466.feature b/towncrier/newsfragments/466.feature
new file mode 100644
index 00000000..12049b94
--- /dev/null
+++ b/towncrier/newsfragments/466.feature
@@ -0,0 +1 @@
+Remove the Received header with PRIMARY_HOSTNAME [PUBLIC_IP]
diff --git a/webmails/rainloop/Dockerfile b/webmails/rainloop/Dockerfile
index f1394d64..02910e39 100644
--- a/webmails/rainloop/Dockerfile
+++ b/webmails/rainloop/Dockerfile
@@ -4,9 +4,11 @@ ARG ARCH=""
 FROM ${ARCH}alpine:3.14
 ONBUILD COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
 
+ENV TZ Etc/UTC
+
 # Shared later between dovecot postfix nginx rspamd rainloop and roundloop
 RUN apk add --no-cache \
-    python3 py3-pip \
+    python3 py3-pip tzdata \
  && pip3 install socrate==0.2.0
 
 #  https://www.rainloop.net/docs/system-requirements/
diff --git a/webmails/rainloop/defaults/application.ini b/webmails/rainloop/defaults/application.ini
index 0504f174..d67ec9f0 100644
--- a/webmails/rainloop/defaults/application.ini
+++ b/webmails/rainloop/defaults/application.ini
@@ -8,10 +8,8 @@ allow_admin_panel = Off
 
 [labs]
 allow_gravatar = Off
-{% if ADMIN == "true" %}
 custom_login_link='sso.php'
-custom_logout_link='{{ WEB_ADMIN }}/ui/logout'
-{% endif %}
+custom_logout_link='/sso/logout'
 
 [contacts]
 enable = On
diff --git a/webmails/roundcube/Dockerfile b/webmails/roundcube/Dockerfile
index 4d3e36df..4ad89022 100644
--- a/webmails/roundcube/Dockerfile
+++ b/webmails/roundcube/Dockerfile
@@ -7,11 +7,15 @@ ONBUILD COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/
 FROM ${ARCH}php:7.4-apache as build_other
 
 FROM build_${QEMU}
+
+ENV TZ Etc/UTC
+
 #Shared layer between rainloop and roundcube
 RUN apt-get update && apt-get install -y \
-  python3 curl python3-pip git python3-multidict \
+  python3 curl python3-pip git python3-multidict tzdata \
   && rm -rf /var/lib/apt/lists \
-  && echo "ServerSignature Off" >> /etc/apache2/apache2.conf
+  && echo "ServerSignature Off\nServerName roundcube" >> /etc/apache2/apache2.conf \
+  && sed -i 's,CustomLog.*combined$,\0 "'"expr=!(%{HTTP_USER_AGENT}=='health'\&\&(-R '127.0.0.1/8' || -R '::1'))"'",' /etc/apache2/sites-available/000-default.conf
 
 # Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube
 RUN pip3 install socrate
@@ -25,7 +29,6 @@ RUN apt-get update && apt-get install -y \
       python3-jinja2 \
       gpg \
  && docker-php-ext-install zip pdo_mysql pdo_pgsql \
- && echo date.timezone=UTC > /usr/local/etc/php/conf.d/timezone.ini \
  && rm -rf /var/www/html/ \
  && cd /var/www \
  && curl -sL ${ROUNDCUBE_URL} | tar xz \
@@ -33,12 +36,17 @@ RUN apt-get update && apt-get install -y \
  && mv roundcubemail-* html \
  && mv carddav html/plugins/ \
  && cd html \
- && rm -rf CHANGELOG INSTALL LICENSE README.md UPGRADING composer.json-dist installer \
+ && rm -rf CHANGELOG INSTALL LICENSE README.md UPGRADING composer.json-dist installer composer.* \
  && sed -i 's,mod_php5.c,mod_php7.c,g' .htaccess \
  && sed -i 's,^php_value.*post_max_size,#&,g' .htaccess \
  && sed -i 's,^php_value.*upload_max_filesize,#&,g' .htaccess \
- && chown -R www-data: logs temp \
- && rm -rf /var/lib/apt/lists
+ && ln -sf index.php /var/www/html/sso.php \
+ && ln -sf /dev/stderr /var/www/html/logs/errors.log \
+ && chown -R root:root . \
+ && chown www-data:www-data logs temp \
+ && chmod -R a+rX . \
+ && rm -rf /var/lib/apt/lists \
+ && a2enmod rewrite deflate expires headers
 
 COPY php.ini /php.ini
 COPY config.inc.php /var/www/html/config/
@@ -50,4 +58,4 @@ VOLUME ["/data"]
 
 CMD /start.py
 
-HEALTHCHECK CMD curl -f -L http://localhost/ || exit 1
+HEALTHCHECK CMD curl -f -L -H 'User-Agent: health' http://localhost/ || exit 1
diff --git a/webmails/roundcube/config.inc.php b/webmails/roundcube/config.inc.php
index 797f229c..99f147fc 100644
--- a/webmails/roundcube/config.inc.php
+++ b/webmails/roundcube/config.inc.php
@@ -37,11 +37,11 @@ $config['managesieve_usetls'] = false;
 
 // Customization settings
 if (filter_var(getenv('ADMIN'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)) {
-	array_push($config['plugins'], 'mailu');
-	$config['support_url'] = getenv('WEB_ADMIN') ? '../..' . getenv('WEB_ADMIN') : '';
-	$config['sso_logout_url'] = getenv('WEB_ADMIN').'/ui/logout';
+	$config['support_url'] = getenv('WEB_ADMIN') ? '../..' . getenv('WEB_ADMIN') : '';	
 }
 $config['product_name'] = 'Mailu Webmail';
+array_push($config['plugins'], 'mailu');
+$config['sso_logout_url'] = '/sso/logout';
 
 // We access the IMAP and SMTP servers locally with internal names, SSL
 // will obviously fail but this sounds better than allowing insecure login
diff --git a/webmails/roundcube/mailu.php b/webmails/roundcube/mailu.php
index bb4d65e9..f5079e98 100644
--- a/webmails/roundcube/mailu.php
+++ b/webmails/roundcube/mailu.php
@@ -52,6 +52,12 @@ class mailu extends rcube_plugin
   }
   function login_failed($args)
   {
+      $ua = $_SERVER['HTTP_USER_AGENT'];
+      $ra = $_SERVER['REMOTE_ADDR'];
+      if ($ua == 'health' and ($ra == '127.0.0.1' or $ra == '::1')) {
+        echo "OK";
+        exit;
+      }
       header('Location: sso.php');
       exit();
   }
diff --git a/webmails/roundcube/php.ini b/webmails/roundcube/php.ini
index 27992231..dafa0578 100644
--- a/webmails/roundcube/php.ini
+++ b/webmails/roundcube/php.ini
@@ -1,5 +1,4 @@
 expose_php=Off
-date.timezone=UTC
+date.timezone={{ TZ }}
 upload_max_filesize = {{ MAX_FILESIZE }}M
 post_max_size = {{ MAX_FILESIZE }}M
-
diff --git a/webmails/roundcube/start.py b/webmails/roundcube/start.py
index cd42ba06..efaac357 100755
--- a/webmails/roundcube/start.py
+++ b/webmails/roundcube/start.py
@@ -34,11 +34,7 @@ else:
 conf.jinja("/php.ini", os.environ, "/usr/local/etc/php/conf.d/roundcube.ini")
 
 # Create dirs, setup permissions
-os.system("mkdir -p /data/gpg /var/www/html/logs")
-os.system("touch /var/www/html/logs/errors.log")
-os.system("chown -R www-data:www-data /var/www/html/logs")
-os.system("chmod -R a+rX /var/www/html/")
-os.system("ln -sf /var/www/html/index.php /var/www/html/sso.php")
+os.system("mkdir -p /data/gpg")
 
 try:
     print("Initializing database")
@@ -61,8 +57,5 @@ except subprocess.CalledProcessError as e:
 # Setup database permissions
 os.system("chown -R www-data:www-data /data")
 
-# Tail roundcube logs
-subprocess.Popen(["tail", "-f", "-n", "0", "/var/www/html/logs/errors.log"])
-
 # Run apache
 os.execv("/usr/local/bin/apache2-foreground", ["apache2-foreground"])