From cc9a6b05a80de3669fddfd1fb34f95a0ee14ffaf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= <muhlemmer@gmail.com>
Date: Mon, 14 Oct 2019 22:13:05 +0300
Subject: [PATCH 001/222] RFC: Mailu directory structure

---
 design/mailu-directory-structure.md | 199 ++++++++++++++++++++++++++++
 1 file changed, 199 insertions(+)
 create mode 100644 design/mailu-directory-structure.md

diff --git a/design/mailu-directory-structure.md b/design/mailu-directory-structure.md
new file mode 100644
index 00000000..ad75eeaa
--- /dev/null
+++ b/design/mailu-directory-structure.md
@@ -0,0 +1,199 @@
+# RFC: Mailu directory structure
+The current layout of the Mailu directory structure can be improved to allow for easier replicated deployments, like Docker Swarm and Kubernetes. Please read https://usrpro.com/publications/mailu-persistent-storage/ for the background motivation of this RFC.
+
+## Scope
+This document only describes the re-arrangement of the `$ROOT` Mailu filesystem as-is. This means moving around of current files and directories. The linked article also proposes more advanced improvements. Those are not included in this RFC and need to be evaluated and implemented independently. However, the changes proposed in this document should make such improvements easier.
+
+Currently some services are wrongfully sharing mountpoints or have unused volumes declared. Those are also taken care of in this RFC.
+
+## Compatibility
+If these changes were to be accepted, it will break compatibility with previous Mailu version `<=1.7`. As such, we will propably increment to version `2.0`.
+
+## Root
+The root of the Mailu filesystem is located at `/mailu` by default. For simplicity we will assume this location throughout the document. Within `/mailu` we will aim to define 3 main sub-directories:
+
+### Config
+
+- Path: `/mailu/config/`
+
+Small config bearing files, sometimes shared between multiple services. The performance and storage needs for this filesystem are low. Availability is important for correct functioning of the mail server. No file locking issues are expected from concurrent access. A basic (and redundant) filesystem should suffice.
+
+#### Dovecot
+
+- Old path: `/mailu/overrides` (shared with postfix, nginx and rspamd)
+- New Path `/mailu/config/dovecot`
+
+Dovecot configuration overrides.
+
+#### Postfix
+
+- Old path: `/mailu/overrides` (shared with dovecot, nginx and rspamd)
+- New Path `/mailu/config/posfix`
+
+Postfix configuration overrides.
+
+#### Rspamd
+
+- Old path: `/mailu/overrides/rspamd`
+- New path: `/mailu/config/rspamd`
+
+RSpamD configuration overrides.
+
+#### Rainloop
+
+- Old path: `/mailu/webmail/_data_/_default_/storage` (part of `/mailu/webmail` mountpoint, shared with Roundcube)
+- New path: `/mailu/config/rainloop`
+
+User specific configs. The remaining files under the old `/mailu/webmail` don't need to be persistent. Except for `AddressBook.sqlite`, see `/mailu/data`.
+
+#### Roundcube
+
+- Old path: `/mailu/webmail/gpg` (part of `/mailu/webmail` mountpoint, shared with Rainloop)
+- New path: `/mailu/config/roundcube/gpg`
+
+User configured GPG keys.
+
+#### Redis
+
+- Old path: `/mailu/redis`
+- New path: `/mailu/config/redis`
+
+Holds `dump.rdb` for data restoration. Although technically a database, Redis works from memory. The dump file is only written to every minute and read from during start. Hence it fits better in the replicated config directory filesystem.
+
+#### Share
+
+- Path: `/mailu/config/share/`
+
+Shared configuration between different services
+
+##### DKIM
+
+- Old path: `/mailu/dkim/`
+- New path: `/mailu/config/share/dkim`
+
+DKIM private keys store. Read/write access by Admin. Read only access by rSpamD.
+
+##### Certs
+
+- Old path: `/mailu/certs`
+- New path: `/mailu/config/share/certs` (Proposal in anticipation of the RFC outcome at: https://github.com/Mailu/Mailu/issues/1222.)
+
+TLS certificates. Write access from `nginx` in case `TLS_FLAVOR=letsencrypt`. Or write access from `treafik-certdumper` or any other tool obtaining certificates.
+
+`letsencrypt` setting is not compatible with replicated setups. Multiple instances would disrupt the ACME challenge verification and cause race conditions on requesting certificates. In such cases certificates will need to be provided by other tools.
+
+If RFC issue #1222 is accepted, Dovecot will need read-only access to the certificates.
+
+### Data
+
+- Path: `/mailu/data/`
+
+Database files, like SQLite or PostgreSQL files. Databases don't perform well on network filesystems as they depend heavily on file locking and full controll on the database files. Making it unfit for concurrent access from multiple hosts. This directory should always live on a local filesystem. This makes it only usable in `docker-compose` deployments. Usage of this directory should be avoided in Kubernetes and Docker Swarm deployments. Some services will need to be improved to allow for this.
+
+#### admin data
+
+- Old path: `/mailu/data/`
+- New path: `/mailu/data/admin/` (mount point on `admin` directory)
+
+Holds `main.db` SQLite database file holding domains, users, aliases etcetera. Read/write access only by admin. Can be avoided by using a remote DB server like PostgreSQL, MySQL or MariaDB.
+
+Also holds `instance` for unique statistics transmission. Removing of this file is proposed in RFC [issue 129](https://github.com/Mailu/Mailu/issues/1219).
+
+This move is needed in order to be able to mount the directory without exposing data files from other services into admin.
+
+#### rspamd
+
+- Old path: `/mailu/filter` (shared with ClamAV)
+- New path: `/mailu/data/rspamd`
+
+Storage of Bayes and Fuzzy learning SQLite databases and caches. As future optimization we should look into moving all this into Redis.
+
+#### Rainloop
+
+- Old path: `/mailu/webmail/_data_/_default_/AddressBook.sqlite` (part of `/mailu/webmail` mountpoint, shared with Roundcube)
+- New path: `/mailu/data/rainloop/AddressBook.sqlite` (mount on `rainloop` directory)
+
+Addressbook SQLite file. For future replicated deployments this might better be configured to use an external DB.
+
+For this modification, the `AddressBook.sqlite` will need to be moved to a different directory inside the container.
+
+#### Roundcube
+
+- Old path: `/mailu/webmail/roundcube.db` (part of `/mailu/webmail` mountpoint, shared with Rainloop)
+- New path: `/mailu/data/roundcube/roundcube.db` (mount on `roundcube` directory)
+
+User settings SQLite database file for roundcube. For future replicated deployments this might better be configured to use an external DB.
+
+For this modification, the `rouncube.db` file will need to be moved to a different directory inside the container.
+
+### Mail
+
+- Path: `/mailu/mail` (unmodified)
+
+User mail, managed my Dovecot IMAP server. In replicated deployments, this filesystem needs to be shared over all IMAP server instances. It should be high performant and capable of propgating file locks. Storage size is proportional to the users and their quotas. Old versions of NFS are known to be buggy with file locking. Also Samaba or CIFS should be avoided.
+
+In the old situation, Maildir indexes are stored on the same volume. However, they need not to be persistent and should be located on a voletile filesystem instead. This allows better performance on network filesystems.
+
+### Local
+
+- Path: `/mailu/local` (new)
+
+Persistent storage not suitable for replication. In `docker-compose` deployments it lives inside `/mailu` and in replicated deployments it should live somewhere on the local host machine.
+
+#### Mailqueue
+
+- Old path: `/mailu/mailqueue`
+- New path: `/mailu/local/mailqueue`
+
+The SMTP mailqueue should be persistant, as per SMTP spec it is not allowed to loose mail. However, persistance should be local only for performance reasons and the possibility to replicate Postfix servers. In setups like Docker Swarm and Kubernetes, admins should take care that Postfix is always restarted on same hosts in order to empty any remaining queue after a crash.
+
+#### ClamAV
+
+- Old path: `/mailu/filters` (shared with rSpamD)
+- New path: `/mailu/local/clamav`
+
+Virus definitions do not need to be replicated, as they can be easily pulled in when ClamAV instances migrate to other nodes. Persistance does allow for some bandwith and time saving if ClamAV would be restarted on a previously used node (in case of updates or similar cases). Local only storage also prevents `freshclam` race conditions.
+
+## Conclusion
+
+The final layout of the Mailu filesystem will look like:
+
+````
+/mailu
+├── config
+│   ├── dovecot
+│   ├── postfix
+│   ├── rainloop
+│   ├── redis
+│   ├── roundcube
+│   │   └── gpg
+│   ├── rspamd
+│   └── share
+│       ├── certs
+│       └── dkim
+├── data
+│   ├── admin
+│   ├── rainloop
+│   ├── roundcube
+│   └── rspamd
+├── local
+│   ├── clamav
+│   └── mailqueue
+└── mail
+````
+
+Where in replicated environments:
+
+- `/mailu/config/`: should be a small, low performant and shared filesystem.
+- `/mailu/data`: should be avoided. More work will need to be done to configure external DB servers for relevant services. Ideally, this directory should only exist on docker-compose deployments.
+- `/mailu/local/`: Should exist only on local file systems of worker nodes.
+- `/mailu/mail`: A distributed filesystem with sufficient performance and storage requirements to hold and process all user mailboxes. Ideally only Maildir without indexes.
+
+### Implementing
+
+The works to implement this changes should happen outside the `master` branch. Inclusion into `master` can only be accepted if:
+
+1. `docker-compose.yml` from setup reflects this changes correctly.
+2. Kubernetes documentation is updated.
+3. Legacy `docker-compose.yml` is either updated or deleted.
+4. A clear data migration guide is written.
\ No newline at end of file

From 4f96e991449b52400b5a1fe8d968f07ff9346842 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 29 Aug 2021 17:40:37 +0200
Subject: [PATCH 002/222] MTA-STS (use rather than publish policies)

---
 core/postfix/Dockerfile         |  5 +++++
 core/postfix/conf/main.cf       |  2 +-
 core/postfix/mta-sts-daemon.yml | 10 ++++++++++
 core/postfix/start.py           | 10 ++++++++++
 4 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 core/postfix/mta-sts-daemon.yml

diff --git a/core/postfix/Dockerfile b/core/postfix/Dockerfile
index 062155c1..8efe5da4 100644
--- a/core/postfix/Dockerfile
+++ b/core/postfix/Dockerfile
@@ -12,10 +12,15 @@ RUN pip3 install socrate==0.2.0
 RUN pip3 install "podop>0.2.5"
 
 # Image specific layers under this line
+RUN apk add --no-cache --virtual .build-deps gcc musl-dev python3-dev
+RUN pip3 install --no-binary :all: postfix-mta-sts-resolver==1.0.1
+RUN apk del .build-deps gcc musl-dev python3-dev
+
 RUN apk add --no-cache postfix postfix-pcre cyrus-sasl-login
 
 COPY conf /conf
 COPY start.py /start.py
+COPY mta-sts-daemon.yml /etc/
 
 EXPOSE 25/tcp 10025/tcp
 VOLUME ["/queue"]
diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 7f84ade7..0194324f 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -59,7 +59,7 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
 smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
-smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map
+smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, socketmap:unix:/tmp/mta-sts.socket:postfix
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
 smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
diff --git a/core/postfix/mta-sts-daemon.yml b/core/postfix/mta-sts-daemon.yml
new file mode 100644
index 00000000..39f60e48
--- /dev/null
+++ b/core/postfix/mta-sts-daemon.yml
@@ -0,0 +1,10 @@
+path: "/tmp/mta-sts.socket"
+mode: 0600
+shutdown_timeout: 20
+cache:
+  type: internal
+  options:
+    cache_size: 10000
+default_zone:
+  strict_testing: false
+  timeout: 4
diff --git a/core/postfix/start.py b/core/postfix/start.py
index 799d42f5..50565e3d 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -30,6 +30,12 @@ def start_podop():
         ("senderrate", "url", url + "sender/rate/§")
     ])
 
+def start_mta_sts_daemon():
+    os.chmod("/root/", 0o755) # read access to /root/.netrc required
+    os.setuid(getpwnam('postfix').pw_uid)
+    from postfix_mta_sts_resolver import daemon
+    daemon.main()
+
 def is_valid_postconf_line(line):
     return not line.startswith("#") \
             and not line == ''
@@ -68,6 +74,9 @@ for map_file in glob.glob("/overrides/*.map"):
     os.system("postmap {}".format(destination))
     os.remove(destination)
 
+if os.path.exists("/overrides/mta-sts-daemon.yml"):
+    shutil.copyfile("/overrides/mta-sts-daemon.yml", "/etc/mta-sts-daemon.yml")
+
 if not os.path.exists("/etc/postfix/tls_policy.map.db"):
     with open("/etc/postfix/tls_policy.map", "w") as f:
         for domain in ['gmail.com', 'yahoo.com', 'hotmail.com', 'aol.com', 'outlook.com', 'comcast.net', 'icloud.com', 'msn.com', 'hotmail.co.uk', 'live.com', 'yahoo.co.in', 'me.com', 'mail.ru', 'cox.net', 'yahoo.co.uk', 'verizon.net', 'ymail.com', 'hotmail.it', 'kw.com', 'yahoo.com.tw', 'mac.com', 'live.se', 'live.nl', 'yahoo.com.br', 'googlemail.com', 'libero.it', 'web.de', 'allstate.com', 'btinternet.com', 'online.no', 'yahoo.com.au', 'live.dk', 'earthlink.net', 'yahoo.fr', 'yahoo.it', 'gmx.de', 'hotmail.fr', 'shawinc.com', 'yahoo.de', 'moe.edu.sg', 'naver.com', 'bigpond.com', 'statefarm.com', 'remax.net', 'rocketmail.com', 'live.no', 'yahoo.ca', 'bigpond.net.au', 'hotmail.se', 'gmx.at', 'live.co.uk', 'mail.com', 'yahoo.in', 'yandex.ru', 'qq.com', 'charter.net', 'indeedemail.com', 'alice.it', 'hotmail.de', 'bluewin.ch', 'optonline.net', 'wp.pl', 'yahoo.es', 'hotmail.no', 'pindotmedia.com', 'orange.fr', 'live.it', 'yahoo.co.id', 'yahoo.no', 'hotmail.es', 'morganstanley.com', 'wellsfargo.com', 'wanadoo.fr', 'facebook.com', 'yahoo.se', 'fema.dhs.gov', 'rogers.com', 'yahoo.com.hk', 'live.com.au', 'nic.in', 'nab.com.au', 'ubs.com', 'shaw.ca', 'umich.edu', 'westpac.com.au', 'yahoo.com.mx', 'yahoo.com.sg', 'farmersagent.com', 'yahoo.dk', 'dhs.gov']:
@@ -81,6 +90,7 @@ if "RELAYUSER" in os.environ:
 
 # Run Podop and Postfix
 multiprocessing.Process(target=start_podop).start()
+multiprocessing.Process(target=start_mta_sts_daemon).start()
 os.system("/usr/libexec/postfix/post-install meta_directory=/etc/postfix create-missing")
 # Before starting postfix, we need to check permissions on /queue
 # in the event that postfix,postdrop id have changed

From 52d3a338751c6f7dd14c63de6c2164d3a9d9f8da Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 29 Aug 2021 17:41:55 +0200
Subject: [PATCH 003/222] Remove the domains that have a valid MTA-STS policy

gmail.com
comcast.net
mail.ru
googlemail.com
wp.pl
---
 core/postfix/start.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/postfix/start.py b/core/postfix/start.py
index 50565e3d..de559b27 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -79,7 +79,7 @@ if os.path.exists("/overrides/mta-sts-daemon.yml"):
 
 if not os.path.exists("/etc/postfix/tls_policy.map.db"):
     with open("/etc/postfix/tls_policy.map", "w") as f:
-        for domain in ['gmail.com', 'yahoo.com', 'hotmail.com', 'aol.com', 'outlook.com', 'comcast.net', 'icloud.com', 'msn.com', 'hotmail.co.uk', 'live.com', 'yahoo.co.in', 'me.com', 'mail.ru', 'cox.net', 'yahoo.co.uk', 'verizon.net', 'ymail.com', 'hotmail.it', 'kw.com', 'yahoo.com.tw', 'mac.com', 'live.se', 'live.nl', 'yahoo.com.br', 'googlemail.com', 'libero.it', 'web.de', 'allstate.com', 'btinternet.com', 'online.no', 'yahoo.com.au', 'live.dk', 'earthlink.net', 'yahoo.fr', 'yahoo.it', 'gmx.de', 'hotmail.fr', 'shawinc.com', 'yahoo.de', 'moe.edu.sg', 'naver.com', 'bigpond.com', 'statefarm.com', 'remax.net', 'rocketmail.com', 'live.no', 'yahoo.ca', 'bigpond.net.au', 'hotmail.se', 'gmx.at', 'live.co.uk', 'mail.com', 'yahoo.in', 'yandex.ru', 'qq.com', 'charter.net', 'indeedemail.com', 'alice.it', 'hotmail.de', 'bluewin.ch', 'optonline.net', 'wp.pl', 'yahoo.es', 'hotmail.no', 'pindotmedia.com', 'orange.fr', 'live.it', 'yahoo.co.id', 'yahoo.no', 'hotmail.es', 'morganstanley.com', 'wellsfargo.com', 'wanadoo.fr', 'facebook.com', 'yahoo.se', 'fema.dhs.gov', 'rogers.com', 'yahoo.com.hk', 'live.com.au', 'nic.in', 'nab.com.au', 'ubs.com', 'shaw.ca', 'umich.edu', 'westpac.com.au', 'yahoo.com.mx', 'yahoo.com.sg', 'farmersagent.com', 'yahoo.dk', 'dhs.gov']:
+        for domain in ['yahoo.com', 'hotmail.com', 'aol.com', 'outlook.com', 'icloud.com', 'msn.com', 'hotmail.co.uk', 'live.com', 'yahoo.co.in', 'me.com', 'cox.net', 'yahoo.co.uk', 'verizon.net', 'ymail.com', 'hotmail.it', 'kw.com', 'yahoo.com.tw', 'mac.com', 'live.se', 'live.nl', 'yahoo.com.br', 'libero.it', 'web.de', 'allstate.com', 'btinternet.com', 'online.no', 'yahoo.com.au', 'live.dk', 'earthlink.net', 'yahoo.fr', 'yahoo.it', 'gmx.de', 'hotmail.fr', 'shawinc.com', 'yahoo.de', 'moe.edu.sg', 'naver.com', 'bigpond.com', 'statefarm.com', 'remax.net', 'rocketmail.com', 'live.no', 'yahoo.ca', 'bigpond.net.au', 'hotmail.se', 'gmx.at', 'live.co.uk', 'mail.com', 'yahoo.in', 'yandex.ru', 'qq.com', 'charter.net', 'indeedemail.com', 'alice.it', 'hotmail.de', 'bluewin.ch', 'optonline.net', 'yahoo.es', 'hotmail.no', 'pindotmedia.com', 'orange.fr', 'live.it', 'yahoo.co.id', 'yahoo.no', 'hotmail.es', 'morganstanley.com', 'wellsfargo.com', 'wanadoo.fr', 'facebook.com', 'yahoo.se', 'fema.dhs.gov', 'rogers.com', 'yahoo.com.hk', 'live.com.au', 'nic.in', 'nab.com.au', 'ubs.com', 'shaw.ca', 'umich.edu', 'westpac.com.au', 'yahoo.com.mx', 'yahoo.com.sg', 'farmersagent.com', 'yahoo.dk', 'dhs.gov']:
             f.write(f'{domain}\tsecure\n')
     os.system("postmap /etc/postfix/tls_policy.map")
 

From a01960787362ed3fc5e7774c3bc573b3c52a86d9 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 29 Aug 2021 17:46:28 +0200
Subject: [PATCH 004/222] towncrier

---
 towncrier/newsfragments/1798.feature | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 towncrier/newsfragments/1798.feature

diff --git a/towncrier/newsfragments/1798.feature b/towncrier/newsfragments/1798.feature
new file mode 100644
index 00000000..1b63a85c
--- /dev/null
+++ b/towncrier/newsfragments/1798.feature
@@ -0,0 +1 @@
+Implement MTA-STS (use published policies)

From 5634354911bf645ea6b8204af4964d51e06178db Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 29 Aug 2021 18:28:56 +0200
Subject: [PATCH 005/222] document how to publish an MTA-STS policy

---
 docs/faq.rst | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/docs/faq.rst b/docs/faq.rst
index a2c6bd33..98026ab1 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -369,6 +369,31 @@ How do I use webdav (radicale)?
 .. _`575`: https://github.com/Mailu/Mailu/issues/575
 .. _`1591`: https://github.com/Mailu/Mailu/issues/1591
 
+How do I setup a MTA-STS policy?
+````````````````````````````````
+
+Mailu can serve an `MTA-STS policy`_; To configure it you will need to:
+
+1. setup the appropriate DNS/CNAME record (``mta-sts.example.com`` -> ``mailu.example.com``) and DNS/TXT record (``_mta-sts.example.com`` -> ``v=STSv1; id=1``) paying attention to the ``TTL`` as this is used by MTA-STS.
+
+2. configure an override with the policy itself; for example, your ``overrides/mta-sts.conf`` could read:
+
+.. code-block:: bash
+
+   location ^~ /.well-known/mta-sts.txt {
+   return 200 "version: STSv1
+   mode: enforce
+   max_age: 86401
+   mx: mailu.example.com\r\n";
+   }
+
+3. add ``mta-sts.example.com`` to the ``HOSTNAMES`` configuration variable (and ensure that a valid SSL certificate is available for it)
+
+*issue reference:* `1798`_.
+
+.. _`1798`: https://github.com/Mailu/Mailu/issues/1798
+.. _`MTA-STS policy`: https://datatracker.ietf.org/doc/html/rfc8461
+
 Technical issues
 ----------------
 

From 5efe35329be9862cf4dcb34292b7b5a9b1976b5f Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 29 Aug 2021 18:29:44 +0200
Subject: [PATCH 006/222] doh

---
 docs/faq.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/faq.rst b/docs/faq.rst
index 98026ab1..92b208de 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -376,7 +376,7 @@ Mailu can serve an `MTA-STS policy`_; To configure it you will need to:
 
 1. setup the appropriate DNS/CNAME record (``mta-sts.example.com`` -> ``mailu.example.com``) and DNS/TXT record (``_mta-sts.example.com`` -> ``v=STSv1; id=1``) paying attention to the ``TTL`` as this is used by MTA-STS.
 
-2. configure an override with the policy itself; for example, your ``overrides/mta-sts.conf`` could read:
+2. configure an override with the policy itself; for example, your ``overrides/nginx/mta-sts.conf`` could read:
 
 .. code-block:: bash
 

From 7c5dcfa025e8b7e1f7e5bb6b3ac56331bc928287 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 29 Aug 2021 18:32:17 +0200
Subject: [PATCH 007/222] MTA-STS is a major feature

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index c4354b28..8c7d1640 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ Main features include:
 - **Web access**, multiple Webmails and administration interface
 - **User features**, aliases, auto-reply, auto-forward, fetched accounts
 - **Admin features**, global admins, announcements, per-domain delegation, quotas
-- **Security**, enforced TLS, Letsencrypt!, outgoing DKIM, anti-virus scanner
+- **Security**, enforced TLS, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner
 - **Antispam**, auto-learn, greylisting, DMARC and SPF
 - **Freedom**, all FOSS components, no tracker included
 

From a8142dabbe4df86a2aa87d3f323de20c045d7db3 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 30 Aug 2021 14:21:28 +0200
Subject: [PATCH 008/222] Introduce DEFER_ON_TLS_ERROR

This will default to True and defer emails that fail even "loose"
validation of DANE or MTA-STS

It should work most of the time but if it doesn't and you would rather
see your emails delivered, you can turn it off.
---
 core/postfix/conf/main.cf       | 6 +++++-
 core/postfix/mta-sts-daemon.yml | 2 +-
 core/postfix/start.py           | 1 +
 docs/configuration.rst          | 2 +-
 4 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 0194324f..78ffcee1 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -58,13 +58,17 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET
 # 2. not all will have and up-to-date TLS stack.
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
-smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
+smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
+smtp_tls_dane_insecure_mx_policy = dane
 smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, socketmap:unix:/tmp/mta-sts.socket:postfix
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
 smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
 smtp_host_lookup = dns
 smtp_dns_support_level = dnssec
+delay_warning_time = 5m
+smtp_tls_loglevel = 1
+notify_classes = resource, software, delay
 
 ###############
 # Virtual
diff --git a/core/postfix/mta-sts-daemon.yml b/core/postfix/mta-sts-daemon.yml
index 39f60e48..361bcbf9 100644
--- a/core/postfix/mta-sts-daemon.yml
+++ b/core/postfix/mta-sts-daemon.yml
@@ -6,5 +6,5 @@ cache:
   options:
     cache_size: 10000
 default_zone:
-  strict_testing: false
+  strict_testing: {{ DEFER_ON_TLS_ERROR |default('true') }}
   timeout: 4
diff --git a/core/postfix/start.py b/core/postfix/start.py
index de559b27..5e439bdb 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -76,6 +76,7 @@ for map_file in glob.glob("/overrides/*.map"):
 
 if os.path.exists("/overrides/mta-sts-daemon.yml"):
     shutil.copyfile("/overrides/mta-sts-daemon.yml", "/etc/mta-sts-daemon.yml")
+conf.jinja("/etc/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
 
 if not os.path.exists("/etc/postfix/tls_policy.map.db"):
     with open("/etc/postfix/tls_policy.map", "w") as f:
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 27f8db7d..4fd84c07 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -73,7 +73,7 @@ mail in following format: ``[HOST]:PORT``.
 
 By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
 by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is highly recommended
-if you are using a relayhost that supports TLS.
+if you are using a relayhost that supports TLS but discouraged otherwise. ``DEFER_ON_TLS_ERROR`` (default: True) controls whether incomplete policies (DANE without DNSSEC or "testing" MTA-STS policies) will be taken into account and whether emails will be defered if the additional checks enforced by those policies fail.
 
 Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed
 by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for

From 05b57c972ec3a6fbe6a8f9cc048246e24747390c Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 30 Aug 2021 14:44:13 +0200
Subject: [PATCH 009/222] remove the static policy as it will override MTA-STS
 and DANE

---
 core/postfix/start.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/postfix/start.py b/core/postfix/start.py
index 5e439bdb..69855e29 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -80,7 +80,7 @@ conf.jinja("/etc/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
 
 if not os.path.exists("/etc/postfix/tls_policy.map.db"):
     with open("/etc/postfix/tls_policy.map", "w") as f:
-        for domain in ['yahoo.com', 'hotmail.com', 'aol.com', 'outlook.com', 'icloud.com', 'msn.com', 'hotmail.co.uk', 'live.com', 'yahoo.co.in', 'me.com', 'cox.net', 'yahoo.co.uk', 'verizon.net', 'ymail.com', 'hotmail.it', 'kw.com', 'yahoo.com.tw', 'mac.com', 'live.se', 'live.nl', 'yahoo.com.br', 'libero.it', 'web.de', 'allstate.com', 'btinternet.com', 'online.no', 'yahoo.com.au', 'live.dk', 'earthlink.net', 'yahoo.fr', 'yahoo.it', 'gmx.de', 'hotmail.fr', 'shawinc.com', 'yahoo.de', 'moe.edu.sg', 'naver.com', 'bigpond.com', 'statefarm.com', 'remax.net', 'rocketmail.com', 'live.no', 'yahoo.ca', 'bigpond.net.au', 'hotmail.se', 'gmx.at', 'live.co.uk', 'mail.com', 'yahoo.in', 'yandex.ru', 'qq.com', 'charter.net', 'indeedemail.com', 'alice.it', 'hotmail.de', 'bluewin.ch', 'optonline.net', 'yahoo.es', 'hotmail.no', 'pindotmedia.com', 'orange.fr', 'live.it', 'yahoo.co.id', 'yahoo.no', 'hotmail.es', 'morganstanley.com', 'wellsfargo.com', 'wanadoo.fr', 'facebook.com', 'yahoo.se', 'fema.dhs.gov', 'rogers.com', 'yahoo.com.hk', 'live.com.au', 'nic.in', 'nab.com.au', 'ubs.com', 'shaw.ca', 'umich.edu', 'westpac.com.au', 'yahoo.com.mx', 'yahoo.com.sg', 'farmersagent.com', 'yahoo.dk', 'dhs.gov']:
+        for domain in ['example.com']:
             f.write(f'{domain}\tsecure\n')
     os.system("postmap /etc/postfix/tls_policy.map")
 

From 67db72d7743a5f2850e6c6a7d19b2ff99e8ea6d5 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 30 Aug 2021 17:00:12 +0200
Subject: [PATCH 010/222] Behave like documented

---
 core/postfix/conf/main.cf            | 2 +-
 docs/configuration.rst               | 8 ++++++--
 towncrier/newsfragments/1798.feature | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 78ffcee1..ae54326d 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -59,7 +59,7 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
 smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
-smtp_tls_dane_insecure_mx_policy = dane
+smtp_tls_dane_insecure_mx_policy = {% if DEFER_ON_TLS_ERROR == 'false' %}may{% else %}dane{% endif %}
 smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, socketmap:unix:/tmp/mta-sts.socket:postfix
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 4fd84c07..7cf3c926 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -72,8 +72,12 @@ mail in following format: ``[HOST]:PORT``.
 ``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed.
 
 By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
-by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is highly recommended
-if you are using a relayhost that supports TLS but discouraged otherwise. ``DEFER_ON_TLS_ERROR`` (default: True) controls whether incomplete policies (DANE without DNSSEC or "testing" MTA-STS policies) will be taken into account and whether emails will be defered if the additional checks enforced by those policies fail.
+by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is
+highly recommended if you are using a relayhost that supports TLS but discouraged
+otherwise. ``DEFER_ON_TLS_ERROR`` (default: True) controls whether incomplete
+policies (DANE without DNSSEC or "testing" MTA-STS policies) will be taken into
+account and whether emails will be defered if the additional checks enforced by
+those policies fail.
 
 Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed
 by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for
diff --git a/towncrier/newsfragments/1798.feature b/towncrier/newsfragments/1798.feature
index 1b63a85c..125b1767 100644
--- a/towncrier/newsfragments/1798.feature
+++ b/towncrier/newsfragments/1798.feature
@@ -1 +1 @@
-Implement MTA-STS (use published policies)
+Implement MTA-STS and DANE validation. Introduce DEFER_ON_TLS_ERROR (default: True) to harden or loosen the policy enforcement.

From fccb0cc57f82f88235d3d10d58be4aff7762a483 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 30 Aug 2021 17:16:41 +0200
Subject: [PATCH 011/222] Add a longer max_age (15days)

---
 docs/faq.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/faq.rst b/docs/faq.rst
index 92b208de..b5627743 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -383,7 +383,7 @@ Mailu can serve an `MTA-STS policy`_; To configure it you will need to:
    location ^~ /.well-known/mta-sts.txt {
    return 200 "version: STSv1
    mode: enforce
-   max_age: 86401
+   max_age: 1296000
    mx: mailu.example.com\r\n";
    }
 

From fb34f5349348ebc22af08737a6ef641bd6a156a7 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 30 Aug 2021 17:18:19 +0200
Subject: [PATCH 012/222] Do operations in the right (safe) order

---
 docs/faq.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/faq.rst b/docs/faq.rst
index b5627743..fb6f66df 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -374,7 +374,7 @@ How do I setup a MTA-STS policy?
 
 Mailu can serve an `MTA-STS policy`_; To configure it you will need to:
 
-1. setup the appropriate DNS/CNAME record (``mta-sts.example.com`` -> ``mailu.example.com``) and DNS/TXT record (``_mta-sts.example.com`` -> ``v=STSv1; id=1``) paying attention to the ``TTL`` as this is used by MTA-STS.
+1. add ``mta-sts.example.com`` to the ``HOSTNAMES`` configuration variable (and ensure that a valid SSL certificate is available for it)
 
 2. configure an override with the policy itself; for example, your ``overrides/nginx/mta-sts.conf`` could read:
 
@@ -387,7 +387,7 @@ Mailu can serve an `MTA-STS policy`_; To configure it you will need to:
    mx: mailu.example.com\r\n";
    }
 
-3. add ``mta-sts.example.com`` to the ``HOSTNAMES`` configuration variable (and ensure that a valid SSL certificate is available for it)
+3. setup the appropriate DNS/CNAME record (``mta-sts.example.com`` -> ``mailu.example.com``) and DNS/TXT record (``_mta-sts.example.com`` -> ``v=STSv1; id=1``) paying attention to the ``TTL`` as this is used by MTA-STS.
 
 *issue reference:* `1798`_.
 

From d607ba0ef2b345a44f9f95cd227a73f0a63f9489 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 30 Aug 2021 17:52:31 +0200
Subject: [PATCH 013/222] Clarify that a restart may be required

---
 docs/faq.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/faq.rst b/docs/faq.rst
index fb6f66df..43fb8606 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -374,7 +374,7 @@ How do I setup a MTA-STS policy?
 
 Mailu can serve an `MTA-STS policy`_; To configure it you will need to:
 
-1. add ``mta-sts.example.com`` to the ``HOSTNAMES`` configuration variable (and ensure that a valid SSL certificate is available for it)
+1. add ``mta-sts.example.com`` to the ``HOSTNAMES`` configuration variable (and ensure that a valid SSL certificate is available for it; this may mean restarting your smtp container)
 
 2. configure an override with the policy itself; for example, your ``overrides/nginx/mta-sts.conf`` could read:
 

From a1da4daa4c30668d98325cebd640ae3cf2f5fc97 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Tue, 31 Aug 2021 20:24:06 +0200
Subject: [PATCH 014/222] Implement the DANE-only lookup policyd

https://github.com/Snawoot/postfix-mta-sts-resolver/issues/67 for
context
---
 core/admin/mailu/internal/views/postfix.py |  3 +++
 core/admin/mailu/utils.py                  | 24 +++++++++++++++++++++-
 core/postfix/conf/main.cf                  |  2 +-
 core/postfix/start.py                      |  1 +
 4 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/internal/views/postfix.py b/core/admin/mailu/internal/views/postfix.py
index 2e7d0b9b..330fed5b 100644
--- a/core/admin/mailu/internal/views/postfix.py
+++ b/core/admin/mailu/internal/views/postfix.py
@@ -7,6 +7,9 @@ import idna
 import re
 import srslib
 
+@internal.route("/postfix/dane/<domain_name>")
+def postfix_dane_map(domain_name):
+    return flask.jsonify('dane-only') if utils.has_dane_record(domain_name) else flask.abort(404)
 
 @internal.route("/postfix/domain/<domain_name>")
 def postfix_mailbox_domain(domain_name):
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 02150754..914638fa 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -6,6 +6,9 @@ try:
 except ImportError:
     import pickle
 
+import dns
+import dns.resolver
+
 import hmac
 import secrets
 import time
@@ -25,7 +28,6 @@ from itsdangerous.encoding import want_bytes
 from werkzeug.datastructures import CallbackDict
 from werkzeug.contrib import fixers
 
-
 # Login configuration
 login = flask_login.LoginManager()
 login.login_view = "ui.login"
@@ -37,6 +39,26 @@ def handle_needs_login():
         flask.url_for('ui.login', next=flask.request.endpoint)
     )
 
+# DNS stub configured to do DNSSEC enabled queries
+resolver = dns.resolver.Resolver()
+resolver.use_edns(0, 0, 1500)
+resolver.flags = dns.flags.AD | dns.flags.RD
+
+def has_dane_record(domain, timeout=5):
+    try:
+        result = resolver.query(f'_25._tcp.{domain}', dns.rdatatype.TLSA,dns.rdataclass.IN, lifetime=timeout)
+        if (result.response.flags & dns.flags.AD) == dns.flags.AD:
+            for record in result:
+                if isinstance(record, dns.rdtypes.ANY.TLSA.TLSA):
+                    record.validate()
+                    if record.usage in [2,3]: # postfix wants DANE-only
+                        return True
+    except dns.resolver.NoNameservers:
+        # this could be an attack / a failed DNSSEC lookup
+        return True
+    except:
+        pass
+
 # Rate limiter
 limiter = limiter.LimitWraperFactory()
 
diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index ae54326d..16fdfa6e 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -60,7 +60,7 @@ smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
 smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
 smtp_tls_dane_insecure_mx_policy = {% if DEFER_ON_TLS_ERROR == 'false' %}may{% else %}dane{% endif %}
-smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, socketmap:unix:/tmp/mta-sts.socket:postfix
+smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, ${podop}dane, socketmap:unix:/tmp/mta-sts.socket:postfix
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
 smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
diff --git a/core/postfix/start.py b/core/postfix/start.py
index 69855e29..03dca93c 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -21,6 +21,7 @@ def start_podop():
     run_server(0, "postfix", "/tmp/podop.socket", [
 		("transport", "url", url + "transport/§"),
 		("alias", "url", url + "alias/§"),
+                ("dane", "url", url + "dane/§"),
 		("domain", "url", url + "domain/§"),
         ("mailbox", "url", url + "mailbox/§"),
         ("recipientmap", "url", url + "recipient/map/§"),

From 9f66e2672b3c646570fba1f644f1b35e44ebaeec Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Tue, 31 Aug 2021 20:44:57 +0200
Subject: [PATCH 015/222] Use DEFER_ON_TLS_ERROR here too

We just don't know whether the lookup failed because we are under attack
or whether it's a glitch; the safe behaviour is to defer
---
 core/admin/mailu/configuration.py | 1 +
 core/admin/mailu/utils.py         | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 7cd3a56b..4c48fcc4 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -35,6 +35,7 @@ DEFAULT_CONFIG = {
     'WILDCARD_SENDERS': '',
     'TLS_FLAVOR': 'cert',
     'INBOUND_TLS_ENFORCE': False,
+    'DEFER_ON_TLS_ERROR': True,
     'AUTH_RATELIMIT': '1000/minute;10000/hour',
     'AUTH_RATELIMIT_SUBNET': False,
     'DISABLE_STATISTICS': False,
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 914638fa..2313a1e6 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -54,8 +54,10 @@ def has_dane_record(domain, timeout=5):
                     if record.usage in [2,3]: # postfix wants DANE-only
                         return True
     except dns.resolver.NoNameservers:
-        # this could be an attack / a failed DNSSEC lookup
-        return True
+        # If the DNSSEC data is invalid and the DNS resolver is DNSSEC enabled
+        # we will receive this non-specific exception. The safe behaviour is to
+        # accept to defer the email.
+        return app.config['DEFER_ON_TLS_ERROR']
     except:
         pass
 

From 489520f0673a25482294cb5b1b7d6bb28a3b8dd1 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 1 Sep 2021 08:41:39 +0200
Subject: [PATCH 016/222] forgot about alpine/lmdb

---
 core/postfix/conf/main.cf | 2 +-
 core/postfix/start.py     | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 16fdfa6e..6152388c 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -60,7 +60,7 @@ smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
 smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
 smtp_tls_dane_insecure_mx_policy = {% if DEFER_ON_TLS_ERROR == 'false' %}may{% else %}dane{% endif %}
-smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, ${podop}dane, socketmap:unix:/tmp/mta-sts.socket:postfix
+smtp_tls_policy_maps=lmdb:/etc/postfix/tls_policy.map, ${podop}dane, socketmap:unix:/tmp/mta-sts.socket:postfix
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
 smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
diff --git a/core/postfix/start.py b/core/postfix/start.py
index 03dca93c..8aa279ef 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -20,7 +20,7 @@ def start_podop():
     # TODO: Remove verbosity setting from Podop?
     run_server(0, "postfix", "/tmp/podop.socket", [
 		("transport", "url", url + "transport/§"),
-		("alias", "url", url + "alias/§"),
+                ("alias", "url", url + "alias/§"),
                 ("dane", "url", url + "dane/§"),
 		("domain", "url", url + "domain/§"),
         ("mailbox", "url", url + "mailbox/§"),
@@ -79,7 +79,7 @@ if os.path.exists("/overrides/mta-sts-daemon.yml"):
     shutil.copyfile("/overrides/mta-sts-daemon.yml", "/etc/mta-sts-daemon.yml")
 conf.jinja("/etc/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
 
-if not os.path.exists("/etc/postfix/tls_policy.map.db"):
+if not os.path.exists("/etc/postfix/tls_policy.map.lmdb"):
     with open("/etc/postfix/tls_policy.map", "w") as f:
         for domain in ['example.com']:
             f.write(f'{domain}\tsecure\n')

From 92cc664e82f3f40f9a247093d440c3b75ff768d8 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 1 Sep 2021 08:41:59 +0200
Subject: [PATCH 017/222] Cosmetic change

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8c7d1640..4c19ad78 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ Main features include:
 - **Web access**, multiple Webmails and administration interface
 - **User features**, aliases, auto-reply, auto-forward, fetched accounts
 - **Admin features**, global admins, announcements, per-domain delegation, quotas
-- **Security**, enforced TLS, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner
+- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner
 - **Antispam**, auto-learn, greylisting, DMARC and SPF
 - **Freedom**, all FOSS components, no tracker included
 

From c1d94bb72563430d151916de0e3d9e31708348fe Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 1 Sep 2021 09:01:04 +0200
Subject: [PATCH 018/222] Ensure that postfix will be able to use the TLSA
 records

see https://www.huque.com/dane/testsite/ for the testcases
---
 core/admin/mailu/utils.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 2313a1e6..66cf0476 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -44,14 +44,14 @@ resolver = dns.resolver.Resolver()
 resolver.use_edns(0, 0, 1500)
 resolver.flags = dns.flags.AD | dns.flags.RD
 
-def has_dane_record(domain, timeout=5):
+def has_dane_record(domain, timeout=10):
     try:
         result = resolver.query(f'_25._tcp.{domain}', dns.rdatatype.TLSA,dns.rdataclass.IN, lifetime=timeout)
         if (result.response.flags & dns.flags.AD) == dns.flags.AD:
             for record in result:
                 if isinstance(record, dns.rdtypes.ANY.TLSA.TLSA):
                     record.validate()
-                    if record.usage in [2,3]: # postfix wants DANE-only
+                    if record.usage in [2,3] and record.selector in [0,1] and record.mtype in [0,1,2]:
                         return True
     except dns.resolver.NoNameservers:
         # If the DNSSEC data is invalid and the DNS resolver is DNSSEC enabled

From 4abf49edf429e2ebb594a002c9f5e922a6e824e7 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 1 Sep 2021 09:15:13 +0200
Subject: [PATCH 019/222] indent

---
 core/postfix/start.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/core/postfix/start.py b/core/postfix/start.py
index 8aa279ef..19c23c19 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -19,10 +19,10 @@ def start_podop():
     url = "http://" + os.environ["ADMIN_ADDRESS"] + "/internal/postfix/"
     # TODO: Remove verbosity setting from Podop?
     run_server(0, "postfix", "/tmp/podop.socket", [
-		("transport", "url", url + "transport/§"),
-                ("alias", "url", url + "alias/§"),
-                ("dane", "url", url + "dane/§"),
-		("domain", "url", url + "domain/§"),
+        ("transport", "url", url + "transport/§"),
+        ("alias", "url", url + "alias/§"),
+        ("dane", "url", url + "dane/§"),
+        ("domain", "url", url + "domain/§"),
         ("mailbox", "url", url + "mailbox/§"),
         ("recipientmap", "url", url + "recipient/map/§"),
         ("sendermap", "url", url + "sender/map/§"),

From fe186afb6f319fb6cc9dc5f903db7fa4a7414532 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 1 Sep 2021 18:52:35 +0200
Subject: [PATCH 020/222] Revert "Switch to openssl to workaround alpine
 #12763"

This reverts commit f8362d04e4d46c44ab07beffb77cdd041af193c0.
---
 core/admin/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index 97cf1736..f10d3251 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -24,9 +24,9 @@ RUN mkdir -p /app
 WORKDIR /app
 
 COPY requirements-prod.txt requirements.txt
-RUN apk add --no-cache openssl curl postgresql-libs mariadb-connector-c \
+RUN apk add --no-cache libressl curl postgresql-libs mariadb-connector-c \
   && apk add --no-cache --virtual build-dep \
-  openssl-dev libffi-dev python3-dev build-base postgresql-dev mariadb-connector-c-dev cargo \
+  libressl-dev libffi-dev python3-dev build-base postgresql-dev mariadb-connector-c-dev cargo \
   && pip3 install -r requirements.txt \
   && apk del --no-cache build-dep
 

From 0c4455ccf5e453f5dc2e1810601696d7b4707f01 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 1 Sep 2021 18:53:20 +0200
Subject: [PATCH 021/222] Revert "Rollback to alpine 1.12"

This reverts commit e1ddbb6eec85cde7a6efed13f66e887c56334a80.
---
 optional/unbound/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/optional/unbound/Dockerfile b/optional/unbound/Dockerfile
index abb45420..2b472d44 100644
--- a/optional/unbound/Dockerfile
+++ b/optional/unbound/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.12
+ARG DISTRO=alpine:3.14
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \

From d7c2b510c7321cfa79989f6817f16e63e88946de Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 1 Sep 2021 18:56:44 +0200
Subject: [PATCH 022/222] Give alpine 3.14.2 a shot

---
 core/admin/Dockerfile          | 2 +-
 core/dovecot/Dockerfile        | 2 +-
 core/nginx/Dockerfile          | 2 +-
 core/none/Dockerfile           | 2 +-
 core/postfix/Dockerfile        | 2 +-
 core/rspamd/Dockerfile         | 2 +-
 optional/clamav/Dockerfile     | 2 +-
 optional/fetchmail/Dockerfile  | 2 +-
 optional/postgresql/Dockerfile | 2 +-
 optional/radicale/Dockerfile   | 2 +-
 optional/unbound/Dockerfile    | 2 +-
 setup/Dockerfile               | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index f10d3251..4b991269 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -1,5 +1,5 @@
 # First stage to build assets
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 ARG ARCH=""
 FROM ${ARCH}node:8 as assets
 COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
diff --git a/core/dovecot/Dockerfile b/core/dovecot/Dockerfile
index 22145bde..49fcb866 100644
--- a/core/dovecot/Dockerfile
+++ b/core/dovecot/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO as builder
 WORKDIR /tmp
 RUN apk add git build-base automake autoconf libtool dovecot-dev xapian-core-dev icu-dev
diff --git a/core/nginx/Dockerfile b/core/nginx/Dockerfile
index 1906ed31..3837e64b 100644
--- a/core/nginx/Dockerfile
+++ b/core/nginx/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \
diff --git a/core/none/Dockerfile b/core/none/Dockerfile
index 51b8d1c5..bae5e8a3 100644
--- a/core/none/Dockerfile
+++ b/core/none/Dockerfile
@@ -1,6 +1,6 @@
 # This is an idle image to dynamically replace any component if disabled.
 
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 
 CMD sleep 1000000d
diff --git a/core/postfix/Dockerfile b/core/postfix/Dockerfile
index 062155c1..652404e8 100644
--- a/core/postfix/Dockerfile
+++ b/core/postfix/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \
diff --git a/core/rspamd/Dockerfile b/core/rspamd/Dockerfile
index 6706ef14..0b3b94f7 100644
--- a/core/rspamd/Dockerfile
+++ b/core/rspamd/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \
diff --git a/optional/clamav/Dockerfile b/optional/clamav/Dockerfile
index 20cebcdc..efad01ad 100644
--- a/optional/clamav/Dockerfile
+++ b/optional/clamav/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \
diff --git a/optional/fetchmail/Dockerfile b/optional/fetchmail/Dockerfile
index 506e409a..d3397a22 100644
--- a/optional/fetchmail/Dockerfile
+++ b/optional/fetchmail/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 
 # python3 shared with most images
diff --git a/optional/postgresql/Dockerfile b/optional/postgresql/Dockerfile
index 0f5034da..ab197b62 100644
--- a/optional/postgresql/Dockerfile
+++ b/optional/postgresql/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \
diff --git a/optional/radicale/Dockerfile b/optional/radicale/Dockerfile
index 13761164..21c1d437 100644
--- a/optional/radicale/Dockerfile
+++ b/optional/radicale/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 
 # python3 shared with most images
diff --git a/optional/unbound/Dockerfile b/optional/unbound/Dockerfile
index 2b472d44..da979496 100644
--- a/optional/unbound/Dockerfile
+++ b/optional/unbound/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \
diff --git a/setup/Dockerfile b/setup/Dockerfile
index 5775ab6b..e0f685ee 100644
--- a/setup/Dockerfile
+++ b/setup/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 
 RUN mkdir -p /app

From 9fac3d7ad3895c1e03016dd3eadbff186c875711 Mon Sep 17 00:00:00 2001
From: Diman0 <diman@huisman.xyz>
Date: Thu, 2 Sep 2021 13:36:42 +0200
Subject: [PATCH 023/222] Initial implementation for standalone sso page

---
 core/admin/Dockerfile                        |  1 +
 core/admin/mailu/__init__.py                 |  4 +-
 core/admin/mailu/sso/__init__.py             |  6 +++
 core/admin/mailu/sso/forms.py                | 14 ++++++
 core/admin/mailu/sso/templates/base_sso.html | 51 ++++++++++++++++++++
 core/admin/mailu/sso/templates/form_sso.html |  7 +++
 core/admin/mailu/sso/templates/login.html    |  9 ++++
 core/admin/mailu/sso/views/__init__.py       |  3 ++
 core/admin/mailu/sso/views/base.py           | 30 ++++++++++++
 core/admin/mailu/sso/views/hello.py          |  6 +++
 core/admin/mailu/ui/forms.py                 |  4 +-
 core/admin/mailu/ui/templates/login.html     |  9 ----
 core/admin/mailu/ui/views/base.py            |  3 +-
 core/admin/mailu/utils.py                    |  4 +-
 14 files changed, 135 insertions(+), 16 deletions(-)
 create mode 100644 core/admin/mailu/sso/__init__.py
 create mode 100644 core/admin/mailu/sso/forms.py
 create mode 100644 core/admin/mailu/sso/templates/base_sso.html
 create mode 100644 core/admin/mailu/sso/templates/form_sso.html
 create mode 100644 core/admin/mailu/sso/templates/login.html
 create mode 100644 core/admin/mailu/sso/views/__init__.py
 create mode 100644 core/admin/mailu/sso/views/base.py
 create mode 100644 core/admin/mailu/sso/views/hello.py
 delete mode 100644 core/admin/mailu/ui/templates/login.html

diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index 97cf1736..2406bb5c 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -31,6 +31,7 @@ RUN apk add --no-cache openssl curl postgresql-libs mariadb-connector-c \
   && apk del --no-cache build-dep
 
 COPY --from=assets static ./mailu/ui/static
+COPY --from=assets static ./mailu/sso/static
 COPY mailu ./mailu
 COPY migrations ./migrations
 COPY start.py /start.py
diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py
index 8ab8ed0e..f80533fe 100644
--- a/core/admin/mailu/__init__.py
+++ b/core/admin/mailu/__init__.py
@@ -48,10 +48,10 @@ def create_app_from_config(config):
         )
 
     # Import views
-    from mailu import ui, internal
+    from mailu import ui, internal, sso
     app.register_blueprint(ui.ui, url_prefix='/ui')
     app.register_blueprint(internal.internal, url_prefix='/internal')
-
+    app.register_blueprint(sso.sso, url_prefix='/sso')
     return app
 
 
diff --git a/core/admin/mailu/sso/__init__.py b/core/admin/mailu/sso/__init__.py
new file mode 100644
index 00000000..2d3c6d84
--- /dev/null
+++ b/core/admin/mailu/sso/__init__.py
@@ -0,0 +1,6 @@
+from flask import Blueprint
+
+
+sso = Blueprint('sso', __name__, static_folder='static', template_folder='templates')
+
+from mailu.sso.views import *
diff --git a/core/admin/mailu/sso/forms.py b/core/admin/mailu/sso/forms.py
new file mode 100644
index 00000000..a81667a2
--- /dev/null
+++ b/core/admin/mailu/sso/forms.py
@@ -0,0 +1,14 @@
+from wtforms import validators, fields, widgets
+from wtforms_components import fields as fields_
+from flask_babel import lazy_gettext as _
+
+import flask_login
+import flask_wtf
+import re
+
+class LoginForm(flask_wtf.FlaskForm):
+    class Meta:
+        csrf = False
+    email = fields.StringField(_('E-mail'), [validators.Email()])
+    pw = fields.PasswordField(_('Password'), [validators.DataRequired()])
+    submit = fields.SubmitField(_('Sign in'))
diff --git a/core/admin/mailu/sso/templates/base_sso.html b/core/admin/mailu/sso/templates/base_sso.html
new file mode 100644
index 00000000..a95cb23b
--- /dev/null
+++ b/core/admin/mailu/sso/templates/base_sso.html
@@ -0,0 +1,51 @@
+{% import "macros.html" as macros %}
+{% import "bootstrap/utils.html" as utils %}
+<!doctype html>
+<html>
+  <head>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <link rel="stylesheet" href="{{ url_for('.static', filename='vendor.css') }}">
+    <link rel="stylesheet" href="{{ url_for('.static', filename='app.css') }}">
+    <title>Mailu-login - {{ config["SITENAME"] }}</title>
+  </head>
+  <body class="hold-transition skin-blue sidebar-mini">
+    <div class="wrapper">
+      <header class="main-header">
+        <div class="logo">
+          <a href="#" class="sidebar-toggle" data-toggle="push-menu" role="button">
+            <span class="sr-only">Toggle navigation</span>
+          </a>
+
+          <a>
+            <span class="logo-lg"></span>
+          </a>
+        </div>
+      </header>
+
+      <div class="content-wrapper">
+        <section class="content-header">
+          <div class="pull-right">
+            {% block main_action %}
+            {% endblock %}
+          </div>
+          <h1>
+            {% block title %}{% endblock %}
+            <small>{% block subtitle %}{% endblock %}</small>
+          </h1>
+        </section>
+
+        <section class="content">
+          {{ utils.flashed_messages(container=False) }}
+          {% block content %}{% endblock %}
+        </section>
+      </div>
+      <footer class="main-footer">
+        Built with <i class="fa fa-heart"></i> using <a class="white-text" href="http://flask.pocoo.org/">Flask</a> and
+        <a class="white-text" href="https://almsaeedstudio.com/preview">AdminLTE</a>
+        <span class="pull-right"><i class="fa fa-code-fork"></i> on <a class="white-text" href="https://github.com/Mailu/Mailu">Github</a></a></span>
+      </footer>
+    </div>
+    <script src="{{ url_for('static', filename='vendor.js') }}"></script>
+    <script src="{{ url_for('static', filename='app.js') }}"></script>
+  </body>
+</html>
diff --git a/core/admin/mailu/sso/templates/form_sso.html b/core/admin/mailu/sso/templates/form_sso.html
new file mode 100644
index 00000000..fcabad41
--- /dev/null
+++ b/core/admin/mailu/sso/templates/form_sso.html
@@ -0,0 +1,7 @@
+{% extends "base_sso.html" %}
+
+{% block content %}
+{% call macros.box() %}
+{{ macros.form(form) }}
+{% endcall %}
+{% endblock %}
diff --git a/core/admin/mailu/sso/templates/login.html b/core/admin/mailu/sso/templates/login.html
new file mode 100644
index 00000000..851e6643
--- /dev/null
+++ b/core/admin/mailu/sso/templates/login.html
@@ -0,0 +1,9 @@
+{% extends "form_sso.html" %}
+
+{% block title %}
+{% trans %}Sign in{% endtrans %}
+{% endblock %}
+
+{% block subtitle %}
+{% trans %}to access IF statement for switch text for loggin in what the administration tools{% endtrans %}
+{% endblock %}
diff --git a/core/admin/mailu/sso/views/__init__.py b/core/admin/mailu/sso/views/__init__.py
new file mode 100644
index 00000000..38efde4c
--- /dev/null
+++ b/core/admin/mailu/sso/views/__init__.py
@@ -0,0 +1,3 @@
+__all__ = [
+    'base', 'hello'
+]
diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
new file mode 100644
index 00000000..dd6f60c9
--- /dev/null
+++ b/core/admin/mailu/sso/views/base.py
@@ -0,0 +1,30 @@
+from mailu import models
+from mailu.sso import sso, forms
+
+from flask import current_app as app
+import flask
+import flask_login
+
+@sso.route('/login', methods=['GET', 'POST'])
+def login():
+    form = forms.LoginForm()
+    if form.validate_on_submit():
+        user = models.User.login(form.email.data, form.pw.data)
+        if user:
+            flask.session.regenerate()
+            flask_login.login_user(user)
+            endpoint = flask.request.args.get('next', 'ui.index')
+            return flask.redirect(flask.url_for(endpoint)
+                or flask.url_for('ui.index'))
+        else:
+            flask.flash('Wrong e-mail or password', 'error')
+    return flask.render_template('login.html', form=form)
+
+"""
+@ui.route('/logout', methods=['GET'])
+@access.authenticated
+def logout():
+    flask_login.logout_user()
+    flask.session.destroy()
+    return flask.redirect(flask.url_for('.index'))
+"""
\ No newline at end of file
diff --git a/core/admin/mailu/sso/views/hello.py b/core/admin/mailu/sso/views/hello.py
new file mode 100644
index 00000000..2e9b5e35
--- /dev/null
+++ b/core/admin/mailu/sso/views/hello.py
@@ -0,0 +1,6 @@
+from mailu.sso import sso
+from flask import current_app as app
+
+@sso.route("/")
+def hello_world():
+    return "<p>Hello, World!</p>"
diff --git a/core/admin/mailu/ui/forms.py b/core/admin/mailu/ui/forms.py
index 32bb31ab..dff7008e 100644
--- a/core/admin/mailu/ui/forms.py
+++ b/core/admin/mailu/ui/forms.py
@@ -44,14 +44,14 @@ class MultipleEmailAddressesVerify(object):
 class ConfirmationForm(flask_wtf.FlaskForm):
     submit = fields.SubmitField(_('Confirm'))
 
-
+"""
 class LoginForm(flask_wtf.FlaskForm):
     class Meta:
         csrf = False
     email = fields.StringField(_('E-mail'), [validators.Email()])
     pw = fields.PasswordField(_('Password'), [validators.DataRequired()])
     submit = fields.SubmitField(_('Sign in'))
-
+"""
 
 class DomainForm(flask_wtf.FlaskForm):
     name = fields.StringField(_('Domain name'), [validators.DataRequired()])
diff --git a/core/admin/mailu/ui/templates/login.html b/core/admin/mailu/ui/templates/login.html
deleted file mode 100644
index 26c47c08..00000000
--- a/core/admin/mailu/ui/templates/login.html
+++ /dev/null
@@ -1,9 +0,0 @@
-{% extends "form.html" %}
-
-{% block title %}
-{% trans %}Sign in{% endtrans %}
-{% endblock %}
-
-{% block subtitle %}
-{% trans %}to access the administration tools{% endtrans %}
-{% endblock %}
diff --git a/core/admin/mailu/ui/views/base.py b/core/admin/mailu/ui/views/base.py
index eb5490bc..fc9daba6 100644
--- a/core/admin/mailu/ui/views/base.py
+++ b/core/admin/mailu/ui/views/base.py
@@ -12,6 +12,7 @@ def index():
     return flask.redirect(flask.url_for('.user_settings'))
 
 
+""" 
 @ui.route('/login', methods=['GET', 'POST'])
 def login():
     form = forms.LoginForm()
@@ -26,7 +27,7 @@ def login():
         else:
             flask.flash('Wrong e-mail or password', 'error')
     return flask.render_template('login.html', form=form)
-
+"""
 
 @ui.route('/logout', methods=['GET'])
 @access.authenticated
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 02150754..c30f259e 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -28,13 +28,13 @@ from werkzeug.contrib import fixers
 
 # Login configuration
 login = flask_login.LoginManager()
-login.login_view = "ui.login"
+login.login_view = "sso.login"
 
 @login.unauthorized_handler
 def handle_needs_login():
     """ redirect unauthorized requests to login page """
     return flask.redirect(
-        flask.url_for('ui.login', next=flask.request.endpoint)
+        flask.url_for('sso.login', next=flask.request.endpoint)
     )
 
 # Rate limiter

From 8868aec0dcd02101ea09396c5d064b046b75ea44 Mon Sep 17 00:00:00 2001
From: Diman0 <diman@huisman.xyz>
Date: Thu, 2 Sep 2021 17:08:50 +0200
Subject: [PATCH 024/222] Merge master. Make sso login working for admin.

---
 core/admin/mailu/configuration.py             |  1 +
 core/admin/mailu/sso/forms.py                 |  2 +
 core/admin/mailu/sso/templates/base_sso.html  | 61 +++++++++++--------
 core/admin/mailu/sso/templates/form_sso.html  |  2 +-
 core/admin/mailu/sso/templates/login.html     |  6 +-
 .../mailu/sso/templates/sidebar_sso.html      | 60 ++++++++++++++++++
 core/admin/mailu/sso/views/base.py            | 15 ++---
 core/admin/mailu/ui/templates/sidebar.html    |  2 +-
 core/nginx/conf/nginx.conf                    |  8 ++-
 9 files changed, 115 insertions(+), 42 deletions(-)
 create mode 100644 core/admin/mailu/sso/templates/sidebar_sso.html

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 7cd3a56b..025a173c 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -51,6 +51,7 @@ DEFAULT_CONFIG = {
     # Web settings
     'SITENAME': 'Mailu',
     'WEBSITE': 'https://mailu.io',
+    'ADMIN' : 'none',
     'WEB_ADMIN': '/admin',
     'WEB_WEBMAIL': '/webmail',
     'WEBMAIL': 'none',
diff --git a/core/admin/mailu/sso/forms.py b/core/admin/mailu/sso/forms.py
index a81667a2..bc2b5363 100644
--- a/core/admin/mailu/sso/forms.py
+++ b/core/admin/mailu/sso/forms.py
@@ -6,6 +6,8 @@ import flask_login
 import flask_wtf
 import re
 
+LOCALPART_REGEX = "^[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+)*$"
+
 class LoginForm(flask_wtf.FlaskForm):
     class Meta:
         csrf = False
diff --git a/core/admin/mailu/sso/templates/base_sso.html b/core/admin/mailu/sso/templates/base_sso.html
index a95cb23b..0edd692c 100644
--- a/core/admin/mailu/sso/templates/base_sso.html
+++ b/core/admin/mailu/sso/templates/base_sso.html
@@ -6,46 +6,53 @@
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <link rel="stylesheet" href="{{ url_for('.static', filename='vendor.css') }}">
     <link rel="stylesheet" href="{{ url_for('.static', filename='app.css') }}">
-    <title>Mailu-login - {{ config["SITENAME"] }}</title>
+    <title>Mailu - {{ config["SITENAME"] }}</title>
   </head>
-  <body class="hold-transition skin-blue sidebar-mini">
+  <body class="hold-transition sidebar-mini layout-fixed">
     <div class="wrapper">
-      <header class="main-header">
-        <div class="logo">
-          <a href="#" class="sidebar-toggle" data-toggle="push-menu" role="button">
-            <span class="sr-only">Toggle navigation</span>
-          </a>
-
-          <a>
-            <span class="logo-lg"></span>
-          </a>
-        </div>
-      </header>
-
+      <nav class="main-header navbar navbar-expand navbar-white navbar-light">
+        <ul class="navbar-nav">
+          <li class="nav-item">
+            <a class="nav-link" data-widget="pushmenu" href="#" role="button"><i class="fas fa-bars"></i></a>
+          </li>
+        </ul>
+      </nav>
+      <aside class="main-sidebar sidebar-dark-primary">
+        <a class="brand-link">
+         <span class="brand-text font-weight-light">{{ config["SITENAME"] }}</span>
+        </a>
+        {% block sidebar %}
+        {% include "sidebar_sso.html" %}
+        {% endblock %}
+      </aside>
       <div class="content-wrapper">
         <section class="content-header">
-          <div class="pull-right">
-            {% block main_action %}
-            {% endblock %}
+          <div class="container-fluid">
+            <div class="row mb-2">
+              <div class="col-sm-6">
+                <h1 class="m-0">{% block title %}{% endblock %}</h1>
+                <small>{% block subtitle %}{% endblock %}</small>
+              </div>
+              <div class="col-sm-6">
+                {% block main_action %}
+                {% endblock %}
+              </div>
+            </div>
           </div>
-          <h1>
-            {% block title %}{% endblock %}
-            <small>{% block subtitle %}{% endblock %}</small>
-          </h1>
         </section>
 
-        <section class="content">
+        <div class="content">
           {{ utils.flashed_messages(container=False) }}
           {% block content %}{% endblock %}
-        </section>
+        </div>
       </div>
       <footer class="main-footer">
         Built with <i class="fa fa-heart"></i> using <a class="white-text" href="http://flask.pocoo.org/">Flask</a> and
-        <a class="white-text" href="https://almsaeedstudio.com/preview">AdminLTE</a>
-        <span class="pull-right"><i class="fa fa-code-fork"></i> on <a class="white-text" href="https://github.com/Mailu/Mailu">Github</a></a></span>
+        <a class="white-text" href="https://adminlte.io/themes/v3/index3.html">AdminLTE</a>
+        <span class="pull-right"><i class="fa fa-code-fork"></i>on <a class="white-text" href="https://github.com/Mailu/Mailu">Github</a></a></span>
       </footer>
     </div>
-    <script src="{{ url_for('static', filename='vendor.js') }}"></script>
-    <script src="{{ url_for('static', filename='app.js') }}"></script>
+    <script src="{{ url_for('.static', filename='vendor.js') }}"></script>
+    <script src="{{ url_for('.static', filename='app.js') }}"></script>
   </body>
 </html>
diff --git a/core/admin/mailu/sso/templates/form_sso.html b/core/admin/mailu/sso/templates/form_sso.html
index fcabad41..d28b82bf 100644
--- a/core/admin/mailu/sso/templates/form_sso.html
+++ b/core/admin/mailu/sso/templates/form_sso.html
@@ -1,7 +1,7 @@
 {% extends "base_sso.html" %}
 
 {% block content %}
-{% call macros.box() %}
+{% call macros.card() %}
 {{ macros.form(form) }}
 {% endcall %}
 {% endblock %}
diff --git a/core/admin/mailu/sso/templates/login.html b/core/admin/mailu/sso/templates/login.html
index 851e6643..81d83a46 100644
--- a/core/admin/mailu/sso/templates/login.html
+++ b/core/admin/mailu/sso/templates/login.html
@@ -5,5 +5,9 @@
 {% endblock %}
 
 {% block subtitle %}
-{% trans %}to access IF statement for switch text for loggin in what the administration tools{% endtrans %}
+{% if endpoint == 'ui.index' %}
+{% trans %}to access the configuration page{% endtrans %}
+{% elif endpoint == 'ui.webmail' %}
+{% trans %}to access the webmail page{% endtrans %}
+{% endif %}
 {% endblock %}
diff --git a/core/admin/mailu/sso/templates/sidebar_sso.html b/core/admin/mailu/sso/templates/sidebar_sso.html
new file mode 100644
index 00000000..6e919731
--- /dev/null
+++ b/core/admin/mailu/sso/templates/sidebar_sso.html
@@ -0,0 +1,60 @@
+<div class="sidebar">
+
+
+  <nav class="mt-2">
+    <ul class="nav nav-pills nav-sidebar flex-column" role="menu">
+      {% if config['ADMIN'] %} 
+      <li class="nav-item">
+        <a href="{{ url_for('ui.client') }}" class="nav-link">
+          <i class="nav-icon fa fa-laptop"></i>
+          <p class="text">{% trans %}Client setup{% endtrans %}</p>
+        </a>
+      </li>
+      <li class="nav-item">
+        <a href="https://mailu.io" target="_blank" class="nav-link">
+          <i class="nav-icon fa fa-life-ring"></i>
+          <p class="text">{% trans %}Help{% endtrans %}</p>
+        </a>
+      </li>
+      {% endif %}
+      {% if False %}
+      <!-- Domain self-registration is only available when
+           - Admin is available
+           - Domain Self-registration is enabled 
+           - The current user is not logged on
+      -->
+      {% endif %}
+      {% if config['DOMAIN_REGISTRATION'] %}
+      {% if not current_user.is_authenticated %}
+      {% if config['ADMIN'] %} 
+      <li class="nav-item">
+        <a href="{{ url_for('ui.domain_signup') }}" class="nav-link">
+          <i class="nav-icon fa fa-plus-square"></i>
+          <p class="text">{% trans %}Register a domain{% endtrans %}</p>
+        </a>
+      </li>
+      {% endif %}
+      {% endif %}
+      {% endif %}
+      {% if False %}
+      <!-- User self-registration is only available when
+           - Admin is available
+           - Self-registration is enabled 
+           - The current user is not logged on
+      -->
+      {% endif %}
+      {% if not current_user.is_authenticated %}
+      {% if signup_domains %}
+      {% if config['ADMIN'] %} 
+      <li class="nav-item">
+        <a href="{{ url_for('ui.user_signup') }}" class="nav-link">
+          <i class="nav-icon fa fa-user-plus"></i>
+          <p class="text">{% trans %}Sign up{% endtrans %}</p>
+        </a>
+      </li>
+      {% endif %}
+      {% endif %}
+      {% endif %}  
+    </ul>
+  </nav>
+</div>
diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index dd6f60c9..702b1582 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -1,5 +1,6 @@
 from mailu import models
 from mailu.sso import sso, forms
+from mailu.ui import access
 
 from flask import current_app as app
 import flask
@@ -8,23 +9,15 @@ import flask_login
 @sso.route('/login', methods=['GET', 'POST'])
 def login():
     form = forms.LoginForm()
+    endpoint = flask.request.args.get('next', 'ui.index')
     if form.validate_on_submit():
         user = models.User.login(form.email.data, form.pw.data)
         if user:
             flask.session.regenerate()
             flask_login.login_user(user)
-            endpoint = flask.request.args.get('next', 'ui.index')
             return flask.redirect(flask.url_for(endpoint)
                 or flask.url_for('ui.index'))
         else:
             flask.flash('Wrong e-mail or password', 'error')
-    return flask.render_template('login.html', form=form)
-
-"""
-@ui.route('/logout', methods=['GET'])
-@access.authenticated
-def logout():
-    flask_login.logout_user()
-    flask.session.destroy()
-    return flask.redirect(flask.url_for('.index'))
-"""
\ No newline at end of file
+    return flask.render_template('login.html', form=form, endpoint=endpoint)
+    
\ No newline at end of file
diff --git a/core/admin/mailu/ui/templates/sidebar.html b/core/admin/mailu/ui/templates/sidebar.html
index 0fdae9db..0938f8ac 100644
--- a/core/admin/mailu/ui/templates/sidebar.html
+++ b/core/admin/mailu/ui/templates/sidebar.html
@@ -125,7 +125,7 @@
       </li>
       {% else %}
       <li class="nav-item">
-        <a href="{{ url_for('.login') }}" class="nav-link">
+        <a href="{{ url_for('sso.login') }}" class="nav-link">
           <i class="nav-icon fas fa-sign-in-alt"></i>
           <p class="text">{% trans %}Sign in{% endtrans %}</p>
         </a>
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 9ce12980..ac5aabe2 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -117,6 +117,12 @@ http {
       include /overrides/*.conf;
 
       # Actual logic
+      location /sso {
+        include /etc/nginx/proxy.conf;
+        proxy_set_header   Host $host;
+        proxy_pass http://$admin/sso;
+      }
+
       {% if WEB_WEBMAIL != '/' and WEBROOT_REDIRECT != 'none' %}
       location / {
       {% if WEBROOT_REDIRECT %}
@@ -158,7 +164,7 @@ http {
       }
 
       location @webmail_login {
-        return 302 {{ WEB_ADMIN }}/ui/login?next=ui.webmail;
+        return 302 {{ WEB_ADMIN }}/sso/login?next=ui.webmail;
       }
       {% else %}
       }

From 960033525d4075b5f6c91da50b4b2e2b0a0e2303 Mon Sep 17 00:00:00 2001
From: Diman0 <diman@huisman.xyz>
Date: Thu, 2 Sep 2021 18:02:20 +0200
Subject: [PATCH 025/222] configure sso in nginx

---
 core/admin/mailu/sso/__init__.py       |  1 -
 core/admin/mailu/sso/views/__init__.py |  2 +-
 core/admin/mailu/sso/views/hello.py    |  6 ------
 core/admin/mailu/ui/forms.py           |  9 ---------
 core/admin/mailu/ui/views/base.py      | 18 ------------------
 core/nginx/conf/nginx.conf             | 10 ++++++++--
 6 files changed, 9 insertions(+), 37 deletions(-)
 delete mode 100644 core/admin/mailu/sso/views/hello.py

diff --git a/core/admin/mailu/sso/__init__.py b/core/admin/mailu/sso/__init__.py
index 2d3c6d84..fcdc9cd0 100644
--- a/core/admin/mailu/sso/__init__.py
+++ b/core/admin/mailu/sso/__init__.py
@@ -1,6 +1,5 @@
 from flask import Blueprint
 
-
 sso = Blueprint('sso', __name__, static_folder='static', template_folder='templates')
 
 from mailu.sso.views import *
diff --git a/core/admin/mailu/sso/views/__init__.py b/core/admin/mailu/sso/views/__init__.py
index 38efde4c..990c7919 100644
--- a/core/admin/mailu/sso/views/__init__.py
+++ b/core/admin/mailu/sso/views/__init__.py
@@ -1,3 +1,3 @@
 __all__ = [
-    'base', 'hello'
+    'base'
 ]
diff --git a/core/admin/mailu/sso/views/hello.py b/core/admin/mailu/sso/views/hello.py
deleted file mode 100644
index 2e9b5e35..00000000
--- a/core/admin/mailu/sso/views/hello.py
+++ /dev/null
@@ -1,6 +0,0 @@
-from mailu.sso import sso
-from flask import current_app as app
-
-@sso.route("/")
-def hello_world():
-    return "<p>Hello, World!</p>"
diff --git a/core/admin/mailu/ui/forms.py b/core/admin/mailu/ui/forms.py
index dff7008e..640408e3 100644
--- a/core/admin/mailu/ui/forms.py
+++ b/core/admin/mailu/ui/forms.py
@@ -44,15 +44,6 @@ class MultipleEmailAddressesVerify(object):
 class ConfirmationForm(flask_wtf.FlaskForm):
     submit = fields.SubmitField(_('Confirm'))
 
-"""
-class LoginForm(flask_wtf.FlaskForm):
-    class Meta:
-        csrf = False
-    email = fields.StringField(_('E-mail'), [validators.Email()])
-    pw = fields.PasswordField(_('Password'), [validators.DataRequired()])
-    submit = fields.SubmitField(_('Sign in'))
-"""
-
 class DomainForm(flask_wtf.FlaskForm):
     name = fields.StringField(_('Domain name'), [validators.DataRequired()])
     max_users = fields_.IntegerField(_('Maximum user count'), [validators.NumberRange(min=-1)], default=10)
diff --git a/core/admin/mailu/ui/views/base.py b/core/admin/mailu/ui/views/base.py
index fc9daba6..278176fa 100644
--- a/core/admin/mailu/ui/views/base.py
+++ b/core/admin/mailu/ui/views/base.py
@@ -11,24 +11,6 @@ import flask_login
 def index():
     return flask.redirect(flask.url_for('.user_settings'))
 
-
-""" 
-@ui.route('/login', methods=['GET', 'POST'])
-def login():
-    form = forms.LoginForm()
-    if form.validate_on_submit():
-        user = models.User.login(form.email.data, form.pw.data)
-        if user:
-            flask.session.regenerate()
-            flask_login.login_user(user)
-            endpoint = flask.request.args.get('next', '.index')
-            return flask.redirect(flask.url_for(endpoint)
-                or flask.url_for('.index'))
-        else:
-            flask.flash('Wrong e-mail or password', 'error')
-    return flask.render_template('login.html', form=form)
-"""
-
 @ui.route('/logout', methods=['GET'])
 @access.authenticated
 def logout():
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index ac5aabe2..d428b0d0 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -117,10 +117,16 @@ http {
       include /overrides/*.conf;
 
       # Actual logic
-      location /sso {
+      location ^~ /sso {
         include /etc/nginx/proxy.conf;
         proxy_set_header   Host $host;
-        proxy_pass http://$admin/sso;
+        proxy_pass http://$admin;
+      }
+      location ^~ {{ WEB_ADMIN }}/sso {
+        include /etc/nginx/proxy.conf;
+        rewrite ^{{ WEB_ADMIN }}/(.*)$ /$1 break;
+        proxy_set_header   Host $host;
+        proxy_pass http://$admin;
       }
 
       {% if WEB_WEBMAIL != '/' and WEBROOT_REDIRECT != 'none' %}

From 39d7a5c504e93f1f6940f7fb2e42256681970ee6 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 2 Sep 2021 20:46:08 +0200
Subject: [PATCH 026/222] pngcrushed images

---
 core/nginx/static/android-chrome-192x192.png | Bin 6274 -> 4993 bytes
 core/nginx/static/android-chrome-512x512.png | Bin 18169 -> 15628 bytes
 core/nginx/static/apple-touch-icon.png       | Bin 5802 -> 4662 bytes
 core/nginx/static/favicon-16x16.png          | Bin 978 -> 924 bytes
 core/nginx/static/favicon-32x32.png          | Bin 1523 -> 1483 bytes
 core/nginx/static/mstile-150x150.png         | Bin 4788 -> 3897 bytes
 6 files changed, 0 insertions(+), 0 deletions(-)

diff --git a/core/nginx/static/android-chrome-192x192.png b/core/nginx/static/android-chrome-192x192.png
index 86231db9042b8cf7191d469d5c1c39c164ba9514..75665d8c2e5be997b14c00a099033bee75f9a94b 100644
GIT binary patch
delta 4723
zcmV-(5{&JFF@YzLgntquNkl<Zc-rlq2apw27KU4b2q-~BL`)<>Q52N|#K>xy*M#fp
z3c6UkYd{HGt1H%;%Uv<+mH~A^L`4}SN>D)%RFoM6QD8uV7#PyL$$4JyIj_%5&-2Zj
zmpa_;{%_TXRw?iGyZ!&&=iYnnxtfNSd7GKfG$#%wx)3K2XMYn{5F?4P#KXjs#B0R=
z;=upy3F0B*ZeoOd#!#XUakzX(^T>Cip*bvarkRMahlqTnh<h^e5wVWgLF^?;h-#vi
z2orjegyrv4%V+E%w##QPCf*<(6oZ^abSK)%wP`R1nw5fYNgOF+A5FYWd`4^|ibbfp
zOVr3UY$cWxFMkoYiz$vETEGx!sfwPTqMaq|_&f1Fv4JRZS?tMDE7!W7c!wB6oJkx;
z8~`(*H70s~QXWeTm#63&q9DbvMOFAWgote7dEy%4XpAEudVbO$Mf{O?lh{I3`atlB
zs30~Hlf>}d>c<Xffr#nb6BiIKNN5uT(Z_>-`**~%#D6fN9mWj)ecJaV?jn}Sz)=TL
z@VH?Kafi$*;jQ2U;qwg6K;mf$acUs+q-K_KWj$hm^da=*G2tIXoJUL{c0<%@vx|70
zI9K`<`cgc;ZzaN?M&v`lmXR-gdY<$##t90BI=uMv7KCrR5qQOWQ2insnybR+g`IxH
zi;^w?k$*Zvp3EHe!Qz^G;SMK;-6LrL5T!c{Y&=*VFDvH=iyRU^$DmgdD<oMAVssb2
z2cHs`5(mNr_CED{Nvc92gr^)KNww&Xw}Cy=nm0*;R~TYbIxJdCTwgz1gqHDB|2RoO
z#_FwiD3nx_WAHXeU;Lb{cro!cp8B4B8+;*oSAR&WNb#xPPG)#8wds%5WS%KH1aE`n
z#NSg^9V;OoU!`DAmOU3RK@;NV)!bDOjBi6Cp1K|k6U2(2m(_2Sjo%Q9zu6)iaj+vz
z#NV3u2Xc4<#Xc$f65tF|L;M}2R!%uY5jaYT$Lj~j0Tln?Qr`yY48h)#`HEDm2$cAF
zBY*Y`kCYh!_U}M@OKL9#Vy1_u!e(M|3;bq=D68HCzB7U;eomBHgc}ZmV**qB{KIDB
zMuP<S%ml^{=_)@AVGl^=P4JFC2F8Z?50&Z+5I;zzzUid;LR}sfe_Pokf!Q9A&Q7z5
zvQX+t@pGky`y~+yHx#5pnN;ZZPz4IJT7Sczv2_txREp(BZw!jf8J`P@pK<emMR1bj
zIqI9hxWK+d4sIH-m{n2~L22=KB4*)c0h^dE<?WTt>3<Xzn1RhRLle~6OJK(R!;#Yu
z9NJ58xf<gEQ~W1L%^ut!-~>5pj0X(y^O?DC<E8+IdEMPbGV|$w8+LR7mlnxJxqlZ5
z8DD&=Y;wj80dBB~ILUbfn4!;f+yvk<Q=AQj%+Ti+gg!t4N;KoFXNN)|<BNI_>(Kc?
z5msw;g?Jqhe{(5if{q6&ZK8QZv-P;9=<<bm=yaeMoP2qPeW8%?!EG?`1q$<~J=NyS
zr~g$N4ypj^QlJ@UN?80BFg~y&@qZCI87R&?&C+s<=F|TMOnU;4Op9J^wE_6){|P!5
zc!c@Zyal44{@C0Oyh3UHTOcD7nCEpN_6J^Lu9W4;`00Oz#8v22;3c>s$wleE1<V7g
z-$!Qxk1|y=>Qkj{fFT-=Dh1x<SK_qP4PX|xdJ3HgJkF!3he75+78}ulz<=X#)^fMx
z4PXv_N1?<C@Bw@dSqh~U&7(`_p!0xF;E9}8sTkl441R&n2E+Xm8^8>I?n9>mpD`|R
z7-akpoI|k`9R_^HqQoo1h5-f<`(3@*ET9DbG60A4r^h#dLgCMVC58HJYfAOM0oNF@
zx<qd`H{>@HjEx@#nOhzgxqtoipYUCoj^=L5E3egiE-LWbn_zbQEt7@;PLdHb3;+Z8
z(EvM$-mwOVE_PJ|1EBfT09C~Gv0;#z`!mV)i-ZAS0DE~Mo&h>Zg)JBW&Cdq-oaoS)
z0S3B0{RsoW0M1N@p3;~BZq-yc(H#bW0qlj(8T*rI05ksouM!ss1Ao8(_Vc7U4lw?O
zmx!0a0B8X*z+$cbOaa3HJvHMrZWsV92nN`!)t6H@3@}V;slWheK`=lOF|?rp{;C-@
z)?om&AQ*rrdqy@iz(i#(4hDb$oZ+!L1MpU{8884^zzi^rXu$?Jl=vD3Kns`wmJ{tY
z$&T9^Gy~Lzb-lDE9Dkuq{;4tzuQ3b*Siz>qOc4EXHnBHo24EpQvawtr@@bKN<}z<E
zlz4Vag<eq$16aVWNcs=`ajmA(!50pOK-)`e^{c-u)(=p9YvPQ2y#@8nE!idduJT%h
zK-R!VeO<-|xKpVDSPqW?_Ed!RQ8^`gix1SjSqII^*T=3a)qe}B!WaWsn-g>k8{iRT
z)&N`@1cyji<JOhwt!629lc+Bao*mL3+)y3~*)RyUd@W!C8{k#dZn_(@Kqb{-{UH)s
z+u0#y`k~|8kp9e;az|qR02+XKmJN^v0~n2k_RQvTz5Se!yEmS``|$Z8{k82CdUe>9
zt_X?&-qa*B4u1xaRz)UY;dP$xk_qTLk6uuqzxPvRWU3bH0Jbuh4e$jF5W7ae0z7Jg
z!vdi1I(~71z96p(3t`T%lnsy#1H?9d_%0+N_Hs%D^d0>_DbzpPSB;fm=lD{S+-Mje
zPWx<cwSMx)h4u=8KARWhazZsog>aTtFhCNGg*li6YJZCu=rb=|QLJw)s!{4U2gCs1
z!vIOP4J6PDNT^l{;sAnIqIZ<mD))N>Vt~ysKsu=t7W~fUALQ#JS38&500RWb05y{7
zX-8whvT&Pc@EZ@Dm9LLpTdL>Vl-j^X{kE`19RsLarajk}2H0O2j(o-sCH6dB_tEFG
zfLnf$`hRb0GdmQywql!BxQtM(NPl@-g%Sqf9IGQgEQm}grvtBvw70KJdk!05y&nzG
z@1sI}*k?r%LD<oXNWk~gb+(=rO8R%Tn-kKX$Sv2)ZF)Op(_noN4c0kCQ^ElBcaK?E
zps(0ht#2x-jSTctWpi<@K4x91t<#{Z{Ahp^d4KA1hB3XEoo|l`c#{eX`jAAa6ZGE>
zn-_|RvdX5Ae|dxHS~kEdiWq=DBQL{o&SRU(?FxlfYRVMEvcmvb<^t2Qz4k0HRnonE
zd25B<X<i%?WEmmA+dJ(^ZQzgma9357Sbb-JjkXzJ0UKbRuMHrd*?Vz8L@0Iy9~{w4
zBY%Oj(4%e?{d*4*z}#Q$`Cc~E^hQ!PV1T4~pA9h8_Xd#9WuZ*}$-XBs3%&cog8Da4
zKe~ob_t^91;W6~9B=XLUym?@Nq<Mu6@N^&yAfL^GnY7KmG~*>C_!DUWe)^I^eYH(v
z4^G>Ds)@917$7Oak=j7?$304vMR&pg@_+d(oTo`ZcCA729DHuEJ>ut$I}dzcW^CNa
zioe1P10<v-vK^TI7$IjT1;YRh=HnmOVBdVa9gVkc@|0krt(!1FQdAJb*#H+4g@H1F
zz(N{Ff(lisZ-U(w;Yd}8WH#@^07<crIFAi*D)Dm=4N$jId23Foo>!r+33is%>VLym
zmFUe<NV0<g62iv;^koBdCB6%)0qO*E9SQ751+y}9i);0ZR;HGK2LmL<8lp2B;1J^D
zARD0WdoLlO*)@1gr+rgU6R8H5>dl7%lH3nGGrx^G=L5TK0Qv5-NpLJYx7*5n)%t)X
z>Fq>=0g~dyhUWwP69zE9pM|&5#ecoIi}I@UK8w@eh6w{C#n^@hxJH?&P`3>r*T4e&
zXt%S~8F&~z^Oq|9*oB!14+cnT3iQ&31~^p?5QYI7Tn7u01?fb69?mD4yrWV-Vt(d1
z_%J|1ekJ-fG{9lRS{NYqTDr^+MTBYRdKqVwKDVVJQVP+E8w~>_gb#%2(0|YXEs6JF
zfX1(<0}1n`t@h*(l_$HWzzqX%C^jRrvhMsD3L0Pv(Y&DnnEPOW_}9ewLlbkYEmX_9
z$|gj1m08<|Rv3V{eR2T+PU;)Dv?wk3@A7BxXDMcY@#abKTD=J_A<AHYrt^pHw`f1_
z{&e>hJ7fU<g<M#Ge`_XKaet(f#Re!L&Nszx8sIqM2N)nh{tyZFuC<xv4_Q%J!fpeo
z)GRhYu6as)v;kVl>KF`=ME=mt*(G{j8u3tFZJ}m1_8|<=Br{~p8)E?Gei$G*Sisk$
zSk<krWQpCyreJ_385bS@N1Nbxa(EaFkfhMKuIHvCO0U>jUlayNmVW|bXsq~619WkH
zJ-|Z-sJmW1!gNg&m7Tf5G*_l@s>~n^(B%Aor=|?RiE%H%0I6T|DJ1X}zbU;^SF)s+
z!!<TxfVe!<c=!`N4!BlwC18LQue*1H(_QLLnd!E``2w>rK%?*!{}u5KV4C1q%{WFL
z21utAAPN4Rot65e?SGAzEP(-BGr&68{H4Wjh5?$nx<A0n253+N^k5fHnuG!3=Kmki
zv;nlJ^yqRJz?;ATF_aRQB^JMFfUd612EhO@fb|CWDzg7K1p_eufdOCupBUi5rU$=`
zo8U~TodN^E0PY$fv-0S>i8GQHziEIr#2hyaaQC{>NFgXr8h=Zbyz+1)<>2_m!8QQz
zG1!x4AF2fZhI`kSWmW;&$a72C0L)E9rPDXC^Zby0@+XCn10T|Xi_^B66$+&I>)`c=
z{u%V4GSF}6!rMgC>j$35xh}QvCpI-A+pV#Hq6e#agDfABem{H>KlLH`x4^xD7ZdOz
zT=9HNdQbmo6Mytp?j%V760<=zd1>i4GePcgbSUr`|H|y?9~}mrNNhu=0*}DCY`roQ
zf9zY}-{@H25gy3==^twXehX|x=Yrro{bSz(52J&D!i1&1m1eC0OcV4V)}y0=qVS;?
zM_Vuc=mGI)q8gnI6oWGs{$kJ5KiULbNOuW394N*Dvwz^NW~%|1%ZU&=9Vo(n;zE0$
z{?R5lka!s#4;10~*lKU~o1ibT5uFcQhBv$SbWZ%yq0p_a?HvZdsPuf3Goer8Cg3Ah
z-^GmpF7Z0i+IjIuo1h;;A>abv5`Ekge{?7`LUX&QE(j8Z#2?%VeHu3b@40+ImZEWk
zfZgd1Pk%Z)>yzADpc}CqHwf6w$HWn8h(Fc@XAwJalYmWZAqJ`?{#X;-g7E;b0Y2Q~
z1~uaT#H+-QBVi6$oapwTI&ptu6Lch|;l=@rm`t=&U;NRb&@spw1s1SSCRjA@G}8p9
zXl|c52E5E_*@~-q%K*_PI9F5Q0B+#Ly}d)cDS!T06Y$wgKjWr?B-!Cye!nv&;0^VB
z>dY?OT#$gDh^zb|{#X-?B=+JagC@j(wU*RbUfwhTAHa7ru?IIB1V{X_CK!$}0cgNZ
z5x?eN@yCWkS8Av?3XIC*7y0|iAAfe}d=%OWG~Y-9r4}6V$C}_YVg<wyIF=G82UGm9
zCV${v{aHi}gyDNQN%Cz;l?kx;V~xNS=bqM#Q@tS+e^M-&!W|*}#!bLG{BI+EfmnPw
z(=$ra<)QZkGepBQ<9K`QG4{tE-j&4J!J6sGd|c3-c!MZ|h&&62v#%iDPu~b_iQ9?o
z5R>QFDwP9UL-?78M7$AtE>Q(xd1CwGOn+hkLLO^FBAz)IPy7gxDgD$RUB7)1;<x2(
zaJtkZ#dN7!)0<O?{&?y;H#Xp^z}ZAC1n3&PaQP*19nl8DcRnmSN;A%cMKLbtr#3m<
z;S(9VBHVG;2+bs?<RxM^#A!RctM56@s0!W;!dJ%#Tr_DgF-0@ZjDlFLg&!`j5`Tk;
z77)I=VG&oVK1VYSPsoFCEqUVC3BM(T@2xiiuOB=s3uzcEr#86dLbOjwx;ljKVIwpr
zjwkLRRw1<_Vd}!?#5kfCVtoItAsi+pH>OH<BHju{AN(lwH~IYMLouu4|8WAR<eng_
zmJ4No7Y^7oCjaL7#GRUP)>cahKYy5JXe)Uu<3$j^__VZpwN&EZoT{<%n_ENlXbsJ9
zkQ8I(0$#5XYlx6XL#0}|_8dt`=7S9T%5Q||(Gr@02Y{VrZQ%~toA8xP3#yovS}AWY
z9_UY!H1feR?!jOdEn`FQY*Gi}B;xnPy|UK8XCUNCOkHl{+afHVT_)=rn^2^(!fP_a
zb-BE~I>@!+-k~`%#d?VBcp4%FfXB$@{&&S3IZ_^;%Rv?;7;J~-|Jg0`@SN=Tv7ELu
zk+@sFV~~7jJBU5A_J7Q!bkAkbyO@))7l8r@nUgdaJ`h%*GN}Ln002ovPDHLkV1ga5
ByypM_

delta 6014
zcmV-^7lG)3CxS7Mgnt(!Nkl<Zc-rlqd7NBTmB+uYx_YZh(&>aGkc6xdmOxhcL>>4j
zh$D;x3Q<Q9RD#IPprXhqiprp}34#cMD2vFbLC_IY6o(zfPB#e>vb6-VbcZb6>2!5h
zbydCj<5cBUI$hnhyjO3j^Zk74ldej4)qStd@7{CIJ@;G#rGI>u?*ym;8i6P<4mbc9
z3p8h*Hv^H(Yc+Y^DFy5V`ZE9S0=hCkZ_hlBW&S_K(s6EIx$iODZh&tPBL@f}hCC6N
z0?Y(v1Jg3kCjm`}5E_B{%-<Lke!tDkBMrn6qwfWF10BF7;7y<%_$RO#*oFur4WQyE
z3>82=EQ7BFCVwDCJ|CEyc}&f`9zhJ;4N{2FZ$m`!4`5a1u^t&Ul7I>#4=R9M#OOo7
zcwi3j4qypz6k_mE+%xt<Nh71hMnnjI1zrZ$0y_Xx#bBWV5Tg$x?#r>jiHPCP0><F~
zdt?ILzy{!X;Aun<ThMug@4wvAuzLE*z;VDSz`GDXzJJc`<~d9pnKwKO{1JE&*b1bp
zQ4G~10L!OuLVEhsfRhm4KIlfDj|8v|coO(6@ONaQT{Uxt;0wU&?Pmi21}p^@1Ebt-
zn#brtT%+Z{6UZDQ@S{R-1t5lB3oHOWhV=L|$sdDPgcLGgcocXTcoi53st|%F05SXq
zWFq@%#DBk^=ytPwN(b;e-~l9>)E_h<1VaFpe_s#06Zj0`?limIw1BV+cpSI~nKZ|N
zK+F^TF96HcSpu97d;m3kr`QEN2HXj>07<`#z`p_z!#98<feV2DKvrfI=jjA~jtF5b
zK3-h&p8za(XCmU`pN}kBDV4=ULa28kbA-16-+#G9{t|!~e?4$Aa0N2a4ZGc}Dklj%
z2iySs2}t-!1pW|!)$1Pud>;4&lBS?|hc4iL;1*=1*%zaM_XS{uH9rhoiDY7Wzunb|
z39JOZjjSWYy)FXp8j{uP&p-_SEOhnOFYE^H18zk2EqHb`@TLH)9airHz6l)T*|sYA
zFn@uUfUf~h;nB1TZyA-<>yJS~n^&NrO~2EDOpxzJ@{K$-8hA$lmhsO9z5#rM>dn#&
z8gXRZ;2I>!&NCwLh5#(%KMwI5m$=;|#db_&L(Ufw*T@qhaDRKBwIl0HWI;uZKbROu
z2loIH(W}Yn_*`w2d&muF1TF!tLUVYkg?}ALaN|d~oMGyo0L1vm0$)J{(BN8I6gP+g
zw<2o>J#LA>9RY~(Pt08WC((3<Y9#^u1o$ej-3<{`UI1eJQ;;R|Gw{MZL~)Z85+S-0
z*ivZ`R89cagl9T%GjMuEKVR`OCh!Pw8B(sLViBUs7@%eRGl3rh@2|+`Dt^Kh5q~%@
z0L%C%19t!)bo?_FKeL<)il9>d_d&q-k;)8;G8|_hi=hWp;=`O3fb{<3kZ8{tsL!vA
zjDc)#y$%@T^kSKF0+5DBfv*E+qsFfkP6#*$36C~9DFSB%U{z|k9NDw0p-!b(!pH*Y
zML^go5!i2-R<(w+fG;6?con4-8h?>YfsX<>Ap(2d603plLss~vICyiE>fsIGQ@}HT
zt&t%oT$96r@1Vx7*vAaudZZ|Vt=K03>HWte5uZhsxi3l;u>`mlXtL84vPS?`PXFb=
zsTIF9O0}>QxELGv5|l3ht05oS+c-sWhA>hW>J-41NpX1suo`d#67SayEq{vBj7Rp2
z+cF=p!vz|JELa@n;!RPii$%bfv0;&{bOBf&d=`@CpeU8(OyJ`{S*}pIBftXS3+Q%6
zrSdc)3$0~&9;FFD6gLVPhHQ_`DoTMIh7?aL*%c~Y0M-Y67|rch+{d!R5=2m{3p5M(
z9P0Wg?h{4a@M)#|ad85$ihtH#2+VW)$`vKUV&q^%qu5cPZ~<6v{7xjlUs1e*0W3p=
zP?RfFtP2!Da<nJ8eZ`70h$+CO6zP^1CICxO|B4(#swiIMgTQ-$f=7X3Mu28ycaEOY
zqIi`iBp+>bp?@&404yb)3>@$F6)MUIoB*6u=r0#K0yG2XqG3<P`+r0cTOD198#KHC
z_U-+TbNk8^r9iAvU<45qG6IZ2N>u3PcEvA55SxvT^o#igU@7O_z`NYOB1I{Zca!y6
zh8YD$8UY%RMXwQ+q$nO^4Dbo0K2=^u62L;TaaBd}A147v5BCd03&1LFwG=(4SMe_g
zA?Hx!b%TZ*0j8m=zJH4UIgMdzRP8SSODXRK4t2Zric%(rBNO5wM}d4JKqHb@p(Rcf
zzf*^l>=`nQpHBdDk+f$;2?EC<+b8#9Ujgh}+*T*QN>Dfmaq0JSgN7ObMk4}Hlpyhb
zhFH%U>VWDaf%&dB)pYgKl`O$J(`OMfA#TZi(Gq|)G@OW>>wo1M3!7_L(i~PDxJWEz
z^4Qh^b`J#RTbO{P^S7{k=iW0029E#{vLPe4FyWL*wfy(oMpv6r?R561d0|JA-3c>D
zBf)!sJAwY}3xnqXv(Rb}N^n^K9Gv@t2*7fGjsYgR-AYAqh{<FRZ^_tv?g(HYY0tX&
zr395);9qiI$bS{UI3)X1QG(23U~KkDt^j6b9*PoV4h5!XpX3T)9y!WTlz`GqPD%Ap
zPVWCg^h9?h_=J&Y5G>!h*We@Q5l2e(Fb~Oi-Yb9u$?=O6CE&~?lkAxlz;rbJuT&2Q
zl35VT3g8ejLxQ4I0a0K!>??raWPB*f@PvRl*&pf=pMOYEs)-puID`xbIssOyje~(`
z7&&@=yxXm*G-(t1(~|3M;Qc)~xovE$G1OlzpGiPd7?}}|al18@rax_R)4DiMbPQnl
z#F`A?!&B<Ga8^C_x@1`{O~9lu68@~ZQ(q!A24_#JqqQr^qnii3Jp!2Gte!Q!j*m^P
zRpYmZQGdY1><Ca>=9~GF8IcfoEsWA!7vuho36dUFK|>8(Fsq(xj%cK*)+fW2_h|qo
zgb`n;YWtK4^#(T`9ib^4;*R!y;%T>Al!FPQ!UkWM)4-SJ)Dx*u<F}CzFgYuLs=l*h
zYYo12WCKmL1~;tjr#Iz+p}>UZI)kf^XyBq*4S(wP*iQ(U5TXhrKtmA?8+`e&1`$Ho
za5pSu!o&uH>yK{a(%EYK4l*u85l2b}o%#@5GP{8r=QT2+!6gxxaBw8VZSx~6n_f@2
zs>f!>X;uLYqBaD}rq^@({0LJcp~{NDggK)_+_fmeN2k^iQsZ};Q6Z#yu98E@fR9YA
z<A3f&5e^wuArY7`Z)^?sERJ%@q^b<cxj|!yDqI9B1OqsEQZ4r`j&gKUjk6*!;hp2d
z{A6*I<Hv`~e?O&A44qz$!0`u!`ROrH-Z4Jxj0jA4-=tdZT^wQ2SglA?VMeO}3SiOL
z8tz>j;iO5mwu-<2PM=cC-HRd|K3a|61%GN)00nZy=o;=`6yfwKwYDsp)EIE~v^wrs
z5Mg>mzXrDm<eg8MQr*~YW<)~Vu^__P)9T79pH~-x3uo1H%lrrjHrW3ayb(*YYIn-^
z_bnN-%!h+53*?Ned%)zTb^R=xQP1qCy#{t*Lx`K_MHo|Sa94YrqN<0R5D6Pxet$?k
zR~^>CC<lW4t9w#h_DYPUQ|dT+jQeg?*no)*p^`(o2CzG6((O!{_B~-B?%wTjj>onP
z@Y2pCw=alrgw6i-_&S5@<~Gt4Hn@3RoW67cUycc5Y7M?}cmtQsuBX9)yq=b>6c@L}
z_}k7TOQ(1sx^2SbNQj>u8)ZUW2!FGL?!3k@_(6L=x2|`@OcP<C*X{e{1f~H`btXBt
zCB|*@BP?#VR|KQOV$5S|4X%B?pPqqX>gbzrK)u1Y<~DNf^m<2TUe9b#a!Ff^Roy8J
z!#l}cwFVp-4Kb+<S8qanW-Z44i%NyaIV>P>81UkbB+FLx^7Qtk?Qh>$V}Ee@Aq`xA
zR3qc-^Q2CgFu5_rt@9&%c82}NZvu~Z46v-FmsQ;<?^wRw7wHVULqLz)*XJk(tn5m0
z-ilrx@34R4OI--gn_17T^CL`d9JFd|!mLpt?pzq*;|JTH+K@Kk7n>5C-x_1Xo^&vc
z-&yvAfL(64!f^~(*OTV_)_)kk*p#3Um%SKj3^?=PI__K;VP-V6H+nI*sfHgfigM~f
z_JmGzNt$ra8*wgei?J!D#$O^k!@%2ax1u5#uql@2(zY182TabHVQ;3T0i1eJEzxk4
zOWR^J*1(+$qa0)N+yfw<hTAvv^R3nW5*<<FF9j3W9tJvrGyz=`*nbBD-j17maaA8Z
zNt26aH(+-d{=^Ak9$pfqJ_K_{*>C*4Nt5f>_H)y^IK4?V{xV1dTf@LsAVoC@0KkxS
zf~#Nar#or##Y63n$2%2&?;0?<W_2HTw#Q}brW$`aB!SKl;sW)#-I|JG$V%~d*YxwX
z*ZS!4!CAQ5;wGP48Gqvk8{*#Dx9nf`0NX=A2SJYn<sqJi+cw0xVpSiVaqo)Yt-drD
zw|TpAg%9ZgIzq@Cpv&#nxJA;0do$6LH)G!GTG#GLbKZ&=%Qq+RUh90#E?`Fp849+#
z-5NJBfnRP)a6xN~wR^miMAp`wVp&Tse{f*^LSYlon-#!6-G6S4>lpAv#{i#ciP6^W
zz6hS*kz`p*FVAmJ>SWg$HUhB_(gC)+-5O6|z_Z&khPT81)QLj*L+1eJw!~=N70}cM
zZ?FNZ(C1oU!0i@!0s~rir8u`G#*^DBdrM5<ku3w9-x_00j~c&&#1Wg{D}Z*Ycp|(X
z2CV5xao&m;kAG|#uswBRC{iZew=u!RtuZ$CYHEYS>_l9ky#m+-Y;n6)p2C2Qy=g9L
z?dASAoee)G(s28RIG<k`qoZGqzXEImHiIRAZeWeut@0cOboR>v)ZPD#J0gPql*ujY
z`?>nHK6WKMmfBG6Rz~NyG?vP1WY)g2TOtR5HsGUfw|~rY7|@k4x$4zE_9RU%JH)<P
zojpmD@2u(Pd+Yk?^H^#_IAkzyYz<@U3_>NIAd)ssrbR-8y;tIHC6fL_n5E-j`A!f4
z^r6S4?oTFv=$cIS<(F;P&$}~W^7Yky#qTSw5aa3$9y~T$_WUPg$i^WL(F?Q!uyh=`
zo8ng^^M8QZZnw~rWb%h@T-(p?q{%mrY-DVShgEd+r@8XgK7RIQ0{2%O@?LIG&m-7O
zCIkxmW`J%*d?RHT;wJpCJ<jDTV|12~mG(v~%|&f79`vyB2b`7UWIp5yAP)T1?bi8$
zqzMmfOmI<ajEzO)53TNzt(m{xJfL|!?(qUSYkyuMfTiQI&tF1PBa{(H1Haxfz<Db&
zi&i7BqASI+mKcBP)YJwS=?4A=?6vv9@r+l=@sE_@F@YyL2UxZuMr&7o5j?v+$vG{(
zytG4&-(}VUujjrnSOD9QAwnq>1764&_;Z6wujH02S=ptj4Ibb*U`Or?g9Ts$e<q;S
z;(r{&fLFRwEL+jb6P@B-rcFt){%mWE^;)vT3-keh8T_Ip0Baubci;`TTkAVArB^Ok
z5##4?CHV2iIG41=*sLW>yuv!fwsUQrp^D?a1v~>B=5~vHhXHTK(p=CQBMt1)k|kc^
z8D#tKKJ4oPi89i_?+J3rL?<z%n(-bjS%2asVu($fxxGK+FNN|VnjEJDhgZplKL?Rd
z09z5oC`u4`oIDi}_ZNUQMEr(9AtOa`h4Ng<ZNTpU2D?8n^dvY-8}K}ETBWadPs(Il
z+$3!lpNeQ;uyY_yvdVJ}x(7_&j+>-PxQAY%#xRCIdtqdr23F<!&!OK|(xU;+0)Ku?
zg%8u7P;bcDStWjVDHAsIrioW#FQZ49(imcVoq^Bo9}L*mZ<dsJhy-#z3H%Zmas<e)
zD-ppYWcXNI@e42ai>vksjNc7Em(st>7lBiO9YYyE4DSMgRE_&3ZU~^-4Y*wN{-uHc
zVT5^X{>^=sVje+O(G<l`tN|Va$bZ-SLt!P+*8{(D`)U-WNPbQMDLsV<zyuyd%O@)S
zVGSaHVS9fVNdVR#uSWbSMezd<A)d>Kj64E}2u$Dsw1%kSebyiX7_s+<;*LdHjkrRJ
z;#ExGJ__vpp-=%>qriPgVv(YFkv6iObOF6T6n`*YJ8&0rz?h<Vi3IRNWPd+P!4xh4
zOHmIan+p`hOZ=H(QXcYAN|np)!1vH{>WX*RNr^UDoB%9k{Sg@n6vYcX2>c&VRPPU^
zi~#Zh3E)-+)mTv!7gz~=9~das_@TVh;a>-CME4FW?$Ha}KpDl{N)v#kv|j*^x_uXv
zs^wu|IZ(9glcl_*S=lo%7k^2XJKXKNp;Q&CfR6xcN;Q5c&jrfz58yhqsIF2ub_3U9
zL*<h41hB6w^b>-$4@vPRCh#NR*FedxPZpa_yCM#J7kJji8>3VQe+F)%#Hi0;?AbVH
zZK6L8iOEiP=iVp*XFYHx@Uk7o4|a_JR%4z6u0iJmiv4s0UjtsY^M6h4a)EM1@DOkt
znlPu>M*>N8kgd5k_5NU|0IY^3ki`kzL8jQnLx=!u@%wYJR{$2ffd2xXa`wI`Rlx6o
zuL8U6HhyqI09GU41U?VE;@rJa0?yxoFCb_8I)XDJfF*)gfd51f-cyQa4R9IRv#TBG
z{lPgGD7V2+1E0e|6@M#%V<T`WQrgfl;|C`Nuy4cv7g2LZ>2Ib~37de+fhPe+jUSvA
zfOP>TvUGhVvZG8<hGG-aQI1&B&@P-8fOR3+3UgPG=d=!`s>vGvqYQDDms3=>hOnee
zgn%=ETYxDQ{d~o%yoCfyY)Nn{hRPSw77-Z8$ur*rW>&lnihq|_hfH|?NCkWTEbdg1
zx02^hK=yMU<w`pgw`oI+|2d$dJ%5(U%mD^tUFctcPwl+{N;UBp<oF`jj33+*z`hr}
z0{Aqtw=?Bhdz4C%L~?sRP4@6Qmy930a*&R=L<ay@0T%!fx0|Fm!X6}3_y%B?n}(mo
z8v=l=2pSQW=znTpvfE8kY~?LvugHTy!VAU^UJ?N0Mu<)Tz6~7fxi%`rVgfH9qx*BX
z5a}5X?-`dBA)1M#!G0VW85I8!Lk?EC4#^I7)!!cq?+GA_2qB6@3cdu)aJxxLQM4n5
z{}9mUHN(&1T>(I@OLPn}FE|;fb-P*0uq2S=$7_)|zkjD(p22uq0FdhvH3R1$OXkzu
zZk946?a1o>{YddD&$&E<@xB1ESfjxrB%$s!G+gQx_8@sYHzKipPxtz{_(uR)thvGI
zNZ$BD++5JBZc<2@lAD3w0WrTAeir`;0CL@;slc+#LyK`$4ih;z{T|?_z*fNX?#@v7
zQvg}4^ndEPz=gn4V4~a23OF4|$(y^8qjS@KH2f_77C;seLM^ZuNu@Xy@b9<cO|~JM
zRqh2^fTW)dKT9wK0J&~aJ+K5>KlpcGlG{!5IUT@n5W`=A1I4M_Bsc=d#TpS7AjMQa
zgoI9YvRoJ`#K(UOS;$&Nzzjc2Fa?lBgir&_Mt?+b1~3mzt;k0VS-koc@LMFV?`t1_
zB!Vq~EY=#rc%+2;8NhpxJ;~KRDx{GO=}#ehGG0K=-SuTur&y{(09mYgLLD+HychTY
zvbZ*(itdMrROWaYcmntn(%TOJRblv9s^tscA4?2TU=EUkeIl~3HW3KB-9(#70-eZ2
z_J1j)V&CgPA5c|BpG)-$AQwvv4ZtiU`R;fmtU41Iga2HmG?I_gj`Z};Xa0SI?Agv$
zYV^6N00v`;A%x5sW+N`rVx)S-w9M;X%SufkRrlUPPET*mJk}#VeV`|^rJ@2D2}=+)
zz-T1>Vis@&a40fDOa;awBSjs~j233*5nD%k_AX!xQh9qFQboBv^I8v(QiC5E6+o$2
zA=U_zsyzib2sjuSB_<<tiLpQvB8~=N6#4JFiDXvxAx7Sf95&L481|;jV>6O}(*^XR
s#$Gc254p}<e4r*{J(I8!fdY7(lQR=O5b{Dbl>h($07*qoM6N<$f+aoj&j0`b

diff --git a/core/nginx/static/android-chrome-512x512.png b/core/nginx/static/android-chrome-512x512.png
index f029c9fd484a7603a43cb63159b8d95fca06f95a..32a69b21675b748d731d9cd624c8624a412f35f3 100644
GIT binary patch
literal 15628
zcmZ{LXH=6-(CDTBK@d<7R8WJBUPOv0kkAxFdIxC&0#XgVCMY%p0clbM6lo$wkX{lS
zRf>T0rZlAsQUW2lPkjBpd+v{WJjduhv(t8Fc4v0>k)F<#{risY0|4yT)KD`301o{V
z4p5BH&!2$49q0$?q^zwBz}pxWiX8*=f3&@Zfi?g^X8|BY06+&J`~<*P5`cMI04_cQ
zfX6GnR$l@7z<5LJiW;EN|711f#X}=ZKAPI<Oj9sMHZGp2#kK$dE){92DH{b0FO4y!
zAKGZx`dzNIf<EadDp+Zze=0X+FuKY5#*G{8(O*9$4L%jPZ0~VH^wH($x5<Y~^p&w{
zdhg+pH`E!pTnt_<4>bl?cC7DZu3xgW4HwJ1My6Po_%FvRY+ZhK{ycHz3q?!xvc8ez
z{LslfY;DSNkKs<L(k6zf?dB2LtRXz!BIYJOsd#g4%KxQc<jZ_N=}qze?qE&KF9}r#
zmh$IA>N-h=(>^t7RAITak(ncb#<@3JT-PEfHA9#=Zuyd-%o)KU^U5lW(@vM-AXR)%
z^o>tB$Hx^NeJ*wN+14?|Gh3AcJ_DmwamO60L$o?$Z7fu2b@igXGhzj?5d|)}CiDIJ
znRfd(F#~&ZeZ}ienl!TTVi)CpR0Xk}*2chnn5~Ss&gRE@e~_1vCv0C}JQl*tQ1LY{
z^Tz{=cwT;{wnw-W#T<;weq6XrhcEAPZ9TzdX{DR8@~o7&%j+jf9T>k^Eyuh&lJ?}-
z;^EEms#8cr<V(Reo{q-u#(SPFy6<e_RcGebECY?k6VAZgCdr#A_YnT9CGp-43CE_s
zbF&5=MA21qU16wB*~_vuqd#i2YNc>SIdCk)dBJ(y+;CvA==~n<EuYg1SKVFrpac8p
z;GNQxV%dl8?Bv|gOycm-nB7JzzHZZXyIx!3y<P3&u_Dt*7KY{C_Sxw3ToAnA>%{vL
zpBY~rvz>T>KkMHrQWkZYSI{Hm{mB$(1P84-thd3PWXB&)cqu4ct3A=sGckPmRh=oB
znDk&t6UU$}?PD^S&{Q|WvlcoukSoOPrL4!Les5QZ7^BEg`*nMu<y8ObKo9!V){t$%
zwYXrnn@#Kva+j`DTSK(r<EwSUFQu;xQFi`}?noSY^T3ypr&gDdbDE9!dcd;={vQ^Q
zaqQFR^>6Q87RS6hv~amS&p<m{mDjk9sq*EI6Vs<H<Fi=kytUbAPiXHAcQG!H*(0`+
z2Cw=`OZ(hsd1BMTg3EhuA3XT9={lZET|dxy$K${=)oEPdXyZ(Y!>!|G3VyaZMXFwz
z9pZ=IORGW(T$Bsl>hmq_*a&O0?k#?Cj-P!L*JLwfy`Oz3E&O@P4Gn#+#G0m++=cz|
zEHmfG8YaDj$#Ufgan^cwEgl=&h5eEZv5;C3y1QvZQYFjxcQVFo$+_&r!U}KS`_WhA
z?<=xEvdfMx+D8X}%Hy7`X&gFxkvVlA{GxSMPi}gnU7BiW(Ga<_^FCzCjlXz?J%V@!
z6&CLq+?X(PIgM%$2tPQ|;`}CE9I-Sifkx?Z9m;81@d#;fd^LJ9QzQLzAV-`oQhn2W
z;cT!-cg5{hv>oAPK8I}B)~nvJersBzSoc)FQ^}3_<0p4avU-|W6!@<US0{VaAIcIG
zzNWkD@gn1x`^V@0Iq9%aZ1&N*v*V?|B1T3?%6EXeez+UOW2jGgGnFQ5?uOXeu4H%H
zF2Yt=iO97T_hfb<AQ#CY*EL~`o|GQi=^yS@Dj|ngcA@ht)QhPuk8RxFTO+yD$rZo1
z-Z2C}Npf1!yr0YNLoLF_xnG+uE-D&)04*g(hWdOuZ*zaV=Pq_r_AE|$Qo3%|%=Y2S
z{CerIs-<Nwc~fi0_s7vr2mLypyAIg0(;2I|Me*?JAy+PW9FlWDOT1n@sxVQkN&jN*
zLh)duc~lB@X~{lFNt2AlC;DkyI}bSf)4!&;Q83AxvNkDc;**#ezvx<5U!I%$^|-!$
zZJPMpC}AxsarKCt8Jc6X;-YouTXV!4eyqMx+EILX#}w^RRJ?&lJ{Fyme1!T|?EDwS
zCol6&c!|ANbe;-09+A^SbB$Jn5cwoR15ZJd)@LWiWKY%T&f-2IRa&h^{M+Qru04F|
zOt~jZS}{ray#L_CPfe=lXD%N3THOV47I%xfoHi-5cJ%Q!h~rEysN6+QAq0g_Mo)-w
zuOU)wU8BmaF&tys50Zx0J~Rt30Yk1s!?QG*8q>zuiyj29Xf4^*#I*Qj1VrxB?e%AD
zF<ygdZNUdydOmozt49|yA7m61E{&d$A2neT`R<D$$hu+bEvO<7Dyx$rn|j!^!o5DE
zOg+6m^pXdAsV2CIug0SCG*T~tmPT}?G`L~ATr2Sxboao;9a)mQw6uAnd;47;4y0fk
zUUzT#$EdzXQlj5)948|7k@B6#(~QC8W-Yw1$h9s*JVt(uk^H;%1XebewKlk&OTIse
zYt|j8&yWiyie@+bNA@KQ?18dl$WiorUPpmSzTA9@!p2sW=U#8M5Uk~H@^qT)^1~_^
zSK{5-m4jR2Yr*CpwNcpPp+d=3hj}4gn^=?UmV$_9B)q0zlczl7zpJ_x+-5`>7%?IU
z!40z4!W^@2ll$38p7w~F?SW+syZiKvZl)50i~M30L=TNRgY9R$Q6Y~PwNP34oei7*
zB^2GnBW~jeG`0|>6P@FCZ0X}1h`fbg_kX-|U8Fs5h8;~PMAbUBl*GEDU|ioSn^vNp
zURm-zD#r<wXJq-kEn{OGywK|I_2fG8JEvAlgO42uEXrtP-<`Zc#V5Op>P5Yjs-%gb
zdJB)E;KQcoq<4*htN>Eas8<BP6||@<^y4xN{b^L{gMX`a1Q4F@m?)a}zf&)4Jjw^u
z2x*-P{7J(%p52BSole8ETS`xrAGX|rKO8rDzcurqC!PbVUO@J=b0wEdUIyq7+(Sn1
zl_4zqIwssFc0C_?|3+ZHTGSX;LImxO{haGx$Cz1Hx}3Yd4Z5YpCut6uW<joYAHbof
zvlG3HyB!XiHehfv2(~h);(QOn!`eZtN*C8Uvd9F|u1nZHN$;z6=HMsnb6%ggR{VBG
zvZfkl+dDcg;K81dc@?7q4!xUQX|&s)n0CYMI}13*40GHBGS#=Q19gThvZn~m?)C}r
zGvO*ZO)OCdl@&5ZVR7dw<n2hE{J}toVrBDTHySwr7sO!5D-xdPdrknUHbp(fGrQ0j
zQHHjR%leW<Mqo|)h7|oyBM?Fu8Cv{|Vk!nWC?f06FdYE-A#yYi+-uRv4@g3KBlC8#
zBH?Qc6kBM$4oW<y!SpD+j>-QNQm@8?>eQkjt^!)p0{tY;BK725sCzTbYw|oN!1VJv
zo=i<tR@oS3tf$em?V$KYuo~Tkf*Dn&5iOI}M8stQ8mT9Z2LMup-MYV}f%Qp|nrc9R
z*23u>&HUO1f<W5O>fi^yeTM?W>@%rv?BI^P`l>WH%gc*B6y2HD69DesIM&V#>pRPf
zU$59RALjvgx|VuzUgg0Gdrxjvkp1IMIUeBI4<b}TMJvK%N7PFp^cDRSmKl)J%76eb
zSYRHA7kj*_KwZX_y4yN(uJR89K@zvMDO7gK6P7=#OIwZzcreQjUYLmJwpG?MXOVdZ
zAFaN6e)u{XaCk72W8B`S5uBL_{C+1-R|^8P)az-BBWmE`&Gm^dI)tm@jNoDVzM88+
zobZ?5D8WPQHl6AK#PxA#xv$Qeuq<k#9$sEw5zcFu5(nU6eGU$O7oL6Y2MuNZMUx$r
z%D`{R7ISOdlLb-lKBMR5f5AXUE>olEDHQCx8};Li{ACIP$V#4{oRGZ~)p+FP?8<EL
zxKp;0{8tz#5_*c!uu;KYNX4_)TsHB>L6CMe6on*<lNm}!SC#Qjp9hC|K(}A!&=+8`
zkJSrYxHdlHzzE)XM-xnEuyCwo8tu5$lLItBV9QUs;&_-JZPtMoA?HQUPpdHkAGH*U
z=FS25ov)O!r%#AUGU@ezpku*5ckVd)@Lj4-8H_I-TFz_R*hW>b>c2iQVdDKGf&n=6
z;2n9!k=x~DPci@VKiNSngUs5MBUsd`>H5m4<g3gALIADx1Lqg@91+S1MsI01w}$BG
z0BlmnQ`JD0$(TIa*i4|#Re)t{Ml4=KwRo;iT&I3$MS+&LBKE(u@1kJx?7$;FGgCue
z;3Pmdo3#G!Nd&PYvn!0YeCTp{W*7)uvk<LVRPco1w&(G@fl=`g7fw|zXcepn9P633
zHb8pB1X{|k%3IZPf-=m^%0k(*cs4M}>1|(-=*+?l8?svRbc^~%1%UcJsAo#{e6%ji
z{OHC?u2r8`84QFpb!gNPbYUs%V7a1AFnFV@3J(Yq(t~+~xYi7H$5-S!A-w7gL&4N(
z1lTqzQV>D}vc#r<NpACM9pMW#04UAL=G2+hc9SmA{?OdbNriZT#VRp`2%mbY7&X62
zB2uNkS{HiVfPp(%7RTScU-+}m#z<(-c^1zMI3x>a+~C;eRHCJk9d`*824GgaliEY!
z9Nmqx6CK>f8eRus0N%FWnsy166$+b_HviCy0H|s*j+H;ly#p_h(nhDJ(a#u=Q~?{V
z9H(WzN{D9!90y&e=MV29-QJP$1B}$$9{~8^kh-V>oE5>Jgex}||1bemrf|*kDo}*k
z%RHi0wB7s&O5d{OaSHrdj$lwHV{RINh|!Nd4?y>yKlq$a^5>ucP-WCPBZi#^i$W6K
zP||nuMu=#S2r@Sn|6)|oH=P3z9(q|a+HiMN0qqhhQE0_W3Ib|sAdg>q4I{a4?E34#
z0Tx;F&7&l__$xC^TbFjF^*Vh_twHR;<vBy_yhQE2(T_3g;Ni9<A<aH+P$28qFPf40
zXZlceAWm(20{)76XQV}y0_BdU$Ar`F$pLA_y-Yz@@_QK2z_m}}<?20Q0Xs~<R@Ec!
zJrtH9Dju8>H^Q6&urL#yV4JWc<mS<?Y{$XC!w;4OqjiZ``&S7k4g-RT*#3c9P(W-k
zSv!n@{5&oF0LL9j7G5f!&>>1G0B(JzYa6yi2Ir&Oaz+`GR~SH+wuk3+9&{`}dV^`@
z<O8iU7(oEs%M94w{q_zI-SM9|cYL}T39>pykHh3X8`RA*`c2a`%sXP30k*FC8|(qo
z%6aTO`>5`6Y*3g60K+*t#qs0snIQ$z{GZ;VJOsdJTa2{%9x}U~yPHpG0x}c=G^U}_
z8NW<rrwcb?fpeK;f@r9Y3jC>Z^rjIRH1=S1<~Is{G$TNk;i&YEy}L!j3W9_V{KhD`
zIt2sWHSY;iuSzBm1k25>pNG>R_lOlLbh8M3k(o&y^SMWp+GYoYsDdQ?X(q&uG^oCZ
z-;AH3m;vAr#jA(0sa&6PBJ_cKm}axB6Hw^z&g_@ioPdTFXkrfBhBN?L+7d`EQY0Hs
zm_Z2*FRV_1WOHzroP0}V1_gPv<7@SOYX}&Kt$0s}Ienrwlnby$zFo!uFeGcbx!MdZ
z3#hhgBilikgtrRzOv&t^U>2h{{{0FJpal%!Hg9!T0@;Dnc{=@c^V3(RC4lr2Wy>ro
zkxu<k)p#f7M&Jm)<OchA*DQ7YE+pZl<=)`qCX8-DJH%@y>#ER*;d1Y8AbB59bUcWG
z10Zke>I$FUh8E<+wtGrP3;<Z`dXeB+aUk75r4@Z5!ywcwRnn_DHEbZ%0nP-`t`Cw*
z8jcZgf=$+~ontyqAFyHT3<J*O9byE69l}u5+2I6P*@{Hh?QR%Yz1N&$>8FYn1|bqn
zKOlj(KVOqS9SqC*wL$Ye=SOWXb^?T8{$V$F(ZWlRYte45Ni$u#R2wC}#`xrMuxdt3
za2n#Fg1_$M_(RzsbZ{oj05<7Geu#K}Ox5?j&8}w7*5u1uD~<QS%f)eqZ><kt%hAr+
z1NH@bfo0r4d};%~X}ufs?D}GZmC*uJ2>2!&Fy1M_?d_>%Srp~y=t;=^N@MqmE$0D#
zDQX}~FcR8ScGG-1+)x?}gu4z$nVtctegFfFf9hGgE`x2&s3JTw;8H&TCQa9;Bfc=u
zMdh#Z^7=REI`CPlQr&Bw=*)AZJ^T!Sa%w;*Q502`Is%@=OI#>Lg2<OBu)6n}F!3`4
zI9u$kB=Z@;p|k-BwlhZZSJFH2j2e49Zv0!f_5Q=jfx^d)r=Y;86zY}#I3#)5Z~83-
z0Oz1R{L?o-2nT^+B($S&%no-pJZA&R-je@j9^P2%eG-Gv*gN5IX6t`Pt8at7OPpXc
z`4^wYf0U7JT4koY2yE{HZAI$<)6@TC4lgr$^3xgo{6N9~1M80&#;~C`@TD>nw0|Vb
z@K0gKm_aa9Q2IAZW_)wa#UEUVTKcCc4zqPfqY(u5HJPVH_d>vb8bG}{YWbxkdI}iO
z9^akeW;+gpGDtXpFAek*D#C1?Qb^&a{%Q}KrRZ>XXQTqwt-{9l56J!gV$Cnm{SI`;
z88rVdTw<%-@KI3PeveQ3KYk-Vm>X38=7`+~RHwz+4*xe<<vV+tHAlV+nB@AuLzpsc
zOE^iXECO-)KNage6FMc!2T~b9nCa0Aw*PqUxPxVK4^YnPqg~M@A7Og@pTsZL?(Szt
zUSlA1Ov|!y{i9NK(sm-6flxFp^uI$hVM90UVWbYQO+cvsBNJ$Kzv#qYGTLqOdjH5I
zGL$XchZ9EN+n4xG{}ZLBWy1;D3lLRSlj?lv{~0{eQ&a&Y^*p|V1OM4TLYPp4B@0Mv
zpZdQ*M7LU65X?3><umN$e<~G>PI^(q0OT0F#F!rb6XMTX#l;dihHiJbQP=;%9UA%=
z_84><KRE?B{v+`2dJJYTcdzOhd|Lz#{t0^w=(wlud$tekP2a49odw$kCPs1ra(I&&
zt6j}ADnBpQTrS?J?g@5rEK1IwOBVoWCfKA@@J~-xaCaJm1aLy;E#H^#>+Jjz2mGU+
zbm0e1M%4bS$M^-MY&E40JABNBPEo=GQ?y&`d(kl4hxJzh8f+I`_2sD#4y%xJyYbeP
z6nId0?9gIoXw_(%X;U@^2IN@*ZQva@wpW%^E`I?DFeZsRAJ1!Xjz5VYbf+(jUEvAD
z7_Zxy>8wNiG{Yuk{_-=TDa7;uOb)!(&ph1lrfDRcgJXL=q-8q*$4ctCnhN0!lx#k}
z!;2uHG`(z5AdJYbV{W_<x=>-znM}x-N-HGWVCs5AUVpz!hc&p#zV~+474-duEx9<x
zHFoYK64_<zO8qPixz(D`*LO#4Zz)X{Kw1F&VCZ6%ztO4SklS}=bpe)IV~uxP`))()
zF%*xpU}J@$HTZ4)T%K>0ZwX)U59y2^*(RQ0o+WdF$xPs7@fY$6Rn(X7FdW-`OF6K?
zKU@VM5PNy;KTmp=Bwux=LQ&>%@F30cFQ}=<8E9GWSgap{hy7N*H{j`(zTR@B15Y!(
zTA!lsOXrW0(|LSnw;HmsrZRQ_L$_4Oew`eX&Wq%jM2t1PN~P8PuAR<18VSGz1Hm$$
zomP3Wn+viF^v@Z_XJc6$l3v%-b>V?Mh8?u+UykF!e{t5IAjM0ekAZR9BerntVc}v9
zujcys>DS@urZwMGJ7}Ne+Up$?H;y-C0${^LC}<t`)PjqjhIsv8P)t^+j^&8e3T<v`
zh@TMFDqg-qU%v}5TP>lvEC|AcT@V@7ea;urbD_D+f4o*#JUPVdyI9GMcPF3&=j8EC
zrxsf}gMFUx%Mw}vOgcipYY)Q9aGh)h>%<-Vq|Gw`ZQI|X2ki(@Dg{1Vk2mQHcyLW@
zqZXIp_$OqHdhf=Hf2K*0>p{9K@LUD*Y6+hF#0ZB)0Xufs6<v|_ptZAE>lxx#Wpjgh
zjDmA2=zw?lfKHq+8w!SA+|a-M+<zwur-Btoqj|~XJm5J~kE2_bvN8XqI^ZP*BLI%X
zR7;DM=No=C19!cPRp)-T2o>anw$m37nG(D}Q>2T4+b}n8@E^L8XuUFLCR3_7m&beM
zoTG7(sqPA-lAo`ideSx|1P%fe&@X(criuf+&@p;$cHkSu<^^Ok9J#=&j0F(mZqeDg
zI<xa^1T(o+E)w59fMfHpwW57hAOG!{6nMVBzwDg^4Dhpps%C>-gts0F#6cM<b!Tk7
zu%YOzSGIc*Idjb<MK15%llXgp5X(rgWClorps8`_-L0QLko;LG*7lM0<>Nwm5M3;Q
zc%SCaDt^DamCWoZ;Qul7?C{(V!tL8DJu$-dXA(u1v;g)Yf}~0J3CBb|V(@KsZQQTP
z{QCr|{nYr(Eo!0pSPURYYPD?8K`J`6w-SwITFJ}$mzbDhVuJChmY;hXksu;-fn0R}
zlE3fb%;h>_Wo`d%ziUpMJng=c&EgnQ@;x0$O#qD2<B48TLfVQ_VRh%F^`$kvOn-)c
z$_b<O5{C@PZjg{A<QsK}7p&`;q6AUj<xMYK^zBrvNPxT)&_Ca5NHw)yvDyw(&o|lc
z(}AyQJu|*g=o)|bgb<Wy{KeikKhL-lY5v{p;-J`Sd9zl*tj$Myj6ecN{e<Cwny<gb
zk*s_??27`h0ZL3jcHeGkwKz^|SC)f**#slZJ0~s_hpampkIPCRSDHqRJ7_I(ZS{eU
z8`i2we3km44QpRT=)4H=DrIm+X1{gc%_lWS;8pnJSsYp3g%g7TIK#}Y_Lo)fO45b{
zR_@%Q+i{@C>!T<D7U+}o{X_Ma8hB#H7aVxt9)>6{qIoiqrai{IS#5kBIqpn66f{jV
zCdQ}D2Q1ee8gIJ=2eu-xaV$jA=XK+`ioQ!8LFTyc>8TGlczA*`%u`o4Lu)=|@{>|&
zXKqp3PYzQ`(v83G?>pz!{DZQE0^|!!h%*+!uyk!Y260etG5<M3e2pz2=TlmJ+1aPr
zZC51L?NHt1cVjG{$Bj>zUWNpiG47`{f9CaEMiNHnm2z7~LUEetMgEUAqQ8TlJR0{P
z{9W+p`#{$#lLT*m+n&gy5|M?iPxMh2Zds%Zbg<7og%A00MmFF>^q=!(AE?-Q_e#9R
z<71Z3Iz9=+vU>zC%@JS!K3lv><T33FVi&ur_A6e?9#r=?GId8VgJW!<^|PY`<{p8G
z+vLi!H^Eip#G!#ef%=p=j;x6ryN^DPKR@73E!SG8H*`u6a8h^|kfQ}!<hPvIdp?pV
zYeAk+cs<DjI^W?{InM$gVQ_jNX@C~&dIm2ye=)KgaUHcC&H~F`_hzfnJwT&MegAx_
zpE4E@<v-;+?(%DPqU|j|v{<r-z~*CHaN!Z;PAx`2!&7o9x249kTm68mnm97Vz+ld5
zNB`b{`!$cQ%!Y52X0eh-(@{}Eg|`|!i6*t*C)NMjiN$^(zzNxB3M<gA`|`PABINp!
z8jeY7rAOOyOPNwvwsB-NzA3*TC(ez!ymAS$xCKKkIi<)nh$<RLn+i44y~~^#bmYC*
z3o?;bCGb94hU;aDE}w|C9_xB8r@uS>!(=P?mga{`0frr!f2X}ERJmLYyrObosgf{s
zIgIq@1kV<<0jc8%CVeV|5w)M5>#ytIPfeM-P(7?@>_5I*j+LmyP-Dce23*n+^;qBd
zkNKmC?MdQ*wMrTb>Cxc~xS-hlDL%V=F5$ALPEgA79gokS98fLYH%>J)aRufzSS5}2
z3EVRNl}h^&A@@aw<`jv7d=HKlfRmCoJ)J)w32zv{7O_`V_f4Mq1!VQFxQ_yd{4XM_
z#U6FxOGbC4?yyj*efMY=@}z27^y{9Sg2FUi3mjmL3tWpiw_M?yvNb>db1CRqzOLBe
zcLQ2yj<LZS`X~~5>o(ShI%Zc)WEZ>B=({5U#P*{zTcAvfH8D}z4vrOv6M7we;{03s
zdZv5c>x=lShIj;O3nSmH^ZmleE<+oxa7|MvR~nI5FXj4h)!hM}zr>wcK}qY)x6?!g
zOX&`(>d|vB^a2d6sJ%K_aAsWVz<yXsN%2PGR*-pG%m9#SyfkYZ{P{q-_IFvSi@%D>
zrlX#AUbmqKP#C(vI#-q*7%pL69pD7GgW#za6Qu4ZKm4+5va5Yo>(qV6&-J#+9!X$~
zjuA-S6f24ze|fcCcp+Xy#4jkG`>#yh3Lq*m9Fpm2GNf6;btZzeT-L(x&yS|%*7Cmv
z|29Gi@{I+p`=1)KG1HGv-{j80;m722e8+$Hwo8?(^8OV`qp;kHu-o*M_H;+iSNaAV
zs|3ehL{eOprR7S=DsmYox<t2vipy=g+4?Ej+)<<Pv@b6&dQK-i{ZjNw<L_#uG7*Rx
znLc1!gs$f<5SuZ+IagymKCJdfg<yGcyWU^qDL<)U|DdmdG;||!c=_lBud6PFp6dUZ
zL*BQxZ$0e{gz+^dx?(0^=o;Ht7FecnV4+X8$3t6`mv&px@>W>AI1Z1OtFc>a8=g*j
z!(d+B_}_ek==8H=H(K$5l|PMk*<C&%3H6MGzSrUE<DQtJKisB$0ya!n3SQ42efpSD
z-QDoS040+m^?m8jjoVFK0)O>bY7H*v)aD{czoE4u*ub$n0oSv5D|eNwPc%rt<Amkv
z-tUKxow5AqPSVL59>_m#`cN(k9~$^;1*8)&k~U|EtZy&%)vG5Q96c8C&Z{1orc3TL
z749_5Uqzewi%c%{z|c2o_m9DtLE}E~i(_&&oLEySi!1q@-A(a)X83D=>*U$LyD-c)
zp1ZBT13}o8TZd!<L<Rz6s6VLko^J|fw6PkHO8mzJ<ZnUe6G(<EvJ|P;@$oFomSvaS
zob4HytOK!Zum|&*Gf8Y7Xe6?h`{(80@4JVrGv{!96zHq~`QbW{v|yBjN~H3WdGrw?
zBf$qXXv*`GNW2!{K(Ouq5E-;G>fhe5Y#)gm_}@vZ{=X&^z@I8wEaZ)=?m$B#X2C-=
zMogz$8)3BE+i~Ty@A%M4f<RS7XY;?n@l=sIP)XIb2VS(<eGt2(6&U&$d^F^D-P{$=
zyXjf7H2=u?`i~QWT5R)Q2L5MKFg0ClER6|Nag$ozP-+0B0yKDcLPqQCbc}J|`Pzsb
zw6TEa{(}qTOS=D=!eb!WmP?ak1ap6VOan&R^Ja<>KyFuz&WCl075-*RwU~dr0Hu+T
z;hqkr6c@~978`-X;)kT|;aFQZ;aFAp)Q|BqCrnOXNj9VkRz3P!uH{;PApYuFa2N*^
zc#(uzrFgp{2Ex(|XDa0UdN9%xtCe%=tz&<<55hyfQsT9Cp{!eBD)S!^u7=@vD7|)2
znsY7d2q%E^fW_?^?TAtBac!CGwXI=VlYHX%Cg<bx#OxD)t>ovM2dVwQ`3M-b09#+9
zm_axz@M8^*eiVE~TTATNwV6ipgk)V0?^?*H%|Cm5WpyUhf(0~8pQN)?3PU&GNk3ms
z=dT}$Af$gAR=expVDrxgH7?l%RdR#cmbY|)yAjxR4oP3*qGn|HV$w)ov)Jl++jQOk
zf#n^#u<rRBaFn};r|i=Js1TqbeoWz_@3m&}5`Lt^i%~w>w_EubgY}iA{*5j2-(^!%
z0B>T)EM;j){I)#g^!wKUN)<SVojO{=q1Q1;ib||2!CyC+d#;qNP*I=@iY4eS{{v>5
zyZG)cC@oUZRXqzLgupA$%j}|WHX~gF4#hs2#b|ZV>PnK&PLv^Mc1}X^|KxFS+<BO>
zdIOZ!jH=S7h=B`xO-=E;ObHzDi{BEI1a*oQY&c5)uEN6rP~GUlL+VEmc#mykq#d9X
zh%R~Q#jm8K4@+-SgSyh*mG$%HOw^+Ze*-<oZ{T&`XUq(E@gn)I(DBQF3!zZbw&jvj
z^{y;~qq_-LxEpP0J+-us)0_<R{2NB}j6|3!#wnKf341vYb0NuHfmdy`_?q}$X^*7}
zYS5uZEIHHS>FTC;2kqCSHGLz%Mj%LTL)l_bkplVbvLQrB9@<s8;9+FDds~{C$M|g#
zGmP5fGQ{B#yBoJ{@lO8{`jfu2Ro)6p84yq)(MN$+IoR4=D2LnnQ4v8fNu@18+j)@y
zvK~77(`}YGjH9Kof`%EXR4EvG9}K-GKiT4vGydgd5}VFI<b2Qyd$~x1`-krTe4HfD
zdmL0#BMAcC2@rZ_pyPiJ$d!cth)ivfqm{g#Z?Fk9iyO5%$Mx3$ANqm(1W)L~wu%+@
zphfuTc^Fz4M!Ib{vKdnFiML#|mf!YXDv_7x>q5<{)nB325G2u|JgDdtaV_T@CwR#P
zdiZT6?h(GWAB=OQ7WVN;kV!JM0Kt;K*6|WH*{aPBuH)57BQ9T%gnR}lOl_yCkjk~P
z55PxrmAtPm)R*5WEnxraK+Yu-TEtBxsFGQ|Cw&u+<w8K)*`iX-r(iF;3RC?7j`>-P
zWe08Wm*aa&D5s%Ef_J_QB(q>R!TVK0cRD07D{vX9*IV3kx2`Zf@_}PAmA3o);>u4K
zN9*rDS8Z${kM!7MsM<CFHJD2<^h#2D)kr^m*%8yBsgU$-P}mu(OxIf+J5UB4?S!Fx
zHi$`EXg_|P-5Ge{dw#jzYDhNe50EH%v!83r$q&DYwmQeZA4qrxG5j@B=~YiUo*oz}
zEUlxdxuH<0_)n7Yw+BC3X`c_twBBaBcc8ZM4mS{lV;QU8hTOe$5R7&bOus_B$FYOW
z-D(&v8E^DUjNJ?6)j^}52e$8jcu3d1@EzFXXeFLzgXbf)8YtgA3)GarpyzaM%ifQ>
z`#km4S5*kXOZbsF<MGl*pT8epg$kf3&}kuG8QMW~L|u4xo4#|9E~cTNfYeMhPa0Jd
z)IhX(q?so2^_g*erTd$@D5%!n+g!K?yr#hMJY~8KiuoR~nm#7i@MZU1AB~^nK0npJ
zF@aN2=%Kq?q#4*wb{k3o-P*-Df5Ca#V4fvK8%sWU0ou2GiLj|3aYSghH~Iu8<t)*t
zMCt`l^$;thoeC|Vvm$cw9JIRb6+{)nZuT1;>C*!nD{``(P&~?dc?fW~o;wEJWANK1
ze0ilw=Y`i=M)DZ^_59vf+u5XVftZjyg^KJGe;Kg=&rS#X)|2HJ2=3G8JWkSO%}r(t
z`_Ud@nlZ<4cQ&a%Fz<_C%&aX2DhL8EsyIUG07$p-=KPx>xUX(kL)o{Q^(K3Mfv(un
zLMn#H0LkYDG+G#*yHdqeNkWyml5z(jFSg~BHAMwD>z}M?@F;GJ#&~I!9=}*2UBP{c
zh=8Wt0^4eAT@Jv@n>o+x6dn8U&F<=IXv<HOce$|KIw3=w_Ed%nF?#y!psVc(lutCw
zuz8%O$CQzcVDV+ELXOgtkG1oz#ZYx6v;!tyL9qa`m$nl*=<~2FA>{Q>Wh6TAE~_4@
z8fW5&GYXSUrR}j4HXQ4*Y{Jzu1EW3!=_>j5Y%1Omx)D~Iys1KW6>rWL=hVl|R}zBD
zrK)|r0@r7|enVU!2?+&dp0aS#tQ-3^2+n7*%6I*@ZifDBsL?2yLodO3wK&sClg==b
z;5&9ou?*7Nf?Fg^j($APYPiHKjO06C^d+tA^%U`~<p3=;M#Qji_x31M^@e3>#)ZC)
zacnezO<qX(xc?rs>OZ&dC__H=`)pCZ%fM|vch}qM4gQI#cs#wF1d-Ti5SeJZ2?i}P
zrtZ`E_K`&<1aUUL{ykiVE8Vp*&!5FNjm*4R(52fq?^*)umz&UXidKvo(F5iak%Y0c
z$pJB<R|CFnq<K(1e2K-`@*YsN7<3C)*-d<VK0?WJ=buETv}^z6hT^FN)kL>e8C3|b
z#w$$=^(X4hXMODrPteU|u$0|B*IG0<aUU3IckmFVtNmu!){>3j=CYOE^Ynp<dTSf2
zh3KB&Gp(5bdjPtgkNVRAnb-2uAP-SG^sMZG+S`7KRcF6;4^qZ1gp2d>{zY7UqvmW~
z2@MK8y^b(BdQyP)CK7ok=aSf{BlW_bnaNu80v5zIclq?lkSA3eW{b*%(M9~SP{<)^
zdwq1_gDakn%Q<Z>$5b3a@GdmMdDHC;OV>=GB}L%MUjp{i-X7u*FOUOq!O#*)ah|iq
zbU#sE+b72Z5e9TJvEKXF+-3);p1V#2-kb<tRv2M|<L?K<!s(}@ja1Jg@XK!nIiNrd
zVNwSzH8Bn=qjI!d$n~wK8CAig91=!238te)61Ton6!xGkg{S?NhZGVJ=!(JJNJ)<)
z&Q5RvzvP&jR*rvI9v$hy5a~v(fHod=hKeh691g}Q6d76vQ3&w4mz=Kt`ai(Ot5|8U
zFsO3wAk2$A@DD?(#SxLQy#v62KMN~fZuO{o=zqZLD{z(gRD7=`;n>W157~c=l$EVb
zJSeLn!m+|gpE$gxj9mJYu`Ivm*8nK<4YkS#rI7&Zei|&UtN=ZJ{IyMs3FG<mB)iSX
zJG?qfZi+7k>q4z7<Zi1MZBa~R8n<3j(}Nq0Q~(yuCtvg>7>YM?{9u3^x4;l+YxiM<
z{P_m4Yj5JxkZb5+a6?w&cOY**NjvX(ZH&;`eQnWAzqIQI4>x2yULWD-V2pYk{81ng
zIlrT_y!dK%!aK^dYvL$5=Fi&10xc;MHVW?HJT4r=8y^v*+??D|G27l66-)e>BRM;A
zHI#9%M^?!8DjI<2h5{1pSenwFTqvVgFsDtsEf#8`?kFnToie+%t~kL2wzzGX$dM=5
zpk@#4y<L^cCo{ft#LasICESCC+Q}<OkY#_DRvec>rJG%r-ln}Ig!Wh^)KvADK?q#9
zJFOXf?>#$oPd!o-{s*da1}}ZOV^{ztbCF@qCK5lIAp}b%Lur5Rpc#SF!v==Qzaz(E
zat8L;jezq$m`D4E^C<^W0Gn3x+xx*#K&{#8>tAA|N~x3+T!0`OXjF-s?WOH_!a9G5
z0qC|p!Fsa_T}|J|4xi;D+rhwK{(~C@XEyBLmly#rt;1BwB#WL{`bGW5p?3ZEVH*=c
zs6nBmVc};djzD8$5|;P!=q6vhcB)|d3M0t6SAlb@&Y(i>_g(7AiKBqPz05KJQ7lAc
zaN0w+yP#+EHC`ZM{TD=XP(5Rci3y+=b!iJLTmcygzq1kG<g$po(5Nm=OqDP)zA6+3
zwVj`$J-&aRNUpkma+}q>joy}!U-SJKnfRMy(r;f#EGGaQ`c;|}Kc#6&o-myRi3`jC
z99VzEccdr}I&){mjJ7_48i-;oYQE++HNP~~_JobrHkV)EhoH_`u|?iox4|GsPc!T6
z1K5_DGkA%Z*+N>sD#=<ZkrM$paGZ`#srdFPAbz0eJH11r?<Dyg#PI`yn7tbp5}@)f
z25QvyQY`T-UQ)eqs6;J2!q~9>hX}Ql7$3LAq5)cMl&u<{L-vFYT>|Ij?VzrX->IzG
z<SH@b_4foUz@py7W`3oNROyn|D=iKRZ~*kf*E5gIru%nSLQog3b9+Hp;R>rOwyAjN
zf>e(DIN>(ENhMdUIEU=7fOHc%|0;vt+rl9uWi2ZJd=!veEl1w=4Y#Hn0Rr0W<byN8
zhrbn60grF5h$FW9bVLCm)40jNa&L3;7v{Vt%r7#hl6BS)08+^)ju`L2n?XI#10UTN
zJ~x=PPe+R0ozr3}d$))s`cio&oU!fhoBaT+{vr`4u1Z+%IVl0IHtV&wXT)?a0D?^h
zRiMRhb11d(c}@jP$JQMHLd=_lm9sW`y_9lpkRFEP^n^i8Jb^pJi%HhY$sl%vqqMNT
z^>0_v+qZvo@Y1yO2p}giDad=fl^MEpdmu55Zrq)lGbDMM@j@*GOdg`cU57U^i5!#G
zb(A#D10Z&4g}T+&U%%7kiMpURi&KFE-1PpT2eT_N1>u;alk|?LB(cOP^72Y%6-aB%
zyiwr$OkNoVhGJtE+*pt5(v%?INhCc=&jJL|&@KFRzgOhl^GLo^nYfp5Ahmexi2Br)
zC(3JA!sZk7jDo;wanfmZdWFUzso{}yRmTEg1!~-Xju{ZgT&V9+Fpq*sr^8$*@H0ZV
zMz`_>nMnl6CwyK$90rc@{gKn$%po&*>rJMV5jc;4Zk=-XM$E(>qFy6*M8Z}^;5^8R
zPHO!evc(>TI_x&#MMpHqRrPxDgd^y{@IguB5eb>}Q9#)5#U9Dts+WqdRw1>R-9j+k
zgx-Sm&jfvRecSiC>`w;=+ddx=hR!)PCh%tJy!<m|{P+DZ4{Y;LS!Db%V9VY5NSe0#
zfH02BDO&#Yh#h?8PG+$$$eI2Xe*gtT%!otiu&)w_5O$bU{5ur_?+n>lw1Nm(22gu!
zIlC2Sc8hj+=f)=$tg>i@6UnDw<^~|Nc(I4Yv?jG$W7XHhurC&cJg+M9Fn|c_BE{|K
zQYPgcyNEnSzc~Fe$)sUQI13VdD0rVr%h&`h`FIs9E@<-W+rB2{2mnw5{xK6Vv$_@B
z@F($Su0t1Z7d;MC+uIjt|8S=E1@UK<P=uS7!vV+H^+gy2=PnKPXk{h0T@^nHPzqIR
z3kA^~nJ;Azz<1gm%kDg80&v%RW9_@Wl!DC&0<2PnYZsDkRW!MM$y&!Id-xcfvHe6&
z`eSAQw@;Cwg-hdKpXY~yd0qleA4XUaOB8XY8l6=oDMGAekqx2033$;LWWx|P05T{-
z!c+XVhoOKHA~zZHm1@+fLaOllaT^8)hI{#_dw`n-4!FrLPV&LU9p9os3z<OFa-kYE
zLNV?V$sPUf{^Nt7Y?(zqV^)_egiIHD{3@J<3rKa2S@L{J_57u!ufz;foH=YRxN-dr
zh&|`K_Lff!vb2N~s)S4DV%~99JbBCwE*6>OwhsiX<x!5qN11DrpO?y9uLs?B-=wrR
z6I4<$Gh0yIg45SO@T-okxC3y`yb5gxad(<_MbsJ4$ZAeM*TB<Fejh;h@iVw&)|}sl
z%4~4e>6?$d^%11AHA3G^n|c;@ApH>@fU0XbBl$l>#66%^UJV)<SNSKGY-pFp?^X82
z@jd`=<a%iP)2@!)ZPLAW4mu2coHk};f@7y_iNA3`ch87RiFxsquEseY3<2f6n?EXW
z%9&!6aEG+H#?!<AMfcBZyu5<iHd!a3AS5{Oc-k<Dosr|fvh`MY`unm*qdus@zluw*
z|56P_Qd54;Y0Hq6y!_nTFc0u$&)}0b9E&PSy5z2nU*6-Y(BT*~DULrhDheWgCK7kQ
z1ZqyTg>k7@9EI<+{#vW-h@N4Dqw^0+eVg6ddPO!g8o5JKt~_v=LGA$58Q4X$9*SAn
z<N8MBD9yfpMk^<rcOQXJzec+j=8-8=lWAxqpv25)-|kQrAqj{QzZNQ$G1r5>QiNWw
zD?{7+)8JQ8P?6z;a3ZgpF%en<b;o6GY`EK*xptnAgHX%lvh|-hvBmO~vBGLkL!<ku
z*e{oRYL#VZb{kj_=s{UN{)f=9w9;gYiEInw@G2Rod<(l{a{vjZ?Xo69cz?<z<b_4H
z?FodBuN||rC{OBw!rp41%_-fHG>wcMA>o)zWRE8zOrZT4)HeF~6lH8X+op|MVZ$(i
z*u)spl{;Blz(Kgyxa`mJR8ip6(u=#Zy822iu+DzjLryOmUQaPHW@X=Uiy&Gy<Gro7
z42>l3kocu^B9EL#Wj!Cw`;@p=y*Tk>Tt(jqeTQUQV{~)P9AJ5C2KIVq6n<$<<>lKx
z2yd7PGyj5C2E2h|7*mgAE0-OvLr|^AxHF-(Qj5os5%wx?vna`FMx)NuYvNTt2V=OM
ztmCR!TK~uW91n}H26iYN+RXcHXtaG78?HT9(_Fda5R2w$C<rZ|HW@k}s0%$iG4Mpx
zwrj3My!oDsQv0A{Nu)W~F?nHL<v+Yn_~RCC)3SYdWIw{L!lbEfNb2F|5W&c+4+!E?
z*NbE2%+ye*ZwDJC+SSX-trkYN1S2gZP=8_(GndH;X#yNSn=sm8oUV;l66*SWXYXKb
zMqE~Pr5>aSaR_?5X|Bdq>Y}z}B3}+eZw>mgJli_f&d8aN29%O9!!qsflp<eB9Yl_1
zy*M>(ZT>l$do_{VzkQ_@9K}EnN7!HtmF(N!ahY7Vrx@05#f_e3YRA&Q)a-*lXvH|l
zYq21p23!9}(OvR{CS83ar90RcZfAE}GaZkl?T49<z4TA9a@}2foe4d8L5Baaec#|-
zn#KDtVX_Fs#+?b~tkjyADKng!RDz67Uujo*GMC*$z;sv%k+>)We4N?vIbv<TDOQFJ
z&O6Yv8-7%EO|xZN%;H&-w)s1xvu749Zd<Nr*x9=WmAXN~D^sMqzcm_%>1M>`7<`_C
zWqo#~?&BTY(k0(-m|bZr42yjEfdjd3>CmiFCBrYbw974)Fg4?7_wMyZinZUnTpNw4
zJVD_o<t!3p`z^>|5j{;+tXl4B;?M`h>?Il6&5mN0<wMYmrIW0m-0nWT>#i8i?vS&e
z@X{RZc6VpAX0MV`qCK_H|HA_6j*IjX9JCfMeG6aaR6b|Vz_IGN>*{XWkvE+u6>(En
zpR3|KdNL!5?dihInKYeeSufCN;l=dlZkE4~YxL#`LJuzvd$p$@7xHg4GXEj~-~Mxm
zxLb_Tq~4kn)%s(=rS6DEaSh)P^soxQwA4XL7FCQ=km%UWdH#4gT|u4k{IeM7EnBc%
z*5gH6yGg&`d5gBlyDeW;6rs0be#?6;ou9>}L!ozIqxWHQo<Y^=?%9Qzl?^B}8<1k)
za@SyNvX6Iq`lk104VzHp%McF6QKvgaGrPEGg_Gyq#$}>em%ewV{K63_7Eda@3uAL3
zab{@P$$ovzCvHAma9+%uAxu{4p=U;eGH$L-*X?W@`lyn+zESB%g5~{yh=ya;YRgHc
z?zg%7k3O7@3=vu4^E!X6Gx?NTot58MHuN0M1ua<0U_RQ2Y;Nfi<ER&Rb$;@qqA6^u
zZb=T))EUm->U{@#H5WNL0^73k&kxaNOJ;Gm7;p%_`YMpo`%vS|CU0#Z8I$mFQSNwK
zRS5kBU<J1OTgE>BxRMddvg-^pS)<LRv~emaI^!(+h^Oz%(2o<}WJl~$kE`o*eOty(
zre3iby6l%6x2Z;^P3xz*=xK9y4pr?|AM^HKEGc&hWHPh$uDiCG{oN3Ha5uD%VJwH(
zpyTKLVJj)yO)_P-Nx?+v-M1g}+N$TJ*Ee{BEp`IF4V~k2ZT=HtdBb1#(yVIH(D@UP
zS46hC3VKZ>1`qeWeNpN2+XI&$E#k#;Nb%-+``l1p`BB4>t7fR)t!*FG64#lPr6-@;
z*RmRn<p-V&dHAtD7(TbuS``e5CoK2^t+<etr&z>Rw!u7FIPdP5kbbMKspkDH+S{Ak
zPu$N~depTWr_A5%D9<%FEOO;WmkqTn$ac55E_NkRy-l8dll|5yHb5bCyd{33c4jXg
zc5}2BADxvCeRah?J8y_CCjWkvmD}!=wQQ#?;a<f1&FQ+t&<UlljHhbln5&)zi;C8}
z<POQc8!}_8X`<HU4Ph3<f@Sbd<(RH}n@$Sv`>zl7P}$OkCJKl$+ZmhwvzHXrXWmjV
z-SNkhVlVn^Ls{1uA9XVy2Rk3fi}pB2=m$tio|6}oJSQe8YjjTfqLk!Csq-R|=PpW0
zX0+Aw{67=iJsn(b2LAsitRy1~p$VozMrJ++cK&EDoaap!H%GKjpqC@s#mmPYI?JU@
zt+AqRn+OWF>9&8-oG}21Q!L{4ES#q}wc@!DoM<(I^hXE8sd6K9`(R(or!SxQJ~6cu
dG_tOWgL$3<J|<aG1rQ0Ksjj0|tYUlT{{Z(j?6m*@

literal 18169
zcmX6_c|4Tg_kU)y%a(*}8HB7Mvdk34SR-2{MA@=ND9b$4V);m9-^rSUBwLnwDkV!1
zDOtx(!l0~U=J)viUjAU_x%WQzo_o%@?{m-lh`nfT$jK(e1^@sj!N|Z00FdyXNPvY2
z{`EKX`!4(o?S9tmECAFbu+y$%;LqZ&MpkA3a8DWlz=r^E&;(onfIG?n@Y@*x&SU_9
zfPc<gOC9(DlZ%O=0l+x;DQGQAhQDDBBAA_Lo<=YoIxH~#rz;cy&Swz}&RT~KFOP-f
zIN04~to8N;t9K`Pcb~7nQPJo+z}lX8A-X*y@#01innlFL+Z9q1zHi3)Fbg2{S%Me&
z&T+Ojbtavx81b^L`Th0J%Ae5*v0la6-&fr>zvk}UB|F~gl&h%y7rq+!^{zRB@at8O
z03P8XwwsE)cx;W)88e~uW5-DhEvH{i90D$itohjijV`vstFnZmiy7M$iE0umH4X8h
zo-%D3&Ces^gE{wyI33jfF8M&6P-Z)tqfg~8Bk%%k*npoD2F8ECf1bx4@kdmsJJMO5
zhmE(uZ=sj-$#xyW>+Err6Gn@wfKj|{*lj=5nP|r|7idF=a+q?AO&2zzB3I89L}z#_
z%~52C7ihG;>gjvLYXUK>v_5>mLNzC&1v#qmcUsX|q>ufj$Sxx+D)J@wvjSqfiP#4l
z4C?;(i%dYdqZePqX_d<s64F#fXD0tM%K4$^aQvFC3qQ@vG@7``PxNmt-%{85T5SWG
z=__q<OI$zYFYroa$nfC<ULMii7|>Zc@i+F?gmv*8cXGtjjF~dd*1z0*`{yBVXO&km
zp@lffWeN8lIf`SUm%j`TuPxuZ0=2)>q6OaKiJv+EaS@B<&PX<ucfCk+@w_PktL%kd
z@w}Che$m@;LfB0SZ=@}<0a%KSU}=uM`DhH^c~M*>AAvt(ZMwbOZh(sp&BDc>m{7w0
znCq2%4?5{D8iTFvQSI8`tU-yh%q!Q0jxqd4xKEFtqm_>Uee_wn7IeA&Q}YHG7z-45
zFEH10KcjqoCiatSfB4Ap!`7VWE^QRJ?zvcntcwrb05K4z{RSD(lv<W}QB}`#)>+F^
zcF5?De53HtNB-L1cWzj9alq{*^480c^ME@a-+mLs>%uwF@s4H`!^d0^(~7Q$xx^B}
zOQL{-h*=T>Us+!Nged2)r_!0P|8hb}+IZLZ2VeW#`>>cU$m=-wNg3ojw-4ZzRJf(2
z^uFR0E5nKs*}g)PYM+@<U-?<7Bg>P_5ONmum-jzqDRNYe`?<|gAjL;zaf^GF#*9e6
zD8JM@OJUOPxBtg8NU|}w<19$MRCxUxcpZP)4Y;`3UOZu@GmAUihzrnJ^`>BHEw-*$
zgY@?{?NRS15V+%V7|~PKbKCJ&zqpelnN@z_j)k(UrQi}Y%aqJY<(Na{Xj0S&ms8IS
zIZ|1f0QCmVst{?a2PGl)&i+75?XK0SqgXkVaO@=vgE?GeXmahG`Y9BcWudd&ixg$j
zi63gh=`1#vR=e3soZ<EbBDum*+Y;lK3#4xV7vH+Pjvh{}<zf<L)`>c?ns4e5FMpGO
zOeudvT17H2qmh02s)tXUX9CRH9?0w?RXTAzjX9dNxVXk^)ft-?OU^t;?!_KyZ$RZ^
z=+TWI#1Xs?z<y_-Z>HRgcHTvRu>(zTThPi-12tL+SFS#4><Sg3icsR(WAFd&i?czP
z386rt>fl^oW_V<dP*JL3d)?b>+fC2I%XxK~HUS(!7ui<eIV5M#--o4UR|!p1%Jvlt
zWqbLd30||XxBmM1Xl4AUbLc6mpbHslHNY#gJipEXyr>>-pJ3_{ze3d$36-n+8eX+*
z5?#T2-C5X@XPe7ezJ>_RA_j92_<wxKMBxC3RTqjDG#xA67nSeV?}0V&Bk4lvBnzG}
zrr@b-=ogY?iCa@%m3J)=Ur}_?P-H-OZ?B3c?Zx*^R+@Z(%C|!;(fB)*)9&$3K2tc(
zMvhRuZ`l)d5#{t<(2rM!Ig;7?6O(=xfC4{N1uw7Y6zZ-{@M!P(3`wdx;;8H{`4EHW
z=ix0uw3;mw5bp?&5tp%@fA-kyl6jbi)uB{UJ}O`GKE%X<6hfiECrZ+E^QpIEIO*LD
z+_42hm`BnH1P;|^fF{-9$!GB$u0Y>65uG*Me;$K-{?1;*`pH2VC<E?oxd8RGD>~{0
zuFAlIf8BIAdyL85JOfkOK)+~K@$@hkEk^U)wyra~GZ#YS6Ht(KrF%S?)WMs(Cwl(P
zYHEtY)!69=6PPy4A62vm76o1iUd?9H$+Dj&Kh_+VksZ-MO-NTs(j_b<UL6-l;a3KK
z?1-Izv((CApS1Z3J2;lxuHNp1jC}Ov;q6`^(N1Mefb<b!kC9=-^^2wzM+u3)WsT&w
zXB)*>b0T+c0H2F8XzmClw5VawYHe&nidZx0D%gv1dbf{gf}bW|k<9PlO=f%mGq>-G
z&sv`Q!?i8-&4!xopdwEQyO^aDIo%tVK~q9HveC4Z^EH3V$WAcDjxdo?En@br>f&M?
zK;_H&W(Jya9vUD8*4(Ks{*X!<iCKzf#5V>)14xA)pzl8~K3w|%{Z{N9`r@`qdQgy!
zvp|3Yb>G1Koin$GmN`>pvBsJ}40{+|bo(mBw58Clf58SEG*G8Z#Fn0m0*|-?9{hER
zkz?(b7^#qc%-DWpj#Ru2{{kwKZB+TME58v3vhrQ5#FCfAzE68HJ&wd+?vePqW72QH
zf!yLw1uc-mvEt6>#iu!d%eG;^^DpGg6Gi+b()OeV?arY|4AeM=_OLOc&kG+V2)tgP
zl+hnSIPNi8DW${OY8nffQ$DoQLC(-we>bhmH_VpHiD#%r6tAflj)W{z273$twnD%|
zxc8@{z-z2DLxbWyWy+8Te|d75Sow}|wxl;+72jk!id6joBx0DIe(nJjA(t;sNm=i#
zC}YrSY%<E1y9Wq~b^kzZqR*r9rSI*SSk;EIebc38LY>?GnXHkCS!4az&QnP37szEi
z!u!~AK@o8cmdGQGgWZp^vJnNB&;KIIS^g#`u^=4BCCh)=#FU<0mDFGp_17xU5(Kg=
zP3i108f{9<b5kA0R>9V!e-IgPLTd;jvl5bxPnG*@?nzE<w#moHf!Leh94Q+RnYRNo
zc5KLi1Nd@WnjuQ5j+u_&0?xo%hBdn=Mhz?!qWTovVDUJ_1iEo2Gd!UUPyo5nFPelM
zwB)x(g{L%La*mb|k6;4T294<-nrTYR=B8oxN#Dh_V{{Q>h%`ZD|4qQiq_Sdy5B$k(
zw-sEbdy?Sw%8_CS#X|{*ElhDckQkLgYmO-uwBr-l9ZDfsIa-4wvDp{~-w9!)bUwoQ
z^~V{aD%FJ|1<87H5t6K4BevZs$xuWT*m)DkFjd)6LW~=w(A`UQu>|8^iiLrcW-uOp
z2y4`v;R|FW)tSOX;c4duv9g<(a8xL>zc9DLLrxUuO~9jgcxHlACo6QFeE90FasRX3
zm`;Wbq!e59APQts1=Ngv*7K1%JfU3va=x3%#YN@F3h)-}@1-E_K5-`S!gDivZOkXV
zYLr_sys$11J!Je4EP?dk#{d&}FRqh}|MQoqMfGZVZ<qAxxJ1>FHpI4Ojis^*`g=N}
zAkQnAv1pJS*Im<;fQ`3{^$-i^dxg=*UlRm=OGz`1`}0_?laDPNh%_Z2!l1UGf)u8V
z{vMAg5cRU4rz6Freb)oa$k;(c995l?4_<{IK0-Jbx~#9FSD3@W#-WZ*r=;JvxVIIk
zub+vH9o0N5O302Go?#eF1<T7230{viro#R($CP?yiOU1i{K-USYI=JV8FL`%+s=)=
z{tDDf1rx^5_EF$dk;V>#zef5_@UVVTan5B!Zw{J}vNOw3?R4PN3ymEdCRE#;o|F=W
zY2Tuh0V0w@uRK#;0*}v!-~S@sMfXD=DS>yWtEm}Wim4*mB0oWZ@)ebxUSyt$gKfYC
zcu*`NfCyzPqaVj2oYi2_u#@bNfdjC%Es95hDyqP-gk&=I<|7Gbj!|^zNtK-~pjTY+
zU%+~L@m$@}P<DTeFNcmI3i@^|{QK%)`*LJb@m&4UQ2D$=nu_Vblj0wft4gu1((DH#
zdYanueYxNE<jeghp8@~putaW9aznp5CB61i_;zxEtc*VP2~d7%D=oCL%uw`Rl_y-@
z3WHU!nogBxLO=kw7knC0-JuS!_P|;^-@kyWN$DsuiWlMrvjIbM`gsa3g(-(7Rc>=Q
zb_9iEarlp`jpz)poTo%W(J>a>1goVJymqW)_6#n{BG|$V4$DB7Awv=~cQ=q!{G*?V
zrV{XaiK8HKi#u@w;1=6PuEkP=r#dI#9lc_w{Y{K=fr1tPnF`XFK;`IdgHX1$SP6oc
zPcAeIZIJi|L`}2S1p%-9eJ6a-?viPkQBpBsfU^a$9p-H8SOM&?19fz|65xpY8%VHf
z`^)V!o(}}gtDtA(fp+Fbkx<@%+KKOPqG6jlPimwrw?ajolcf+14GuGJT7cOgd=@5Q
zW$%<B{jm2iGsclfe5g28!)2a~B}isN3Z0ku#l;ZfdIjvUW@71cbIWPi_zT)p|3Y4W
zE5~#AC5wk^Bpty<wr%#&H6_9shtt$hN(uBv=OOsx5U_^$gUmC`*~>}VOvDn*mJBG5
zpjyzSA{zX`3Dj|oUW(yb$T^ss*S#{{4pctNo1iiXel%$T646JBbz$MUokTjKbWSXj
z)U0kXfkxi*e6n9h_OS$4OF)#Zg+sH#rUIxG0H#oP<fyk@2Aq~!<CBUnEEU#2)M@3{
z$KNu0vWEE0l*dZ@*VijW5K8cDFF8x(d@~ve{$Pct&@&ywF6veWE40;I?m6oevD8ic
z@5;nY;CG?M&P0CW_*U<Me9BA0GaK<Mia=FH>Sn0)$vu8>c!nrs`C=#ef790@Vsw}_
z5gxI#pf{`m%+7K(7dBq@kj;{c-M*jAVGBL3V5RH#sPnba%P%d+jHjE<Sc1YWX@7O9
zA%3m`_ytQNgvLt|18WbIx_tH;x`kJh`EwA<XE)$^>xX%O$gCr=ECJi{bakvQVgT%k
z0==2QzVoIuC6h4mq~g)0tf8RsyiNQk`7nfdk}aY!aT_o-JJ6O<E!IX}dyX5g*%B)O
zf9g}R9diD_f~|b7G3lf?UeFAb5Wk8LH$~(bAKOXB%9<%jt>iA6hKakT<^tTEFIXH*
z9R`MY=ar=hnLki1srG4#Zslx=@xaBf=&u+@=A5Son=AA>rZG})7v+vc-;e|zDpD5P
zZ{jWsHDJr@_(|QdMWoEjY@fRfuAoKnL3`bQp0X3Hy0gyZur+2p?y3BO`&`n@)*cXd
z8Yr6{CS%KY4#%v343?hH?^W>|%z%fa?@rjv!3KI=Scaxa?n$Jb7fmR<&ORJCAZiAz
zU@>cmgtET!_c(Ox$`@gvFkDrnktrj(gh;U35O!p1WLxl_D*@+V)!KnR_)q6!Wwqae
zGJIxBS+;?&TA6OiTsisGC`>a68~^QOp$UcNR*6(|0%Ag}nZH?IXHBC^5q@2QeQ}H2
zGU?bY@XJCqX!!J56k8Hj#D$HDr38Gj$9Pl$+^Yq(u_7sDWxB@*Nzx0ZQ`nInH+IAq
zKEP`=W1jCC<K(_c((9_+1=o$^1?4NO9#0OWNRzcx%*;EG;)~>8?W6Uuwm<%U3?Uwb
z>P09T!P|=+{DlIEKvpSRVkE2&l61Dlm$IMWEsVIs*YHb^)#E?zzLUwzI+V-M{Wr|V
z304ns*mW=&S(|wAW#FO--a_&o-6ZLI7yW+5hE+9EO&>!+7M@f+wM;Tf`tDrDX9Mnd
za$#HH-7aIHaen)2m{hFO_;_e5&5K_=7oOn*u|qm(9HZGM30Ap1Kpu-j&YXC^12O~Q
zfY3SdB?QD0WVbI-ZWriQ%0V-*{tNFaPc1qn6}QL&3CyC%;@5{0Z84M^6s6b^I(&2#
zF(WLbOU$Ur!hjd+yeg&Kv*le9Ry`IOa9lj?y-X8Z;sp#PsPIpK6&s@-OZaj_f_l{X
z#|_4ZWC6gdbMCCcj#Co$JU@lk*{T9azJ}1uwO`HnTP#ViO1^?uYtPorWGu{}!7GJL
zxTis|l)emr>?A@3($ozec50Ntn!N32oRorb=lw#Gu4L=m2Dk~O_#mD2gE>ovoe6NI
z6k8*tE0D?|3!K?{1V$c~a5?bIHxYlU7eG90tL#L@<6R8+JX^?PJ&6=@#CSLW&pByW
z$|@+!8DRo1v8|~+3er^g2?K})DNti-k+IIi&`!eE{pXIH=iZwaDpf%gq}jXi-eTy+
zhfBg9P(p@>b3^E@U)5875czGC(itC)g1=V5Pz2jQ-sQZ?<Z%PYVA2t8rW2CXY~6Xo
z5JL6DDmsEf`9iet{Y;i1SlzmXas+x1LRJ`$?=z$N-Y%N0XRF~Q*@m2<&g0!B9q&e<
z@Cwg*nDW@)oTiGv@{+&B?1=6Ge#0v;z!acD)%@i+_1=pUtk{Kpi?^Iz2n8$EE#sw#
zUWxngCJT|xDIe7+nh~uiJWnV~z_Q=iz<*eR)&P@EN+b4pRbcSG<K>rTu-XdmS|(x5
zMmY*gBCl-?4xTbQ3`#+guV_jHtJWZ70<(Gf`~~P96L|dF8|S&=wyW?$eK10OSIhLO
zPw;knQ&{ck>Dcn|Qr?gy(`q~Z0!Kn2K1Jp$R78Yr;VO?khfYggwZF^p*dU}u$-C16
zgrpSLQ!yo*Z*@F=Rv`Ux6yzV848f`>h{q7wThXD4Z$-l4v+!Y98K!egN4b=*^RWX@
z@ov0^jM7q?`BQB9;1@KVcOlDzzd)29l;O^1z)fBG!9cKEdiTFiVzAy#t8h%%og^d)
zE#D}Vfgbv@<al5xRutZYH}&6Glvo+dJpI&8wGB47V+q)*{ZuR=d7gu!B)!fiZG~81
z5{;fE!cJj?z_E%tI<E>DAfbodTrh-j7$&jDit0?OZo*xK5}<YX==Ib}X8nsk>W6Wb
zqZ)>8<R5$!yTD<8v{w}hMZtm9415^$*P=tIq4cRCBwpdV4tzxfx5_rOMtt(t;Rgkw
z2T_qJSi)i^N{4&l=n~uy2|a)hn8-LO0xvMnE8%Q<ff(VZa9Ib9!n;a&a^bBmJ@2ku
z?IP92MsGMho>hw110G&B*mLru-vaBArhZC&mTD-Y`+K{5O#5yH)7cmY(~~F;|Bo*%
z_e*M+z&%vlK%~jl!JMzi-t38w?>*0x7fNy}q^X}~rRukKzTk^qXLxV~ZFn%=+oPaI
z?dlI-G@#vrk8D>AoC&4Iy6(R+@={Ml`(ClpfFXYxH~+3BGx*I1`S>40&;WQvn-I4l
zf0ZIk2det>^yv)`0IpgX|CPQtSb6l~z@4J~53a1hJdYF;A?bT~8Ze)*$t8vZ3}m0h
zonVChtA-tkr-X`K!tehm-)w=e?PIV3t2du-mpa>_J`B9dU>((hcUSu3qsO<K=tGDC
z+jE-22@H6wKSxfDR&Hr_14ZQkhnNEFroZ?w)$sUtt<fnSNGS91b-QOUyc)a<33lx1
z8*%}4{qJ-}ffEEP+mjM=E3QIj7-zkrQOgr>(9;kz3HU#b06N%#G8fp56`z#l%?)!u
zw#p?EhrlNl|G5j)M6W)7at!d2dN2_41r1{}?XQxeQwhKA`9Te5gulzM-y_%*lLttb
zz@inDrY)d}Y1CY9z{5vZ_g#q9aPNyN2GnY#!?tF7%~WkeyAb~TE0hku?B$t!*JIN-
z9iaWnS<;a1!as5n_U3@jlNv6H2S0e3V?q{|!0YD^8b4Rh8<Fq60hIZEGNcGyZ#T5M
zJll#eAfF0gl$3I(hy$oozkm7h)NuqXpYMv!9Q>d;<zyibESs(>&vsPAT3<Y9$Ogy&
zTP9)cFrraR0|vPEKT2Xi!T-&y!rs&xdFXaApd8<5Vh_(^;`kF7<=#To#+smE)7u<N
znAApG_=D1XgY4rxi9LfbhJ~{vUd5#6@fD{Am`Z4{!`S9WO-#l#gVG1|VPF_?LW*E@
zO<__K;mkIEApVNW?<GQz2EcP4wv78S0IVnK?%XzX+|kR36WlUDX{oL;A<5c~Jw^{l
z3|$Zt1m2S1pcvjuub99XJ_Pg*QNXULz5I=kR2-$5S%e0IoqdOklCcEN013-w=0k^o
zOH^KQLeiB%!m$!$A4vg(0g6rB(EwiOnSE#g%=An!hjpxd@z^tD-xCo4etJ^|2n3NP
zA^Q?Q5O)Xc;H{Rj40Zl?5Thb>MEnree7}CAQ&)v|hjbH*bq}lK5zmo>X!_L5A;s(g
zbN7J4YMcImoU=VUC`lC5^2Sgq{<|%>E*?&)Qr+W3D3n*)Q&h@=sl}JHPwZ|>s9!;7
z#!FfQ<|bh``i%n5u(#Z^6bO9FHrn{2=hL{{C-BF&%MabZF3k)}>7LA)D<Z2AzTWVV
zq<l65Wu|$-te(G{|Fh&~rQg@-DTVn3mExqYNF7&4nV-2!GfHN!FOf7f8<7-QK)qz;
zxX#XZ^Zy<ptD7p*Ic<@z<w?nJ*;<^>3MlC|#|?z#&`Jo_;-Z@)&ukGH?<IbsjlUEZ
zu~?j`dtjmCEJxHSi<qjun5;z7x`uJQZ7xuKZFG4?sl+vuPyFMv{FCkL<Sd6U1T2KF
zW&;2GGbO|W-9q?77qzan+`E2SCU|@Kf-ylxe<LDbK}Odz!AK~+9;xG8Dj|M}*Iv2q
z^PXbf`wD^J!28MMlu~4X?8UIBLmbKi@<3P2BscY`Ng4J1PL+dt^UkHXmg)PVdBGRT
zlF8qXl_DPn9|wleMw$J#;6`afz?UT77ZAB}HPF>LS&)9Tb#l~K5mz}Njk5|o!OgYr
zv#ie;P^tMTQ{wvW`|;|l{buewdbKtA5&W+BQy%irzPZPAQM&o;6yGo`jyaW4j^{q1
ze3auaffGev^RCSJ%y0SsoANDf*z?S(f8t_F7i(r%E9NfFD5*a?RB#cifi$-WQ|mYA
z`F)c5I`D1d?SRv#wAo63r348~*2siV*Y+%CllX=`Hc%4k*~pqd6B;e?Z&C0n8~M(#
zwM^wGy44GWPW)C~x>w=JC2RNgKkCq>Gu!DVrT$(C*Mv)?HPWBKSmh7$`4N@cBB)y+
zcr7Zh`LgoI;f))aKO8Bnf!f;zumlA^lmX`N*}y9Xh|qDGA}^)X=BBOKbJc}$=#!DN
zn>)!p_g80~$y=?ukv=K)rpa*}M!Wp^O<li8fm&Dxr@yM6UKMReA@8I?vAGz>#)7zt
z^r10}t{CLE{f1VN1@ka9E6KxPx5d&8udAff)h9Nxukp)ya=oy@`p=~t@71bEw)-_~
z*OlcPB?oMjUt`18<rwDk`Y4V!zfBMu)5iZYhT5$sa~97#HaBLw_bmNgC`qwA@2pY9
zsQ9S6n{sIU?sYB;y~<=?+(<_?8+)0+-49K=I^CU4T`!Qzbs~QXUW7MpKhzk%7s=&=
z+3pS7T{H>9UrvTl?hOI6g}!;p4G+rA=~lM<;EpfSy6R-6<IER$>x@I5CR8pJ{hUS=
zB|{(F8UjCHbaif<YoDKwl<j7NdX76c9G>l(@;qOq-H`qB<ZqY%Dt|vwB1M1ooxdkT
zEKkLbqY50deqE*vvNy{fp?uQrPKkeK_}voh$QypQlpeGJ@#WG=Y^~7dA1?u2naF^s
zeH-@XyIUVGc{>N9MKGc3<sze@*SWYd2YsE0<sTc-1*39+Oz>fNm(1yl??v??7Txoq
zzXfw0h-bOx&HYT^ct;2_1G`#RTu5cP<7clTs;)Y^EYrQJ1U{NCoS-tk{+{VNKbG^&
z^+eJY>nXbibWj8T_R@g%PM_4J(7u=TqoPl8;Ty=i?swLs0uOBbhYeb>9x2Ybc=COI
z?&w)Vo+?M%sfI1iQr%*LdUGvw>&TsrLd><Em7V}r1Fr~-a}<x0(6d$`A!p!Svr^Xk
zn}O@e2^NcT>lOm$le6=hJ0@C_ykO9C*qmL0wZ&Q{4%0Uue|-}@a1rCOPTYe99OxKb
z8Bubqvsdzo8q-IlL(n<lpSdGu{M+lg`w9&T1@>TI>5(QnY}INF4@7%+2u&_P;*-f1
zL7!3ovs^MkhqwQHqNjO^IGlv0Jbl9d^vmkpu+`4}fh-wa>vlZz<Pq!>_GzMy;la1w
z99lU6H4V6~6BoQ?h_cl$0iz=2vI+>+b;Nf2uHGgGHq(K3;RIA<?loT;SL#3cxZdH;
zmdWQkVa$ulZbZ)%w~!;DOLxawd<mz^Zc-nIhau=Q#fS8QI;|D;B%G2NB;)t6V~*I=
zO{I&6O?>=ry?F?0{d)U^j`^h#c88|t*+hq-kBgUC5v(v8qc%2)gj175kC@BP{U(Gu
zNloHbR_2|4Zq+v94D(<1*YK;Zi<o}-eM)$*$){Ib;q_@>>;EvJv+sQ!YhT5kANWu0
zP8khd8ge-F>*d^og`dp&@x7?B*(btAuf8hbw1QG?xphfm*^H#fHRPYufXBHu{}9|y
z1*NsxTz;n8){Y{F5UY&^(Q)P;x4v>KtL-qxF6TNl7iTwVHUIIr>Xe#oo7xn4KGSFR
zg`HrTMCXu6q&3OL7x}&YFy(4C^U#&5^(X9Mq2CE2K{GSLKCtp>wkEqE#@`n9EQc|9
zX3f20?a8*9S==~tcSq}5PFigz(WI%Xc~x%1Z)xwBZesQ7pD%^AEc2#5T^`{X$Udh>
zVa5+qHa5gBd3D6sWIadHBDch=ui8#63qbjKqi6Gkx~@fDk-<<Tmv(pF)gzetMK7vL
zGb)aRY~-BM&U~6~pmAeo{Oou`X+rhrsW)>@;(it(X4iw=pJprm?re7(Kw>n~D@I?v
zZqGvP5P)Uq5N*8=Ed_mPW^S5$!mFfUbN6fJwV;`WXB$cuOEZ7UeOhW*CVnNkuozK#
zV5@gX>Fp$bY&$#trm*Ly#@40sscEzSO5eP5HShfT0UAcx=w;Marw2QW)QF0k8SyvH
zww;B|u`~(Vm=C!*7e_2)gC3n44jtLiJq-H!i8%Mm_p&;u*2c>Vgls%)5^2h!G4nOv
z>=j>a3G`Us>LY)W@UwWojCUG-aB<0qt%kl^pL&z&1-0jtww8(vpJffV1SN|7UIwo2
zbM%i*v++-#(TaJ$K3(lyom>mlR<#VSO!q?KepyZ`$Q#qb-KFe0tV&`}xR~4KN<nj0
zsY`Zgp&hw5SGvDRzjQ%-&HwgEJ+2wvsIg=#gr^cD_QiL8_n0~TfqpWhE+l1pZL@2}
z?pm?8F{o#OcrL-~d{t{w^46XaZ{z0Z%BVGx4U!#$MfCmrRfOJ~(gYNzS4y8Fh|?{9
z&~UBq%f5U4yw^JJB4PW-55#!w+XScOm)j>K;~kMNeVL7C{1)|-pK)Is(yMPv7=QOL
zJ$K;a-GSPGlg|(Noe6A?bEtcsJ@A&@f&9AX>zR;eaX;FYTQ=T{DrROTY%RTlJCtNI
zg>L-E3!jVT^!_0%ly}@;08TsijguZ)yj-1sJA2c1rMowB02vV5$37RbmbP&(W9;(t
z5xXlEJc_v12ib~QNzI*PwG3*i8Ooudu>I{ZkzYx_D@BG95O_{oQPb^DbCGP&foMk;
zceErmD|O$l-D!A-tCXv~H_@JFU-pJSbhqWuc#tF4#_QW+XLJ8lU|WcHGU4-N-Z!6C
z!rJ*WgsY?sh+w7tOpA03xTS;}w<LraBzs*6Bf01Q`e-Jw=|9QpGyP;#*9ViQQvIMI
zH@~-&v735xyy0zcr;`vFZO>&r98I4Gl+~9l%m4kenPeVe9&#dtcJGYQK6Z+Da(VU#
z9hr<R3${9OIP`;vRNAu0)oF_0GN$Uv=oj`QLAQ<V=+caa%99&wcOt$G|Lk<iipj;-
zi5wN*MC3elvduz2V5Qx*dvsb+$r7OJ7)lhh0u~t~?_NGZ`dzl1+Z!?bd5ZcF{-9eO
zP1deR=DU463purT1GedI-^E$tYUQh5eR{uv6o)!PIP&pPC<4ebV5Mg7G2NY94cqw}
zMRyp(4mpB`J+WhZ3EHzmlVw28&}9mYny8~YJ6W^}R&QCGyPaQJ!`+v_WU@6bOz;JO
z#kU=~F?jd|>&vCe^{81X*Z~d;<_66bzrF^D`nw4Kbm~Jv#0hP@x)!ZBN2}y>v{LSS
z$@w>@qzt1E?CBOm+-}TqDs1b}%wm*A`8VFe-%hf;7K{cL3|_XW*?M+Z+c?}yUo0%}
zN7pj_)W|jjpNw-Y=5M(&DZN5jG{&FeCk|%xL9Alhy-hzZYOW8A98lKajqSVLN-8D4
zSFBR)CTyqlZ|x1)%tvW`S;;9s@7wY!+C7Iy0zSJw4*VDH;j!LpVuLP7g8V}4LOT^&
zVZT-ov0t)l0`48Xf_#o_g%R&>5!2A_F4e=79rrsbWfh6p*UDkdhmW|^kC5JfL}qdY
zE<DI@Y1!wNF^GI!^j^LDUen#J0x3ed3a_(*eh0t|-ZbF;Y-ggPp1bb+{%TtKfoe?B
z6u&OWTJ?0E)NE+}%)I(jUn+Kku64JTltClEEzkd{q*N13cBhpvEn$)-yTKM-d$S^k
zN5Zx#ziiDL-3X`IOJ`)zLGvD!#Gy9h_dic_QGf8mCWbWv2RUp2IcThr_2QReAm4t%
z5D6oBhvO;f+=(*UdwhDWHThd(Hf}{@`^BBgpZi`js47sdKKX=tyd1UjU&Nn<irfE^
zd_}`u+Nzp;?!Z0hH+?d>s#aXX^5HIo*YVGGB14I5;;*EZEeX*tkQ1Y-kWEAS_Q$HO
z>+Z9uX4%~~<ALePWVKFS=TrKv#3&RVGxT3K;C1c+q!eu1=yo|)%v(%+tyXQ|hsg8w
zIsTjDt8hRv`HBty$OvO~NeCU;RQvu`dg}J5?!NTk<0}(aXMN;NXnRq5hpb^Bbl4kf
z&QJ+wD?oZ1hgtX6a3C92L}$#pO|1DsH#2kLyj+pBne(slv%U^CbMo1{i`7%`@YAAE
zX}|?0Fy1r4_)H$!KCGZC+b(6uj&RV&)GtKZ(`^tP*$|d^YxTt1gD_@qZMhN|iOoHc
zH_Xm}eL@(Jg7_dosgyTv3ArP-w=6L7<^}6$i+f^4`oDGZ2s|z6S5NfQ;FKmO`~smk
zpV@~*$7@U!b@t{AH>ra1zc!Q2SD8ciUZ|4CZEE1KBU%Lip1=0Q?T;@fokme91EQH~
zUYMa@>D2M&u9lT2yi13+!+)LJt)Nyapd4CXwpWMT8)^KGwLMk1vHCge({5}(m?DB1
z8q24~-ibKyzxVX<zv1R3VY>%MX2mAwF8r1R1&&n4vwAeZ184vO#k%J_P1*XiS@N5k
z6V4&V{e4ewl+7$08k6p~dn9a^y8ZLt{^;0MDL7x4)p_NKC4zdQ;B`4Ldv<&DQ>0^f
zpb~lL=C8Z2VF#BRlC}+HwPnx-L=%hkD{r)0F+Q{5SsS(Bkbc@0v{Ijh&AQLYEVKj0
zkvDAj+MTMO+_EFS$5qR2Jgb9s%;X?U3+ijdMcV>8tOY&rUDmV+zhj7Dte8(VMfTmN
z;a~aG|E`AJo$!JIeCJqK3>)+rP&Rsl3KmFJt<Hihf~`X*zc6oa{y^yCQPzAz-_ofs
zu7>UWo<nSMz~I)*Ti73P-u~+pFvH;3pUZk<C_DJU85y!%y`D94Z)fEPV)t?Von)YU
zi*vpIDx3}$3HqI$H9Gcq2w-8h17Oel(l{)|O1Dz$;;c=>zjZO;y`fVS19eN*Z$BBS
z4V$ln0&&dnB2G5)58>7Y4silETlnw_9$!du)oqpS?yD>A)e_F5a;&3o-4lO~+D=7}
z$ZKwyWCom$R@>7Kiu)URT*^qn9fp=!H>ChLE|#g)X5V}+_<$rw^EZ6d@bbi3TrU65
zy%O)stbd=-9_h;i5$!f4E0bY6LgT&5v0K%OwM{dZ|9$&i{XV3D(|>Tel@=Zi$B-)g
zg#&&!+w;gg2=T~(?HABqzi8$66MOQkt1Y!XW)-_bH&`^QB2ph#`>f2vRx^4pA4d5c
zZ{zfTFea&N0Ho)9cep53$Wxq@@KPag`h{xu)*&I}6PI56`?AxUf&X6f!a=6adI$&M
zi!VQXUlj(zbic~)9uchJH_XJU$wlp7niXz|dBN>vH2$t_PMV~JucyEM9fP14MObZ3
zTjFQi0qSxkD&+<1>70oVD2q3Dl%e`IIkC$l9UVXa!ONOax;d)qy!wnBTFi!53UEzK
zVMnpj7RK4^l;qdOd{BJEM}iG?4ztVh-L!$+n;Kd>CYSAyKLS59;WgEO?~#FfeQ_!5
z`>Ztout)NKN^5mrb~q6uT{h#9?wJYIt3?hU;fS<tu)Uvt{Yia^yMVvpa8a7{CFIEo
z?a#vL>D#~O=x?G=E!J;I9at8*YPC#FbM2>0x$NjWOY=<;1>jG61u0dZ)xQG<wQpK_
zh`wEhEYGE1-JTGyZmCSS@Lnjp5r!*IeMvcipm=EKtqAX$Sgmkuy(NBFS8ZnIr3X98
zTpGSod&JR<@^$}#!`-mhRc{e0_Tl$?E7&JnVsjn{XYL{VA0hbaZK0$y4UpgDygl}x
zYM4B=5R?1&jXlfrL;wDfH=pn_0;`jWmyAEJV3s4#sXtJFY(f3g!2732h`-i(Q8DHw
zs1B8Qk}+0SH2&G%oqwTvp0axN1e!ydx*sOr5^y(mVx{WhzwA2$p7Kzcm|7|f*<Oxa
zd77wPQi+cXZ@Tg8_LG`t4EyN32Cn^^FjKMuxN2fE{`z%$>FrcI#XnPTR=gWNz{X47
zIz$~FF&V81QLg36sH_5L-@Ny%JkI%|>P41MC;ZF(<M@Z=#92h}KdEqkGqKexgB@wN
zgUfonkgzYxx0{%oQJRI84b&MiPxzI(+jrhMIvc~+u_-T*e{Fg7URNcwdA+xZYu37D
zTrY=sz<Pk-h>imtpB$CWCS4g-jLN4cyrOd%Rsi4WRB0FHXT``ACO*1P1Wt)um#)3(
zHvcMIinIlLpS(dBC78by*FcC4u8Cf+ch(nQ6pt8u2*ZBL@0(I-tGDRfuiV8aqf({d
z>+;QAS6SQ&MH4{@)i$lC3_|_a;bHy#pgZ%yfegM8Prvsfz3_&PhZ@HAj*j)_A<80U
z4bx7Aqp2sJ*ddOJD>4m77eC;L2IuKj>G`WKFM1a4s3U^^$~ZK%w3GdU*3)mhp^6#@
zw-yiu^;{I+QD$+GZ_d1&59pI~EQncYt&3zY2CP(d=?T?Ku1=?<_z209<}NFGzhPC6
z!~n+$Lr3h-{5M%eQfg~TXN;;rq?EA5i6+0qpA(jI8zEcClYDVWpZqW%5R{`A_yCRT
zIAAd&N*|K<UB0<kinw=)1%a|@ybFhOPL6JirIDxi2s_`oPNFuCEiH;YfwO|dyCNOG
z%ucWdZ_3c7eOklU@(}e~X5)t)2oxD@xfWWQW7>Fb!c`6_k#E<a-EXva--1;yv%fUm
zt4w<B+;NfR;96|U{2a^C=kF65><)qf+=!*%zFl3hZIDbrLT^C)=GBk61}0|-Mg9}`
z_sq6iYi)x!>(!Off2y(J5hgeo;!c%~<kF;Sa^BhiE`kN=&w;<C`)P#BHGayI`W1VP
zo;I1<TR+Ly`{>5+1y&a4>tHm3gSk5a(Y<owTI0L8$IDkg8D9vfx@h$!&-i`x&y>5}
z|EV_othqxaJ?msdrQZA@_WaC_$^Fn>u{(8<Cnq#~JL;kSp~D3s+-)!zgD=VgM)G2#
zK{!9-`?kU%o0k0w^{m+Xr87szX2<Pce-9nM_7|1wNlvwLJ6xaxN2aRyawL4w`XxU{
ztu1VPivxRbF-(5B>^gym!HDNjMEiq#6CPa*<zY7ba_X3I4ojli5zGmjqB~R=Kkno|
z3qxO!M`&!?-rdW+srM%Md2@a;xj3utag8zVN9u>{8iiMCzW<Nlr`J^{#?L?=XP9N6
zsBt+v1^Kl}_=K&igGq>$*B_hheG&pR_?FmH-%MD^R`609wrsXLMohxpTyYVDu8d!t
ztu|FHt?m70`<wsLgRpzx1gg1XJ^cclnCk|}&M9V0Sdq*8_Dvy)rz=ma?KCGGL-JC#
znwjqoR<^<+6TS4U&qb?Cm)U7T&Tp0&%55L?8vx;f$Xg{n@=z4Y26m6_Wg35L7>R=P
zGFV@xemJ((-2o9w|DFZ~ErAn{|0%`G0N&VL#I^zfzFF`-X>)g9L~1<DPE31G5>1<U
z!e%$_IAy0TueW1zCQTQr2KQa}<6O1lf<B(Kf6GphfmsU}Px7pl{Ln7}_dS!rhsn)s
zaNL0F-sG@i&`C*GdM>zlMw-qNkKO{F??}9YX~NcG7#R7%2u5$1?b{q2Z}p$>z7e`l
zeEewyAEX^HT9C4NRk1E<KlPz5iuFO-zLdyB1Y{vN@1O%G66ICG#TsRn8ysPZ*Dwc-
z<7nWHm~`-?&q}1`fygB|r}ONgN6+c1b)4x*VAK$s(CSGRfRi_wBJGhaZEJ1!*D&Cf
z^2uf>?ac&x5_Y!d$dti&BdiK*SKEoGmlk`iaFY1RU%pCW$M-$P#c3|!sU{QX$6dk#
zCxk+^W7ueo`Sj~k`~WBhTpft?gR@3_A*hMW1^G;SAZDiKzK6cO`JOIJRfrq0c)7ot
z`*{HOy$lIZ`JL^$Ru98Dm9bz-+`rKC|JVTB2lo4LPNta6f3L6mp_vX~!0Ljd-f?#N
zZ}lkL@RuXS1kW(&W?Uq*;m@H#pT$-uxcOz)nw?eh(m%E(KHzw)H#)K%{g!w3+Oxz>
zmSXsplEynwqqZ||7^@jfbkfbEU#I;<h!Oa=kyPt~Tm2L2m+ioP6ty<@!JpsJ?}~S-
zAKX$p+~`-Z(;;gKa+b(VG>3qhA{g4sL8J4|fm*&(-Y(4~rAr;H!T&e_R;o5d0CN3J
zdmDJ&keCXCpn-uOGg?6pIa>!y6Ta|5)xkC}v^Q?fuRe31?)84oYGB1x42a|y#r*58
z{<m*s|F(h?rq>oh-wEOKZ=RGMDlnv+zI2oDqpeM?DQj!*mmWnH;)1I|F4+R&#(WdZ
zKL7zMvRTy5x0Za+YIEmb$sa*%6>VSPj-Hp(D(e}EDpoqu@->{Dn?4QDwEYXls~dSN
z7WSd}SaCRi^+^Vy!IS#$EzbJqX`ubv!-pO=+fs!=aEAF)6_O_Zp>lI6h~{Ts^kcyU
zDx=;%=y6Nn+ZI_O(6b1M=eM^|Q}CatggIH4FnY{?fZz1LT=6VG-PskXC#W=`zhB|>
zy3I0LPk*#-fID8N^fb#Tf@X(eaKfASjmX!^5Vk$<X9_&GL2PoTqwnJ2G<H!Su#M&%
zrk#HIE&kpvDIbaRq>^F2LWRAtb)WEXc4NQ+dtwEn7i$9$lAgGW)ohYQJcb5vYHyL;
zs8#03L$p`V7-?9-uPuIO!9=y&>(QM{gXByjwM|SScJcEj_dLD9{1fg6O#NVW17IHY
z*NZTfXQdnR!RwnaK1grWx5dMm;s3REZU(E7SEZN4a&iucBIm3T^pMx%nuH`(7g_&P
z%CZ&=<tA9s@3b>Tzje9==N&KjFt>GL_4Ys9fT=}la6I{nO`OpGsv1E?NG~snNt2Pl
zt0)hy(O2|OaOSh!mZELCK7ca~24ZeplDdZs4|_dfPe{t@IUVb$mAw0xYtb4;`be70
zE7=kvoW*@JM)*UUNc)7-+kvIvABi6ghVzJ`5pk2vx21O$#ri7%{GWR?rWzSIp{&#N
zAe6=22j_4GZX47V9frUXcB~}Q-W6&4vRN<^eKA0x7}NlcToQ$Oc*(Or+vmvd-bfRT
zP66M?7Z}n{Fq>r>N8r48hhm|`c=dp&(OZ7-3d=U~Lx(tQW!K2kqW3Pz?{k@iu{sZ_
zPKmt!e^QaSFxdMIn>{fAXT#Bd@4iGDC0!X151{SG;eT5&`Zy2;Zt_&wEUX}$fHka$
z=_Gq@Hme%~&!wI*kdX#_tq-t-tO8Vf6~iO)CmQZ>5&=X_Nbpmf4q*HfEaA?&wu|qr
ztWL2kSpcGH&$+qaKw+d5;c^4#_Q_YzGNp+g^}xjqK}x#8c~}Z3e@njIk5GiUTZ9b^
zXk;`(+Cqf<kEHd<Q-RtG(cQv!qun?FbsSTh!G8i$MoDVsVX<DD)mZ`S(Qcf;+E*b!
z&uBEm`hZb~jqe8nzN~f(h<>h7a|ggl?pLg#O0Tq+C*f|!Bj6UGo&9f7EK3V`h~Ad7
zyZ~p9lwsvEWZlMo`=vn$Q|{;=g>lqjYOjHSR5}u-6L@iN<0wUV;wjv|el0Tq%DYKH
z7bw>nB`zj?&*7aykC;I}o;6jJs}lhh{z5aV-K*0eOp>#XiC@A=$|1~@<PpG>(Z?`S
zs@l%m|FE)lyp%AgjC6bWfncRK8niboM}{D)WfW}_VKTZm^EjtBQ<9t0o>&@8;yVS<
zxI=Nauv#pd#7Gj!(vl^N>%U-bq(NQ6iCUWK|5%5s!jQnx@#4IvWkm4YFzRS+Ni#4^
z!lCpqJ^$kvI$S~Nptd;$<@UL{%`p^b{=&}pVF#1+TwiAPMf=J;NXFez0gkmCrb<yZ
z4oJx<@~qU$lx%}}vT2ti06vv)Mp2d87h!9b{?H3@@io&=)ve&HG*H0f@My-7Mnt31
z!A!1<OBenn3Mc;R6nhPGB;X^5$MfVRLuD)>v!5%RWt&IA|FG@|tm-YnJYk5o^aE0z
zg6y;URd2Dx#WLdODHTW(CL;m~l8T&XaQ_>z%MY|e;Cgr4aVJOk!RvKgpSWVWkJca1
z(5<=~qdorZZM<Q&vZ&+%oHfyZc|<bx%%T$9jFPfGIZnM>ufWfB(<ST7VKw0DiGaw6
ziBD#vq~bMsloOhcTJS6B6uY7TK>jTD=N&}C1BX96#on|+(jE@|BbN`tTKW;z(o-&9
z+^!9y;3r>=;nkT8qdZf7z!Zz(`jiE(S8!<?>}p(3eY?3yCZ%235-V3n0USh#3AEtO
zK0SK)1mR5HUd-Jhsh|6XUSk08LBd(apN|@GoZBcV2rEUoWw1!Jkhh@s{f2EwAG!uz
z1)U~40Yd*IQ>+_q6;WTeJHvIC1yCnr#?42?PZ0WzZh;lxO;4^HuV*BI?@6Ouq$P0q
zVAH;<X#jS7HdAS1e?y*!qk*GzaFb6MIY9^tfic2}@09V*D$tZkldynag?rU%PzLo<
z;8%6k?nD0!*mv4=%;<>?|C{1zss^Rozy_a`qI9#+u15xpxSLITW>bX{O@OJO&~dmj
z-~nm#fLxn(c;6s_Q4u4;APl37_33heI_oQ;P>F!QMOmBhS;1*1Vg6_g@Rppr@6Z(p
zfEj=7kakGn&NZ3)*jYT1mK92Ej>{qT_O9{*Q2(_LxFs|_rSYGq-d!Tu$m-S=W(UM*
zm;d1D=v#~r>(>y^BPe?$F+hn~qXaGmuo|nxI9^cO?c9fD#0B_!uxzUY_<;?~##T%A
zoGr+0(GMZ-XTsN+O~#nxq)3Z!WyLL0^8c9W=ju^Ph_*u<a7=EGI4Y~BvdLqJnmGH1
zI~C^KXiOc-V7%*OC^LcjA7wr}9!HNp++s4aI^rWS+(zUbTACqhqM)bkGF_sSOE8-p
zbs&B<uk2XnMhhgIXiew={MFW2Ym<jt5%ARsOhs(eK&(njGsev6hV#;JWmi0DBR1`6
z?{N)Q<D{%!X^O4^ktoBMRt6qNN#K*R#&n^ufORqTbl`%d-qRnb)5!dfvjD+MI@^C;
z?36s<%99G#g110-7b$#Ff4yL+fXYtuq#p+d;A+E;=oKF}&P#)hOSY_@yLmsC*6|Kd
z7Ue;@af_g;5#|KgOQxI}0g1<@iM=}s4-n2RUJ{fhXo-}3FxT03U4vf}(l|b6AR}gY
z4AG0JLj8|}?G<nfwBt)}(Au#8;qnK#537OJZ_{wHu~n;7yXVVvmGFxEWX3~H%R&8z
zpfAM&<l>QlB-4_t#U4OxlsbqDjFe%-!bg|MLzs|cX&~IS0oK2XmLdq+AtE_jj@rjs
z(C@ec&&ya4A`tHs?=xo3eKOYb&n`HDR5~sP*vK$;YfP^ZQP6D)#-RL#(lUZz#gqyv
zA&L6o7L}#C1-7o3g7HE&V69D;KUAA){l99n;>SZKqwjY$rdr@L`DZ?&z|!k11xqo8
z>FzxTZ#VOmp&pu&+Z+Rvi4TqfLgh!0=0KjsALra`xKON|l@lo(lPBkdxrdNpz~w5Y
zQNyex8D0}4``SYg%UJ=Cv2D0d<FYdJs8fJx8VkY)x(Q{2(a39X)l!m`EwYWPMQ~e$
za*2Ue0ZdDWlc0UDB4&job5P7;+!+kJfYlW3+-;e3gg7S;`YYNINfTLNPfWoHlem!i
z$a?J^3q2J6%5iiLI?w!Xy`I3Hs*zWO4Mk&WC8gTs>csb>K>uNh0`~2|so)AjN*h3^
ztPt4dp_)@<z@>dzRiL=CUWtM*s9ur>;fjScn6G>YE=%eljpS|*xC0(X;Fkh<s21cw
zi7UZM#5&d_T#qAMaA<C3;uu`CggplZQ34<wa*KKRpnLo!95oQGi-^Ym>LlMi3YSEo
zNz5pim(G)MP)XqVc#~I(k$^mns@gg&h{D(Y$NdV}zU4xosL?_RUXeD=>QqNcHl%A#
z`_jo;k~x@$7DYI)>u_9UG4XQbFRYko2J;b8GK{&Kz~}oV&Hq6=2Ga%ZsQ;Bhh`5NY
zeP?J<6bpXOOpL-+XmC*)@|y~E4O#+g*QRA;BUt^l1D^J7fqP(kCwWJUbmM%b6aKWn
zXh0ox!g&i%STu@q)MIUdEAUPOjlYy6;W7Bm7O>>7=_D_RhpI9m2+3t^FPVLh5ATe}
zS?p)J0-p<qlki+{on0MN6w7%((o{;__?-9Oy)%~UPEl}+*&9!7>ZC}MUQi&3D1L_J
zo)zAz)du7=Xkx^*+qCKZbI(ACFC7{ehU+qfs3%&ijjST9NvbvPR_{@^II0=iJMLMC
z0{-vk0D}(&0z4sXIfsIZb#(}t>cC5JMd}VR;90^f{m6B|LyDQ16wT9tQIgDJZ6aLk
z_uxcolNb_THyLy;^7PDvDqKYP{0Q0&)hl$bi6tF_6>(DXXQ%o>>EJ%dM`Tw8-n?Z&
z380i@%-M3DWTT}-d;xp*aN%v1S6u{hoglC-eh#l4P)peWqq)10ku)hOco8z~Um|dT
zoH@O+msQ;2I7`m?Q5h<lLNZWJOtFxnoQ8<JBKw<X*5;!T;t6RhasZe33j~qrWV_jY
zt2}Fxc8pnMJ~}P%<4f%FS<l<>OXOZ4at)*?<&bNP*@L7jBlo7d#;dt!>5=)n8=XL+
zJ9GY#ZDC4)0iQ&*aN3n#MM_!wSGpgnxhB)1N)S*xh8~8CvXkMuh4}j#JV~#sk+h@s
z#woO)s0ZdWRp7bweY`+`H<bYKLojjPq`%P`bm9@%3QwP0x|h4H-VPLeIM1DNA%}OH
z9S+o*4w^i##2W8Ui2MGL*IrwKYvM(&p-F<Uoys6BnCA{o8pAsR0hcBiK*Lmxp2!0P
zzC++F#h~!GKgN<rQ+D|}VfR5DG!L$FckFFyt}TUf07AJe2#m`V`Dmz6KsdGiO|<mv
z5EBI#W5vjYd}Siz(-3&qK!5H=@HvwMqUU3;jHfCVlBNt8Fq73a*KQr7MOCiFieE&#
z@h(5gXM)RDFiOHnLf5&6E|}7s&_Ax1JHh_Bul;)#>la`S)r;MQx8*MnHPBRuEEkaD
zClX-U`;#OBIYRRH)FmPVZ6m&?F_rS}A@i785;fKP9))lkxmrq8&F_nRgWP3R*3xtS
z+9)vrgLVomK|I|k;-QupP2-{XF-(c;BJ(b|$}_)BWceewduL?xMHL6&^?0}+uWiW>
zS0iyj`mxQ-Z>bv=_fKr3$2#s$p!L{Cnf~&o0w()jEM!DQjn~-%Bh%eDk~=Cv#{7`!
zhZk^pJuqZ=Y<5qGDoF7?&TWm5iBwNP;FF7vprdf}bG$xLj3|5249wqRUDNV+ycED+
z>09|~9ITCPI9gkBn{+JPxcUf_cpiO~ONTua?JvZ`1be4aYeW9RcCzTUUQHX3*%HHI
zPRqIhlLew#Fz(0%CQ*~obMS_=^z~l4X~{pt=`E!=vvY{5;M|<tnnjwhA9Og*5(K0p
z6C__C-QkMwGXpR&iLDjVZ6Bs@fno@9K)+qB3h?~y`J)-EI!8lQzunvRE>xxPlClVx
zA(ofYKQ<Wx+v@cTHhibxi=x5dL-~hvl33952$L9P=cVf<@CKSXyst%WtE{~tv!C9O
zMR5RKX)GuogXnjL+`=qMNAGFzYae=1vm0A<uL4YkR!RAX_J<3S+g`(Z`{zI9KJ!0Z
zp)5SeBRm~!^R7h1pkeG#D>-MVi3tBQ0F_0%oWH3yOh8@Ku<AR9LOFj4n1bDnG58?i
z`DT-EY&(rlihfg{@qgPdy29$^YEcP>E3=dY=J3pM4q=_fATGR|J4WlmLaigg|8!j{
z>qR%Ns~0brFT5{mBJdyr{X@Vaa87~XMw<e;KuHUJ3(oywpVSz)2~YlGv}nnG!3gG@
zgVEooFxOoU{-<*{l;N3xI)@+gIVL@+D$Dsh)_AN<R}Z|jzxG8c^TzIa;|<NgPE;m;
zz$_m&hNscF?+<t$nRHO|0Fx5W9Pb<r8_TzeS!Y%q0B+3qH*Mi`-2;4!`2Uy1oDM%H
z$*^Q%mO8he$}EAiYQOk()Xc=<fJZR^_tFHEPOv?aQZK&s>+iEJ+V^Cg_rEu^&17M2
zDAC!vkJ<JB=aIWC!JQ5Td>ba*NT}c}yt`3KTT$(^wfmkmDyM!{0~am)?kwBm_v4bG
z1jCYzT>%$3ON0+5a2d?Ch%I0%<oU>xlz*`G%D!`Mb$fqqE#L5j!`{DR`7d6V{J-~w
z)8Cs53jg`w&3XQ@ck(lH#g%ed)tpwH0T(R47)_0EvzUJ)x_~Xv(qg7XuYt`?QMWw>
zC(dtPXZ7XriO$+5xA)GQ@x+`5xQK00&wgPGhm!lR)zyC0#q6H`YEkIEgC1wqofwZ?
zj}*T+b3^Tm<J%TaH}0Iw!QIi@kuLBsflW|kSKGh3!XvMxZXSMcp^lAJ>iXjarylyh
zIvH43UvcTZ>aOQs1^wUO?l@Z!-D&!(*Tw%Ymw~|-qd%W3Wc|JcIRibr<;pj4k<Nq*
zW{>{2*RS<pX{mJHZ{B^Qo?+`=j^MU``@LE^Sg-8o{lu`L?}lx>%D(bD-Zopm^ZuO~
zdc@U&`N*w5a!LX`Jbx`JPI!x6f4TI^pZb)Y5{=e{22+3sx2Tr5MwFx^mZVxG7o`Fz
z1|tJQOI-s)T?4ZaLlY|_11lqAZ39Cq1A}>|_K2fs$jwj5OsmAL;r(=$)j$p5RUr{2
zL5bxG1x5L3nK`KnC6xuK3Yi5Z$qWn?a~^-<;V2B#&^YCP`i$q(AO>b-ZoOn~VP#?O
z$s)|c3N8&Mhf|o9H-{*kzH#NmkuyhRj<BC@@L1rb$M8yAu;i1I=~SQ<44$rjF6*2U
FngFZC&Y1uJ

diff --git a/core/nginx/static/apple-touch-icon.png b/core/nginx/static/apple-touch-icon.png
index b4f92f33c5ee09e6b74fd27eb2cb2ae44d523c5d..d1b17a63d7ef82bee0ea19331c9c00d5581683ea 100644
GIT binary patch
delta 4390
zcmV+>5!vplEw&_(gntm%Nkl<Zc-rlq33L_J8OI-B!X}_70^)`XwJI)XQR-1~w|W#8
zj*5y)OV#6ELF$TDpjNF`+fzVmwN%uqEXo#8LBV2?giS!g64?X-k-Y4Ca{GPneaR%e
z_wu$`?#%q>oSz)UWaiENy*qdA_ucOX0yq*srWG=6h>pZz#D59Ixx^6SPGTf6j(ClD
zhj=drZ_EGlJn=i?4&rKJ5OKWx?hbN3+;<$Nh|6RWJ&6Itb;M)DBw`McLu@4qh*F}K
zXdqM)GzhiwJN6P=<af^^CJ>|K+^37^84w*uq5^j&`bm%b2Vy$0hWLr7Nm5obsgW-Z
zU&~bDS>hVvIDdIsKyXMLlHdU1Na9KvDtu1tAgUddH&OT+w-NJX=yC<ohiC`6{Uvdx
zjD2q>CKI_tr3(a(M+Nb{jL&Z+`pOp;?e0N|+Y(0*!{num$G&wQkhrxW%4Ye(-XuMD
zTgdJHG4X-KV3|=^=kPe#$)U+w;uYdNq7%m4?weNYEq~K!bBQ7!N*s$IF`F1Jvo{c1
zbCLP2e>Abur@e79Ly{bsH}5O=4jySFG6y5Z5F3bk2%9kV@=`oT?jgi>c#M3kG{(jh
zf*PP@fQRql)5Osjir6nQN6a3UX)1_pZja5un+J$PA-44*^Bek5Vu^%{A)$3+?5`x`
zj+_#U#(&9Y5L1XU2xl9dU-B>FRE)39>y^6`k4i8Ek~u>j@epwkdh7I}d%q;IFa@Vg
zfQB;w2cox5zE|!ldBQ(JB<<jYs0Sqqi{3f`nNKAC<C2UwzfwiKE2*}SI)=>cWYxxM
z2;&-7Na`(8R`-*+3-P!l(nAz?u~%N&JNsK|V}FRjsf}-8h~fGn$V8%-KZhWO%>8AR
z2%>%7h%)k8%b)v8YC~quQ(grTJV%bKg!h5eM%3?G;s-RoXW>MrtGqp5ZOmlwTE1Oq
zbkD;vgd4rN^vhUb{cBl{j|TS#1+sF;LsExj&XDL*5RL3Rcq;ZTZ%A$AWQ@StK1l6u
zsecWb??k`^$nayBJ6{xysks}7d^9Eyc1j5|7ftCIGG8K@S!hVGe{S{p?vUD$d4Lo*
zK?8zVNlpFrmpXib$H;m#G#qG+&m@mWYni*rx<51+NQ8e%rlq!X&Cg-E6i9Me*Asf>
zQyb&vVVG+MDX>q<C1^07He^0S%5b59Kz}Om1j5O>2z>}K6O97WWNK5H1c$Tdp7nU~
zaA04xrqRws5{;q8rLv|B4Fb$ymn{6Sc|09HA+H}>ghl`+^Mw@Sv_0u)EY<=7i`FJS
zZO_od7;0QV?7__k7Or*~WS7wVCOR889azjXYomxp?|d(6XaJjPecWl?3!<?F#D5yx
zY+w`11L2*1Eh|4T9yb}-2v0gZV}37fgtxcjCIbf+1e{`?&_)S@iMYAIA^u|C0^6|A
zXJc(3aF87`LNKj&o`jnU9Okw3d+D&y1JOGJO?v6mQy1C@alek62{hrQ)I;K7p}E%Y
z7Tidn37d%%k{8;D3O<FK2sE3Q9)Femyma^ndQ1HT+(@7kO9PGjkS8hhEy&pb8d4bu
zmzYaR=JvA23pWtx$P_7?kyMx)Q*}V+eCY(j;l|70lelR>a~_TVa%hzET8tY8G>5kX
zJTMWVc}uP!ZWz#<eG<ivJKPxK<b}2Yw%`$|ACEok2>(S_r%Dram{F)keScS>-rQ29
zCj9`c<R5g8Z&_C61);elZ|By8J}cnRekff&4XVXI)hZnJ94vNVs_TX3nYdG16Z#>i
zE)GIN=oCZYBO--1>N|f3p&_)(m>h_xFC7;82qG6kLui+=n&=r#=!=Om2o0fKMlo?-
zG@(a3d0`M5LZ`ulhS0{k!G8}RG=z33?-=V1!$Na@=_&{fp<T+i#KFyl=Ea8v5E??e
zl-+@*JzBy-4<%|LG=z33yb$H;=0ZE3E()O`befE86uONJsv$Ilb~A4@3e5>g3m`Ov
zb~#z0L?!yiQBFn(AvA<GF=E)eF~ct3>q6HyD7C4qUac*zQ|n4JhJUVaJ^fi(*8riD
zUuW2#g&snb`a$TwZLU&B&Mi{iX9d+E8p79g*zBNsVr_*gt%cA@!u!l$#zNm6&|oK6
zJBA!p^-8_6u~HpG=hCh*>3TA!7pjrpRj8tx1`Iiphj*eK-nitd!7pQI?)Z4c2KR*8
zG$>t1=TCy_`Sq2mtbeWnW9Za#qaS0TC+KiNcD@wWlQSRfs16N39B))Q|G_hZ>UA0p
z@e>3ug=z5$3;mJbgl;^t@@rJT`3_1==jA8GJ6o$&ZG){J-K#=R4oH0i<=1Ju#RawM
zv@eS7Z(KUxQS^kE`eSwIiGgW5Q<xc$YL3d!^U%wKb!yO;C4crcFrBC0{9-kqo)8Vn
znZu((e;LrFWUkYJmE4j#b=lXY);BW!etse>aX5(NQK7S0=uHqhd~7YRSJ(fq)Ve|}
zB+$8Em8exkb%+#NLk<g_2ceB4zp7r{kyEDHS@0Pz|8J?<Q0lzQ9u|5%gpP9Tt8P#a
zt||`&I?VWNZGVXymX@jQ74=G&!=pmyLFgDqNo|9AYF&lu_(?FW&vgKODej^ke@|6|
z(&>QEnhVXj4;3ay**HPyr45y;Yl@-r_A?6A!>h|x(Bx2d4R!Pj_SUMsX?#gc5qfHx
znD5ah&j`&y5-XB=Se}X0_?$eHa3e@4`)TUo%?@Q((|`4FRPn3@CF+N=dPjxsJFh4-
z-FZ%u@Xzo}PsR+>JzB{^uknJ=(|6W{Dwy84vOF{fHuGR7-``%X4xf`iRFVF^8-13S
zH&&V+$}Xo18J}CJI?<QqSdwW=xr0K}&%U~;GSq<-)+9$U@y)*4a6XL%vmDu85t?7V
zcy{8pWq)OASEac&@mFNl?wXKDF-4&N-h+DbH%S(=L)n~xH+oG)=u6AzIZgwi`FEsx
za9(;(?jX$dXbB7bm1l&WZWK+w=9|*A9?7weFKO(0^5;=P<@E1;<`$_Bc9<W^E}$pQ
zy(`K?FPM$zg3wW!9|*<2JtlPH4Zmn{iTb|8{C|1hWrekB;KF91a{BXl5^Og0;AS5?
z=}E)I$=mKH6NHY+hXEZ{d|M*4+;kQ%yU={8d8yRk#bK%YQ;)r<!2Bu4JbJ=h{Y{j}
zC4`Q}1Qz;5&k8L!{uGOZ<28!B!sOdR^M5xt_=SsOBuqi*SPA~mvCxlrVZ};Jp_>W7
zLw^FZ!y8tle)1RO7Yj>TeffmY5%4m?dsyh3i7HPE-T2Zr$C{TmGmnL_UOFLkJh-;`
zbu9E?+4IfYLQ5kYD${B;nn}%<Gjms*X+a3x8hePdS?GSmR$mA$4Z)%8KX0tGy!J&h
zftx9b25um9EH)Fzu+Tkp2(H*Bw7^M6V}I6JU;iR*Xq`?!AusvRI)skk>rjno`bQ=)
z&2K_8oF2-_Lxt7ONL@*T`4>}3euB`^_#m_!mXy<d*^fdq?IgW3zslZRWqvX|xwayd
zmywE05ITZ!&Fe#t@T<^`q4J?i%ha}Vd!#N*cL4!}jy4B<TXUf=AWHlybYlbY5`U@O
z5^I-8@sr^8>@p)S145fYkQmfl=%by^i*{V-W{X%?1g(*JI|+E58H;cs^!{);=);=}
z-6@o*<aeQ^q0U@TY<f6*Q)#`rlAZu&tsYNX=sXho<1|*A(9iPk&_rlXuxsC3Xvbd+
zwGmo`Iq9?FP}I(hV|7uTI&YDQg@0^J5SokYaB;}7DZ)RyJdG!r$wH5fwv+5lPVR)I
zmCzzh->f3_>8|whKX_%vfCVO(8Z$v?rw<c_t_g*_qX^CWyzPR}Eyd|gH=Uz+sRR{2
z-&3Pb{LF&7c@Vle+lik=6S_;NHW-ACkcXpq9L=jq(4Pjmo@25ss%#3O_kZ6ks8ckd
znHL~*bb<K#{<NVoZm9(R>&e@yRj=6=mg$Ai&3U%T-xf#sKVC&tK<F6xA2WiX=w3;T
z{0}ZM!27s#pK0;#01&!)%IGDLG8;noA-;#ut>=H-AEi_R_uS*?&A*Es`?o;oMph9$
zTNAo1@fL)Rlm9^s&n{EDrGHcc_t;G(25hP?4WVTXVR$FxK=dOl_02LB0-@vNe{kvD
zoM2t3xJ`zQ=Z4TBDv4`j%N%GC2G51iiB%QlX}t`a&kLbLtd${hT%mc`@g{^$qF~`P
z2<?E-e{FrZ(NgLmcF%UWR_JLE+5w??=i|%c%WMeE%d(b1Xb7#T(0@xp%dL_Snt297
zLuf07?v=XGqoW5?T9^7XJ99gD(JB`gpO;^w=I%}o-X4u>F}IoKAEEhWlsD|mO5uJv
z4PW!bysFR+x+#4AZNy25%WMdp5!#v4#)jgG_bhfQWX|x3%+00^JIn~Ce7~HgJzaZ>
z9nc%0#jr^UZAkqq8GnE)05qVOxF~s<TV~+R!;J)*@M&abU2;M*x9Cv&4)`9PMjo1)
z%q^wvu1l4F;A?oK(9H~?nc?WAffl`UT0*0j2A=7iBYWv#P9^^XUsFz8Z%*&rQtGb6
zY}{aAGh9ftvw1SNl=^ZhyM!AJ?4W?S(0rK<p);LGEd{=XQ-4GcutsP@>i$wK9XA|U
z2`@4^(K?x1z92s0#4;`58>)%>%zY7zKaH1#8xJfDad)#`=9azm`9wZ$J}?<B?RAbl
zy>sN+LtX?>heiM<!No#H*(-BPsShFMq9K4ue3JOmD(i+G1BoqY43H+9hyl*X94Ym0
z5f%q&)~LI~nSY^1bg4T^S*8Xw4oDJq=G8#cmJ&J~VX1l3mM_piAW7!LF1YCY(Bn*E
z0~!e=QO@ghJ%$>wrRD;9d(c=Q4!emf^^`ese)<6!=%e94G)iP5p^d&Wx0IR(_~Vi9
z0b=B7jFGx80e2k6f`ExcJsJ@R994eZnuL9Oq&}2*4}a5nKpc46xk#XSQuCC|R5YmX
zWqx13>ABQrK90hAM98f7j7IWOA1%oz7*j)L&q&=%J|Lv_#|z-Uy(e>|)IDUOZ7mwz
z(^GSQZ+ZdroXnA8^YWS(k)h|=%(=0|f!-E5QtA%Gqr^T);2HK3_v@88XRp*;iTy?*
z4>GtOPJc=pBB>7ne;&rTdJyq70x+(f$yg|vmI43D9DS~uBS|RR>mK+WXcBP*WR5O1
z$M_#6c0v|clpEk;Fr6TB{Pfcch((yM))H=$1;n}TNdMHQx9%-ddxell8-60jc{f;M
zz1SJDs$mIwYsaI0yo1A~)>Z@cS8x4Xz{Z_zL4OlFh$o4|&?}oiXU#RwJ_>}lDS&L&
zQYyLZXZm|?*`Aq@8)e=a`5@*~Bg2d9n`ST|vu#OEycl;S#@D8ela~{BOU*)v?2y<z
zsXtn3JfIS4Y9g;79+F}~5LpAUc|P<=X_RcNHcvRkbE!P#AhO0ic26n%H&5z6K;D)V
z$$xUVTV>b=kzFD-=i^>1iRO7eACB;6-xvt*DmA#Ni~vM-?R4L9^0G5aa(4ZY)yJQa
zw+!L^N=6WUG5zMfUb~|d)gCEBl6;TNkkm`fxViEfPm|A#-q;6n^Bn7`#683mV!cc2
z@$ogUBi@yIas4rW48b`+p^uEYe@}cYl79p>>%r?KS&OGAKa}apizPJxITko#_TCv%
za)Cqbw-YY}!kegPOKwB4#Zk&ynT_Cc<w)hJKN7bE!h72Eg1|V^l{{0XxlSUkAbvwU
zFRN^L6Vh*GUEOYxu`bT6Ly;s~<;r|8SF(RglCb!9Unb}3A?L;rB7x)o?*8r?Ap^BL
g9h2D=fdUAblUx=)5LTcvsQ>@~07*qoM6N<$f^~^q8vp<R

delta 5538
zcmV;T6<zAKB&sctgnt!FNkl<Zc-rlqd6-;PmB4?my1Ki%I-RA-N<tEnkg$b>j-rCh
zfDA5!GC*|36@?f?AOdbMhz_ebj0QwR77+ym+#MJc9R)u`V1OhfWFa95Az_k`&Ytet
zx~iUkoT|J^r<Yn@z58C(`F&q~`Fg9m@8wsg&O7(q`z(~=`G3_;01Jo!ZNM;KG%ykv
z0UVP1cS!DMP5nGm64;x2>;iV?9@~M=f}bS-nA>jp$OD6AdH}ve#03#@1TY?$1WW^_
z0*3)(5RqFE!6QHerJYkd_iqM~Hx6_IJAf^~CSX0V4tO2djJyGQ02RFtRA?v^xD}E2
zD4+wF2^;~81Am4BjfO_p1MC5|0;_>nfF-~RMDjSGf>X~zi^O3>)|tSGz&n5=ku;*I
z?C17|6e9R4;054WMD(pdre5W)FQG-^CM11$7jPOP@gyW=2r_YC1MocXXGHK#K)Rmf
zu6?0J;t+5sa5C^g;3QxIlJnLgJ-|lbZ@}+>XONscTYu|v*QU@;PCNv78*mnII+72Y
z%7aaj0$v0D0Q?qM1jK-v%(-hzXs4_;7I+`<uSjk@%=FNF!fqsL{|xve@D@;0V%LVy
zj>uDhxxmMOW2nDqTr54nGT>q0*GTSd*Miu=7TOVcD)4dO6G*K%WO`@;A&aCV59J=~
z2)Nk66o1;uk*5Hk%sr+B_IS)=18af%fd_y$fIy}q!4kj`c{Gw%d=9A_2kSWeOBPrO
z+yy*>OvMLE>|luCh#Up}8Mquc0ht(4+@}YrV}BR;Jpt+|@xRbco;(})5>kR|H9f34
zp$qsGun?Jr^nHHqU!k3-+zxyO_yRJcr+CkLB!61pkCgs=8?F5*v@^T+PT=dv6t$M%
z%#uQC*Vh9t;?rpDFQJ{NJQSFRq!{B(4@)_Kjlj2o`;e5xSJB!(LOU`a30wo5jsH8|
z>Xjt$3nW^v0emC1KZF*U8;}ad4Zv}xholt665wj2PsA53tLB9kncIMifiEM=n3Ukq
z34eSGsa<!QmfD=qPKq%exEA;nnqmZ%B$88Ki!3lOmV%fO+L3uCQsX?$*jN;|$O2Cw
zpR%g}BT{=Wkt6ddz^%Y6&&QxtlSRO#NSmtXQhVE#=FIw?1^ft=xfYp&q#tJhRzU#s
z1n-1)DjA;w?f?$=^hgyiIRd#z{0I>8Qh#c1gmzX~e;W7>veH_qZN>xN2hPPqsjDxv
z97rSZc|_)so*bFt2Sy^Zil4?KsjGWY==5ZqpF1#J+gG3L0KNkJgetE*ub$A3%;zF9
z>x4;tvmNP}e1s}CHdRMx=c8pVl1GiH%IhdWV>6O^J_=N&r02fSj?DiA+zU*s(tpWO
zg2{T|Jm6`-b*bGI+L5^fX$C*0$|pw&CQFbD#a94VrLIPmV=^+Gtuib9aXeD-a=q8x
zJ)tE!4@25N|IwopqXd`Jf$M-aH_LhM2<_CGFGsfDQj}u&Byb7P;Fi>t3+)W#!@y<e
z+CQaunvm|iGXdO?x-y}i0UVDkn}5=Y6Qxwzk)>R&TywdRavXv*c275WQj}nG4C2u6
zN~3i7LOb1ammq5a6{Ql+1TLV$mecZtc3$v3$XdW!-3edujz;7fOe$n$N?l3HF&0_z
zJIeH#P-=#8h*P7>eS*@3cAAbZM($anC~k5p6{H@e3GKYV$@^baQQRd2Tz`mc16S4`
zm&$OYx3%n#1w|Qz@ko8T<XObxg?66!qsX+SqEwSJkoMz}E)YwN&{L4ySvQ1Hs!cPn
z0J*Pv(G(}Nv;Dw4;8@c~s?-g~BYT4v9i>Z&(6f;(2o%LDEJWy{gXrKwJ6jN3K#AdB
zQCwgOk{J}WYP{G8JqOvZS$|PX@L`JFWouxeo#=cXy3kcI#{`Pp+oPBW-GS^yrzj?w
zOA#C4_b;?F#r+91IxFUxfZYCiz$x*;BJ>RMs|ggvJm(;{!0wm6g?8Qn=OC-N6~zxs
z0saN(w=O+UgdRtJ>QPbrfrV5&`rYtzAfZo1_tsGS$1DceCgWhCC4ZDRBk6|rY$$#s
zg3O6D_LX+@7om>^-fep1iqa3KAO(wqI8bQE_z$3^I>o<?2i^-DbaB{MgdPUG-}HzT
zWe`394C(#NzJxv&xqqOd_?ZqQH9i1GXeV@^hAgu(f~5~n9yLHavW><8X-Bx%FAYV6
z_MAuvE}0r(dRvIBZGY$#)d>w2Jk^=zp-m~%L#dSa0N(?;^WW$#^mGi>o*P3JXCB(f
z$%lk1e==oIGB!N4F%|T1eH<_qSeE}r?;QF>^yWTFa2O4oQ1}fI+S%XvB-0~QloGIz
zJ!1CnFI^a+$DsG#R)WWD3VJ&Vg`R=*oGMC?m`uS|&V@qH0e@Oek4{laWGE7)0cVX?
z7}*0sQG!SZIhXShdN^>D=}{?4nH){-b|`tFCs2iZ#wm(NOau-EN9bu7obFbX3Ta1{
zXYChyItR}hDoRjjB3J1MA;sw<Opi!WDrCRVZAcEHC_!c-&>BK=XT2a)g3h79&@j^A
zG2HZMs!iI44S%sL$&8KV=MFO)LKaMphKMxyd7!@I5MX2&iOzK~L-@qj9&TQfpgUvx
zvTM=?!WPV%+{{%oBBqBEG=>1<!bnq6i|Nr+o3I7*4{s)wwYh#(g55o~zj}dfXbQoC
zX%ViN9$`q>PlF2tQD96Mxq+q|_x$!f%^~>0v<O2REq}hYBF?siPo%b?HEeOkj0j&m
zqM24rHOe6jj13_|*UcFWTX6oQW^SJq<*;Z-KIcth!-yt}ZywviSEol*=JK(~2|cpX
zX9^l23qCTTiMu<ZOm8zNwGE>q77LGya?zA#n(N|ovZ{;>0V7P0!W8cx)5s4yTA4Mx
z!F#D~n12`zamVZ^=T2-wQ)X8fk)K$pTTUJs=0|f{dDkIf@1(Y2dRqhcbVNC4d=nv+
z*)7^a=!T4R3~%7RIZ@s_rm^}`+c2x(_0(lo8B+HVI?s%@2JY^Na?bcFN@l}JBg6dU
zZLOTB+ci`JD@2`??22JhG{hapM>%&=6Ae{({(tw4ZRAIDqRbjrjb~TL^>Qc$jA;(B
zaAuT?rZ&^$Qm76AbH_JvPe+vLLsaG}(xgK7L3@+MjmNa`l^GFQDy$2KE%@}LChnLW
z<**h#-PNXM&Tv=SCZ2KcimokearKM{*B%vNXxJ+2VzD^{7f)?w;c-z$H@laa_hjM8
z&VMwWNyD>3c7+f3$=1x3$um3BJiR^5RWsb{gNQU(TsAF2TcgF*E8^@(7CBX(o65fY
zh-R*w;qL5TDhqeMp5%cyQvCcKt&DQ<jZ!Ly4+$~0IaIQn77)wWtlXEOC+q5vy23!r
z*cow=cm{5HEy121o9mBmq1~kfxG@CtCx16HENt=RSK@4rX9t$rhGC5sS05E&!PJPW
zvwyLS&8=&b-1usOu@TE`8>|frrZzKwax*<88r=Y_*q7m~=epSD?x##93?vMm7FS7S
z;jZ;b_V(D^JhO#y5qE5Au;8PIHPO~+ap}?+>%01q+J;fhl7F8!x!Kj(zdb!R-+x@4
z;I_315*e_3P{EEiSY>}24h>samW9i?M>0gg-nxOuf(-D}O(`y1665u5_dd@o;Dciu
zxwoU0V}|uHRc^!hXo%ZpN15lc%-d5oS1ymU@U;X9cR!+Qjjj-|*Yqgd#s(hU+{0%V
zce83=#?|LOWmK5^=0rK6y<n=`hJR^8LfmzHl#fnucPe{xBFm*qW8D3ElC<g0K>xEl
z1ne+9imG72liSjK=A{@f?Q&P@w~r91PZ=#z&m7jky>nVQV{D_Vud}{8%Y{o~JiIA|
z2IivJ5dyZE9!1r#;Dw!O&Rf*Y)7#UoKK0Q<8@Q*Vl`l<?@WVM#{$ZrM1%IOzdoz4?
zaW{``?lIo79T03_TL{>K`8N0JVZrh}8O~qS&Es3$m1A0Kh?|dX;e-+H%KXBvH0Ldf
z@zl0-9WA}6m@Kd*1Z)KYfA^RHv0z<Smd`DY@v}EmuHKZ$?bgqyI@6rLD8`FBRpt^&
zkc-e;sijIse^~JU@hl5oj(>6QhGfaL(`sV_k8P0)*%f;-Ds$;{1Div@W?-M`(RhLd
z+mkk5ekGo(=la9yj13RvN{#*2xRt@!2fP&mb^)EHN8=e5>`mKzePx21Rww8(Tnp>5
z;qKRyT)H$i_$;I{5L<vfAz%-%(e!A%CZ4hR*6IXTuZ*)RWk%{m)_>-f*AiU0yo5dx
zr9a*T_J)xQ!u6&{V}g_ox380_@|%urVT^~%uDjAUH?2-^>)Ir-jLPf+>&W$T0IW7W
z8dGF!`0*Pl_NC!FGh3J#t-jQ|Qa1mwD$ZT&lNkDNs5NZhRdD*DU!z_w4Es47zkD;r
z1xsSAc6qA2H*Y1gTz|GK#t&3xH`#+k=>0-(pq?%a`@(`hZ0%v*;uuSIS4Zkiu`Hio
z661l5DecQ}m$!g7z!AC=SZjJz#<AdU+tbWn+|3KS+?^_4+a-M&zwygdcBQLLs<-N-
z9M+KQNy_KYG31W+?=?L#<5;k0SBCRmigEkwD5s99d|G?io_`FNERFHkPXEmQy}dom
zb;q`pJsdmt96n(wkYsK<Vdl2yZ(jcrkVbDF1Qx8^n_=FfZf>0w<wN7j->c)fooOz4
zImY5${+j*k7~Vj~@S0eG-UBSoe^Gczznpr{qYJU%^<4YrLz_~RGpYEeZ9Sa7$bT}|
z7+Zmr`7a8E-hW6Pm+$(-f-P~U!M@l9oi^~B%{|Ot9OKo!Dsz=t0c^^DQ7H62;Ca)d
z^BorKNZMSnJkG+ki9xqY$k_0}#uOJViLs$ur?NfZc?uSKi_ml1^Ity$#7&RTcUZ75
zZFB9)1UI~zU|&Bqw^SB>us+G<OJi(JsLUSF4g3w*?|*RbX|b1)nzYgf@vP0a*ChD&
z<#BfQniYv>Z2oIaf~!{Kex@>e!CK&z!f*5zdJFKZ=~4Qblnr;TPjcC^Togv4_cf~$
z-0*5#qPNQI70=RZ385pjgzPNvC!`dj^g{-CaAS&#UyiY8cZMsM$GJtf81R||@JGNd
zNSXVrIe$Ngbl=S|Jz_s&1Hawe!*e?`Y)@u=w*saPSO>h=`<s2WmTdx_Ha*%PkVVRR
zDzg!uL{?iJz=1+LX~*MewWByRUp7G(;^+bC2K2w3?z70up`!SaWxxx4{h&XgJAubc
zk6Nj1D)?~wZ)7d(K^%Nh=rk)m3Va?I=f%OLZGU)vN19mLE_vUK1`8JNPGi?mE*s0h
zUpmu_jaY#@Zp(rV-C2_5t-9X`{0~6ybOZW(lZeobzz>0Qy*kk55QNIy^f+VNr0S?_
zW&zD1!+S(mK-Pv-)-I=|`flJNAXB{1keB)cz|VmprcZ#PAUoxr4LsSG%rN*pR-Pe0
zSAVW3=J^YQG|&wu^giHzAZhwYl)5JlJOIS{i_S2R(9Rz{fwq+@=6M?U-@$&Vm`x~l
z0{5a(S}{i)DNyVg>=y?X+KJMSqfuHhhZCI#NH?JP8*lCe?n0--74L~5rMf|*GZZ8A
zfl>NN(?_S&9Zvv%00xcDP;7*jC)x{q4}aKg`UsV}VLNa;&|QqoQ2M>Tp8|ei`Y4sU
z;bGvfrTjthLd!cOg+%FfrjJyqc~%2=0O?|*Gn5{oK^7(6jxN(usz(aAjocQwrBIsC
z&O7CP;LoOyTB%u{0DcM-bs<<txx0Js1a3mMF;x^d*@U=NRGF?fr3-!FrZnG27Jor2
ziW{VnR6{25N{r4>ZiIH$9^Qd0C07(TcpPc7C`)E2Kjp}?1Gom=ZAqz|wZL`2u5x9D
zN`!V^^abFX=(M;}KHb0#6zua{E|o=SN9qTGALFN+6evN#MtU_K0m@D_^0>1iO_pmN
zij?zCGk9{8;PE@)eBiB0WroUg=zl^s16Lq7a8Z<ESOI(u7t6oy2<^PH79mn^EC0!q
zI$<mDRb&h2ic^g|?nP*4K#u~~BZ<DE^u<2l8^G@Y*JK8FQ;x#=^gY0L(S8r*U{b)h
z$rlk^lo{L>8uC&nf&WB`<aM<Di!ulq;7;H>K#$upLpAr#l*-3QBvOB@s(-Jg1OXd~
z%3q?w$&-Pou4E$h7^LT8ZdG4P@iR73XTBVl%5(kUe#&t$ZvkIK=INFC<3O3KOm&5J
z-iaH5i;-<mHK(p04wku!(HXpm(9Qw80bB_D43)Yb$RI5dp2-Z}q#T6@vK6=#seYtA
zd2Pi6DP$j)OYu-<Fj0As3xCC7z*WEkpvChsDAlAJxCJTOc6lXo9y6shkvf8GT>Uk`
z+oM*hMJI4AvJYL-Ynj1hZCIpkK+1VH0aJ{PMR9{QNN>htK-PrJV0yAcqy~5wa5Hd{
z@i8f-Vj~-oe+6ky^DJNP3vVt8`@=c#=YUTjGfBE_Z*Yhs&H3lz1Am#pFVWD6)UCj0
zk&muJO%F>MkWIk1kRTK@Epi@z2%Sg74gn`43nt%<=}!@*H(4ab_y%%=R@Xb`D#2eu
zLt(TY2V4fs2S%74mIBBs|2vWW4Lz+d7mNRd&g0xG@pPoL_f9lgn<9g3EOaBX18qqg
zD0+#1g@)eI`g6bqcz<+fTV+3Q0zW`%%d)i2r!s@zh0f#Dtly4w?wtWdO%JQa=|Yy%
zEd-Weu(n(Z!4MjHS3=G}rp@0;U-v6lDxn9t*t-qc1vCcuIw}_u9HH|#Vvhp;4VVWU
zhvwInk^z<?O+~*#E&u}~a-QG`oyQS-0`PI9xPK&)nkdDS0e_Yu_2ge7`>O;_<UGL@
zI**8LA!45md<vL_R7jNmNg=uMgTSu|xX5{eFLWL!Vvhmdk1WhR5oj|#G@r2tDZxFA
zY=ztj1YYDkwIg&MN9-ZMJAiW#!6#9_=|~1xk6h&a8hDZXMnE+pa-P}~x)7(_HyPPP
z@<WK^BWwQHrGE=<8}NTfOXr`FWpIHgzm-d^|ECI0)NTQe0!~F{AZH`hl3J;dWD$v%
zAOimh=~I@yyK7kFJoO=TA&%TpU>eekeKIfyI1H(C2Z?SZ@-9Yh^8P$>AIU(~kKLmF
zgzk+99!4%Ej|AS9dmN3lunxsP5j=}r)NMw#qFt1Gtbar<?tI&0;T0-$Ax`ve1P(!R
z@99XIG98!*j721mQoUKqG!l9DAzf`7kknyi?%$2beX#3Z;NGavgW*WtgsfH{g@`>K
zshmte8m8KT;fU-lNR_3(s!9gwm52d*f!)Z=+!mx6XjAU-CK7q~Aa&!qOCd_-@8sP3
k^au2iW|L(RfdY7(ljspX5b{Dbl>h($07*qoM6N<$g2cdk2mk;8

diff --git a/core/nginx/static/favicon-16x16.png b/core/nginx/static/favicon-16x16.png
index ff35d4b0a7618b3b4df63d27c6d0793ced5735d1..6affc1f31df4cb428670cc8f6411d827946f7333 100644
GIT binary patch
delta 212
zcmV;_04x8}2b>4690Gr)Nkl<Z7#Rh@p-ux)5J1s;r;|Ql4WQ7Z-A&MZI3GcASVWhk
z0)a!)zNIjnlc1_poU4kIrV{}Bzv?6{-2lM&E<J7c003+_T;_F00HEOKB4Z2%P?s7%
zQr4=fE)W?2P1S`vKNGl7RfpT(G*>XFs!|adOsc*<DjFGI!+tQ@Nj1f%%=E<_1<wL$
z9=6|C08ns@IhnU78vwnpX0n(cJS$ae-->@i;xX6Q%u6(r0Rw>o2$_?F13nN|pfafd
O0000<MNUMnLSTaGf>xLS

delta 266
zcmV+l0rmcz2hs<y90GsbNkl<Z7}H~5U|?ioW?^MxV`XP%Vq^ev896w)48ee#lY^0w
zfsuoU*ANPL`8XIEnD`BmfPf%_5VxTb6o7OIGl&=(o0x)tnYjf}NQ6Pu(9+7<#@5c>
z!O;mQAjTjL5^#2Lb#wP{GV=72010^e`1<(=1O^3%1cpj7NEv2YhJ{B&Mn%WO#>K_P
zOEbtACL|^$r=%LCrDtShX2~+h$!ELf0BttR&CAa(P*7x0QZ_V#I11zx6;%dCHFbnT
zHPnE9VN}!9f^fBz)fmD4)z;C~)7RJ2HP8lf0bMOF-=5jEFq6vyfdY7(lTHIZ5b{Db
Ql>h($07*qoM6N<$f-bOhmjD0&

diff --git a/core/nginx/static/favicon-32x32.png b/core/nginx/static/favicon-32x32.png
index 2b6b749b92a5d0f19c470f28ae0cc8eb70efec23..3b9362452f4349cd82f468dfb034fdca9ccd6560 100644
GIT binary patch
delta 514
zcmV+d0{#8-3(E_z9|M2VNkl<ZI1zQh|4S2b9LMqJ>+W-RJ5UNjlUU1<DE<-^6=7LM
zQeZy_(%&freRCKTg6U6M`jbP7Wt19yA?2n{-`#dI9lFOuG^q(QbGv3nMl?t{NfTry
z&8%uhok)pJX`JJpNxv{afQVx~q16j%69a+h)?-eZvJDI$(c^zT;uL+W2Q}fN3*IQF
z>igt&amq`y(V;VI9?p%>#>npwU5xI~-fY#yA|=s6`!x6+&IxdmIL5p%q0X1{uLEH%
zpoR8nxUt|oQhp8aB~sE3M}9bQD3F9wI~+Oht#YUuMbY2QF#JP99LIoMflQaQ-lM#<
z)|FEQ;$kh(YEpl8IWnCR-(68F1JX9BiWNHGvJ;s~Sj=@Vl?kK8Yf<H@umw_q=g~B{
z^fS82t-eK4TS2fzo#(uje%Pn3T+on~lNczIDLdx`_`{V;f;VGQ0((6V1=xpyWhXa#
z54ax;N(sCqmGr(JqVBd5|DE(ed59t5znDz&RnwB<r?g)4ZQ4AuyX&;E;mkZJ?apzk
z`PwTGh%uexq`Cg*7(SqK{$ReBR&UQnB@9GLjO+6ij{8{LE@6OZ(1cPsGF55MCXG7L
zq=}hPeJRW^tONh`@T8IX2VK;QVqEyOyptjYfdUAblcfbd5LTcvsQ>@~07*qoM6N<$
Eg1{5@=>Px#

delta 555
zcmV+`0@VG>3-b%G9|M2-Nkl<ZILl*TfC5G)W)@a9b`B19Hdan%CPoHSz{teK&BGfH
z1-v}mTqsHy8Tt4H;!%Krpb#S?LY_-lBpwZjh>F2fFfxiu#A5*x;t&;#jFM9ESb+o=
zSOufBOgs)C%m-A!C@UwAOM$$CEF%M>qEb9gAfU|1AgdCO2dIC_GN`G87zv4}APK5K
zLz6*E8%QUoq^2Q*)btF90&N`zT@am_nuQ9op$g*l81z9@4oE?6UOosE6e25-VlaR!
zC@L-~EiEgrs6<v^$iNF%kX2P(laW|k2el$21Ek1^K^v-|zM(Ozskx=KEvvr01E?UQ
zv$d-`Bc7MR7^;7ur?;;$E3bb-*2GDZ!3wgoI;LdA8!(ta737snoi-h4c)^T}nX|HH
z&zUnDtiY7P45naiM$5eUSqr9QfE4sET-Xm*V9sD+2?+<Fg7`&?mn;Rk4yXVOfC{Xv
z8EkApCM@e%z5?jzm8(|A$7f7gvvwU2tgTz0VQ0_4<N$wEuzJJBO`G8{w55707;M`f
z@5sc!=;RC(gLoPSGN2&d#TA$yn7DDrwi_t%GrD`=lK1oir%6U9b?ovQuCQe7?SoBT
z-4~HDocu5nuDrh!a@Gn6G(?p*402~g$(_L=p<&@L+3<+SkYJ4b9V`|VZ5Jai9}^oL
tCx(y)015|@L0tyc0cMl>1c3s0oRfV8J`nOkHI)DW002ovPDHLkV1l>b>3;wK

diff --git a/core/nginx/static/mstile-150x150.png b/core/nginx/static/mstile-150x150.png
index 04c609f70489bd0c6579c3fb4723a217eb24168a..71c4702d19e1aff3ba8befca74cbfcff6431648e 100644
GIT binary patch
delta 3618
zcmb_fX*d+@*C#zvi6>cWP>g+-7)wmHF-FRkJ^SvVVUVq%$TH1f#u`F{gk;}$#$?|r
zLTC)5$1)ki$Wm|h<^SRR@V~D2dhbu?zV6?B{eI^@=iKKy^<phTsd2~)b5Q+TmJjE)
zK8L4ruL=&p<!_ztVX=I_%#&f``&wzy^{TIQDLd3eD+&Bky}!a-X-8y0nddJwtKPHc
z{9HS-j=T@d$f*|Kzw|EzvDJc`J-n!q`=ivE&h*4e&1s@Z*UhCnA9hm+fQ?RS-OZbU
zU7xE2nf|ko|1tm1R*Zv`^afBJ9MtY!NS46Pi=`M1K*gb+#%o)dYQRfkcjl2tnuE@R
zOoMRjNe6{>ISN{zg~+1gj={=EU0S<)k$Zlz!_-xuv~1aFSK(Z2`Wz+7G^oivRjxGP
zn2Skm=q0}RZGJl*SSOYXL~9TA1kxK+=kV!iSeRHsB=rK=f9T~CvJAFj3zB5D@7>)G
z+{0#IYp^o@Nr+{>Gvrr_`x#L%<pI-?0sag^mLR$^Rm*og1wr9EizJsSa-<zwD&IC=
z1>4qV8V_z@uVJ4Y5Kc{U4-{eTfiU204!(gG7+qdy!2TmcrXucvTi9G6Ol<V5^s~=+
zo%uHG6=27A0?UtcZo-ku@JGEE#W`b~qb5z1`ja{4**U!#r#$&^Gjn@zd`+b9=3J^p
z$4?0+JGl#vvEjMyNIho0f$d3xZ&&6fk%@UfDqX3iTRYP|_>@&vU%`Mgv$h;set+YG
z`MH;)l{HRFp)SjXsW81RC4ql*#x2-$O6+KgOYMbsVJoKxE3hgasUcJQ_~9LPAh)>>
zy~&SPGS+!A-i@MMc$ZD$*51&ElpK1IM+3QyT^`t=LYMxCtN`ZbY!-Rp9c76ToWLrT
zr_e^FLDAuR_9N+MxOR8+8AG#U<S}Tt!(gEvSF&Ey)_iaA*jHjEOyJ>z78TaoYMH?E
zgfTCsUcwZ}mZpsZ1=^C{WH1Ay(c0M8CX4M5zFEPMn7H#LMMvIRW5s9#x+(`UV{^1y
ze*xvzT#Up(ujH=35TCiOc#$#%O6gE>ZF@zuWxv~Bqe3^H`D!vX>zQ24$HD`bzThYj
z!D-z(@FRJy&Bitv!~;RL`KFz{OkLkn9Czs!;V7B3Fz+o!h!Ykazr|?r5%(|)kJ6$-
z73PcB9msVm^s#SLC4u~5*FhI{XL1F|Q1NWOBa%N<lZF4gBzgrXtaLViG-z;=-JRSD
z+V-HS7qs!ed*|T;5Va-r2Wtx(W8A@_)&%$!oV*f6BftYJ%2!eZ8(wmm5)(fUJfmEF
zF$C@)@8jGnCLXf5j{(P(Oxn^!aB^?~iLd=k5K96a+p!osm|3}gkIl&~MzoyNoB>5<
z&f<#u1eOzDs<h7Cl+E!T904}+>vI#}LF)`ic*{thPTSOR@ITSFJpFy12-KEom@?d4
ztPyed0bSJz^+mkI5R{+EwW9=Xqi3pz0s~-3cFCj}&42w#1}V`3?)_tRYmGI|5|Ch&
zX$DAAz?5JY*&oJP0VptODNH{f1ldCNXVvPJ#(YU*w@eldAh<N2Io~Ud-p5KvVjfFj
zl-MKU%m6ombyB}}935(=YOLCic@wrfYMzrMvq?6CLV|2~5UY_nH>8J~$U(jL0^CjF
zzx-*7Q&$@E6tQig;NuH*hp%s4s`6YG^@i&=HF+Bml-%rb-+w%o4&Fg7NbhciPf|p}
z^LqlVb2+7-<7@z}8V4M|X^0kZ1<c$U?{4>y#&opqP<`arX$o4Fb{uVNzV>PFLaBNV
z1n`{5f52u35Q8glln7sWkq({R$aw$ilGaPc(Fdv3wGVP=s5Y@kV7wbLL9$ubg_qT*
z6VG3{JmP{I?o;4IhIisht+HDRRK!lmWu6=?!naUvEi!~6`g9+86up)$buBYNYuxs_
z%qZ3}_*ztjYx{h}DQ1-08yKNxI&bUtn!dU&n}ZPT;5_BtbDoURcv?v1&i2Ha)3O*j
zdENv&SqPigP}<`qnzzDapr5hdRD3-~&tmAen%RGS;m9)1RU?<>yv<=eo;(*;KAL%m
zD5ffu5^CaOQ~J3RmI8J55?v;arKxNpI7Y+FfpYN5)Mbm0v!o3G>e0;wE)Tf-;fI=^
zOQZK#wYe++b&YB{Ddi`E%>Grd+@7G*lQn3@`-bL`h3`vt7OTOw>yHI*d%pkmoY|OC
z5Pf3}i7!ph6?O8{bPRDsEzOHD{c<hZA$f%{?0fs?r;J4+r%tF!efAgX$A=K^$Owfa
zQ<I!D<*yr2Rhv_;nm_i=?XJXs5Kw@OH-ZpF^H1mMZSAKc=xlygR&!Co80xO3-=FBn
zte68BQ8pWI7PMB-#&u;QPT}im{enUI$eOSn$`X;8mUT=Oo;hm$p)X7uS~H{?ftQw6
z1FgK;%T?w{6Uc(EdzxA8wyRB`Or>uZ>p{H4a?mCv?4&$oKNN|op(m0aeII@U;XibU
z7SD==y_?oH))U^%)7qcNM~&S#)rZTv|IR)Wlp}nWC?tpc0#iM*|M7-$6**A(TJ6<X
znIca0#-YYeIYc65*lZ}aO+NUJAv|62H`j|Kk6)KIoDL~!2by*hv{}on{k_?U@QE@<
zj9qB-owJgdSAU!ob+ZTTtJ8CzN<_aX_=dN;zh33hu&AaOd6>g>7r^)<JRntt*a+I(
zrKffsb5@mKM_zn8L;D!IP+vcQ5L!AMCqIO%K&#w-i**orog4z6rTlA`rz}b~Dr{AM
zuE*(Upi%s$;p#RYB%Untr$&;nKM9>6f4b3fCd1dHTxo%3V~tbQaY*g?*Mfn<TTZ3K
zrW6t;VYEgWLd~uQ&IMII`tk6=keh*3U6Uiy*$_8zLdsV7RPYA|rRDuf?A@V{!@T!$
z_8NLjBieI)RlU4|<KG++c7y}8(A7gL95cyol--TB-iqk^OD|{g^OQS8Hf9j*phtZ%
zkZcK~jeHr7qstM|utrVnozHXYj$tIqUhS{%!#i-Hm34RIuo3@Lej0Tg#S1~oNf=)A
zgadd6O`TgLIgT`5jg~2%53BFcccdI0pwXq&iq%dhnOst0@;J#xRQ)k?N_8?G<z8Dy
zaB-?wdVlVEwEf0v5$<G(W__}ZwJe;0H-nPJ@&&%J)oE=bT0xr|f;)CCIn_I;nbLLI
zF2s5!_e8wpRM*o!LeKXLamf3ClP%KKFjQaX+BLD&wXY!spYKA$HV;>VBK2PV{bFg7
zG;zdIFbamu65ugpIm$2K_KzU<ou(Umi)-3lCxssoQXEvTpnA|6bl<H|G?{i_A(GtJ
z89JUM6+Bis^v$?$i`1OOj44ZAd3;x=id+W@{d~|=wv5u#Da{*3{%#DDddk<$2xj_l
zqf+D6>)jVU!WU$H&iY|bOp^7~rhH_K-$sQLfe>}B`OP`U4rT^-4jy^kHzcHG9w*15
z%TOyeZFeQplS&y6JJz=TRmC@{PULD6TUGoIJMRTl4J~^mD_aklr8IH+&QrrOnz}g?
zn?Z9h!-NRTwOk~(IyTEKb!2hl3A-=3Tx%@dKiHEC_c3tK#&SP|RVBy@5D6Vn-pL!k
zwAgqS%rU&8H7H@C?N#?dGw3w!!TTNVOB0{8#wJ;5Rzgdu{;pgaSr@Pt0^RSd;fO?f
zrwp)sffB9BO0LmD;0hQy&&J%7iWOM+;F2jtSPgNHO(fo)<$hm`fkQGrmmDtcxrx`z
z4)f?1F<ph%l10V6{OcToPW|fsvMDau%i=zp=5hifOa=}px4=O+llQY8^-W(?{$8Ph
z9F$Rmmvc>UbQkB|cp6Br_Bk|{QArk2ZN4Xz1($=}$6G6Kx?b&VAWc}6sKIMh6kgLp
z_gq7ek^s3B`Ni!|1|Ano*76LfJCRLc7e$sIgs+pT6M(l({(U#?{8rF4jgQMrs8#cj
ze@K)z#lOmPBej}#a9!A5<mjQU&(%p``|UbDd!;XZNiU*0A+?+=>`)z-h>GH8P+`zv
z2m_5BW0&RD4M(IqT(cb}Gx9%#zA-t&%6;w)5<HgH4n6D6(}7w91cu1p?OvUn35Xam
z1n2zIzZ(~J^KWo?`j+VTlH&9r?;FCfDlatax9_wGd)N#4oNntzCz}GZ{wi{J7GGi&
zqq%31y=4OC7Eh*NqXqcEo_|e^SE+tBi;1uK9MBmo%fkGwQ;Qw|=QFxrYaJ!tp(qVR
zD$LIN1!dj1>Ku#6a1fDd#K|PZ7p*>2lF*6uK1bGV8~vGix{^3C?}f==FIJ3Mh>BA;
zpq+{IQqKAqvmWUP6mSWY>gf~!W6tY$^=@tblV)wXUwp#*QoGdpt$Y)zsZ-)BL4h+7
zl7y(%tn^FL60vnwI0d5=NlxuIP+&sHMh|#)7@8x-MmULHFYNVn_O0rx`SX24dW(0B
z3S>N}uCJOz4p3yfqq&=(7?&Qj86gx>@nS5%8K_V-qb=W0hveVr^j(!&1fX|W&Eawm
z)7%=PH&6CkSZ68QhGze5sQLexfBqZC|2nTa(y3Kl8RXgE`3tvlG4>Q&4$hNH`|o>&
R%CCQ8p$4Y<Rl3fP{|EoM$@TyM

delta 4517
zcmcIoc{tS3*B@rYBx9#A*6drdjmA>Mh$uz2QXxWRG#R@wC@~DmzE-1RXfpQQw-JLx
z2$OXzMcK)&dgu2(@89oV?|Ywn|2XH|=bn4+`J8*sz4ek+@+q-6euoR^&)El$E>DD{
zU3b9K*H;%KE<6>&$LiV%u(hY~p~lfEC+N!yh~dP}7iuvx%+8r;;=;MLg%>kVPD?=A
zljQOOtUP-?$2$y;RUEy*MG%md=J(KZGkr#xZ2XZtW`IyDd0o0cT>3Y%w*<3+YB(5i
z7;0@;Z8=y0UwC#B#~S}vy*>RS?1hiLB{HfxDgqDwH>bs$#ofc^1<t>8(9M5KaqZ+9
zq?~`Zt<bOrgzTE{aQ~N(gOe0Nm8uj$zwk;xB-kXNO<cjo<t8srhC=1-mJeP)64}j7
zv+qG9*&@N?+=d`STVs8`1E0$tP7?2mQfdS(_&!BBve7{VC@H>IIegwXQNTjl50Av>
z;)eh!mJSaSb22YMZt<v(_)9e+$0Vpp!U^=Kov7z?Jos3h@Gedn&0UTUe;|uJHPk!P
zNj5zr9(-a=A6VpylOEJ17Y`{-r~H@)wt)OOOrv|;l`S=5nR3x4UY|`-z(Tar9YyZ9
zW$H0GflHn9dURM(x3h$^oh2{mFATvE4E@57ypo^Dz5|*9|IH77V77EtrElgg_VFVV
zCWQHjmYuqdW2B0C=AkWqs4(N^Fs|;L1DHxgj)TlHc#=I2e0buWHciR<SRHs*W$or1
zrk#QReNhBe30>680MGL$ko2)dmI(k4AP-E;VP3POLIhH_&_FYO2jnd%@&Gyv&SZCd
z-giG4Zh>#_KUN@i=Q`w2SbM&_=n5%TS6cKLuJ2s}+(HBu{<umU0j-NFM_czT^D_s5
zz&T7CwXMff1a)ybu}hIFPBDTy>-iCcmPb>)-Dao=cjY2Y_7<)t$-4x&qK871Fc30_
z@$-nwj#ncdKl;;;OEA*f1JzZR4j9Z~YCpnG4?0N<DqoCl5#BvIJt|-`amF;H>?scJ
zsX#@%v93$lf-pY;hl~K1o+C^%ptXL|BQ*G)5!}=#&lF)u)%mpwV)_9{MO2{gDFUgV
zCcc*sh;q4ZmuPLvsa-XZ!KP#bGk2S6`C*rSbihu7mpH@YP4_bx=UnpJ8Z1<b=wQcL
z8s+CU7g}X+{JlG;kAnz`Bs74N2XtebwRQen1Fy;!9@s2Nzw0zhw@@lN5EKb=7F$;X
zw^+*Liy|#mD-gfbmq_c%G~*Wui#&j$a*+`=rb>)J`fDqf7wQlWy**zQM28Ld=FJwr
zHQo1Rx{O<szLjy>N*6X7VN<S6KP9=*(kY_uJ~||`C~oDV0)h8}1RP0{*8N2rKhi;b
zHUIkzGlHV_j+a0(cH?Q1D(v$bK5{6ymcTLs@Bh0*r3e$1EO1SoT))hlryn9}XoGLp
z3S5<55+vUXmP<*7%Py)BOO%S@KvFOER=<(oJ_38Qu$Txx`H96h;BXQ^#*%A}jbJav
zx7(GP?wc~_7&tBa=McnW)BR}1xr*+Y;)x5uD~61HWgA}5Bd$}0KoWWU`*QeTb@X$k
zB5oE(mO#?;=M<sCUMeH=%KM*@Jp=4j)zopQrQ>7*1c5hgxU?kg>=9tUiZFaWV3ooC
zJ{~UXr$+P@8qlE4yreMf?DdU+G3BDkg~p>Is6ZSHOiY5C1_nv=Iy<z_6!+fbqXb>{
zGvGrQW1p%~5h@OrVe2_**U~}ng9snGL#{j4w*&owe~9u3>=ew_z|+e%yGjwN{{a5I
zF*)fYk-c0Zn2kwU5H3fk>>L$C|2({1IcgAbJ7{T2J%@Uw#5uvk7=26xWo~F+a$e@X
zA}+52vr{}gbVLGKpPSpgc7fc}61(}w_dW`&ailb=-7dQw_&_x)o)(#TOb}-6rxJp0
ztRL3rM4V>ruN=`0ZFFz^82$sHf{pqQnQK#*a7DXqT4>-eLnbG`-EOiaHvMtV37A6D
zk5Mpz)MSQ!6QPhz2%1&>#BuApIu4W*x^U*S)*q8fNR{H3{!mrdeW;Yke@~qsoU1jd
z+l$v~X?gH;=J?6MwKzk&=#UAh6tXN%ZpSzI&*F%y=yaQD*sXxHk>72@j&q~+7+221
zy=A^e3+tpCQ!dee!USz^4AA*2T`4-!hGCR%%55`B{%%X4@4ssl!-E5Gy!DjW%~f&F
zMRZIz2}1CyU9Wx}(G=izm6!I$H*yK|xwor-gB4Mi<B1U4n_oWPu|7bQ*Q#GM{dyJZ
zcKU6;e`{6ikTv-9Mh@LGAWdHp8)a23zebE{sM}aDhUGiZH<Uhn+WE<B)Lfn)I_P<N
z&ezLr(@BlEak{$Rn!O3<6R9}mHrbbo8GY*}DZl$E1Rm}kBK4_Y<QYb+?~Nul%FCN&
zoH+8VIx%0|f{VU1Xom?o35>y(=5kRx7$-m5SmVqL6OmjNR-1Y#_K5wE<?yf&Df+5o
zL`W5Q)wqbDnz2QF;os40b6U4M@pebETt!(1zKy?ftUfdZXM&43>)p=7$Of|Gu$x1q
z{j8B26Rt&&W5mo~#`*_|Qdhc2*z7;$SsL2zZ%Q4;s{#|jVPj5TZ%#;UMz`ouoQCO3
zz2_)5OlZ53fBpT%!_fh}QYK|_&bn&c&2sQrM^`!`$c{IkXV)obEd5lY_DlP7TKB{>
zv=DArV|3baZcje<usnjmMos+n-c(`%c{btBkY-EH)L_SJ>;0_3RP=XJTcYuw)e=Z0
zQqVXgnAcls)aFvy*6a0FS9<UiS=RbTmHs`BMU)$(?E+_zR!y9-CD*65J|`m}DVOeh
z!o*49j+4Z9o(@>K>odS6myXz?$YyFTd+bdPrQ=W()oBcByTZ|%<|rxVes@P#L%uUm
zF?_qdxyk!>(9lR>T9mLj${@@p6%}NQ{<=9Tt~WgOR(1Nt<c3*xDs-Xr<)H$Pu2SSD
zG?CPFg9<)0fgYZL&wfn@v(BpQmuBHmD*D5;QTQ+O=AIQxh0K)N^)1pqg7jn{OX))(
zu2pI}qBOy<!S9uW7bms@_GO8MjR6K*feikjKw`cs9bCphxNK$aRI%V{$15uJ?Ndeb
z*j`74v8`bpp+@E30^JHdwED!r&nA^8M*XT7$kl`ME>;8;lIzYHd<|+?;TNraO}Kt#
zonL{R2VS}tqb-81oJp??-aPE?tHUkn8QRUL^6~^sHpdwD7yEh4`1Fo6#Uto;lTxe&
zY@zp#=P}C~2}=^{0WRrrV)^&WahJ9V;b0GWjY#xUO%udNCgj~UF_5@BODz%69d>Lx
z_=q+IQUlA}?QD(--<p<rBHmQeSJN*b)rw289=6S}SUe&3Ki2_ns{g$AwE_orq=of$
z^gq7Bh+8T6(P53WYM<a}UW)R=y@uNsVhuD^vaATonPt@?UeO~?NfrMgUZC(M@}uI4
zl;^?Sh<_C$qKd))e#uU$Rz{U^+yh5SA<tJ<BD%*cpAbV(R_JeSZQ%<Avbk}KS0(*|
zk~Rw*%p-rt^>^Sj<o#jd=!aEmtngU|+Nfss9um8~9&%0pR@fp<+T))#)+S>{Z<t3?
zeX4{N&lP?)^Sm8<BD>v=Rf!!L7e`uDTb-R=x0`GvcQ)WhyJxo_B@SMLp~nPu)yI0t
zVO{esn9*9IA>1`vH`ec3g9m4c6}!n8qT8fQf_XD@8|P3hx2LI>{BU?8rfkAs^2-3?
z!IW*wzk$CAl>5pyE9ZyL#>9@eumGICr@n@wP4raC<8x~g1G;a3ueVesdprz_?6L-u
z^%Ebi<j5`(l5X-e6t^as|G7aed_D1(%kVhzyhw2Im24is-#xC_nZ2|o3G=I4wsm}C
ze55up6UPi&L?JL+KvkNBU_;zxNtL#l;`7G($HoPa9cd@m0AhgcO#^^OydVVY`G{Qu
z=b42W5&EX{^`UjAY9RMsUglRvV5WHdGeBg>yg7-dA5qw)51CV(O=v5D?lH6SEo)4^
z`6>O*?bH*lVq;zVacw#eiKK@+Y`h>%0^Ad4CBQ)Fd@%4!Sdvg(?~Q5LJ&ZBC-Vj#5
z-=oG8bpXXUlcVH_R^KtoYo8cezhv?E<>Y%?{ZnekYZglevc5%LFs?PiJ}oOpkT<m}
zBI_z#*)I{(>jD?EUh~7QMoJ>jXE;d=IrEeyz+X|kR$g`$HVBUR+p{vQg>fyot^jvt
zGQ0XbBl7(?xHz=3z{%=0+PC)ERH<F^`jwJb`Csr*X6Q!!k5So*E&~IX=0easNHc3A
z$covaPRa`(IlK2S2gq4Yy3y_|3LU4aFU5;(UiE2$_!X2b?746r>bQTsSb-q#oLVac
zzHRM#En;oTA2<qIbLKQ7xH6gVrEqtnzw@OVIqIkM8Hpi%hgq(A7fyj3f*4maS2OMR
zIum?x?=1|w#~{~54@$cKQ+||22~*APc0T|v^yfH9RCmr>;QiSyeI&lhxqpOGFs^sb
zp#tF>#5pZ!{q2!aIV(+<v1nlnxFd5Y&G|QCjRz%OU5R+(CBOEEA%nB8UInqrw$wW!
zbo*HK9~9{rSMJ_hrT9{XK4OUli}_d=bh87Q=lwx?O@5<(iyGs}%IZ=kkVpw+Z1=v*
z8i^s}axNo7NVnFs0ipyVxTE?jLqVO-`|bpBcPh-Vs=kf-uqd3&xasB3cR;&kukB1k
zP!Tt{!}YOTMs2uSt~h0~Ag{x(cPWyP>)^wXB_(!dEB<-c{B{4UC=ryL&_E`?Ml4bX
zn|5O59CMY$mvQlyB<q+O@Axr2g4L}rx<)0th$Y<)(COU*%n{CFZ5qt00PZ7ffUHKe
zfR<XlhqQ3%e4yxQcbr-aVdhd`_az9VR2rPw0t&~$*P_WC;%pl7WiWUW{7t&EL{df{
z52)}+3;uh*Wux`%;2b7~+E#Uj;Bh8)qQ8%`<w=}+(y5C|NdyIg3(t?AjGy+F2YB2O
z<72-&h=Z~Tv27o$JLmJB7AT0&AE_2i0NDTsFv)s5j0*yff%M5ck)h5KT0#R@ra!)q
z4ae<4?<x+Atv)?+so=waP6fhUrRY6GgU#&((&|ZCR4zXGqDIwKh%K=rt#9IJ9@q6G
zaW)5czPg0+#PNZro%|?mrJ@L+D>i<RgF35Ig2EH<eufibh3)-nM}64UIE|rA{0j;2
zk_(A^59;?$Y}5}?+my-?IW{sA+`*z~oJKhUo7Xuku#IWX2!G(cbSgBVy}#_}&uM^@
z3nN|62zc}D8m$JBnc8P0giI{xnz`%sxav8&<2x7-k8-BU=`vtUMc@vwJb9`lg!TBl
zY#D|hVPEASa&EJ<_F_RMig{Xl>CX#4_sw)ZyDa^leUhh1GD{RWAe0uB1mOC(g4!BC
z(>h@UIRZ_lhk&nT^XDLfLfz@)FMMc|=_eEVpw=yc-6blbLM@M$Z=J;%qP-?Y6WCs1
z^cQ$#mBVHgZgHSh_r`}AFYS>8l7rBI9uq`!Ntunx6ttaR`TYAmUje9wUyr*5UYClF
zSxK71%u)+gZ1UUt6KFU~Pfg|?U<dTan&m!@<+n2VV)wRC&w??FQC&mQZg;9MC22|?
zajv`7k^~P0F7p9Y*2NoV>+ZL`>cUAumbiOl@>Z5PMhmy$9nb@}CH4Y{9$1{qocds6
z{dhT4$wlaY|6joU@8bU_>6MH>Qls+dSSvsF<+|s0VR-i7yyuHBW4;Yj-E<JET`;#j
JPcgj}{a--EhI;@2


From 103918ba57454a639c087498b991f136339ca352 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 2 Sep 2021 20:46:56 +0200
Subject: [PATCH 027/222] pre-compress assets (*.ico for now)

---
 core/nginx/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/core/nginx/Dockerfile b/core/nginx/Dockerfile
index 1906ed31..8b5be4f8 100644
--- a/core/nginx/Dockerfile
+++ b/core/nginx/Dockerfile
@@ -16,6 +16,8 @@ COPY conf /conf
 COPY static /static
 COPY *.py /
 
+RUN gzip -k9 /static/*.ico
+
 EXPOSE 80/tcp 443/tcp 110/tcp 143/tcp 465/tcp 587/tcp 993/tcp 995/tcp 25/tcp 10025/tcp 10143/tcp
 VOLUME ["/certs"]
 VOLUME ["/overrides"]

From f4e7ce099052486d64eafdfb112f4a4f4a68b358 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 2 Sep 2021 20:48:44 +0200
Subject: [PATCH 028/222] enabled caching, gzip and robots.txt

---
 core/nginx/conf/nginx.conf | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 9ce12980..616ddcc1 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -33,6 +33,17 @@ http {
       default $http_x_forwarded_proto;
       ''      $scheme;
     }
+    map $uri $expires {
+      default off;
+      ~*\.(ico|css|js|gif|jpeg|jpg|png|woff|ttf|otf|svg|woff2|eot)$ 97d;
+    }
+
+    # compression
+    gzip on;
+    gzip_static on;
+    gzip_types text/plain text/css application/xml application/javascript
+    gzip_min_length 1024;
+    # TODO: figure out how to server pre-compressed assets from admin container
 
     {% if KUBERNETES_INGRESS != 'true' and TLS_FLAVOR in [ 'letsencrypt', 'cert' ] %}
     # Enable the proxy for certbot if the flavor is letsencrypt and not on kubernetes
@@ -46,10 +57,16 @@ http {
           proxy_pass http://127.0.0.1:8008;
       }
       {% endif %}
+      # robots.txt
+      location = /robots.txt {
+        add_header Content-Type text/plain;
+        return 200 "User-agent: *\nDisallow: /\n";
+      }
       # redirect to https
       location / {
         return 301 https://$host$request_uri;
       }
+
     }
     {% endif %}
 
@@ -95,6 +112,8 @@ http {
       proxy_hide_header X-XSS-Protection;
       proxy_hide_header X-Powered-By;
       
+      expires $expires;
+
       add_header X-Frame-Options 'SAMEORIGIN';
       add_header X-Content-Type-Options 'nosniff';
       add_header X-Permitted-Cross-Domain-Policies 'none';
@@ -114,6 +133,12 @@ http {
       }
       {% else %}
 
+      # robots.txt
+      location = /robots.txt {
+        add_header Content-Type text/plain;
+        return 200 "User-agent: *\nDisallow: /\n";
+      }
+
       include /overrides/*.conf;
 
       # Actual logic

From 34df8b316832b43a2962c74ff7fd53c5ae725745 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 2 Sep 2021 22:49:36 +0200
Subject: [PATCH 029/222] AdminLTE3 optimizations & compression and caching

- fixed copy of qemu-arm-static for alpine
- added 'set -eu' safeguard
- silenced npm update notification
- added color to webpack call
- changed Admin-LTE default blue
  (core/admin/Dockerfile)

- AdminLTE 3 style tweaks
  (core/admin/assets/app.css)
  (core/admin/mailu/ui/templates/base.html)
  (core/admin/mailu/ui/templates/sidebar.html)

- localized datatables
  (core/admin/Dockerfile)
  (core/admin/assets/app.js)
  (core/admin/package.json)

- moved external javascript code to vendor.js
  (core/admin/assets/app.js)
  (core/admin/assets/vendor.js)
  (core/admin/webpack.config.js)

- added mailu logo
  (core/admin/assets/app.js)
  (core/admin/assets/app.css)
  (core/admin/assets/mailu.png)

- moved all inline javascript to app.js
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/templates/domain/create.html)
  (core/admin/mailu/ui/templates/user/create.html)

- added iframe display of rspamd page
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/views/base.py)
  (core/admin/mailu/ui/templates/sidebar.html)
  (core/admin/mailu/ui/templates/antispam.html)

- updated language-selector to display full language names and use post
  (core/admin/assets/app.js)
  (core/admin/mailu/__init__.py)
  (core/admin/mailu/utils.py)
  (core/admin/mailu/ui/views/languages.py)

- added fieldset to group and en/disable input fields
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/templates/macros.html)
  (core/admin/mailu/ui/templates/user/settings.html)
  (core/admin/mailu/ui/templates/user/reply.html)

- added clipboard copy buttons
  (core/admin/assets/app.js)
  (core/admin/assets/vendor.js)
  (core/admin/mailu/ui/templates/macros.html)
  (core/admin/mailu/ui/templates/domain/details.html)

- cleaned external javascript imports
  (core/admin/assets/vendor.js)

- pre-split first hostname for further use
  (core/admin/mailu/__init__.py)
  (core/admin/mailu/models.py)
  (core/admin/mailu/ui/templates/client.html)
  (core/admin/mailu/ui/templates/domain/signup.html)

- cache dns_* properties of domain object (immutable during runtime)
  (core/admin/mailu/models.py)
  (core/admin/mailu/ui/templates/domain/details.html)

- fixed and splitted dns_dkim property of domain object (space missing)
- added autoconfig and tlsa properties to domain object
  (core/admin/mailu/models.py)

- suppressed extra vertical spacing in jinja2 templates
- improved accessibility for screen reader
  (core/admin/mailu/ui/templates/**.html)

- deleted unused/broken /user/forward route
  (core/admin/mailu/ui/templates/user/forward.html)
  (core/admin/mailu/ui/views/users.py)

- updated gunicorn to 20.1.0 to get rid of buffering error at startup
  (core/admin/requirements-prod.txt)

- switched webpack to production mode
  (core/admin/webpack.config.js)

- added css and javascript minimization
- added pre-compression of assets (gzip)
  (core/admin/webpack.config.js)
  (core/admin/package.json)

- removed obsolte dependencies
- switched from node-sass to dart-sass
  (core/admin/package.json)

- changed startup cleaning message from error to info
  (core/admin/mailu/utils.py)

- move client config to "my account" section when logged in
  (core/admin/mailu/ui/templates/sidebar.html)
---
 core/admin/Dockerfile                         |  35 +--
 core/admin/assets/app.css                     |  54 +++--
 core/admin/assets/app.js                      |  73 +++++-
 core/admin/assets/mailu.png                   | Bin 0 -> 4935 bytes
 core/admin/assets/vendor.js                   |  40 ++--
 core/admin/mailu/__init__.py                  |  16 +-
 core/admin/mailu/configuration.py             |   1 +
 core/admin/mailu/models.py                    |  47 +++-
 core/admin/mailu/ui/forms.py                  |   2 +-
 .../mailu/ui/templates/admin/create.html      |  14 +-
 core/admin/mailu/ui/templates/admin/list.html |  22 +-
 .../mailu/ui/templates/alias/create.html      |  18 +-
 core/admin/mailu/ui/templates/alias/edit.html |  10 +-
 core/admin/mailu/ui/templates/alias/list.html |  26 +--
 .../ui/templates/alternative/create.html      |  10 +-
 .../mailu/ui/templates/alternative/list.html  |  26 +--
 .../mailu/ui/templates/announcement.html      |  14 +-
 core/admin/mailu/ui/templates/antispam.html   |  15 ++
 core/admin/mailu/ui/templates/base.html       |  70 +++---
 core/admin/mailu/ui/templates/client.html     |  38 ++--
 core/admin/mailu/ui/templates/confirm.html    |  18 +-
 .../mailu/ui/templates/docker-error.html      |  16 +-
 .../mailu/ui/templates/domain/create.html     |  19 +-
 .../mailu/ui/templates/domain/details.html    |  71 +++---
 .../admin/mailu/ui/templates/domain/edit.html |  10 +-
 .../admin/mailu/ui/templates/domain/list.html |  34 +--
 .../mailu/ui/templates/domain/signup.html     |  26 +--
 .../mailu/ui/templates/fetch/create.html      |  26 +--
 core/admin/mailu/ui/templates/fetch/edit.html |  10 +-
 core/admin/mailu/ui/templates/fetch/list.html |  26 +--
 core/admin/mailu/ui/templates/form.html       |  10 +-
 core/admin/mailu/ui/templates/login.html      |  10 +-
 core/admin/mailu/ui/templates/macros.html     | 141 +++++++-----
 .../mailu/ui/templates/manager/create.html    |  18 +-
 .../mailu/ui/templates/manager/list.html      |  26 +--
 .../mailu/ui/templates/relay/create.html      |   6 +-
 core/admin/mailu/ui/templates/relay/edit.html |  10 +-
 core/admin/mailu/ui/templates/relay/list.html |  26 +--
 core/admin/mailu/ui/templates/sidebar.html    | 210 +++++++++---------
 .../mailu/ui/templates/token/create.html      |  10 +-
 core/admin/mailu/ui/templates/token/list.html |  26 +--
 .../admin/mailu/ui/templates/user/create.html |  27 ++-
 core/admin/mailu/ui/templates/user/edit.html  |  10 +-
 .../mailu/ui/templates/user/forward.html      |  25 ---
 core/admin/mailu/ui/templates/user/list.html  |  28 +--
 .../mailu/ui/templates/user/password.html     |  10 +-
 core/admin/mailu/ui/templates/user/reply.html |  35 ++-
 .../mailu/ui/templates/user/settings.html     |  46 ++--
 .../admin/mailu/ui/templates/user/signup.html |  22 +-
 .../ui/templates/user/signup_domain.html      |  22 +-
 core/admin/mailu/ui/templates/working.html    |   6 +-
 core/admin/mailu/ui/views/base.py             |   5 +
 core/admin/mailu/ui/views/languages.py        |   6 +-
 core/admin/mailu/ui/views/users.py            |  17 --
 core/admin/mailu/utils.py                     |  13 +-
 core/admin/package.json                       |  17 +-
 core/admin/requirements-prod.txt              |   2 +-
 core/admin/webpack.config.js                  | 101 +++++----
 58 files changed, 912 insertions(+), 760 deletions(-)
 create mode 100644 core/admin/assets/mailu.png
 create mode 100644 core/admin/mailu/ui/templates/antispam.html
 delete mode 100644 core/admin/mailu/ui/templates/user/forward.html

diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index fa75e8dc..edb8c1fd 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -3,33 +3,40 @@ ARG DISTRO=alpine:3.14
 ARG ARCH=""
 
 FROM ${ARCH}node:16 as assets
-COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
 
 COPY package.json ./
-RUN npm install
+RUN set -eu \
+ && npm config set update-notifier false \
+ && npm install --no-fund
 
-COPY ./webpack.config.js ./
-COPY ./assets ./assets
-RUN mkdir static \
- && ./node_modules/.bin/webpack-cli
+COPY webpack.config.js ./
+COPY assets ./assets
+RUN set -eu \
+ && sed -i 's/#007bff/#367fa9/' node_modules/admin-lte/build/scss/_bootstrap-variables.scss \
+ && for l in ca da de:de_de en:en-gb es:es_es eu fr:fr_fr he hu is it:it_it ja nb_NO:no_nb nl:nl_nl pl pt:pt_pt ru sv:sv_se zh_CN:zh; do \
+      cp node_modules/datatables.net-plugins/i18n/${l#*:}.json assets/${l%:*}.json; \
+    done \
+ && node_modules/.bin/webpack-cli --color
 
 
 # Actual application
 FROM $DISTRO
+COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
+
 # python3 shared with most images
-RUN apk add --no-cache \
-    python3 py3-pip git bash \
-  && pip3 install --upgrade pip
+RUN set -eu \
+ && apk add --no-cache python3 py3-pip git bash \
+ && pip3 install --upgrade pip
 
 RUN mkdir -p /app
 WORKDIR /app
 
 COPY requirements-prod.txt requirements.txt
-RUN apk add --no-cache openssl curl postgresql-libs mariadb-connector-c \
-  && apk add --no-cache --virtual build-dep \
-  openssl-dev libffi-dev python3-dev build-base postgresql-dev mariadb-connector-c-dev cargo \
-  && pip3 install -r requirements.txt \
-  && apk del --no-cache build-dep
+RUN set -eu \
+ && apk add --no-cache openssl curl postgresql-libs mariadb-connector-c \
+ && apk add --no-cache --virtual build-dep openssl-dev libffi-dev python3-dev build-base postgresql-dev mariadb-connector-c-dev cargo \
+ && pip3 install -r requirements.txt \
+ && apk del --no-cache build-dep
 
 COPY --from=assets static ./mailu/ui/static
 COPY mailu ./mailu
diff --git a/core/admin/assets/app.css b/core/admin/assets/app.css
index 8351eed8..12df605c 100644
--- a/core/admin/assets/app.css
+++ b/core/admin/assets/app.css
@@ -1,23 +1,51 @@
-.select2-search--inline .select2-search__field:focus {
-  border: none;
+/* mailu logo */
+.mailu-logo {
+  opacity: .8;
 }
 
-.sidebar h4 {
-  padding-left: 5px;
-  padding-right: 5px;
-  overflow: hidden;
-  text-overflow: ellipsis;
+/* user image */
+.div-circle {
+  position: relative;
+  width: 2.1rem;
+  height: 2.1rem;
+  opacity: .8;
+  background-color: white;
+  border-radius: 50%;
+}
+.div-circle > i {
+  display: block;
+  position: absolute;
+  top: 50%;
+  left: 50%;
+  transform: translate(-50%, -50%)
 }
 
-.sidebar-collapse .sidebar h4 {
-  display: none !important;
+/* nice round preformatted configuration display */
+.pre-config {
+  padding: 9px;
+  margin: 0;
+  white-space: pre-wrap;
+  word-wrap: anywhere;
+  border-radius: 4px;
 }
 
-.logo a {
-  color: #fff;
+/* fieldset */
+legend {
+  font-size: inherit;
+}
+fieldset:disabled :not(legend) label {
+  opacity: .5;
+}
+fieldset:disabled .form-control:disabled {
+  color: gray;
 }
 
-.sidebar-toggle {
-  padding: unset !important;
+/* fix animation for icons in menu text */
+.sidebar .nav-link p i {
+  transition: margin-left .3s linear,opacity .3s ease,visibility .3s ease;
 }
 
+/* fix select2 text color */
+.select2-container--default .select2-selection--multiple .select2-selection__choice {
+  color: black;
+}
diff --git a/core/admin/assets/app.js b/core/admin/assets/app.js
index 364f8429..dc3414f2 100644
--- a/core/admin/assets/app.js
+++ b/core/admin/assets/app.js
@@ -1,17 +1,70 @@
 require('./app.css');
 
-import 'admin-lte/plugins/select2/js/select2.js';
-import 'admin-lte/plugins/datatables/jquery.dataTables.js';
-import 'admin-lte/plugins/datatables-bs4/js/dataTables.bootstrap4.js';
-import 'admin-lte/plugins/datatables-responsive/js/dataTables.responsive.js';
-import 'admin-lte/plugins/datatables-responsive/js/responsive.bootstrap4.js';
+import logo from './mailu.png';
+import modules from "./*.json";
 
-jQuery("document").ready(function() {
-    jQuery(".mailselect").select2({
+// TODO: conditionally (or lazy) load select2 and dataTable
+$('document').ready(function() {
+
+    // intercept anchors with data-clicked attribute and open alternate location instead
+    $('[data-clicked]').click(function(e) {
+        e.preventDefault();
+        window.location.href = $(this).data('clicked');
+    });
+
+    // use post for language selection
+    $('#mailu-languages > a').click(function(e) {
+        e.preventDefault();
+        $.post({
+            url: $(this).attr('href'),
+            success: function() {
+                location.reload();
+            },
+        });
+    });
+
+    // allow en-/disabling of inputs in fieldset with checkbox in legend
+    $('fieldset legend input[type=checkbox]').change(function() {
+        var fieldset = $(this).parents('fieldset');
+        if (this.checked) {
+            fieldset.removeAttr('disabled');
+            fieldset.find('input').not(this).removeAttr('disabled');
+        } else {
+            fieldset.attr('disabled', '');
+            fieldset.find('input').not(this).attr('disabled', '');
+        }
+    });
+
+    // display of range input value
+    $('input[type=range]').each(function() {
+        var value_element = $('#'+this.id+'_value');
+        if (value_element.length) {
+            value_element = $(value_element[0]);
+            var infinity = $(this).data('infinity');
+            var step = $(this).attr('step');
+            $(this).on('input', function() {
+                value_element.text((infinity && this.value == 0) ? '∞' : this.value/step);
+            }).trigger('input');
+        }
+    });
+
+    // init select2
+    $('.mailselect').select2({
         tags: true,
-        tokenSeparators: [',', ' ']
+        tokenSeparators: [',', ' '],
     });
-    jQuery(".dataTable").DataTable({
-        "responsive": true,
+
+    // init dataTable
+    var d = $(document.documentElement);
+    $('.dataTable').DataTable({
+        'responsive': true,
+        language: {
+            url: d.data('static') + d.attr('lang') + '.json',
+        },
     });
+
+    // init clipboard.js
+    new ClipboardJS('.btn-clip');
+
 });
+
diff --git a/core/admin/assets/mailu.png b/core/admin/assets/mailu.png
new file mode 100644
index 0000000000000000000000000000000000000000..e4f5021f4665bf509f6bbbb5deedc399a7e65b1c
GIT binary patch
literal 4935
zcmV-N6S(Y&P)<h;3K|Lk000e1NJLTq00961009691ONa4_IqIM000vXNkl<Zc-rlq
zdvFz1p2vTQA-rEI<N+jsAa6}j*9E~5bVLM_fI3c<h&rW+kKJ)ynHg$as@U-nU0t=-
z1!rnz)L|Fdp|pmFLa75p<uNE*yUw_>z>JG1pdd*w<^g$p_K$R4aFcZR?e2TJ@9*3H
zP+ht7z32Nm=lss^oIXb+vSJX~WHX!}Q%WhNJi&+9(T6-?ed5OqC!1^ri7F(f_aTQ7
ze4mx9;v*_3r<_LIs*!Taso*14v6AmIf*ks2DVu0~CZl<tS1F^4Do*2vPE$n{WxUGs
zj3!e{J@K}ukk4PSj!hh<jv!UXVK(to#&LoAkO=Dsa0v_9!8e>CacblY2ieX-E@6PW
z5=@=%$K`BbKaFwp?cRgX$bL3(IsHgcm;A9lm3~a+We#Gp4)QWn=|`$M=51_0gQq!Q
zP@V6(JvhMA%+T?I7uNSChuiodp*_7jo#6v+BS*W0c+4+m7he))eaRyf(_7tiYJLuX
z$9vQg1=aE%C7iFW+Bg4EJ||kL<#Qe-N8Rn-{HOVXsOk%zRtP#be>g92gsAHXFECu)
zKHL0Ztl}8SqGPOLn7ZC#em2i0k@;;9JWIBk--GG=g=E!Vm`;!6HUB)WVmI|9v+CK+
zn50Y=F`Q*S&D)2sGgy{nVIjSl&By9|JAKUTBxwgoA&=b=$?<ucD*7pTk%xf3Eas@X
z-HDE}IMN7^#a6BRU8;(IA}gx)-@-0+*oJm-OZ3bi!Y`>*Z*8iQUos?0_K#t!y6R9{
z850%zucKW3bfI#t3%~gT*`Q5-99=<isF#~Fh%$9CE;UgW+BXv^(4OC;XrLgRJ^$D0
zok#jQbkP8FIHA6Is1wWyQ_sJY<La5mI?g<Lg(L1?t#0|EYF0DQeEZj^Q$A{q(Fibr
zb?TANT4!u#fc~ske*(~Y`kOh^zgfKrNSo<vn*IIQqP_&EE%Y<1@!zDL1guTQbOa3G
zHT5F_dd-M%kls4*OPHQ90e~B*Q700X9h{YT`@d2j5~#1ZA(8f9ul5^&!1al;{|dF=
z2pwc-V&?odYS|m2*8^WQ#6Y#*C~XXQl86#5bHh{;r2W%$p|^1=XIfD9k5>DQ)V@F>
z0S2>8%i2(F3t)ag7knA4dKUPf`P1g#>`1`R%pgP9sby@qcKY~UG0$oFhCt8xW&Z*y
zv~)wD3SS}tGI(FhHY9qV4DSJ0uH_mcE%!e9|3*tSMEb_l(Eyq3)iMp4cF@y103Oit
z44rDY)hqjlNB9hnDC-MP&Nn8F_p~fSsvml=?<iArZ_m)GmMQVqe;xgYJ0p-59{>;O
zp8lcMY5qFC?B8K6!;ouV99cnD(4-|8ay7BSefsA!Ex!opGnd0bp3?dskv8BdclBTU
z|ETD&i#C8#t^W~f14^CRpT!|9w+QKw!}kYSuJu1ss$sel`+MnzZ;{h_2OG^YlWHxo
zh^d;H_Ur!!Ew2b_gUvR8Yqb7HQpXu)4}eFstRkwVIsi;={n^I;qTH(G6yZSdyWQEJ
zuIGG3T4khn*8v>SQi`ySbaOPdE&z|b=6Brz?9&p8xOUQ`tF0gFw1gtAqYT#<K$BZ@
zJF~whpZM{-25P9GmRf45p@tf&skZ*r**zzB!}0lglRAOa*Z^GW$G2=^6Z0vdh+>K<
zVF5RC6F0Je`4m$`5yi}JcejLMiYcPRy4(Dh;s5*#oG}G}<K)B!V3r?GYvS(_y_jRt
zu?n$I8DNKh01RP_b&YMk#<aV-zH9$4&HQ{W!aS2^*mlISKbMpK0Wh4&Nqmh(C^89v
zljNQYKmm>Z0Pt|q127Ju*dzcNDL5AZpALOh0Ga_P;aii2g6qyb`R`)|AZc0vc>inw
z#?#;z02%{~Gc5*y3i3JvaI=2^JfuOOX`=wBr?4XcZ~FD5<`!T?(gQHpw1t+hwzof(
zcN74>0Wj=*&3D=*gc(Vt0+3_?R5G#+fXV)C1f>8p12D%l0BXr^1K?%<o};4xBZEL_
z;3sVWtW^M#Diz$UwJr7!<^TKyKoda*CV~LASi1?6=Vz8u0WdNZ4DhX$3}Tc55Cj0#
z#sct!pHI;kz}POJj;osic+p<~G!<;*C;;HaW&l?C-vVeJV6KS(tP&CWvfXq5CXt`e
zYitxVfdDTx?+09IHUNbTPVj=xo?H@50FIF%WSS4a0LzG3EaG<V<WBD74sPc*7P64r
zxScz!ySKB*y1S_L?j79DBI_@meg1pabJIKkV2+6ZRFWxV1pz>OLEtD-5roI7<aA(H
zEo<q4AY@P&%^<LnEa7f{PXzD+fI>#m3qknj!0J&0>&Zh%XAA|=Oa(&)*+Qwm&+sY{
zG>QHQ!jplVVAH@xMk4fJe01{waEALs13()BkNb{5Bb&+f%zk52!2qQp0$?&1TL?VH
z*FJvZll&ti5z;-f-`G@e_yA~Y1!ns;fq9a@K@idz7xh$dPyl#47chzbq#(@U&%W6I
zw+O=d9@=kk5D2BhmLLG|G8J6F2vQK{alj}0hsGWEha?pYrQ-J!{Fn<UB!?7)BL3II
zZ(43O{zKzT`-CVH2wOu5z+?)^B?Y0FeV*)U(a489;FJAE13*XtXhYy~ejWGDR*h`s
zVgzA`5B3|J3Jx;>lPM&R6a?WHaUsyiI}{+KdEWPjAO;8u0Dl&Q6f%~+2*SU*Mxc@3
zQ;3kp*f=x(p&SJS0f4`20w-DsJm+dkqmk`a?H}jcH#9mA5PkqAGl@P3!ZVH$XySb?
z@!fu-Q^BSIFo}s=>>7b*DR=PAPEpE4tMPZ9ix|rJT*xE^z)Juol7`TiiLMct&*!%7
ze;7gN!5A0zUtld2$<r>t%OG%qRjmD7A<!HP+-U2-lT$235C+9%zg+;F2Z4>$JGdIn
z2VjIF0GbhS8k1kbFa+UdKDAl<FLW{LA8*;egqe;2a54<6=ij-D#oS|Ei@D3X?q)If
zu!MV9%-yYbe;>ywpT+?&fyb=bxID)Q6fzt^_+FO?oZ?3a!UZnuA4@ud@F2%o;s^jI
ziJ%(hI9jy2B#vyTaR6M+aej>;q>$?Zfe{G8EqofYP@4GfIP4!oI>Km{QbD~#0OmRZ
zU@k&7BW+w4Mh}20YI&EraUw8<HRlWqo7l-zYr5C1{TH#7ItTy&dt;Nl_yE{y)O2t&
z0N((xpE(FA<hVxQJbu$*hwdhJawWofaWwuHvEABEt-&z>_G5r*#{jtA;?1lDArlb3
zV*vmMnT?Rb2p0&9p*Mo?t5yV>*lpQ=k*oi&+5WQDqHf?`-$nt|6gdLmUb6vs*bx9%
zw*mm4G7BMvp)Qg`6Rd^gFH#RQ@c~m2&T}>F8$v3=XtuU1=mzfhEe}vlF=8`2nTK$H
zlmM8)sdk?}#I*>*02c^Mv=I0?RqSDkRr{UWe<6Y}lD9e(vr_;{905?G0JI^{yiTWo
z90=S@FNE_L?b`mue12BC#W?`>Q^DURGXU+ofR>oJ)IwmAYXpQI<hyG8o5$JbE<=w<
z7x0)-uZDFD0^1|-jMWjiK_H7PhPn7;0YfeOPsI3L4cuo;5O|+k08TN%sFy=yw*buu
zJntF-ch>~V{>3rvcRmc9=Lmp#!3+Z{$ujEo@RmeS>_Yh$1fdtB0@>B4CxUQSr|%%u
z`<@C8AQ4narcoP2bOk^g0;!Dj-Tqz(!}wt*wciZ@MrHz!kzv#pF<k=y)okNh3xPu4
z?SG?7%OU~5ONMO{)p-oirav(gA=SlPp)>p6?50p7kqTaA*fw#UjRHDqAK&o_fkLbA
z&*qJ8>y*<}u%AJo>s0WIhHVsSrv(5wz?BH8WVlEUb!C4BsR$Wtu+gMC83y{D2XHwI
zY~3i*n5|-CWddXCAXi#Tx-Rz2{-M@7f!A#Hs1Zm7w{8`i7d`-BKT8mVfu11HV*f%8
z*$k*6kP2=Ez?kjgo4bHhw!i-hj}Ryz13|czuWbLW2&95rwu?9CzzBOmV0#1}^PnRr
zAj`4+kw^uvHSWk5yFp-^s;r43_Xre_ZQ1{&qu&+!Q9y?yV+=Vos=Gu`Yy_UPIs!L4
z`i{4DAzjEZhrcWIso)NWM&*YW0I1?|YYkw&WBZ#IjxFMd<KN{x6L^vuYN&3#YT8{L
z@16`I6WHO{xIum$9UTM!P{k8Wc8tITdL#7XH;!w+8vulP%%g}B=CgqLlu*n(>nd({
zw}^SnL;MGz{lSr@93AUC258Y4{*x;Z(rnKaHrwBabuO1fI7tPMxAr=Aa;4hbrO<UM
z_*DZBk9Il==%|ml3?a={D=?AX2<iNX>(ww$g1|z?G1lQV&Ss+9We|AI;n7AMA0Hn8
z@TXP;3c7iLta+i>zs0c_%E>U$&&%a7uz~R%0qE~n6yRSXD3<=nWe6!<y!lgTjrxU`
zI=nXGyaewz1^^d{ppWS<9mTuhN(FbO|KbV+VQ@?YTI`>5)>}hK2f#WxTYNXJ*USxR
z0icO5S=I>xh1Lt?3pg70?+P^ljTD><KrSc49s{)K6pzF}pylQ9`7TEN5sLv%k}Kzm
z52FGAoZ=tOLST|r`){<piHvun0KWlnJPOz$vBdM?%>%?rbTzjEeHg=JCRiKD+{9-d
z{VpeoAin`{oCul~8-Pna*>*PpnZV9kfo0Y^LAjRwcX>GP9by3LximHaJ^3U`0Kh5U
zWMXS>?G+FI=THOiN$Wa*a}Zb_oi3o|>ARR@jr!|6{ap=40pKVGST3E3D?BcxKvTh;
zJ%11PdTxJ+gTOkj=p2A__C;e9(D55I_>kfV?J#g3>C(A)Anb{tpcL9f&;!zynCA7l
z20^ES6@V^vgsiRsNT*C&fCvLn)@27EBEqdvivj!sAe1q{t<s&yvbEc?!%@HxTZ<q@
zh6;dt5i%Vw^zi!1bTSG!)J+FqA@GRzEr9*&>d*kN#PKpOzb@N(fJelRxW>z^?VH$W
zEr2Ydh+^imfCa4!Ae*m}c6XojJ{94M8u@L^?_W$2MeP=Pwk-g)_xs&^{<rpqxz$`_
z4}e~5@V2hh#9RU$``#JCqK0mMlassgecopM-#{<1CuSOYyoJiWs+lQv#f5&pE~-k1
z*4wWCA|kAa;}8m!d1~rn3Mh!dpen(#HvsH_K&iF?5vu>C;#6dESW7M<I!vZG7f)#$
z5Rv--l(-R@o~@u%B~qWcs{c9`h)n%oA#O#6#sLxN|1-qB_=%QasCAl$Bpxx8|Itzm
zvEC<5;uBN++doL<vuc?l@rpFw(~=CS-iy2bi->Tg*9%2ef#?f{i#PIqvA8M#Js@6*
zY>(clRt2ZMuG2p;5m>0*K&Vv14dSKf#oJn{A=2B9mVeknAeS$+TtgH7<%;)Wk!A!!
zGWuU6eu%!jp`{xFy+L2`M~rf~slF<B?PQ4fCrT*SGB#M{9!LK%5Lm6HY_L{~-(oO-
z)N(dd+ZZhVi|N`87~1@gmSDuRknG}+OghCh2}-2$x|X<MdcDIDFuo%&kd0dA25BP$
zC0KC*2ejM`(E%=y;Kj9$j@nfDrLVYF5+klx1PrkMdP$u4kvfo2Rr{X#>oypCMO{ds
zUh#b1-!TFMSff59NNX4%i5CNSO}$8fUNgde>(s$b>PNuZbk50t2}PhEThx;PwS|6S
zmgvi7^(7!}_HE5ioE^b>^(FwVH>&YJD;!*>{`jnQ#)N*I<OOt4=<mR9pqMQN>Y_2<
zwAy(4MMM~+2>76HS<N5`hZw|toKVj^)CuNvdfcO-5M0OC>YGRUn(HKdVx~U_(kGqv
zJJ{&mFa*YXeFj+)sw^};e<x#tcYQdvGg(y0hET-)-Q)*Ls8BCms3Md-e@qBwvse9e
zsJ+aV=!hY_#c6fbrcU#gukZLKXu|kTj;Xgcbc{QVo9y)nf_%2Czg?=9t>jB|MHVag
zR(<Y7M_Fv-OuwfHq)^0e-EAmF-QP_fDUuALH$UL0dfuV#|A5|-JR*gW?9_3A74z?8
zWRleV4iKbs75g>Q&sC&LvWhHzmc)a@WBknVfsPS`Ae&z#VP|lRXUP_ohzLEIMp+U;
zaGEkMR^QJa8BFJG>LPD`9d9!|sUm(y5X@k6gg2(IU^6q+{O%x_#j_DSpyG2LB~Q(_
zi$M;{BeOkyEr(c6j=Jg;f)U)!u8=2<YuQC{=vVb5xI<VL%00@@aFAup(nddi2vW)A
zCiaBrO@kBcVK#jN-MTUI7^E?ZBK8=*zOaHl6fw$^0~=K_Cz0~Gfj>}b*jnR8D)|F9
zke`H;Itc+GpUe0i`#F<f5E}W09sG{VBE62sSPTX;jtAMqr_=_VL#(5Q?QG&ft@9>;
zFqF|uWesaNN|lc&)KSGz*0P4Fj85W7T!T@_B8L)IvXZ@2P(e8jaarC#ITci}mzAuf
zgdCl|4GRhb$s(I<mQqS7rEGI#{5I=TOUWjitmvk4{vR!ktfWD}Ajtp#002ovPDHLk
FV1ikCHQxXL

literal 0
HcmV?d00001

diff --git a/core/admin/assets/vendor.js b/core/admin/assets/vendor.js
index fd43d918..906448cf 100644
--- a/core/admin/assets/vendor.js
+++ b/core/admin/assets/vendor.js
@@ -1,22 +1,24 @@
-// jQuery
-import jQuery from 'jquery';
-import 'admin-lte/plugins/select2/css/select2.css';
-
-// bootstrap
-// import 'bootstrap/less/bootstrap.less';
-// import 'bootstrap';
-
-// FontAwesome
-import 'admin-lte/plugins/fontawesome-free/css/fontawesome.css';
-import 'admin-lte/plugins/fontawesome-free/css/regular.css';
-import 'admin-lte/plugins/fontawesome-free/css/solid.css';
-
 // AdminLTE
+import 'admin-lte/plugins/jquery/jquery.min.js';
+import 'admin-lte/plugins/bootstrap/js/bootstrap.bundle.min.js';
 import 'admin-lte/build/scss/adminlte.scss';
-import 'admin-lte/plugins/datatables-bs4/css/dataTables.bootstrap4.css';
-import 'admin-lte/plugins/datatables-responsive/css/responsive.bootstrap4.css';
-import 'admin-lte/plugins/bootstrap/js/bootstrap.js';
 import 'admin-lte/build/js/AdminLTE.js';
-import 'admin-lte/build/js/Layout.js';
-import 'admin-lte/build/js/ControlSidebar.js';
-import 'admin-lte/build/js/PushMenu.js';
+
+// fontawesome plugin
+import 'admin-lte/plugins/fontawesome-free/css/all.min.css';
+
+// select2 plugin
+import 'admin-lte/plugins/select2/css/select2.min.css';
+import 'admin-lte/plugins/select2/js/select2.min.js';
+
+// dataTables plugin
+import 'admin-lte/plugins/datatables-bs4/css/dataTables.bootstrap4.min.css';
+import 'admin-lte/plugins/datatables-responsive/css/responsive.bootstrap4.min.css';
+import 'admin-lte/plugins/datatables/jquery.dataTables.min.js';
+import 'admin-lte/plugins/datatables-bs4/js/dataTables.bootstrap4.min.js';
+import 'admin-lte/plugins/datatables-responsive/js/dataTables.responsive.min.js';
+import 'admin-lte/plugins/datatables-responsive/js/responsive.bootstrap4.min.js';
+
+// clipboard.js
+import 'clipboard/dist/clipboard.min.js';
+
diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py
index 8ab8ed0e..9b712512 100644
--- a/core/admin/mailu/__init__.py
+++ b/core/admin/mailu/__init__.py
@@ -14,8 +14,7 @@ def create_app_from_config(config):
     app = flask.Flask(__name__)
     app.cli.add_command(manage.mailu)
 
-    # Bootstrap is used for basic JS and CSS loading
-    # TODO: remove this and use statically generated assets instead
+    # Bootstrap is used for error display and flash messages
     app.bootstrap = flask_bootstrap.Bootstrap(app)
 
     # Initialize application extensions
@@ -31,6 +30,15 @@ def create_app_from_config(config):
 
     app.temp_token_key = hmac.new(bytearray(app.secret_key, 'utf-8'), bytearray('WEBMAIL_TEMP_TOKEN_KEY', 'utf-8'), 'sha256').digest()
 
+    # Initialize list of translations
+    config.translations = {
+        str(locale): locale
+        for locale in sorted(
+            utils.babel.list_translations(),
+            key=lambda l: l.get_language_name().title()
+        )
+    }
+
     # Initialize debugging tools
     if app.config.get("DEBUG"):
         debug.toolbar.init_app(app)
@@ -43,8 +51,8 @@ def create_app_from_config(config):
     def inject_defaults():
         signup_domains = models.Domain.query.filter_by(signup_enabled=True).all()
         return dict(
-            signup_domains=signup_domains,
-            config=app.config
+            signup_domains= signup_domains,
+            config        = app.config,
         )
 
     # Import views
diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 7cd3a56b..419dc18d 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -143,6 +143,7 @@ class ConfigManager(dict):
         self.config['SESSION_COOKIE_SAMESITE'] = 'Strict'
         self.config['SESSION_COOKIE_HTTPONLY'] = True
         self.config['PERMANENT_SESSION_LIFETIME'] = timedelta(hours=int(self.config['SESSION_LIFETIME']))
+        self.config['HOSTNAME'] = self.config['HOSTNAMES'].split(',', 1)[0].strip()
         # update the app config itself
         app.config = self
 
diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index 5760c27f..6b0791ad 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -209,16 +209,16 @@ class Domain(Base):
                 os.unlink(file_path)
             self._dkim_key_on_disk = self._dkim_key
 
-    @property
+    @cached_property
     def dns_mx(self):
         """ return MX record for domain """
-        hostname = app.config['HOSTNAMES'].split(',', 1)[0]
+        hostname = app.config['HOSTNAME']
         return f'{self.name}. 600 IN MX 10 {hostname}.'
 
-    @property
+    @cached_property
     def dns_spf(self):
         """ return SPF record for domain """
-        hostname = app.config['HOSTNAMES'].split(',', 1)[0]
+        hostname = app.config['HOSTNAME']
         return f'{self.name}. 600 IN TXT "v=spf1 mx a:{hostname} ~all"'
 
     @property
@@ -226,12 +226,11 @@ class Domain(Base):
         """ return DKIM record for domain """
         if self.dkim_key:
             selector = app.config['DKIM_SELECTOR']
-            return (
-                f'{selector}._domainkey.{self.name}. 600 IN TXT'
-                f'"v=DKIM1; k=rsa; p={self.dkim_publickey}"'
-            )
+            txt = f'v=DKIM1; k=rsa; p={self.dkim_publickey}'
+            record = ' '.join(f'"{txt[p:p+250]}"' for p in range(0, len(txt), 250))
+            return f'{selector}._domainkey.{self.name}. 600 IN TXT {record}'
 
-    @property
+    @cached_property
     def dns_dmarc(self):
         """ return DMARC record for domain """
         if self.dkim_key:
@@ -242,6 +241,34 @@ class Domain(Base):
             ruf = f' ruf=mailto:{ruf}@{domain};' if ruf else ''
             return f'_dmarc.{self.name}. 600 IN TXT "v=DMARC1; p=reject;{rua}{ruf} adkim=s; aspf=s"'
 
+    @cached_property
+    def dns_autoconfig(self):
+        """ return list of auto configuration records (RFC6186) """
+        hostname = app.config['HOSTNAME']
+        protocols = [
+            ('submission', 587),
+            ('imap', 143),
+            ('pop3', 110),
+        ]
+        if app.config['TLS_FLAVOR'] != 'notls':
+            protocols.extend([
+                ('imaps', 993),
+                ('pop3s', 995),
+            ])
+        return list([
+            f'_{proto}._tcp.{self.name}. 600 IN SRV 1 1 {port} {hostname}.'
+            for proto, port
+            in protocols
+        ])
+
+    @cached_property
+    def dns_tlsa(self):
+        """ return TLSA record for domain when using letsencrypt """
+        hostname = app.config['HOSTNAME']
+        if True: #app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'):
+            # current ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) @20210902
+            return f'_25._tcp.{hostname}. 600 IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3'
+
     @property
     def dkim_key(self):
         """ return private DKIM key """
@@ -285,7 +312,7 @@ class Domain(Base):
     def check_mx(self):
         """ checks if MX record for domain points to mailu host """
         try:
-            hostnames = set(app.config['HOSTNAMES'].split(','))
+            hostnames = set(fqdn.strip() for fqdn in app.config['HOSTNAMES'].split(','))
             return any(
                 rset.exchange.to_text().rstrip('.') in hostnames
                 for rset in dns.resolver.query(self.name, 'MX')
diff --git a/core/admin/mailu/ui/forms.py b/core/admin/mailu/ui/forms.py
index 32bb31ab..60be1699 100644
--- a/core/admin/mailu/ui/forms.py
+++ b/core/admin/mailu/ui/forms.py
@@ -88,7 +88,7 @@ class UserForm(flask_wtf.FlaskForm):
     localpart = fields.StringField(_('E-mail'), [validators.DataRequired(), validators.Regexp(LOCALPART_REGEX)])
     pw = fields.PasswordField(_('Password'))
     pw2 = fields.PasswordField(_('Confirm password'), [validators.EqualTo('pw')])
-    quota_bytes = fields_.IntegerSliderField(_('Quota'), default=1000000000)
+    quota_bytes = fields_.IntegerSliderField(_('Quota'), default=10**9)
     enable_imap = fields.BooleanField(_('Allow IMAP access'), default=True)
     enable_pop = fields.BooleanField(_('Allow POP3 access'), default=True)
     displayed_name = fields.StringField(_('Displayed name'))
diff --git a/core/admin/mailu/ui/templates/admin/create.html b/core/admin/mailu/ui/templates/admin/create.html
index 6c2413bc..071cb77f 100644
--- a/core/admin/mailu/ui/templates/admin/create.html
+++ b/core/admin/mailu/ui/templates/admin/create.html
@@ -1,15 +1,15 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Add a global administrator{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
   {{ macros.form_field(form.admin, class_='mailselect') }}
   {{ macros.form_field(form.submit) }}
 </form>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/admin/list.html b/core/admin/mailu/ui/templates/admin/list.html
index f2f5d229..84d954a0 100644
--- a/core/admin/mailu/ui/templates/admin/list.html
+++ b/core/admin/mailu/ui/templates/admin/list.html
@@ -1,17 +1,17 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Global administrators{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.admin_create') }}">
   {% trans %}Add administrator{% endtrans %}
 </a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -19,14 +19,14 @@
   </tr>
 </thead>
 <tbody>
-  {% for admin in admins %}
+  {%- for admin in admins %}
   <tr>
     <td>
       <a href="{{ url_for('.admin_delete', admin=admin.email) }}" title="{% trans %}Delete{% endtrans %}"><i class="fa fa-trash"></i></a>
     </td>
     <td>{{ admin }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/alias/create.html b/core/admin/mailu/ui/templates/alias/create.html
index 2079d191..ce9f8167 100644
--- a/core/admin/mailu/ui/templates/alias/create.html
+++ b/core/admin/mailu/ui/templates/alias/create.html
@@ -1,15 +1,15 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Create alias{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
   {{ macros.form_field(form.localpart, append='<span class="input-group-text">@'+domain.name+'</span>') }}
@@ -18,5 +18,5 @@
   {{ macros.form_field(form.comment) }}
   {{ macros.form_field(form.submit) }}
 </form>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/alias/edit.html b/core/admin/mailu/ui/templates/alias/edit.html
index b28ea170..4dc13cce 100644
--- a/core/admin/mailu/ui/templates/alias/edit.html
+++ b/core/admin/mailu/ui/templates/alias/edit.html
@@ -1,9 +1,9 @@
-{% extends "alias/create.html" %}
+{%- extends "alias/create.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Edit alias{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ alias }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/alias/list.html b/core/admin/mailu/ui/templates/alias/list.html
index e8ddc862..0b784d52 100644
--- a/core/admin/mailu/ui/templates/alias/list.html
+++ b/core/admin/mailu/ui/templates/alias/list.html
@@ -1,19 +1,19 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Alias list{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain.name }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.alias_create', domain_name=domain.name) }}">{% trans %}Add alias{% endtrans %}</a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -25,7 +25,7 @@
   </tr>
 </thead>
 <tbody>
-  {% for alias in domain.aliases %}
+  {%- for alias in domain.aliases %}
   <tr>
     <td>
       <a href="{{ url_for('.alias_edit', alias=alias.email) }}" title="{% trans %}Edit{% endtrans %}"><i class="fa fa-pencil"></i></a>&nbsp;
@@ -37,7 +37,7 @@
     <td>{{ alias.created_at }}</td>
     <td>{{ alias.updated_at or '' }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/alternative/create.html b/core/admin/mailu/ui/templates/alternative/create.html
index 75461c67..f10cb718 100644
--- a/core/admin/mailu/ui/templates/alternative/create.html
+++ b/core/admin/mailu/ui/templates/alternative/create.html
@@ -1,9 +1,9 @@
-{% extends "form.html" %}
+{%- extends "form.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Create alternative domain{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/alternative/list.html b/core/admin/mailu/ui/templates/alternative/list.html
index f123eb9f..b56cd751 100644
--- a/core/admin/mailu/ui/templates/alternative/list.html
+++ b/core/admin/mailu/ui/templates/alternative/list.html
@@ -1,19 +1,19 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Alternative domain list{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain.name }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.alternative_create', domain_name=domain.name) }}">{% trans %}Add alternative{% endtrans %}</a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -22,7 +22,7 @@
   </tr>
 </thead>
 <tbody>
-  {% for alternative in domain.alternatives %}
+  {%- for alternative in domain.alternatives %}
   <tr>
     <td>
       <a href="{{ url_for('.alternative_delete', alternative=alternative.name) }}" title="{% trans %}Delete{% endtrans %}"><i class="fa fa-trash"></i></a>
@@ -30,7 +30,7 @@
     <td>{{ alternative }}</td>
     <td>{{ alternative.created_at }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/announcement.html b/core/admin/mailu/ui/templates/announcement.html
index acdbde1a..ed7fe772 100644
--- a/core/admin/mailu/ui/templates/announcement.html
+++ b/core/admin/mailu/ui/templates/announcement.html
@@ -1,16 +1,16 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Public announcement{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
   {{ macros.form_field(form.announcement_subject) }}
   {{ macros.form_field(form.announcement_body, rows=10) }}
   {{ macros.form_field(form.submit) }}
 </form>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/antispam.html b/core/admin/mailu/ui/templates/antispam.html
new file mode 100644
index 00000000..0b2713b9
--- /dev/null
+++ b/core/admin/mailu/ui/templates/antispam.html
@@ -0,0 +1,15 @@
+{%- extends "base.html" %}
+
+{%- block title %}
+{% trans %}Antispam{% endtrans %}
+{%- endblock %}
+
+{%- block subtitle %}
+{% trans %}RSPAMD status page{% endtrans %}
+{%- endblock %}
+
+{%- block content %}
+<div class="embed-responsive embed-responsive-1by1">
+  <iframe class="embed-responsive-item" src="{{ config["WEB_ADMIN"] }}/antispam/"></iframe>
+</div>
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/base.html b/core/admin/mailu/ui/templates/base.html
index 89695e50..acef4b86 100644
--- a/core/admin/mailu/ui/templates/base.html
+++ b/core/admin/mailu/ui/templates/base.html
@@ -1,65 +1,83 @@
-{% import "macros.html" as macros %}
-{% import "bootstrap/utils.html" as utils %}
+{%- import "macros.html" as macros %}
+{%- import "bootstrap/utils.html" as utils %}
 <!doctype html>
-<html>
+<html lang="{{ session['language'] }}" data-static="{{ url_for('.static', filename='') }}">
   <head>
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta name="description" content="{% trans %}Admin page for{% endtrans %} {{ config["SITENAME"] }}">
+    <meta http-equiv="x-ua-compatible" content="ie=edge">
+    <title>Mailu-Admin | {{ config["SITENAME"] }}</title>
     <link rel="stylesheet" href="{{ url_for('.static', filename='vendor.css') }}">
     <link rel="stylesheet" href="{{ url_for('.static', filename='app.css') }}">
-    <title>Mailu-Admin - {{ config["SITENAME"] }}</title>
   </head>
   <body class="hold-transition sidebar-mini layout-fixed">
     <div class="wrapper">
       <nav class="main-header navbar navbar-expand navbar-white navbar-light">
         <ul class="navbar-nav">
           <li class="nav-item">
-            <a class="nav-link" data-widget="pushmenu" href="#" role="button"><i class="fas fa-bars"></i></a>
+            <a class="nav-link" data-widget="pushmenu" href="#" role="button"><i class="fas fa-bars" title="{% trans %}toggle sidebar{% endtrans %}" aria-expanded="false"></i><span class="sr-only">{% trans %}toggle sidebar{% endtrans %}</span></a>
+          </li>
+          <li class="nav-item">
+            {%- for page, url in path %}
+            {%- if loop.index > 1 %}
+            <i class="fas fa-greater-than text-xs text-gray" aria-hidden="true"></i>
+            {%- endif %}
+            {%- if url %}
+            <a class="nav-link d-inline-block" href="{{ url }}" role="button">{{ page }}</a>
+            {%- else %}
+            <span class="nav-link d-inline-block">{{ page }}</span>
+            {%- endif %}
+            {%- endfor %}
           </li>
         </ul>
         <ul class="navbar-nav ml-auto">
           <li class="nav-item dropdown">
-            <a class="nav-link" data-toggle="dropdown" href="#" aria-expanded="false">{{ session['language'] }}</a>
-            <div class="dropdown-menu dropdown-menu-right p-0">
-                {% for language in session['available_languages'] %}
-                    <a class="dropdown-item {% if language == session['language'] %}active{% endif %} " href="{{ url_for('.set_language', language=language) }}">{{ language }}</a>
-                {% endfor %}
+            <a class="nav-link" data-toggle="dropdown" href="#" aria-expanded="false">
+                <i class="fas fa-language text-xl" aria-hidden="true" title="{% trans %}change language{% endtrans %}"></i><span class="sr-only">Language</span>
+                <span class="badge badge-primary navbar-badge">{{ session['language'] }}</span></a>
+            <div class="dropdown-menu dropdown-menu-right p-0" id="mailu-languages">
+              {%- for locale in config.translations.values() %}
+                <a class="dropdown-item{% if locale.language == session['language'] %} active{% endif %}" href="{{ url_for('.set_language', language=locale.language) }}">{{ locale.get_language_name().title() }}</a>
+              {%- endfor %}
             </div>
           </li>
         </ul>
       </nav>
-      <aside class="main-sidebar sidebar-dark-primary">
-        <a href="{{ config["WEB_ADMIN"] }}" class="brand-link">
-         <span class="brand-text font-weight-light">{{ config["SITENAME"] }}</span>
+      <aside class="main-sidebar sidebar-dark-primary nav-compact elevation-4">
+        <a href="{{ url_for('.domain_list') }}" class="brand-link bg-primary">
+          <img src="{{ url_for('.static', filename='mailu.png') }}" width="33" height="33" alt="Mailu" class="brand-image mailu-logo img-circle elevation-3">
+          <span class="brand-text font-weight-light">{{ config["SITENAME"] }}</span>
         </a>
-        {% block sidebar %}
-        {% include "sidebar.html" %}
-        {% endblock %}
+        {%- include "sidebar.html" %}
       </aside>
-      <div class="content-wrapper">
+      <div class="content-wrapper text-sm">
         <section class="content-header">
           <div class="container-fluid">
             <div class="row mb-2">
               <div class="col-sm-6">
-                <h1 class="m-0">{% block title %}{% endblock %}</h1>
+                <h1 class="m-0">{%- block title %}{%- endblock %}</h1>
                 <small>{% block subtitle %}{% endblock %}</small>
               </div>
               <div class="col-sm-6">
-                {% block main_action %}
-                {% endblock %}
+                {%- block main_action %}{%- endblock %}
               </div>
             </div>
           </div>
         </section>
-
         <div class="content">
           {{ utils.flashed_messages(container=False) }}
-          {% block content %}{% endblock %}
+          {%- block content %}{%- endblock %}
         </div>
       </div>
       <footer class="main-footer">
-        Built with <i class="fa fa-heart"></i> using <a class="white-text" href="http://flask.pocoo.org/">Flask</a> and
-        <a class="white-text" href="https://adminlte.io/themes/v3/index3.html">AdminLTE</a>
-        <span class="pull-right"><i class="fa fa-code-fork"></i>on <a class="white-text" href="https://github.com/Mailu/Mailu">Github</a></a></span>
+        Built with <i class="fa fa-heart text-danger" aria-hidden="true"></i><span class="sr-only">love</span>
+        using <a href="https://flask.palletsprojects.com/">Flask</a>
+        and <a href="https://adminlte.io/themes/v3/index3.html">AdminLTE</a>.
+        <span class="fa-pull-right">
+          <i class="fa fa-code-branch" aria-hidden="true"></i><span class="sr-only">fork</span>
+          on <a href="https://github.com/Mailu/Mailu">Github</a>
+        </span>
       </footer>
     </div>
     <script src="{{ url_for('.static', filename='vendor.js') }}"></script>
diff --git a/core/admin/mailu/ui/templates/client.html b/core/admin/mailu/ui/templates/client.html
index 668621af..cc4517ad 100644
--- a/core/admin/mailu/ui/templates/client.html
+++ b/core/admin/mailu/ui/templates/client.html
@@ -1,17 +1,15 @@
-<!--TODO add translations for: configure your client, Incoming mail and Outgoing mail-->
+{%- extends "base.html" %}
 
-{% extends "base.html" %}
-
-{% block title %}
+{%- block title %}
 {% trans %}Client setup{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
-configure your email client
-{% endblock %}
+{%- block subtitle %}
+{% trans %}configure your email client{% endtrans %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table(title="Incoming mail", datatable=False) %}
+{%- block content %}
+{%- call macros.table(title=_("Incoming mail"), datatable=False) %}
   <tbody>
     <tr>
       <th>{% trans %}Mail protocol{% endtrans %}</th>
@@ -23,20 +21,20 @@ configure your email client
     </tr>
     <tr>
       <th>{% trans %}Server name{% endtrans %}</th>
-      <td><pre>{{ config["HOSTNAMES"].split(',')[0] }}</pre></td>
+      <td><pre class="pre-config border bg-light">{{ config["HOSTNAMES"] }}</pre></td>
     </tr>
     <tr>
       <th>{% trans %}Username{% endtrans %}</th>
-      <td><pre>{{ current_user if current_user.is_authenticated else "******" }}</pre></td>
+      <td><pre class="pre-config border bg-light">{{ current_user if current_user.is_authenticated else "******" }}</pre></td>
     </tr>
     <tr>
       <th>{% trans %}Password{% endtrans %}</th>
-      <td><pre>*******</pre></td>
+      <td><pre class="pre-config border bg-light">*******</pre></td>
     </tr>
   </tbody>
-{% endcall %}
+{%- endcall %}
 
-{% call macros.table(title="Outgoing mail", datatable=False) %}
+{%- call macros.table(title=_("Outgoing mail"), datatable=False) %}
   <tbody>
     <tr>
       <th>{% trans %}Mail protocol{% endtrans %}</th>
@@ -48,16 +46,16 @@ configure your email client
     </tr>
     <tr>
       <th>{% trans %}Server name{% endtrans %}</th>
-      <td><pre>{{ config["HOSTNAMES"].split(',')[0] }}</pre></td>
+      <td><pre class="pre-config border bg-light">{{ config["HOSTNAMES"] }}</pre></td>
     </tr>
     <tr>
       <th>{% trans %}Username{% endtrans %}</th>
-      <td><pre>{{ current_user if current_user.is_authenticated else "******" }}</pre></td>
+      <td><pre class="pre-config border bg-light">{{ current_user if current_user.is_authenticated else "******" }}</pre></td>
     </tr>
     <tr>
       <th>{% trans %}Password{% endtrans %}</th>
-      <td><pre>*******</pre></td>
+      <td><pre class="pre-config border bg-light">*******</pre></td>
     </tr>
   </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/confirm.html b/core/admin/mailu/ui/templates/confirm.html
index d0f6acf3..ac1d4f98 100644
--- a/core/admin/mailu/ui/templates/confirm.html
+++ b/core/admin/mailu/ui/templates/confirm.html
@@ -1,16 +1,16 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Confirm action{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ action }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card(theme="warning") %}
+{%- block content %}
+{%- call macros.card(theme="warning") %}
 <p>{% trans action %}You are about to {{ action }}. Please confirm your action.{% endtrans %}</p>
 {{ macros.form(form) }}
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/docker-error.html b/core/admin/mailu/ui/templates/docker-error.html
index 248e8b27..10742b99 100644
--- a/core/admin/mailu/ui/templates/docker-error.html
+++ b/core/admin/mailu/ui/templates/docker-error.html
@@ -1,14 +1,14 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Docker error{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ action }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
+{%- block content %}
 <p>{% trans action %}An error occurred while talking to the Docker server.{% endtrans %}</p>
-<pre>{{ error }}</pre>
-{% endblock %}
+<pre class="pre-config border bg-light">{{ error }}</pre>
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/domain/create.html b/core/admin/mailu/ui/templates/domain/create.html
index 3fdd262a..bc407d27 100644
--- a/core/admin/mailu/ui/templates/domain/create.html
+++ b/core/admin/mailu/ui/templates/domain/create.html
@@ -1,21 +1,20 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}New domain{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
   {{ macros.form_field(form.name) }}
   {{ macros.form_fields((form.max_users, form.max_aliases)) }}
-  {{ macros.form_field(form.max_quota_bytes, step=1000000000, max=50000000000,
-      prepend='<span class="input-group-text"><span id="quota">'+((form.max_quota_bytes.data//1000000000).__str__() if form.max_quota_bytes.data else '∞')+'</span> GiB</span>',
-      oninput='$("#quota").text(this.value == 0  ? "∞" : this.value/1000000000);') }}
+  {{ macros.form_field(form.max_quota_bytes, step=10**9, max=50*10**9, data_infinity="true",
+      prepend='<span class="input-group-text"><span id="max_quota_bytes_value"></span>&nbsp;GB</span>') }}
   {{ macros.form_field(form.signup_enabled) }}
   {{ macros.form_field(form.comment) }}
   {{ macros.form_field(form.submit) }}
 </form>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/domain/details.html b/core/admin/mailu/ui/templates/domain/details.html
index 0560d5e0..b90ea3de 100644
--- a/core/admin/mailu/ui/templates/domain/details.html
+++ b/core/admin/mailu/ui/templates/domain/details.html
@@ -1,66 +1,69 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Domain details{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain.name }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
-{% if current_user.global_admin %}
+{%- block main_action %}
+{%- if current_user.global_admin %}
 <a class="btn btn-primary float-right" href="{{ url_for(".domain_genkeys", domain_name=domain.name) }}">
-  {% if domain.dkim_publickey %}
+  {%- if domain.dkim_publickey %}
   {% trans %}Regenerate keys{% endtrans %}
-  {% else %}
+  {%- else %}
   {% trans %}Generate keys{% endtrans %}
-  {% endif %}
+  {%- endif %}
 </a>
-{% endif %}
-{% endblock %}
+{%- endif %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table(datatable=False) %}
-{% set hostname = config["HOSTNAMES"].split(",")[0] %}
+{%- block content %}
+{%- call macros.table(datatable=False) %}
 <tr>
   <th>{% trans %}Domain name{% endtrans %}</th>
   <td>{{ domain.name }}</td>
 </tr>
 <tr>
-  <th>{% trans %}DNS MX entry{% endtrans %} <i class="fa {{ 'fa-check-circle' if domain.check_mx() else 'fa-exclamation-circle' }}"></i></th>
-  <td><pre>{{ domain.name }}. 600 IN MX 10 {{ hostname }}.</pre></td>
+  <th>{% trans %}DNS MX entry{% endtrans %} <i class="fa {{ 'fa-check-circle text-success' if domain.check_mx() else 'fa-exclamation-circle text-danger' }}"></i></th>
+  <td>{{ macros.clip("dns_mx") }}<pre id="dns_mx" class="pre-config border bg-light">{{ domain.dns_mx }}</pre></td>
 </tr>
 <tr>
   <th>{% trans %}DNS SPF entries{% endtrans %}</th>
-  <td><pre>
-{{ domain.name }}. 600 IN TXT "v=spf1 mx a:{{ hostname }} -all"</pre></td>
+  <td>{{ macros.clip("dns_spf") }}<pre id="dns_spf" class="pre-config border bg-light">{{ domain.dns_spf }}</pre>
+  </td>
 </tr>
-{% if domain.dkim_publickey %}
+{%- if domain.dkim_publickey %}
 <tr>
   <th>{% trans %}DKIM public key{% endtrans %}</th>
-  <td><pre style="white-space: pre-wrap; word-wrap: break-word;">{{ domain.dkim_publickey }}</pre></td>
+  <td>{{ macros.clip("dkim_key") }}<pre id="dkim_key" class="pre-config border bg-light">{{ domain.dkim_publickey }}</pre></td>
 </tr>
 <tr>
   <th>{% trans %}DNS DKIM entry{% endtrans %}</th>
-  <td><pre style="white-space: pre-wrap; word-wrap: break-word;">{{ config["DKIM_SELECTOR"] }}._domainkey.{{ domain.name }}. 600 IN TXT "v=DKIM1; k=rsa; p={{ domain.dkim_publickey }}"</pre></td>
+  <td>{{ macros.clip("dns_dkim") }}<pre id="dns_dkim" class="pre-config border bg-light">{{ domain.dns_dkim }}</pre></td>
 </tr>
 <tr>
   <th>{% trans %}DNS DMARC entry{% endtrans %}</th>
-  <td><pre>_dmarc.{{ domain.name }}. 600 IN TXT "v=DMARC1; p=reject;{% if config["DMARC_RUA"] %} rua=mailto:{{ config["DMARC_RUA"] }}@{{ config["DOMAIN"] }};{% endif %}{% if config["DMARC_RUF"] %} ruf=mailto:{{ config["DMARC_RUF"] }}@{{ config["DOMAIN"] }};{% endif %} adkim=s; aspf=s"</pre></td>
+  <td>{{ macros.clip("dns_dmark") }}<pre id="dns_dmark" class="pre-config border bg-light">{{ domain.dns_dmarc }}</pre></td>
 </tr>
-{% endif %}
+{%- endif %}
+{%- set tlsa_record=domain.dns_tlsa %}
+{%- if tlsa_record %}
+<tr>
+  <th>{% trans %}DNS TLSA entry{% endtrans %}</br><span class="text-secondary text-xs font-weight-normal">Let's Encrypt</br>ISRG Root X1</span></th>
+  <td>{{ macros.clip("dns_tlsa") }}<pre id="dns_tlsa" class="pre-config border bg-light">{{ tlsa_record }}</pre></td>
+</tr>
+{%- endif %}
 <tr>
   <th>{% trans %}DNS client auto-configuration (RFC6186) entries{% endtrans %}</th>
   <td>
-    <pre style="white-space: pre-wrap; word-wrap: break-word;">_submission._tcp.{{ domain.name }}. 600 IN SRV 1 1 587 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
-    <pre style="white-space: pre-wrap; word-wrap: break-word;">_imap._tcp.{{ domain.name }}. 600 IN SRV 100 1 143 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
-    <pre style="white-space: pre-wrap; word-wrap: break-word;">_pop3._tcp.{{ domain.name }}. 600 IN SRV 100 1 110 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
-{% if config["TLS_FLAVOR"] != "notls" %}
-    <pre style="white-space: pre-wrap; word-wrap: break-word;">_submissions._tcp.{{ domain.name }}. 600 IN SRV 10 1 465 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
-    <pre style="white-space: pre-wrap; word-wrap: break-word;">_imaps._tcp.{{ domain.name }}. 600 IN SRV 10 1 993 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
-    <pre style="white-space: pre-wrap; word-wrap: break-word;">_pop3s._tcp.{{ domain.name }}. 600 IN SRV 10 1 995 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
-{% endif %}</td>
+    {{ macros.clip("dns_autoconfig") }}<pre id="dns_autoconfig" class="pre-config border bg-light">
+{%- for line in domain.dns_autoconfig %}
+{{ line }}
+{%- endfor -%}
+    </pre></td>
 </tr>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/domain/edit.html b/core/admin/mailu/ui/templates/domain/edit.html
index 13af23a5..736e43eb 100644
--- a/core/admin/mailu/ui/templates/domain/edit.html
+++ b/core/admin/mailu/ui/templates/domain/edit.html
@@ -1,9 +1,9 @@
-{% extends "domain/create.html" %}
+{%- extends "domain/create.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Edit domain{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/domain/list.html b/core/admin/mailu/ui/templates/domain/list.html
index c82647df..6f6bc467 100644
--- a/core/admin/mailu/ui/templates/domain/list.html
+++ b/core/admin/mailu/ui/templates/domain/list.html
@@ -1,17 +1,17 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Domain list{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
-{% if current_user.global_admin %}
+{%- block main_action %}
+{%- if current_user.global_admin %}
 <a class="btn btn-primary float-right" href="{{ url_for('.domain_create') }}">{% trans %}New domain{% endtrans %}</a>
-{% endif %}
-{% endblock %}
+{%- endif %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -25,22 +25,22 @@
   </tr>
 </thead>
 <tbody>
-  {% for domain in current_user.get_managed_domains() %}
+  {%- for domain in current_user.get_managed_domains() %}
   <tr>
     <td>
       <a href="{{ url_for('.domain_details', domain_name=domain.name) }}" title="{% trans %}Details{% endtrans %}"><i class="fa fa-list"></i></a>&nbsp;
-      {% if current_user.global_admin %}
+      {%- if current_user.global_admin %}
       <a href="{{ url_for('.domain_edit', domain_name=domain.name) }}" title="{% trans %}Edit{% endtrans %}"><i class="fas fa-pencil-alt"></i></a>&nbsp;
       <a href="{{ url_for('.domain_delete', domain_name=domain.name) }}" title="{% trans %}Delete{% endtrans %}"><i class="fa fa-trash"></i></a>&nbsp;
-      {% endif %}
+      {%- endif %}
     </td>
     <td>
       <a href="{{ url_for('.user_list', domain_name=domain.name) }}" title="{% trans %}Users{% endtrans %}"><i class="far fa-envelope"></i></a>&nbsp;
       <a href="{{ url_for('.alias_list', domain_name=domain.name) }}" title="{% trans %}Aliases{% endtrans %}"><i class="fa fa-at"></i></a>&nbsp;
       <a href="{{ url_for('.manager_list', domain_name=domain.name) }}" title="{% trans %}Managers{% endtrans %}"><i class="fa fa-user"></i></a>&nbsp;
-      {% if current_user.global_admin %}
+      {%- if current_user.global_admin %}
       <a href="{{ url_for('.alternative_list', domain_name=domain.name) }}" title="{% trans %}Alternatives{% endtrans %}"><i class="fa fa-asterisk"></i></a>&nbsp;
-      {% endif %}
+      {%- endif %}
     </td>
     <td>{{ domain.name }}</td>
     <td>{{ domain.users | count }} / {{ '∞' if domain.max_users == -1 else domain.max_users }}</td>
@@ -49,7 +49,7 @@
     <td>{{ domain.created_at }}</td>
     <td>{{ domain.updated_at or '' }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/domain/signup.html b/core/admin/mailu/ui/templates/domain/signup.html
index e9dbd75f..083242e4 100644
--- a/core/admin/mailu/ui/templates/domain/signup.html
+++ b/core/admin/mailu/ui/templates/domain/signup.html
@@ -1,18 +1,18 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Register a domain{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
+{%- block content %}
 
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
 
-  {% call macros.card(title="Requirements") %}
+  {%- call macros.card(title="Requirements") %}
   <p>{% trans %}In order to register a new domain, you must first setup the
     domain zone so that the domain <code>MX</code> points to this server{% endtrans %}
-    (<code>{{ config["HOSTNAMES"].split(",")[0] }}</code>).
+    (<code>{{ config["HOSTNAME"] }}</code>).
   </p>
   <p>
     {% trans %}If you do not know how to setup an <code>MX</code> record for your DNS zone,
@@ -20,17 +20,17 @@
     couple minutes after the <code>MX</code> is set so the local server cache
     expires.{% endtrans %}
   </p>
-  {% endcall %}
+  {%- endcall %}
 
-  {% call macros.card() %}
-  {% if form.localpart %}
+  {%- call macros.card() %}
+  {%- if form.localpart %}
   {{ macros.form_fields((form.localpart, form.name), append='<span class="input-group-text">@</span>') }}
   {{ macros.form_fields((form.pw, form.pw2)) }}
-  {% else %}
+  {%- else %}
   {{ macros.form_field(form.name) }}
-  {% endif %}
+  {%- endif %}
   {{ macros.form_field(form.captcha) }}
   {{ macros.form_field(form.submit) }}
-  {% endcall %}
+  {%- endcall %}
 </form>
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/fetch/create.html b/core/admin/mailu/ui/templates/fetch/create.html
index 1b5bc194..00698329 100644
--- a/core/admin/mailu/ui/templates/fetch/create.html
+++ b/core/admin/mailu/ui/templates/fetch/create.html
@@ -1,31 +1,31 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Add a fetched account{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
+{%- block content %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
-  {% call macros.card(title="Remote server") %}
+  {%- call macros.card(title="Remote server") %}
   {{ macros.form_field(form.protocol) }}
   {{ macros.form_fields((form.host, form.port)) }}
   {{ macros.form_field(form.tls) }}
-  {% endcall %}
+  {%- endcall %}
 
-  {% call macros.card(title="Authentication") %}
+  {%- call macros.card(title="Authentication") %}
   {{ macros.form_field(form.username) }}
   {{ macros.form_field(form.password) }}
-  {% endcall %}
+  {%- endcall %}
 
-  {% call macros.card(title="Settings") %}
+  {%- call macros.card(title="Settings") %}
   {{ macros.form_field(form.keep) }}
-  {% endcall %}
+  {%- endcall %}
 
   {{ macros.form_field(form.submit) }}
 </form>
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/fetch/edit.html b/core/admin/mailu/ui/templates/fetch/edit.html
index 9d0f3918..62af51a9 100644
--- a/core/admin/mailu/ui/templates/fetch/edit.html
+++ b/core/admin/mailu/ui/templates/fetch/edit.html
@@ -1,9 +1,9 @@
-{% extends "fetch/create.html" %}
+{%- extends "fetch/create.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Update a fetched account{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/fetch/list.html b/core/admin/mailu/ui/templates/fetch/list.html
index 77f66bb1..d9374fc6 100644
--- a/core/admin/mailu/ui/templates/fetch/list.html
+++ b/core/admin/mailu/ui/templates/fetch/list.html
@@ -1,19 +1,19 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Fetched accounts{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.fetch_create', user_email=user.email) }}">{% trans %}Add an account{% endtrans %}</a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -27,7 +27,7 @@
   </tr>
 </thead>
 <tbody>
-  {% for fetch in user.fetches %}
+  {%- for fetch in user.fetches %}
   <tr>
     <td>
       <a href="{{ url_for('.fetch_edit', fetch_id=fetch.id) }}" title="{% trans %}Edit{% endtrans %}"><i class="fa fa-pencil"></i></a>&nbsp;
@@ -41,7 +41,7 @@
     <td>{{ fetch.created_at }}</td>
     <td>{{ fetch.updated_at or '' }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/form.html b/core/admin/mailu/ui/templates/form.html
index 0e65ce33..2c635aac 100644
--- a/core/admin/mailu/ui/templates/form.html
+++ b/core/admin/mailu/ui/templates/form.html
@@ -1,7 +1,7 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 {{ macros.form(form) }}
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/login.html b/core/admin/mailu/ui/templates/login.html
index 26c47c08..fb8e5bd4 100644
--- a/core/admin/mailu/ui/templates/login.html
+++ b/core/admin/mailu/ui/templates/login.html
@@ -1,9 +1,9 @@
-{% extends "form.html" %}
+{%- extends "form.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Sign in{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {% trans %}to access the administration tools{% endtrans %}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/macros.html b/core/admin/mailu/ui/templates/macros.html
index d1715c7a..4080c1e4 100644
--- a/core/admin/mailu/ui/templates/macros.html
+++ b/core/admin/mailu/ui/templates/macros.html
@@ -1,104 +1,127 @@
-{% macro form_errors(form) %}
-  {% if form.errors %}
-    {% for fieldname, errors in form.errors.items() %}
-      {% if bootstrap_is_hidden_field(form[fieldname]) %}
-        {% for error in errors %}
+{%- macro form_errors(form) %}
+  {%- if form.errors %}
+    {%- for fieldname, errors in form.errors.items() %}
+      {%- if bootstrap_is_hidden_field(form[fieldname]) %}
+        {%- for error in errors %}
           <p class="error">{{error}}</p>
-        {% endfor %}
-      {% endif %}
-    {% endfor %}
-  {% endif %}
-{% endmacro %}
+        {%- endfor %}
+      {%- endif %}
+    {%- endfor %}
+  {%- endif %}
+{%- endmacro %}
 
-{% macro form_field_errors(field) %}
-  {% if field.errors %}
-    {% for error in field.errors %}
+{%- macro form_field_errors(field) %}
+  {%- if field.errors %}
+    {%- for error in field.errors %}
       <p class="help-block inline">{{ error }}</p>
-    {% endfor %}
-  {% endif %}
-{% endmacro %}
+    {%- endfor %}
+  {%- endif %}
+{%- endmacro %}
 
-{% macro form_fields(fields, prepend='', append='', label=True) %}
-  {% set width = (12 / fields|length)|int %}
+{%- macro form_fields(fields, prepend='', append='', label=True) %}
+  {%- set width = (12 / fields|length)|int %}
   <div class="form-group">
     <div class="row">
-      {% for field in fields %}
+      {%- for field in fields %}
       <div class="col-lg-{{ width }} col-xs-12 {{ 'has-error' if field.errors else '' }}">
         {{ form_individual_field(field, prepend=prepend, append=append, label=label, **kwargs) }}
       </div>
-      {% endfor %}
+      {%- endfor %}
     </div>
   </div>
-{% endmacro %}
+{%- endmacro %}
 
-{% macro form_individual_field(field, prepend='', append='', label=True, class_="") %}
-  {% if field.type == "BooleanField" %}
-    {{ field(**kwargs) }}<span>&nbsp;&nbsp;</span>
-    {{ field.label if label else '' }}
-  {% else %}
+{%- macro form_individual_field(field, prepend='', append='', label=True, class_="") %}
+  {%- if field.type == "BooleanField" %}
+    {{ field(**kwargs) }}<span>&nbsp;&nbsp;</span>{{ field.label if label else '' }}
+  {%- else %}
     {{ field.label if label else '' }}{{ form_field_errors(field) }}
-      {% if prepend %}<div class="input-group-prepend">{% endif %}
-      {% if append %}<div class="input-group-append">{% endif %}
-        {{ prepend|safe }}{{ field(class_="form-control " + class_, **kwargs) }}{{ append|safe }}
-      {% if prepend or append %}</div>{% endif %}
-  {% endif %}
-{% endmacro %}
+    {%- if prepend %}<div class="input-group-prepend">{%- elif append %}<div class="input-group-append">{%- endif %}
+      {{ prepend|safe }}{{ field(class_=("form-control " + class_) if class_ else "form-control", **kwargs) }}{{ append|safe }}
+    {%- if prepend or append %}</div>{%- endif %}
+  {%- endif %}
+{%- endmacro %}
 
-{% macro form_field(field) %}
-  {% if field.type == 'SubmitField' %}
-  {{ form_fields((field,), label=False, class="btn btn-default", **kwargs) }}
-  {% else %}
-  {{ form_fields((field,), **kwargs) }}
-  {% endif %}
-{% endmacro %}
+{%- macro form_field(field) %}
+  {%- if field.type == 'SubmitField' %}
+  {{- form_fields((field,), label=False, class="btn btn-default", **kwargs) }}
+  {%- else %}
+  {{- form_fields((field,), **kwargs) }}
+  {%- endif %}
+{%- endmacro %}
 
-{% macro form(form) %}
+{%- macro form(form) %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
-  {% for field in form %}
-    {% if  bootstrap_is_hidden_field(field) %}
+  {%- for field in form %}
+    {%- if  bootstrap_is_hidden_field(field) %}
       {{ field() }}
-    {% else %}
+    {%- else %}
       {{ form_field(field) }}
-    {% endif %}
-  {% endfor %}
+    {%- endif %}
+  {%- endfor %}
 </form>
-{% endmacro %}
+{%- endmacro %}
 
-{% macro card(title=None, theme="primary", header=True) %}
+{%- macro card(title=None, theme="primary", header=True) %}
 <div class="row">
   <div class="col-lg-12">
     <div class="card card-outline card-{{ theme }}">
-      {% if header %}
+      {%- if header %}
       <div class="card-header border-0">
-        {% if title %}
+        {%- if title %}
         <h3 class="card-title">{{ title }}</h3>
-        {% endif %}
+        {%- endif %}
       </div>
-      {% endif %}
+      {%- endif %}
       <div class="card-body">
-       {{ caller() }}
+       {{- caller() }}
       </div>
     </div>
   </div>
 </div>
-{% endmacro %}
+{%- endmacro %}
 
-{% macro table(title=None, theme="primary", datatable=True) %}
+{%- macro table(title=None, theme="primary", datatable=True) %}
 <div class="row">
   <div class="col-lg-12">
     <div class="card card-outline card-{{ theme }}">
+      {%- if title %}
       <div class="card-header border-0">
-        {% if title %}
         <h3 class="card-title">{{ title }}</h3>
-        {% endif %}
       </div>
+      {%- endif %}
       <div class="card-body">
-        <table class="table table-bordered {% if datatable %} dataTable {% endif %}">
-          {{ caller() }}
+        <table class="table table-bordered{% if datatable %} dataTable{% endif %}">
+          {{- caller() }}
         </table>
       </div>
     </div>
   </div>
 </div>
-{% endmacro %}
+{%- endmacro %}
+
+{%- macro fieldset(title=None, field=None, enabled=None, fields=None) %}
+{%- if field or title %}
+<fieldset{% if not enabled %} disabled{% endif %}>
+{%- if field %}
+<legend>{{ form_individual_field(field) }}</legend>
+{%- else %}
+<legend>{{ title }}</legend>
+{%- endif %}
+{%- endif %}
+{{- caller() }}
+{%- if fields %}
+  {%- set kwargs = {"enabled" if enabled else "disabled": ""} %}
+  {%- for field in fields %}
+    {{ form_field(field, **kwargs) }}
+  {%- endfor %}
+{%- endif %}
+</fieldset>
+{%- endmacro %}
+
+{%- macro clip(target, title=_("copy to clipboard"), icon="copy", color="primary", action="copy") %}
+<button class="btn btn-{{ color }} btn-xs btn-clip float-right ml-2 mt-1" data-clipboard-action="{{ action }}" data-clipboard-target="#{{ target }}">
+<i class="fas fa-{{ icon }}" title="{{ title }}" aria-expanded="false"></i><span class="sr-only">{{ title }}</span>
+</button>
+{%- endmacro %}
diff --git a/core/admin/mailu/ui/templates/manager/create.html b/core/admin/mailu/ui/templates/manager/create.html
index bc5e6ca9..e5812b74 100644
--- a/core/admin/mailu/ui/templates/manager/create.html
+++ b/core/admin/mailu/ui/templates/manager/create.html
@@ -1,19 +1,19 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Add a manager{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
   {{ macros.form_field(form.manager, class_='mailselect') }}
   {{ macros.form_field(form.submit) }}
 </form>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/manager/list.html b/core/admin/mailu/ui/templates/manager/list.html
index 9a78e3ca..706594c4 100644
--- a/core/admin/mailu/ui/templates/manager/list.html
+++ b/core/admin/mailu/ui/templates/manager/list.html
@@ -1,19 +1,19 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Manager list{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain.name }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.manager_create', domain_name=domain.name) }}">{% trans %}Add manager{% endtrans %}</a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -21,14 +21,14 @@
   </tr>
 </thead>
 <tbody>
-{% for manager in domain.managers %}
+{%- for manager in domain.managers %}
 <tr>
   <td>
     <a href="{{ url_for('.manager_delete', domain_name=domain.name, user_email=manager.email) }}" title="{% trans %}Delete{% endtrans %}"><i class="fa fa-trash"></i></a>
   </td>
   <td>{{ manager }}</td>
 </tr>
-{% endfor %}
+{%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/relay/create.html b/core/admin/mailu/ui/templates/relay/create.html
index b22cb001..b1e4e8e5 100644
--- a/core/admin/mailu/ui/templates/relay/create.html
+++ b/core/admin/mailu/ui/templates/relay/create.html
@@ -1,5 +1,5 @@
-{% extends "form.html" %}
+{%- extends "form.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}New relay domain{% endtrans %}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/relay/edit.html b/core/admin/mailu/ui/templates/relay/edit.html
index 83dafcba..df2418a4 100644
--- a/core/admin/mailu/ui/templates/relay/edit.html
+++ b/core/admin/mailu/ui/templates/relay/edit.html
@@ -1,9 +1,9 @@
-{% extends "form.html" %}
+{%- extends "form.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Edit relayd domain{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ relay }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/relay/list.html b/core/admin/mailu/ui/templates/relay/list.html
index 6c8c9196..07838273 100644
--- a/core/admin/mailu/ui/templates/relay/list.html
+++ b/core/admin/mailu/ui/templates/relay/list.html
@@ -1,17 +1,17 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Relayed domain list{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
-{% if current_user.global_admin %}
+{%- block main_action %}
+{%- if current_user.global_admin %}
 <a class="btn btn-primary float-right" href="{{ url_for('.relay_create') }}">{% trans %}New relayed domain{% endtrans %}</a>
-{% endif %}
-{% endblock %}
+{%- endif %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -23,7 +23,7 @@
   </tr>
 </thead>
 <tbody>
-  {% for relay in relays %}
+  {%- for relay in relays %}
   <tr>
     <td>
       <a href="{{ url_for('.relay_edit', relay_name=relay.name) }}" title="{% trans %}Edit{% endtrans %}"><i class="fa fa-pencil"></i></a>&nbsp;
@@ -35,7 +35,7 @@
     <td>{{ relay.created_at }}</td>
     <td>{{ relay.updated_at or '' }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/sidebar.html b/core/admin/mailu/ui/templates/sidebar.html
index 0fdae9db..1a597a5f 100644
--- a/core/admin/mailu/ui/templates/sidebar.html
+++ b/core/admin/mailu/ui/templates/sidebar.html
@@ -1,144 +1,156 @@
-<div class="sidebar">
-  {% if current_user.is_authenticated %}
+<div class="sidebar text-sm">
+  {%- if current_user.is_authenticated %}
   <div class="user-panel mt-3 pb-3 mb-3 d-flex">
+    <div class="image">
+      <div class="div-circle elevation-2"><i class="fa fa-user text-lg text-dark"></i></div>
+    </div>
     <div class="info">
-      <span class="text-center text-primary">{{ current_user }}</span>
+      <a href="{{ url_for('.user_settings') }}" class="d-block">{{ current_user }}</a>
     </div>
   </div>
-  {% endif %}
-
+  {%- endif %}
   <nav class="mt-2">
     <ul class="nav nav-pills nav-sidebar flex-column" role="menu">
-      {% if current_user.is_authenticated %}
-      <li class="nav-header">{% trans %}My account{% endtrans %}</li>
-      <li class="nav-item">
-        <a href="{{ url_for('.user_settings') }}" class="nav-link">
+      {%- if current_user.is_authenticated %}
+      <li class="nav-header text-uppercase text-primary" role="none">{% trans %}My account{% endtrans %}</li>
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.user_settings') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-wrench"></i>
-          <p class="text">{% trans %}Settings{% endtrans %}</p>
+          <p>{% trans %}Settings{% endtrans %}</p>
         </a>
       </li>
-      <li class="nav-item">
-        <a href="{{ url_for('.user_password') }}" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.user_password') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-lock"></i>
-          <p class="text">{% trans %}Update password{% endtrans %}</p>
+          <p>{% trans %}Update password{% endtrans %}</p>
         </a>
       </li>
-      <li class="nav-item">
-        <a href="{{ url_for('.user_reply') }}" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.user_reply') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-plane"></i>
-          <p class="text">{% trans %}Auto-reply{% endtrans %}</p>
+          <p>{% trans %}Auto-reply{% endtrans %}</p>
         </a>
       </li>
-      <li class="nav-item">
-        <a href="{{ url_for('.fetch_list') }}" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.fetch_list') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fas fa-download"></i>
-          <p class="text">{% trans %}Fetched accounts{% endtrans %}</p>
+          <p>{% trans %}Fetched accounts{% endtrans %}</p>
         </a>
       </li>
-      <li class="nav-item">
-        <a href="{{ url_for('.token_list') }}" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.token_list') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fas fa-ticket-alt"></i>
-          <p class="text">{% trans %}Authentication tokens{% endtrans %}</p>
+          <p>{% trans %}Authentication tokens{% endtrans %}</p>
         </a>
       </li>
-
-      {% if current_user.manager_of or current_user.global_admin %}
-      <li class="nav-header">{% trans %}Administration{% endtrans %}</li>
-      {% endif %}
-      {% if current_user.global_admin %}
-      <li class="nav-item">
-        <a href="{{ url_for('.announcement') }}" class="nav-link">
-          <i class="nav-icon fa fa-bullhorn"></i>
-          <p class="text">{% trans %}Announcement{% endtrans %}</p>
-        </a>
-      </li>
-      <li class="nav-item">
-        <a href="{{ url_for('.admin_list') }}" class="nav-link">
-          <i class="nav-icon fa fa-user"></i>
-          <p class="text">{% trans %}Administrators{% endtrans %}</p>
-        </a>
-      </li>
-      <li class="nav-item">
-        <a href="{{ url_for('.relay_list') }}" class="nav-link">
-          <i class="nav-icon fa fa-reply-all"></i>
-          <p class="text">{% trans %}Relayed domains{% endtrans %}</p>
-        </a>
-      </li>
-      <li class="nav-item">
-        <a href="{{ config["WEB_ADMIN"] }}/antispam/" target="_blank" class="nav-link">
-        <i class="nav-icon fas fa-trash-alt"></i>
-        <p class="text">{% trans %}Antispam{% endtrans %}</p>
-        </a>
-      </li>
-      {% endif %}
-      {% if current_user.manager_of or current_user.global_admin %}
-      <li class="nav-item">
-        <a href="{{ url_for('.domain_list') }}" class="nav-link">
-          <i class="nav-icon fa fa-envelope"></i>
-          <p class="text">{% trans %}Mail domains{% endtrans %}</p>
-        </a>
-      </li>
-      {% endif %}
-      {% endif %}
-
-      <li class="nav-header">{% trans %}Go to{% endtrans %}</li>
-      {% if config["WEBMAIL"] != "none" %}
-      <li class="nav-item">
-        <a href="{{ config["WEB_WEBMAIL"] }}" target="_blank" class="nav-link">
-        <i class="nav-icon far fa-envelope"></i>
-        <p class="text">{% trans %}Webmail{% endtrans %}</p>
-        </a>
-      </li>
-      {% endif %}
-      <li class="nav-item">
-        <a href="{{ url_for('.client') }}" class="nav-link">
+      {%- if current_user.is_authenticated %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.client') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-laptop"></i>
-          <p class="text">{% trans %}Client setup{% endtrans %}</p>
+          <p>{% trans %}Client setup{% endtrans %}</p>
         </a>
       </li>
-      <li class="nav-item">
-        <a href="{{ config["WEBSITE"] }}" target="_blank" class="nav-link">
+      {%- endif %}
+
+      {%- if current_user.manager_of or current_user.global_admin %}
+      <li class="nav-header text-uppercase text-primary" role="none">{% trans %}Administration{% endtrans %}</li>
+      {%- endif %}
+      {%- if current_user.global_admin %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.announcement') }}" class="nav-link" role="menuitem">
+          <i class="nav-icon fa fa-bullhorn"></i>
+          <p>{% trans %}Announcement{% endtrans %}</p>
+        </a>
+      </li>
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.admin_list') }}" class="nav-link" role="menuitem">
+          <i class="nav-icon fa fa-user"></i>
+          <p>{% trans %}Administrators{% endtrans %}</p>
+        </a>
+      </li>
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.relay_list') }}" class="nav-link" role="menuitem">
+          <i class="nav-icon fa fa-reply-all"></i>
+          <p>{% trans %}Relayed domains{% endtrans %}</p>
+        </a>
+      </li>
+      <li class="nav-item" role="none">
+        <a href="{{ config["WEB_ADMIN"] }}/antispam/" data-clicked="{{ url_for('.antispam') }}" target="_blank" class="nav-link" role="menuitem">
+        <i class="nav-icon fas fa-trash-alt"></i>
+        <p>{% trans %}Antispam{% endtrans %}</p>
+        </a>
+      </li>
+      {%- endif %}
+      {%- if current_user.manager_of or current_user.global_admin %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.domain_list') }}" class="nav-link" role="menuitem">
+          <i class="nav-icon fa fa-envelope"></i>
+          <p>{% trans %}Mail domains{% endtrans %}</p>
+        </a>
+      </li>
+      {%- endif %}
+      {%- endif %}
+
+      <li class="nav-header text-uppercase text-primary" role="none">{% trans %}Go to{% endtrans %}</li>
+      {%- if config["WEBMAIL"] != "none" %}
+      <li class="nav-item" role="none">
+        <a href="{{ config["WEB_WEBMAIL"] }}" target="_blank" class="nav-link" role="menuitem">
+        <i class="nav-icon far fa-envelope"></i>
+        <p>{% trans %}Webmail{% endtrans %} <i class="fas fa-external-link-alt text-xs"></i></p>
+        </a>
+      </li>
+      {%- endif %}
+      {%- if not current_user.is_authenticated %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.client') }}" class="nav-link" role="menuitem">
+          <i class="nav-icon fa fa-laptop"></i>
+          <p>{% trans %}Client setup{% endtrans %}</p>
+        </a>
+      </li>
+      {%- endif %}
+      <li class="nav-item" role="none">
+        <a href="{{ config["WEBSITE"] }}" target="_blank" class="nav-link" role="menuitem" rel="noreferrer">
         <i class="nav-icon fa fa-globe"></i>
-        <p class="text">{% trans %}Website{% endtrans %}</p>
+        <p>{% trans %}Website{% endtrans %} <i class="fas fa-external-link-alt text-xs"></i></p>
         </a>
       </li>
-      <li class="nav-item">
-        <a href="https://mailu.io" target="_blank" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="https://mailu.io" target="_blank" class="nav-link" role="menuitem" rel="noreferrer">
           <i class="nav-icon fa fa-life-ring"></i>
-          <p class="text">{% trans %}Help{% endtrans %}</p>
+          <p>{% trans %}Help{% endtrans %} <i class="fas fa-external-link-alt text-xs"></i></p>
         </a>
       </li>
-      {% if config['DOMAIN_REGISTRATION'] %}
-      <li class="nav-item">
-        <a href="{{ url_for('.domain_signup') }}" class="nav-link">
+      {%- if config['DOMAIN_REGISTRATION'] %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.domain_signup') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-plus-square"></i>
-          <p class="text">{% trans %}Register a domain{% endtrans %}</p>
+          <p>{% trans %}Register a domain{% endtrans %}</p>
         </a>
       </li>
-      {% endif %}
-      {% if current_user.is_authenticated %}
-      <li class="nav-item">
-        <a href="{{ url_for('.logout') }}" class="nav-link">
+      {%- endif %}
+      {%- if current_user.is_authenticated %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.logout') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fas fa-sign-out-alt"></i>
-          <p class="text">{% trans %}Sign out{% endtrans %}</p>
+          <p>{% trans %}Sign out{% endtrans %}</p>
         </a>
       </li>
-      {% else %}
-      <li class="nav-item">
-        <a href="{{ url_for('.login') }}" class="nav-link">
+      {%- else %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.login') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fas fa-sign-in-alt"></i>
-          <p class="text">{% trans %}Sign in{% endtrans %}</p>
+          <p>{% trans %}Sign in{% endtrans %}</p>
         </a>
       </li>
-      {% if signup_domains %}
-      <li class="nav-item">
-        <a href="{{ url_for('.user_signup') }}" class="nav-link">
+      {%- if signup_domains %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.user_signup') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-user-plus"></i>
-          <p class="text">{% trans %}Sign up{% endtrans %}</p>
+          <p>{% trans %}Sign up{% endtrans %}</p>
         </a>
       </li>
-      {% endif %}
-      {% endif %}
+      {%- endif %}
+      {%- endif %}
     </ul>
   </nav>
 </div>
diff --git a/core/admin/mailu/ui/templates/token/create.html b/core/admin/mailu/ui/templates/token/create.html
index a64e662c..ab9286d5 100644
--- a/core/admin/mailu/ui/templates/token/create.html
+++ b/core/admin/mailu/ui/templates/token/create.html
@@ -1,9 +1,9 @@
-{% extends "form.html" %}
+{%- extends "form.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Create an authentication token{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/token/list.html b/core/admin/mailu/ui/templates/token/list.html
index 09d0fe76..c3cc9b5c 100644
--- a/core/admin/mailu/ui/templates/token/list.html
+++ b/core/admin/mailu/ui/templates/token/list.html
@@ -1,19 +1,19 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Authentication tokens{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.token_create', user_email=user.email) }}">{% trans %}New token{% endtrans %}</a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -23,7 +23,7 @@
   </tr>
 </thead>
 <tbody>
-  {% for token in user.tokens %}
+  {%- for token in user.tokens %}
   <tr>
     <td>
       <a href="{{ url_for('.token_delete', token_id=token.id) }}" title="{% trans %}Delete{% endtrans %}"><i class="fa fa-trash"></i></a>
@@ -32,7 +32,7 @@
     <td>{{ token.ip or "any" }}</td>
     <td>{{ token.created_at }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/create.html b/core/admin/mailu/ui/templates/user/create.html
index 886cbb88..9a32243d 100644
--- a/core/admin/mailu/ui/templates/user/create.html
+++ b/core/admin/mailu/ui/templates/user/create.html
@@ -1,33 +1,32 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}New user{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain.name }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
+{%- block content %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
 
-  {% call macros.card(_("General")) %}
+  {%- call macros.card(_("General")) %}
   {{ macros.form_field(form.localpart, append='<span class="input-group-text">@'+domain.name+'</span>') }}
   {{ macros.form_fields((form.pw, form.pw2)) }}
   {{ macros.form_field(form.displayed_name) }}
   {{ macros.form_field(form.comment) }}
   {{ macros.form_field(form.enabled) }}
-  {% endcall %}
+  {%- endcall %}
 
-  {% call macros.card(_("Features and quotas"), theme="success") %}
-  {{ macros.form_field(form.quota_bytes, step=1000000000, max=(max_quota_bytes or domain.max_quota_bytes or 50000000000),
-      prepend='<span class="input-group-text"><span id="quota">'+((form.quota_bytes.data//1000000000).__str__() if form.quota_bytes.data else '∞')+'</span> GiB</span>',
-      oninput='$("#quota").text(this.value == 0  ? "∞" : this.value/1000000000);') }}
+  {%- call macros.card(_("Features and quotas"), theme="success") %}
+  {{ macros.form_field(form.quota_bytes, step=1000000000, max=(max_quota_bytes or domain.max_quota_bytes or 50*10**9), data_infinity="true",
+      prepend='<span class="input-group-text"><span id="quota_bytes_value"></span>&nbsp;GB</span>') }}
   {{ macros.form_field(form.enable_imap) }}
   {{ macros.form_field(form.enable_pop) }}
-  {% endcall %}
+  {%- endcall %}
 
   {{ macros.form_field(form.submit) }}
 </form>
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/edit.html b/core/admin/mailu/ui/templates/user/edit.html
index 25da5486..1a0b2150 100644
--- a/core/admin/mailu/ui/templates/user/edit.html
+++ b/core/admin/mailu/ui/templates/user/edit.html
@@ -1,9 +1,9 @@
-{% extends "user/create.html" %}
+{%- extends "user/create.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Edit user{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/forward.html b/core/admin/mailu/ui/templates/user/forward.html
deleted file mode 100644
index 6059f0ed..00000000
--- a/core/admin/mailu/ui/templates/user/forward.html
+++ /dev/null
@@ -1,25 +0,0 @@
-{% extends "base.html" %}
-
-{% block title %}
-{% trans %}Forward emails{% endtrans %}
-{% endblock %}
-
-{% block subtitle %}
-{{ user }}
-{% endblock %}
-
-{% block content %}
-{% call macros.card() %}
-<form class="form" method="post" role="form">
-  {{ form.hidden_tag() }}
-  {{ macros.form_field(form.forward_enabled,
-      onchange="if(this.checked){$('#forward_destination,#forward_keep').removeAttr('disabled')}
-                else{$('#forward_destination,#forward_keep').attr('disabled', '')}") }}
-  {{ macros.form_field(form.forward_keep,
-      **{("enabled" if user.forward_enabled else "disabled"): ""}) }}
-  {{ macros.form_field(form.forward_destination,
-      **{("enabled" if user.forward_enabled else "disabled"): ""}) }}
-  {{ macros.form_field(form.submit) }}
-</form>
-{% endcall %}
-{% endblock %}
diff --git a/core/admin/mailu/ui/templates/user/list.html b/core/admin/mailu/ui/templates/user/list.html
index cfec6276..59a06ea7 100644
--- a/core/admin/mailu/ui/templates/user/list.html
+++ b/core/admin/mailu/ui/templates/user/list.html
@@ -1,19 +1,19 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}User list{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain.name }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.user_create', domain_name=domain.name) }}">{% trans %}Add user{% endtrans %}</a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -27,8 +27,8 @@
   </tr>
 </thead>
 <tbody>
-  {% for user in domain.users %}
-  <tr {% if not user.enabled %}class="warning"{% endif %}>
+  {%- for user in domain.users %}
+  <tr{% if not user.enabled %} class="warning"{% endif %}>
     <td>
       <a href="{{ url_for('.user_edit', user_email=user.email) }}" title="{% trans %}Edit{% endtrans %}"><i class="fas fa-pencil-alt"></i></a>&nbsp;
       <a href="{{ url_for('.user_delete', user_email=user.email) }}" title="{% trans %}Delete{% endtrans %}"><i class="fa fa-trash"></i></a>
@@ -48,7 +48,7 @@
     <td>{{ user.created_at }}</td>
     <td>{{ user.updated_at or '' }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/password.html b/core/admin/mailu/ui/templates/user/password.html
index 0ccf8fe3..e7209f96 100644
--- a/core/admin/mailu/ui/templates/user/password.html
+++ b/core/admin/mailu/ui/templates/user/password.html
@@ -1,9 +1,9 @@
-{% extends "form.html" %}
+{%- extends "form.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Password update{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/reply.html b/core/admin/mailu/ui/templates/user/reply.html
index 74c604fa..44d09cb1 100644
--- a/core/admin/mailu/ui/templates/user/reply.html
+++ b/core/admin/mailu/ui/templates/user/reply.html
@@ -1,30 +1,23 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Automatic reply{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
-  {{ macros.form_field(form.reply_enabled,
-      onchange="if(this.checked){$('#reply_subject,#reply_body,#reply_enddate,#reply_startdate').removeAttr('readonly')}
-                else{$('#reply_subject,#reply_body,#reply_enddate,#reply_startdate').attr('readonly', '')}") }}
-  {{ macros.form_field(form.reply_subject,
-      **{("rw" if user.reply_enabled else "readonly"): ""}) }}
-    {{ macros.form_field(form.reply_body, rows=10,
-        **{("rw" if user.reply_enabled else "readonly"): ""}) }}
-  {{ macros.form_field(form.reply_enddate,
-        **{("rw" if user.reply_enabled else "readonly"): ""}) }}
-  {{ macros.form_field(form.reply_startdate,
-        **{("rw" if user.reply_enabled else "readonly"): ""}) }}
-
+  {%- call macros.fieldset(
+      field=form.reply_enabled,
+      enabled=user.reply_enabled,
+      fields=[form.reply_subject, form.reply_body, form.reply_enddate, form.reply_startdate]) %}
+  {%- endcall %}
   {{ macros.form_field(form.submit) }}
 </form>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/settings.html b/core/admin/mailu/ui/templates/user/settings.html
index 9aa672ca..c1eb47f3 100644
--- a/core/admin/mailu/ui/templates/user/settings.html
+++ b/core/admin/mailu/ui/templates/user/settings.html
@@ -1,38 +1,36 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}User settings{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
+{%- block content %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
-  
-  {% call macros.card(title=_("Displayed name")) %}
+
+  {%- call macros.card(title=_("Displayed name")) %}
   {{ macros.form_field(form.displayed_name) }}
-  {% endcall %}
+  {%- endcall %}
 
-  {% call macros.card(title=_("Antispam")) %}
-  {{ macros.form_field(form.spam_enabled) }}
+  {%- call macros.card(title=_("Antispam")) %}
+  {%- call macros.fieldset(field=form.spam_enabled, enabled=user.spam_enabled) %}
   {{ macros.form_field(form.spam_threshold, step=1, max=100,
-      prepend='<span class="input-group-text"><span id="threshold">'+form.spam_threshold.data.__str__()+'</span>&nbsp;/&nbsp;100</span>',
-      oninput='$("#threshold").text(this.value);') }}
-  {% endcall %}
+     prepend='<span class="input-group-text"><span id="spam_threshold_value"></span>&nbsp;/&nbsp;100</span>') }}
+  {%- endcall %}
+  {%- endcall %}
 
-  {% call macros.card(title=_("Auto-forward")) %}
-  {{ macros.form_field(form.forward_enabled,
-      onchange="if(this.checked){$('#forward_destination,#forward_keep').removeAttr('disabled')}
-                else{$('#forward_destination,#forward_keep').attr('disabled', '')}") }}
-  {{ macros.form_field(form.forward_keep,
-      **{("enabled" if user.forward_enabled else "disabled"): ""}) }}
-  {{ macros.form_field(form.forward_destination,
-      **{("enabled" if user.forward_enabled else "disabled"): ""}) }}
-  {% endcall %}
+  {%- call macros.card(title=_("Auto-forward")) %}
+  {%- call macros.fieldset(
+      field=form.forward_enabled,
+      enabled=user.forward_enabled,
+      fields=[form.forward_keep, form.forward_destination]) %}
+  {%- endcall %}
+  {%- endcall %}
 
   {{ macros.form_field(form.submit) }}
 </form>
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/signup.html b/core/admin/mailu/ui/templates/user/signup.html
index 1157cfa3..51f89686 100644
--- a/core/admin/mailu/ui/templates/user/signup.html
+++ b/core/admin/mailu/ui/templates/user/signup.html
@@ -1,23 +1,23 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Sign up{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
+{%- block content %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
-  {% call macros.card() %}
+  {%- call macros.card() %}
   {{ macros.form_field(form.localpart, append='<span class="input-group-text">@'+domain.name+'</span>') }}
   {{ macros.form_fields((form.pw, form.pw2)) }}
-  {% if form.captcha %}
+  {%- if form.captcha %}
     {{ macros.form_field(form.captcha) }}
-  {% endif %}
+  {%- endif %}
   {{ macros.form_field(form.submit) }}
-  {% endcall %}
+  {%- endcall %}
 </form>
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/signup_domain.html b/core/admin/mailu/ui/templates/user/signup_domain.html
index 1cb65ae8..a7db4c97 100644
--- a/core/admin/mailu/ui/templates/user/signup_domain.html
+++ b/core/admin/mailu/ui/templates/user/signup_domain.html
@@ -1,26 +1,26 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Sign up{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {% trans %}pick a domain for the new account{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <tr>
   <th>{% trans %}Domain{% endtrans %}</th>
   <th>{% trans %}Available slots{% endtrans %}</th>
   <th>{% trans %}Quota{% endtrans %}</th>
 </tr>
-{% for domain_name, domain in available_domains.items() %}
+{%- for domain_name, domain in available_domains.items() %}
 <tr>
   <td><a href="{{ url_for('.user_signup', domain_name=domain_name) }}">{{ domain_name }}</a></td>
   <td>{{ '∞' if domain.max_users == -1 else domain.max_users - (domain.users | count)}}</td>
   <td>{{ domain.max_quota_bytes or config['DEFAULT_QUOTA'] | filesizeformat }}</td>
 </tr>
-{% endfor %}
-{% endcall %}
-{% endblock %}
+{%- endfor %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/working.html b/core/admin/mailu/ui/templates/working.html
index 29243e20..65c26530 100644
--- a/core/admin/mailu/ui/templates/working.html
+++ b/core/admin/mailu/ui/templates/working.html
@@ -1,5 +1,5 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block content %}
+{%- block content %}
 <div class="alert alert-warning" role="alert">{% trans %}We are still working on this feature!{% endtrans %}</div>
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/views/base.py b/core/admin/mailu/ui/views/base.py
index eb5490bc..ecd3089a 100644
--- a/core/admin/mailu/ui/views/base.py
+++ b/core/admin/mailu/ui/views/base.py
@@ -57,3 +57,8 @@ def webmail():
 @ui.route('/client', methods=['GET'])
 def client():
     return flask.render_template('client.html')
+
+@ui.route('/antispam', methods=['GET'])
+def antispam():
+    return flask.render_template('antispam.html')
+
diff --git a/core/admin/mailu/ui/views/languages.py b/core/admin/mailu/ui/views/languages.py
index 9fb87d5c..121431b4 100644
--- a/core/admin/mailu/ui/views/languages.py
+++ b/core/admin/mailu/ui/views/languages.py
@@ -2,8 +2,8 @@ from mailu.ui import ui, forms, access
 
 import flask
 
-
-@ui.route('/language/<language>', methods=['GET'])
+@ui.route('/language/<language>', methods=['POST'])
 def set_language(language=None):
     flask.session['language'] = language
-    return flask.redirect(flask.url_for('.user_settings'))
+    return flask.Response(status=200)
+
diff --git a/core/admin/mailu/ui/views/users.py b/core/admin/mailu/ui/views/users.py
index 2784fe53..8790977b 100644
--- a/core/admin/mailu/ui/views/users.py
+++ b/core/admin/mailu/ui/views/users.py
@@ -129,23 +129,6 @@ def user_password(user_email):
     return flask.render_template('user/password.html', form=form, user=user)
 
 
-@ui.route('/user/forward', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/user/forward/<path:user_email>', methods=['GET', 'POST'])
-@access.owner(models.User, 'user_email')
-def user_forward(user_email):
-    user_email_or_current = user_email or flask_login.current_user.email
-    user = models.User.query.get(user_email_or_current) or flask.abort(404)
-    form = forms.UserForwardForm(obj=user)
-    if form.validate_on_submit():
-        form.populate_obj(user)
-        models.db.session.commit()
-        flask.flash('Forward destination updated for %s' % user)
-        if user_email:
-            return flask.redirect(
-                flask.url_for('.user_list', domain_name=user.domain.name))
-    return flask.render_template('user/forward.html', form=form, user=user)
-
-
 @ui.route('/user/reply', methods=['GET', 'POST'], defaults={'user_email': None})
 @ui.route('/user/reply/<path:user_email>', methods=['GET', 'POST'])
 @access.owner(models.User, 'user_email')
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index b1279d9e..766a7abb 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -46,15 +46,10 @@ babel = flask_babel.Babel()
 @babel.localeselector
 def get_locale():
     """ selects locale for translation """
-    translations = list(map(str, babel.list_translations()))
-    flask.session['available_languages'] = translations
-
-    try:
-        language = flask.session['language']
-    except KeyError:
-        language = flask.request.accept_languages.best_match(translations)
+    language = flask.session.get('language')
+    if not language in flask.current_app.config.translations:
+        language = flask.request.accept_languages.best_match(flask.current_app.config.translations.keys())
         flask.session['language'] = language
-
     return language
 
 
@@ -450,7 +445,7 @@ class MailuSessionExtension:
                 with cleaned.get_lock():
                     if not cleaned.value:
                         cleaned.value = True
-                        flask.current_app.logger.error('cleaning')
+                        flask.current_app.logger.info('cleaning')
                         MailuSessionExtension.cleanup_sessions(app)
 
             app.before_first_request(cleaner)
diff --git a/core/admin/package.json b/core/admin/package.json
index d45dcb94..741482ab 100644
--- a/core/admin/package.json
+++ b/core/admin/package.json
@@ -12,20 +12,19 @@
   "author": "",
   "license": "ISC",
   "dependencies": {
-    "@babel/core": "^7.15.0",
-    "@babel/preset-env": "^7.15.0",
     "admin-lte": "^3.1.0",
     "babel-loader": "^8.2.2",
+    "clipboard": "^2.0.8",
+    "compression-webpack-plugin": "^8.0.1",
     "css-loader": "^6.2.0",
-    "expose-loader": "^3.0.0",
-    "jquery": "^3.6.0",
-    "less": "^4.1.1",
+    "css-minimizer-webpack-plugin": "^3.0.2",
+    "datatables.net-plugins": "^1.10.24",
+    "import-glob": "^1.5.0",
     "less-loader": "^10.0.1",
     "mini-css-extract-plugin": "^2.2.0",
-    "node-sass": "^6.0.1",
+    "sass": "<1.33.0",
     "sass-loader": "^12.1.0",
-    "select2": "^4.0.13",
-    "webpack": "^5.50.0",
-    "webpack-cli": "^4.7.2"
+    "terser-webpack-plugin": "^5.2.0",
+    "webpack-cli": "^4.8.0"
   }
 }
diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index 88ff2981..3406122d 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -20,7 +20,7 @@ Flask-Migrate==2.4.0
 Flask-Script==2.0.6
 Flask-SQLAlchemy==2.4.0
 Flask-WTF==0.14.2
-gunicorn==19.9.0
+gunicorn==20.1.0
 idna==2.8
 infinity==1.4
 intervals==0.8.1
diff --git a/core/admin/webpack.config.js b/core/admin/webpack.config.js
index 3e823fa9..25c966c1 100644
--- a/core/admin/webpack.config.js
+++ b/core/admin/webpack.config.js
@@ -1,65 +1,76 @@
-var path = require("path");
-var webpack = require("webpack");
-var css = require("mini-css-extract-plugin");
+const path = require('path');
+const webpack = require('webpack');
+const css = require('mini-css-extract-plugin');
+const mini = require('css-minimizer-webpack-plugin');
+const terse = require('terser-webpack-plugin');
+const compress = require('compression-webpack-plugin');
 
 module.exports = {
-    mode: "development",
+    mode: 'production',
     entry: {
-        app: "./assets/app.js",
-        vendor: "./assets/vendor.js"
+        app: {
+            import: './assets/app.js',
+            dependOn: 'vendor',
+        },
+        vendor: './assets/vendor.js',
     },
     output: {
-        path: path.resolve(__dirname, "static/"),
-        filename: "[name].js"
+        path: path.resolve(__dirname, 'static/'),
+        filename: '[name].js',
+        assetModuleFilename: '[name][ext]',
     },
     module: {
         rules: [
             {
                 test: /\.js$/,
-                use: ['babel-loader']
+                use: ['babel-loader', 'import-glob'],
             },
             {
-                test: /\.scss$/,
-                use: [css.loader, 'css-loader', 'sass-loader']
+                test: /\.s?css$/i,
+                use: [css.loader, 'css-loader', 'sass-loader'],
             },
             {
-                test: /\.less$/,
-                use: [css.loader, 'css-loader', 'less-loader']
+                test: /\.less$/i,
+                use: [css.loader, 'css-loader', 'less-loader'],
             },
             {
-                test: /\.css$/,
-                use: [css.loader, 'css-loader']
+                test: /\.(json|png|svg|jpg|jpeg|gif)$/i,
+                type: 'asset/resource',
             },
-            {
-                // Exposes jQuery for use outside Webpack build
-                test: require.resolve('jquery'),
-                use: [{
-                    loader: 'expose-loader',
-                    options: {
-                      exposes: [
-                        {
-                          globalName: '$',
-                          override: true,
-                        },
-                        {
-                          globalName: 'jQuery',
-                          override: true,
-                        },
-                      ] 
-                    },               
-                }]
-            }
-        ]
+        ],
     },
     plugins: [
-	      new css({
-	          filename: "[name].css",
-	          chunkFilename: "[id].css"
-	      }),
+        new css({
+            filename: '[name].css',
+            chunkFilename: '[id].css',
+        }),
         new webpack.ProvidePlugin({
-            $: "jquery",
-            jQuery: "jquery"
-        })
-    ]
-}
-
+            $: 'jquery',
+            jQuery: 'jquery',
+            ClipboardJS: 'clipboard',
+        }),
+        new compress({
+            filename: '[path][base].gz',
+            algorithm: "gzip",
+            exclude: /\.(png|gif|jpe?g)$/,
+            threshold: 5120,
+            minRatio: 0.8,
+            deleteOriginalAssets: false,
+        }),
+    ],
+    optimization: {
+        minimize: true,
+        minimizer: [
+            new terse(),
+            new mini({
+                minimizerOptions: {
+                    preset: [
+                        'default', {
+                            discardComments: { removeAll: true },
+                        },
+                    ],
+                },
+            }),
+        ],
+    },
+};

From 8cdd7e911d79ba941931c54f1ef4b3eb803de1e1 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 2 Sep 2021 23:36:49 +0200
Subject: [PATCH 030/222] duh. removed debug

---
 core/admin/mailu/models.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index 6b0791ad..86e285d0 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -265,7 +265,7 @@ class Domain(Base):
     def dns_tlsa(self):
         """ return TLSA record for domain when using letsencrypt """
         hostname = app.config['HOSTNAME']
-        if True: #app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'):
+        if app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'):
             # current ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) @20210902
             return f'_25._tcp.{hostname}. 600 IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3'
 

From b148e41d9bd11de3c67e727e2942b427d9e9fee5 Mon Sep 17 00:00:00 2001
From: Diman0 <diman@huisman.xyz>
Date: Fri, 3 Sep 2021 13:01:09 +0200
Subject: [PATCH 031/222] Fix nginx config

---
 core/admin/mailu/sso/views/base.py | 10 +++++++---
 core/nginx/conf/nginx.conf         | 28 ++++++++++++++++++++--------
 2 files changed, 27 insertions(+), 11 deletions(-)

diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index 702b1582..9013fb0c 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -10,13 +10,17 @@ import flask_login
 def login():
     form = forms.LoginForm()
     endpoint = flask.request.args.get('next', 'ui.index')
+    
+    if endpoint == 'ui.webmail':
+        endpoint = 'ui.webmail'
+    else:
+        endpoint = 'ui.index'
     if form.validate_on_submit():
         user = models.User.login(form.email.data, form.pw.data)
         if user:
             flask.session.regenerate()
-            flask_login.login_user(user)
-            return flask.redirect(flask.url_for(endpoint)
-                or flask.url_for('ui.index'))
+            flask_login.login_user(user)           
+            return flask.redirect(flask.url_for(endpoint))
         else:
             flask.flash('Wrong e-mail or password', 'error')
     return flask.render_template('login.html', form=form, endpoint=endpoint)
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index d428b0d0..2ae3bcfb 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -1,7 +1,7 @@
 #  Basic configuration
 user nginx;
 worker_processes auto;
-error_log /dev/stderr info;
+error_log /dev/stderr debug;
 pid /var/run/nginx.pid;
 load_module "modules/ngx_mail_module.so";
 
@@ -117,17 +117,29 @@ http {
       include /overrides/*.conf;
 
       # Actual logic
-      location ^~ /sso {
-        include /etc/nginx/proxy.conf;
-        proxy_set_header   Host $host;
-        proxy_pass http://$admin;
-      }
       location ^~ {{ WEB_ADMIN }}/sso {
         include /etc/nginx/proxy.conf;
-        rewrite ^{{ WEB_ADMIN }}/(.*)$ /$1 break;
-        proxy_set_header   Host $host;
+        rewrite ^{{ WEB_ADMIN }}/(.*) /$1 redirect;
+      }
+      location ^~ /ui/webmail {
+        include /etc/nginx/proxy.conf;
+        return 302 {{ WEB_WEBMAIL }};
+      }
+      location ^~ /ui {
+        include /etc/nginx/proxy.conf;
+        #rewrite ^/sso/(.*) {{ WEB_ADMIN }}/$1 redirect;
+        return 302 {{ WEB_ADMIN }}/ui/;
+      }
+      location ^~ /sso {
+        include /etc/nginx/proxy.conf;
         proxy_pass http://$admin;
       }
+#    location ^~ /(ui|static) {
+#      rewrite ^{{ WEB_ADMIN }}/(.*) /$1 break;
+#      include /etc/nginx/proxy.conf;
+#       proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }};
+#       proxy_pass http://$admin;
+#      }
 
       {% if WEB_WEBMAIL != '/' and WEBROOT_REDIRECT != 'none' %}
       location / {

From 7fd605cc21394fd05f8c21b6adb80095a4e05c97 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Fri, 3 Sep 2021 13:41:33 +0200
Subject: [PATCH 032/222] fixed brand link target for normal users

---
 core/admin/mailu/ui/templates/base.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/ui/templates/base.html b/core/admin/mailu/ui/templates/base.html
index acef4b86..8571467d 100644
--- a/core/admin/mailu/ui/templates/base.html
+++ b/core/admin/mailu/ui/templates/base.html
@@ -45,7 +45,7 @@
         </ul>
       </nav>
       <aside class="main-sidebar sidebar-dark-primary nav-compact elevation-4">
-        <a href="{{ url_for('.domain_list') }}" class="brand-link bg-primary">
+        <a href="{{ url_for('.domain_list' if current_user.manager_of or current_user.global_admin else '.user_settings') }}" class="brand-link bg-primary">
           <img src="{{ url_for('.static', filename='mailu.png') }}" width="33" height="33" alt="Mailu" class="brand-image mailu-logo img-circle elevation-3">
           <span class="brand-text font-weight-light">{{ config["SITENAME"] }}</span>
         </a>

From 72ba5ca3f96d065957a2b1dafff92a86e6c76e59 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Fri, 3 Sep 2021 21:59:53 +0200
Subject: [PATCH 033/222] fix 1789: ensure that nginx resolves ipv4 addresses

---
 core/nginx/conf/nginx.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 9ce12980..76f88f21 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -18,7 +18,7 @@ http {
     keepalive_timeout  65;
     server_tokens off;
     absolute_redirect off;
-    resolver {{ RESOLVER }} valid=30s;
+    resolver {{ RESOLVER }} ipv6=off valid=30s;
 
     {% if REAL_IP_HEADER %}
     real_ip_header {{ REAL_IP_HEADER }};
@@ -233,7 +233,7 @@ mail {
     server_name {{ HOSTNAMES.split(",")[0] }};
     auth_http http://127.0.0.1:8000/auth/email;
     proxy_pass_error_message on;
-    resolver {{ RESOLVER }} valid=30s;
+    resolver {{ RESOLVER }} ipv6=off valid=30s;
 
     {% if TLS and not TLS_ERROR %}
     include /etc/nginx/tls.conf;

From a9a1b3e55e36f9dc90713c7bff1b24252da307c2 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 5 Sep 2021 15:28:59 +0200
Subject: [PATCH 034/222] Reduce the EDNS0 size to 1232

@see
https://github.com/dns-violations/dnsflagday/issues/125
---
 core/admin/mailu/utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index e8e58100..b6495a53 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -41,7 +41,7 @@ def handle_needs_login():
 
 # DNS stub configured to do DNSSEC enabled queries
 resolver = dns.resolver.Resolver()
-resolver.use_edns(0, 0, 1500)
+resolver.use_edns(0, 0, 1232)
 resolver.flags = dns.flags.AD | dns.flags.RD
 
 def has_dane_record(domain, timeout=10):

From 4c4031ab7457205fac1075b58a05bed62839b2da Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Sun, 5 Sep 2021 17:48:02 +0200
Subject: [PATCH 035/222] added feature file

---
 towncrier/newsfragments/1966.feature | 33 ++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 towncrier/newsfragments/1966.feature

diff --git a/towncrier/newsfragments/1966.feature b/towncrier/newsfragments/1966.feature
new file mode 100644
index 00000000..e379df0b
--- /dev/null
+++ b/towncrier/newsfragments/1966.feature
@@ -0,0 +1,33 @@
+AdminLTE3 design optimizations, asset compression and caching
+
+- fixed copy of qemu-arm-static for alpine
+- added 'set -eu' safeguard
+- silenced npm update notification
+- added color to webpack call
+- changed Admin-LTE default blue
+- AdminLTE 3 style tweaks
+- localized datatables
+- moved external javascript code to vendor.js
+- added mailu logo
+- moved all inline javascript to app.js
+- added iframe display of rspamd page
+- updated language-selector to display full language names and use post
+- added fieldset to group and en/disable input fields
+- added clipboard copy buttons
+- cleaned external javascript imports
+- pre-split first hostname for further use
+- cache dns_* properties of domain object (immutable during runtime)
+- fixed and splitted dns_dkim property of domain object (space missing)
+- added autoconfig and tlsa properties to domain object
+- suppressed extra vertical spacing in jinja2 templates
+- improved accessibility for screen reader
+- deleted unused/broken /user/forward route
+- updated gunicorn to 20.1.0 to get rid of buffering error at startup
+- switched webpack to production mode
+- added css and javascript minimization
+- added pre-compression of assets (gzip)
+- removed obsolete dependencies
+- switched from node-sass to dart-sass
+- changed startup cleaning message from error to info
+- move client config to "my account" section when logged in
+

From 7bede55fce7bb7661987a3768f93becf1fe9e9bf Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Sun, 5 Sep 2021 17:48:20 +0200
Subject: [PATCH 036/222] more verbose cleaning message

---
 core/admin/mailu/utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 766a7abb..ebb55e3b 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -445,7 +445,7 @@ class MailuSessionExtension:
                 with cleaned.get_lock():
                     if not cleaned.value:
                         cleaned.value = True
-                        flask.current_app.logger.info('cleaning')
+                        flask.current_app.logger.info('cleaning session store')
                         MailuSessionExtension.cleanup_sessions(app)
 
             app.before_first_request(cleaner)

From 9888efe55dddbb789e40be1bb7da5412361653fe Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 5 Sep 2021 18:23:08 +0200
Subject: [PATCH 037/222] Document as suggested on #mailu-dev

---
 core/postfix/start.py |  5 ++---
 docs/faq.rst          | 16 ++++++++++++++++
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/core/postfix/start.py b/core/postfix/start.py
index 19c23c19..9f35cf73 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -80,9 +80,8 @@ if os.path.exists("/overrides/mta-sts-daemon.yml"):
 conf.jinja("/etc/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
 
 if not os.path.exists("/etc/postfix/tls_policy.map.lmdb"):
-    with open("/etc/postfix/tls_policy.map", "w") as f:
-        for domain in ['example.com']:
-            f.write(f'{domain}\tsecure\n')
+    with open("/etc/postfix/tls_policy.map", "a") as f:
+        pass
     os.system("postmap /etc/postfix/tls_policy.map")
 
 if "RELAYUSER" in os.environ:
diff --git a/docs/faq.rst b/docs/faq.rst
index 43fb8606..01557237 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -422,6 +422,22 @@ Any mail related connection is proxied by nginx. Therefore the SMTP Banner is al
 
 .. _`1368`: https://github.com/Mailu/Mailu/issues/1368
 
+My emails are getting defered, what can I do?
+`````````````````````````````````````````````
+
+Emails are asynchronous and it's not abnormal for them to be defered sometimes. That being said, Mailu enforces secure connections where possible using DANE and MTA-STS, both of which have the potential to delay indefinitely delivery if something is misconfigured.
+
+If delivery to a specific domain fails because their DANE records are invalid or their TLS configuration inadequate (expired certificate, ...), you can assist delivery by downgrading the security level for that domain by creating an override at ``overrides/postfix/tls_policy.map`` as follow:
+
+.. code-block:: bash
+
+   domain.example.com   may
+   domain.example.org   encrypt
+
+The syntax and options are as described in `postfix's documentation`_. Re-creating the smtp container will be required for changes to take effect.
+
+.. _`postfix's documentation`: http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
+
 403 - Access Denied Errors
 ---------------------------
 

From 0f0459e9b2e445e27fead761d90460e68b3ea96c Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 5 Sep 2021 18:49:07 +0200
Subject: [PATCH 038/222] suggestions from @ghostwheel42

---
 core/admin/mailu/utils.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index b6495a53..96368b57 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -47,7 +47,7 @@ resolver.flags = dns.flags.AD | dns.flags.RD
 def has_dane_record(domain, timeout=10):
     try:
         result = resolver.query(f'_25._tcp.{domain}', dns.rdatatype.TLSA,dns.rdataclass.IN, lifetime=timeout)
-        if (result.response.flags & dns.flags.AD) == dns.flags.AD:
+        if result.response.flags & dns.flags.AD):
             for record in result:
                 if isinstance(record, dns.rdtypes.ANY.TLSA.TLSA):
                     record.validate()
@@ -57,8 +57,14 @@ def has_dane_record(domain, timeout=10):
         # If the DNSSEC data is invalid and the DNS resolver is DNSSEC enabled
         # we will receive this non-specific exception. The safe behaviour is to
         # accept to defer the email.
+        flask.current_app.logger.warn(f'Unable to lookup the TLSA record for {domain}. Is the DNSSEC zone okay on https://dnsviz.net/d/{domain}/dnssec/?')
         return app.config['DEFER_ON_TLS_ERROR']
-    except:
+    except dns.exception.Timeout:
+        flask.current_app.logger.warn(f'Timeout while resolving the TLSA record for {domain} ({timeout}s).')
+    except dns.resolver.NXDOMAIN:
+        pass # this is expected, not TLSA record is fine
+    except Exception as e:
+        flask.current_app.logger.error(f'Error while looking up the TLSA record for {domain} {e}')
         pass
 
 # Rate limiter

From 0ee52ba65b867b70fce9e2e276564823deb14de9 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 5 Sep 2021 19:03:54 +0200
Subject: [PATCH 039/222] Doh

---
 core/admin/mailu/utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 96368b57..506b3e7e 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -47,7 +47,7 @@ resolver.flags = dns.flags.AD | dns.flags.RD
 def has_dane_record(domain, timeout=10):
     try:
         result = resolver.query(f'_25._tcp.{domain}', dns.rdatatype.TLSA,dns.rdataclass.IN, lifetime=timeout)
-        if result.response.flags & dns.flags.AD):
+        if result.response.flags & dns.flags.AD:
             for record in result:
                 if isinstance(record, dns.rdtypes.ANY.TLSA.TLSA):
                     record.validate()

From 7aa403573d61ed8a2492089d0bbeae8da7859bdd Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 5 Sep 2021 19:06:20 +0200
Subject: [PATCH 040/222] no with here

---
 core/postfix/start.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/core/postfix/start.py b/core/postfix/start.py
index 9f35cf73..3de83a63 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -80,8 +80,7 @@ if os.path.exists("/overrides/mta-sts-daemon.yml"):
 conf.jinja("/etc/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
 
 if not os.path.exists("/etc/postfix/tls_policy.map.lmdb"):
-    with open("/etc/postfix/tls_policy.map", "a") as f:
-        pass
+    open("/etc/postfix/tls_policy.map", "a").close()
     os.system("postmap /etc/postfix/tls_policy.map")
 
 if "RELAYUSER" in os.environ:

From 90c96bdddc5377d9fc2216ef47bc2e09836d9a7b Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Sun, 5 Sep 2021 19:47:10 +0200
Subject: [PATCH 041/222] optimize handle_authentication

- catch decoding of nginx headers (utf-8 exception)
- re-ordered function
---
 core/admin/mailu/internal/nginx.py | 49 ++++++++++++++++--------------
 1 file changed, 26 insertions(+), 23 deletions(-)

diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index 5e60cd0c..167341e2 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -71,16 +71,6 @@ def handle_authentication(headers):
             }
     # Authenticated user
     elif method == "plain":
-        server, port = get_server(headers["Auth-Protocol"], True)
-        # According to RFC2616 section 3.7.1 and PEP 3333, HTTP headers should
-        # be ASCII and are generally considered ISO8859-1. However when passing
-        # the password, nginx does not transcode the input UTF string, thus
-        # we need to manually decode.
-        raw_user_email = urllib.parse.unquote(headers["Auth-User"])
-        user_email = raw_user_email.encode("iso8859-1").decode("utf8")
-        raw_password = urllib.parse.unquote(headers["Auth-Pass"])
-        password = raw_password.encode("iso8859-1").decode("utf8")
-        ip = urllib.parse.unquote(headers["Client-Ip"])
         service_port = int(urllib.parse.unquote(headers["Auth-Port"]))
         if service_port == 25:
             return {
@@ -88,20 +78,33 @@ def handle_authentication(headers):
                 "Auth-Error-Code": "502 5.5.1",
                 "Auth-Wait": 0
             }
-        user = models.User.query.get(user_email)
-        if check_credentials(user, password, ip, protocol):
-            return {
-                "Auth-Status": "OK",
-                "Auth-Server": server,
-                "Auth-Port": port
-            }
+        # According to RFC2616 section 3.7.1 and PEP 3333, HTTP headers should
+        # be ASCII and are generally considered ISO8859-1. However when passing
+        # the password, nginx does not transcode the input UTF string, thus
+        # we need to manually decode.
+        raw_user_email = urllib.parse.unquote(headers["Auth-User"])
+        raw_password = urllib.parse.unquote(headers["Auth-Pass"])
+        try:
+            user_email = raw_user_email.encode("iso8859-1").decode("utf8")
+            password = raw_password.encode("iso8859-1").decode("utf8")
+        except:
+            app.logger.warn(f'Received undecodable user/password from nginx: {raw_user_email!r}/{raw_password!r}')
         else:
-            status, code = get_status(protocol, "authentication")
-            return {
-                "Auth-Status": status,
-                "Auth-Error-Code": code,
-                "Auth-Wait": 0
-            }
+            user = models.User.query.get(user_email)
+            ip = urllib.parse.unquote(headers["Client-Ip"])
+            if check_credentials(user, password, ip, protocol):
+                server, port = get_server(headers["Auth-Protocol"], True)
+                return {
+                    "Auth-Status": "OK",
+                    "Auth-Server": server,
+                    "Auth-Port": port
+                }
+        status, code = get_status(protocol, "authentication")
+        return {
+            "Auth-Status": status,
+            "Auth-Error-Code": code,
+            "Auth-Wait": 0
+        }
     # Unexpected
     return {}
 

From d8b4a016af54bca227c929bf1745e6a9525191f2 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 6 Sep 2021 08:41:49 +0200
Subject: [PATCH 042/222] use blue color from https://mailu.io/

---
 core/admin/Dockerfile     | 2 +-
 core/admin/assets/app.css | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index edb8c1fd..3ac4fcd4 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -12,7 +12,7 @@ RUN set -eu \
 COPY webpack.config.js ./
 COPY assets ./assets
 RUN set -eu \
- && sed -i 's/#007bff/#367fa9/' node_modules/admin-lte/build/scss/_bootstrap-variables.scss \
+ && sed -i 's/#007bff/#55a5d9/' node_modules/admin-lte/build/scss/_bootstrap-variables.scss \
  && for l in ca da de:de_de en:en-gb es:es_es eu fr:fr_fr he hu is it:it_it ja nb_NO:no_nb nl:nl_nl pl pt:pt_pt ru sv:sv_se zh_CN:zh; do \
       cp node_modules/datatables.net-plugins/i18n/${l#*:}.json assets/${l%:*}.json; \
     done \
diff --git a/core/admin/assets/app.css b/core/admin/assets/app.css
index 12df605c..3886b5c1 100644
--- a/core/admin/assets/app.css
+++ b/core/admin/assets/app.css
@@ -2,6 +2,9 @@
 .mailu-logo {
   opacity: .8;
 }
+.bg-mailu-logo {
+  background-color: #2980b9!important;
+}
 
 /* user image */
 .div-circle {

From 0094268410ceeca3bfec7f04afb925215d58a22a Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 6 Sep 2021 09:08:51 +0200
Subject: [PATCH 043/222] allow to change logo. default color for flash msg

- two new environment variables allow to change logo background color
  and graphic
- flash messages are now green (not cyan)
---
 core/admin/mailu/configuration.py       |  2 ++
 core/admin/mailu/ui/templates/base.html | 20 ++++++++++----------
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 419dc18d..1f13f896 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -56,6 +56,8 @@ DEFAULT_CONFIG = {
     'WEBMAIL': 'none',
     'RECAPTCHA_PUBLIC_KEY': '',
     'RECAPTCHA_PRIVATE_KEY': '',
+    'LOGO_URL': None,
+    'LOGO_BACKGROUND': None,
     # Advanced settings
     'LOG_LEVEL': 'WARNING',
     'SESSION_KEY_BITS': 128,
diff --git a/core/admin/mailu/ui/templates/base.html b/core/admin/mailu/ui/templates/base.html
index 8571467d..fc27d12b 100644
--- a/core/admin/mailu/ui/templates/base.html
+++ b/core/admin/mailu/ui/templates/base.html
@@ -19,7 +19,7 @@
             <a class="nav-link" data-widget="pushmenu" href="#" role="button"><i class="fas fa-bars" title="{% trans %}toggle sidebar{% endtrans %}" aria-expanded="false"></i><span class="sr-only">{% trans %}toggle sidebar{% endtrans %}</span></a>
           </li>
           <li class="nav-item">
-            {%- for page, url in path %}
+          {%- for page, url in path %}
             {%- if loop.index > 1 %}
             <i class="fas fa-greater-than text-xs text-gray" aria-hidden="true"></i>
             {%- endif %}
@@ -28,25 +28,25 @@
             {%- else %}
             <span class="nav-link d-inline-block">{{ page }}</span>
             {%- endif %}
-            {%- endfor %}
+          {%- endfor %}
           </li>
         </ul>
         <ul class="navbar-nav ml-auto">
           <li class="nav-item dropdown">
             <a class="nav-link" data-toggle="dropdown" href="#" aria-expanded="false">
-                <i class="fas fa-language text-xl" aria-hidden="true" title="{% trans %}change language{% endtrans %}"></i><span class="sr-only">Language</span>
-                <span class="badge badge-primary navbar-badge">{{ session['language'] }}</span></a>
+              <i class="fas fa-language text-xl" aria-hidden="true" title="{% trans %}change language{% endtrans %}"></i><span class="sr-only">Language</span>
+              <span class="badge badge-primary navbar-badge">{{ session['language'] }}</span></a>
             <div class="dropdown-menu dropdown-menu-right p-0" id="mailu-languages">
-              {%- for locale in config.translations.values() %}
-                <a class="dropdown-item{% if locale.language == session['language'] %} active{% endif %}" href="{{ url_for('.set_language', language=locale.language) }}">{{ locale.get_language_name().title() }}</a>
-              {%- endfor %}
+            {%- for locale in config.translations.values() %}
+              <a class="dropdown-item{% if locale.language == session['language'] %} active{% endif %}" href="{{ url_for('.set_language', language=locale.language) }}">{{ locale.get_language_name().title() }}</a>
+            {%- endfor %}
             </div>
           </li>
         </ul>
       </nav>
       <aside class="main-sidebar sidebar-dark-primary nav-compact elevation-4">
-        <a href="{{ url_for('.domain_list' if current_user.manager_of or current_user.global_admin else '.user_settings') }}" class="brand-link bg-primary">
-          <img src="{{ url_for('.static', filename='mailu.png') }}" width="33" height="33" alt="Mailu" class="brand-image mailu-logo img-circle elevation-3">
+        <a href="{{ url_for('.domain_list' if current_user.manager_of or current_user.global_admin else '.user_settings') }}" class="brand-link bg-mailu-logo"{% if config["LOGO_BACKGROUND"] %} style="background-color:{{ config["LOGO_BACKGROUND"] }}!important;"{% endif %}>
+          <img src="{{ config["LOGO_URL"] if config["LOGO_URL"] else url_for('.static', filename='mailu.png') }}" width="33" height="33" alt="Mailu" class="brand-image mailu-logo img-circle elevation-3">
           <span class="brand-text font-weight-light">{{ config["SITENAME"] }}</span>
         </a>
         {%- include "sidebar.html" %}
@@ -66,7 +66,7 @@
           </div>
         </section>
         <div class="content">
-          {{ utils.flashed_messages(container=False) }}
+          {{ utils.flashed_messages(container=False, default_category='success') }}
           {%- block content %}{%- endblock %}
         </div>
       </div>

From 698ee4e5211fe7f0d1c1b3ac24714023c2bc59e0 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 6 Sep 2021 09:10:59 +0200
Subject: [PATCH 044/222] added tiff and webp to list of cached content

---
 core/nginx/conf/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 616ddcc1..5a86c34a 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -35,7 +35,7 @@ http {
     }
     map $uri $expires {
       default off;
-      ~*\.(ico|css|js|gif|jpeg|jpg|png|woff|ttf|otf|svg|woff2|eot)$ 97d;
+      ~*\.(ico|css|js|gif|jpeg|jpg|png|woff2?|ttf|otf|svg|tiff|eot|webp)$ 97d;
     }
 
     # compression

From b445d9ddd168948ccacb760ab96fd27c33033042 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 6 Sep 2021 13:45:48 +0200
Subject: [PATCH 045/222] set expire headers only for mailu content

also moved robots.txt from config to static folder.
---
 core/nginx/conf/nginx.conf   | 16 ++--------------
 core/nginx/static/robots.txt |  2 ++
 2 files changed, 4 insertions(+), 14 deletions(-)
 create mode 100644 core/nginx/static/robots.txt

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 5a86c34a..4c31674c 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -57,11 +57,6 @@ http {
           proxy_pass http://127.0.0.1:8008;
       }
       {% endif %}
-      # robots.txt
-      location = /robots.txt {
-        add_header Content-Type text/plain;
-        return 200 "User-agent: *\nDisallow: /\n";
-      }
       # redirect to https
       location / {
         return 301 https://$host$request_uri;
@@ -111,8 +106,6 @@ http {
       # Remove headers to prevent duplication and information disclosure
       proxy_hide_header X-XSS-Protection;
       proxy_hide_header X-Powered-By;
-      
-      expires $expires;
 
       add_header X-Frame-Options 'SAMEORIGIN';
       add_header X-Content-Type-Options 'nosniff';
@@ -132,18 +125,12 @@ http {
         return 403;
       }
       {% else %}
-
-      # robots.txt
-      location = /robots.txt {
-        add_header Content-Type text/plain;
-        return 200 "User-agent: *\nDisallow: /\n";
-      }
-
       include /overrides/*.conf;
 
       # Actual logic
       {% if WEB_WEBMAIL != '/' and WEBROOT_REDIRECT != 'none' %}
       location / {
+        expires $expires;
       {% if WEBROOT_REDIRECT %}
         try_files $uri {{ WEBROOT_REDIRECT }};
       {% else %}
@@ -198,6 +185,7 @@ http {
         include /etc/nginx/proxy.conf;
         proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }};
         proxy_pass http://$admin;
+        expires $expires;
       }
 
       location {{ WEB_ADMIN }}/antispam {
diff --git a/core/nginx/static/robots.txt b/core/nginx/static/robots.txt
new file mode 100644
index 00000000..1f53798b
--- /dev/null
+++ b/core/nginx/static/robots.txt
@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /

From 6c510e2e86bbb1ff782c0355d9671058f74805e3 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 6 Sep 2021 13:48:13 +0200
Subject: [PATCH 046/222] enabled caching via .htaccess

---
 webmails/roundcube/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/webmails/roundcube/Dockerfile b/webmails/roundcube/Dockerfile
index 4d3e36df..f4399f70 100644
--- a/webmails/roundcube/Dockerfile
+++ b/webmails/roundcube/Dockerfile
@@ -38,7 +38,8 @@ RUN apt-get update && apt-get install -y \
  && sed -i 's,^php_value.*post_max_size,#&,g' .htaccess \
  && sed -i 's,^php_value.*upload_max_filesize,#&,g' .htaccess \
  && chown -R www-data: logs temp \
- && rm -rf /var/lib/apt/lists
+ && rm -rf /var/lib/apt/lists \
+ && a2enmod rewrite deflate expires headers
 
 COPY php.ini /php.ini
 COPY config.inc.php /var/www/html/config/

From a319ecde297c8840c26f43a35bd027a1802ee52d Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 6 Sep 2021 13:52:35 +0200
Subject: [PATCH 047/222] also precompress static txt files

---
 core/nginx/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/nginx/Dockerfile b/core/nginx/Dockerfile
index 8b5be4f8..3b10b8b8 100644
--- a/core/nginx/Dockerfile
+++ b/core/nginx/Dockerfile
@@ -16,7 +16,7 @@ COPY conf /conf
 COPY static /static
 COPY *.py /
 
-RUN gzip -k9 /static/*.ico
+RUN gzip -k9 /static/*.ico /static/*.txt
 
 EXPOSE 80/tcp 443/tcp 110/tcp 143/tcp 465/tcp 587/tcp 993/tcp 995/tcp 25/tcp 10025/tcp 10143/tcp
 VOLUME ["/certs"]

From 45a2be37663c3208cab131cc69a682c0596d5444 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 6 Sep 2021 18:42:50 +0200
Subject: [PATCH 048/222] Updated Polish translation.

Used pl/LC_MESSAGES/messages.po from PR#1751 created by martys71
---
 .../translations/pl/LC_MESSAGES/messages.po   | 680 +++++++++---------
 1 file changed, 347 insertions(+), 333 deletions(-)

diff --git a/core/admin/mailu/translations/pl/LC_MESSAGES/messages.po b/core/admin/mailu/translations/pl/LC_MESSAGES/messages.po
index cec7a4a0..664ff571 100644
--- a/core/admin/mailu/translations/pl/LC_MESSAGES/messages.po
+++ b/core/admin/mailu/translations/pl/LC_MESSAGES/messages.po
@@ -1,188 +1,287 @@
 msgid ""
 msgstr ""
-"Project-Id-Version: Mailu\n"
+"Project-Id-Version:  Mailu\n"
+"POT-Creation-Date: 2021-02-05 16:34+0100\n"
 "PO-Revision-Date: 2020-02-17 20:23+0000\n"
-"Last-Translator: NeroPcStation <dareknowacki2001@gmail.com>\n"
-"Language-Team: Polish <https://translate.tedomum.net/projects/mailu/admin/pl/"
-">\n"
+"Last-Translator: Marcin Siennicki <marcin@siennicki.eu>\n"
 "Language: pl\n"
+"Language-Team: Polish "
+"<https://translate.tedomum.net/projects/mailu/admin/pl/>\n"
+"Plural-Forms: nplurals=3; plural=n==1 ? 0 : n%10>=2 && n%10<=4 && "
+"(n%100<10 || n%100>=20) ? 1 : 2\n"
 "MIME-Version: 1.0\n"
-"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Plural-Forms: nplurals=3; plural=n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 "
-"|| n%100>=20) ? 1 : 2;\n"
-"X-Generator: Weblate 3.3\n"
+"Generated-By: Babel 2.9.0\n"
 
-#: mailu/ui/forms.py:32
+#: mailu/ui/forms.py:33 mailu/ui/forms.py:36
 msgid "Invalid email address."
 msgstr "Nieprawidłowy adres e-mail."
 
-#: mailu/ui/forms.py:36
+#: mailu/ui/forms.py:45
 msgid "Confirm"
 msgstr "Zatwierdź"
 
-#: mailu/ui/forms.py:40 mailu/ui/forms.py:77
+#: mailu/ui/forms.py:49 mailu/ui/forms.py:86
 msgid "E-mail"
 msgstr "E-mail"
 
-#: mailu/ui/forms.py:41 mailu/ui/forms.py:78 mailu/ui/forms.py:90
-#: mailu/ui/forms.py:109 mailu/ui/forms.py:162
+#: mailu/ui/forms.py:50 mailu/ui/forms.py:87 mailu/ui/forms.py:100
+#: mailu/ui/forms.py:118 mailu/ui/forms.py:172
 #: mailu/ui/templates/client.html:32 mailu/ui/templates/client.html:59
 msgid "Password"
 msgstr "Hasło"
 
-#: mailu/ui/forms.py:42 mailu/ui/templates/login.html:4
-#: mailu/ui/templates/sidebar.html:111
+#: mailu/ui/forms.py:51 mailu/ui/templates/login.html:4
+#: mailu/ui/templates/sidebar.html:108
 msgid "Sign in"
 msgstr "Zaloguj"
 
-#: mailu/ui/forms.py:46 mailu/ui/forms.py:56
+#: mailu/ui/forms.py:55 mailu/ui/forms.py:65
 #: mailu/ui/templates/domain/details.html:27
 #: mailu/ui/templates/domain/list.html:18 mailu/ui/templates/relay/list.html:17
 msgid "Domain name"
 msgstr "Nazwa domeny"
 
-#: mailu/ui/forms.py:47
+#: mailu/ui/forms.py:56
 msgid "Maximum user count"
 msgstr "Maksymalna liczba użytkowników"
 
-#: mailu/ui/forms.py:48
+#: mailu/ui/forms.py:57
 msgid "Maximum alias count"
 msgstr "Maksymalna liczba aliasów"
 
-#. Needs more context - is that a verb or a noun?
-#: mailu/ui/forms.py:51 mailu/ui/forms.py:72 mailu/ui/forms.py:83
-#: mailu/ui/forms.py:128 mailu/ui/forms.py:140
+#: mailu/ui/forms.py:58
+msgid "Maximum user quota"
+msgstr "Maksymalny przydział użytkownika"
+
+#: mailu/ui/forms.py:59
+msgid "Enable sign-up"
+msgstr "Włącz rejestrację"
+
+#: mailu/ui/forms.py:60 mailu/ui/forms.py:81 mailu/ui/forms.py:93
+#: mailu/ui/forms.py:138 mailu/ui/forms.py:150
 #: mailu/ui/templates/alias/list.html:21 mailu/ui/templates/domain/list.html:21
 #: mailu/ui/templates/relay/list.html:19 mailu/ui/templates/token/list.html:19
 #: mailu/ui/templates/user/list.html:23
 msgid "Comment"
 msgstr "Komentarz"
 
-#: mailu/ui/forms.py:52 mailu/ui/forms.py:61 mailu/ui/forms.py:66
-#: mailu/ui/forms.py:73 mailu/ui/forms.py:132 mailu/ui/forms.py:141
-msgid "Create"
-msgstr "Utwórz"
+#: mailu/ui/forms.py:61 mailu/ui/forms.py:75 mailu/ui/forms.py:82
+#: mailu/ui/forms.py:95 mailu/ui/forms.py:142 mailu/ui/forms.py:151
+msgid "Save"
+msgstr "Zapisz"
 
-#: mailu/ui/forms.py:59 mailu/ui/forms.py:79 mailu/ui/forms.py:91
+#: mailu/ui/forms.py:66
+msgid "Initial admin"
+msgstr "Początkowy administrator"
+
+#: mailu/ui/forms.py:67
+msgid "Admin password"
+msgstr "Hasło administratora"
+
+#: mailu/ui/forms.py:68 mailu/ui/forms.py:88 mailu/ui/forms.py:101
 msgid "Confirm password"
 msgstr "Potwierdź hasło"
 
-#: mailu/ui/forms.py:80 mailu/ui/templates/user/list.html:22
+#: mailu/ui/forms.py:70
+msgid "Create"
+msgstr "Utwórz"
+
+#: mailu/ui/forms.py:74
+msgid "Alternative name"
+msgstr "Alternatywna nazwa"
+
+#: mailu/ui/forms.py:79
+msgid "Relayed domain name"
+msgstr "Domeny przekierowywane"
+
+#: mailu/ui/forms.py:80 mailu/ui/templates/relay/list.html:18
+msgid "Remote host"
+msgstr "Zdalny host"
+
+#: mailu/ui/forms.py:89 mailu/ui/templates/user/list.html:22
 #: mailu/ui/templates/user/signup_domain.html:16
 msgid "Quota"
 msgstr "Maksymalna przestrzeń na dysku"
 
-#: mailu/ui/forms.py:81
+#: mailu/ui/forms.py:90
 msgid "Allow IMAP access"
 msgstr "Zezwalaj na dostęp przez protokół IMAP"
 
-#: mailu/ui/forms.py:82
+#: mailu/ui/forms.py:91
 msgid "Allow POP3 access"
 msgstr "Zezwalaj na dostęp przez protokół POP3"
 
-#: mailu/ui/forms.py:85
-msgid "Save"
-msgstr "Zapisz"
-
-#: mailu/ui/forms.py:97
+#: mailu/ui/forms.py:92 mailu/ui/forms.py:108
+#: mailu/ui/templates/user/settings.html:15
 msgid "Displayed name"
 msgstr "Nazwa wyświetlana"
 
-#: mailu/ui/forms.py:98
+#: mailu/ui/forms.py:94
+msgid "Enabled"
+msgstr "Włączone"
+
+#: mailu/ui/forms.py:99
+msgid "Email address"
+msgstr "Adres e-mail"
+
+#: mailu/ui/forms.py:102 mailu/ui/templates/sidebar.html:114
+#: mailu/ui/templates/user/signup.html:4
+#: mailu/ui/templates/user/signup_domain.html:4
+msgid "Sign up"
+msgstr "Utwórz konto"
+
+#: mailu/ui/forms.py:109
 msgid "Enable spam filter"
 msgstr "Włącz filtr antyspamowy"
 
-#: mailu/ui/forms.py:80
-msgid "Spam filter threshold"
-msgstr "Próg filtra antyspamowego"
-
-#: mailu/ui/forms.py:105
-msgid "Save settings"
-msgstr "Zapisz ustawienia"
-
 #: mailu/ui/forms.py:110
-msgid "Password check"
-msgstr ""
+msgid "Spam filter tolerance"
+msgstr "Tolerancja filtra spamu"
 
-#: mailu/ui/forms.py:111 mailu/ui/templates/sidebar.html:16
-msgid "Update password"
-msgstr "Zaktualizuj hasło"
-
-#: mailu/ui/forms.py:100
+#: mailu/ui/forms.py:111
 msgid "Enable forwarding"
 msgstr "Włącz przekierowanie poczty"
 
-#: mailu/ui/forms.py:103 mailu/ui/forms.py:139
+#: mailu/ui/forms.py:112
+msgid "Keep a copy of the emails"
+msgstr "Przechowuj kopię wiadomości"
+
+#: mailu/ui/forms.py:113 mailu/ui/forms.py:149
 #: mailu/ui/templates/alias/list.html:20
 msgid "Destination"
 msgstr "Adres docelowy"
 
-#: mailu/ui/forms.py:120
-msgid "Update"
-msgstr "Aktualizuj"
+#: mailu/ui/forms.py:114
+msgid "Save settings"
+msgstr "Zapisz ustawienia"
 
-#: mailu/ui/forms.py:115
+#: mailu/ui/forms.py:119
+msgid "Password check"
+msgstr "Powtórz hasło"
+
+#: mailu/ui/forms.py:120 mailu/ui/templates/sidebar.html:16
+msgid "Update password"
+msgstr "Zaktualizuj hasło"
+
+#: mailu/ui/forms.py:124
 msgid "Enable automatic reply"
 msgstr "Włącz automatyczną odpowiedź"
 
-#: mailu/ui/forms.py:116
+#: mailu/ui/forms.py:125
 msgid "Reply subject"
 msgstr "Temat odpowiedzi"
 
-#: mailu/ui/forms.py:117
+#: mailu/ui/forms.py:126
 msgid "Reply body"
 msgstr "Treść odpowiedzi"
 
-#: mailu/ui/forms.py:136
+#: mailu/ui/forms.py:128
+#, fuzzy
+msgid "Start of vacation"
+msgstr "Rozpoczęcie nieobecności"
+
+#: mailu/ui/forms.py:129
+msgid "End of vacation"
+msgstr "Koniec nieobecności"
+
+#: mailu/ui/forms.py:130
+msgid "Update"
+msgstr "Aktualizuj"
+
+#: mailu/ui/forms.py:135
+msgid "Your token (write it down, as it will never be displayed again)"
+msgstr "Twój token (zapisz go, ponieważ nigdy więcej nie będzie wyświetlany)"
+
+#: mailu/ui/forms.py:140 mailu/ui/templates/token/list.html:20
+msgid "Authorized IP"
+msgstr "Autoryzowany adres IP"
+
+#: mailu/ui/forms.py:146
 msgid "Alias"
 msgstr "Alias"
 
-#: mailu/ui/forms.py:138
+#: mailu/ui/forms.py:148
 msgid "Use SQL LIKE Syntax (e.g. for catch-all aliases)"
 msgstr "Używaj składni SQL LIKE (np. do adresów catch-all)"
 
-#: mailu/ui/forms.py:145
+#: mailu/ui/forms.py:155
 msgid "Admin email"
 msgstr "E-mail administratora"
 
-#: mailu/ui/forms.py:146 mailu/ui/forms.py:151 mailu/ui/forms.py:164
+#: mailu/ui/forms.py:156 mailu/ui/forms.py:161 mailu/ui/forms.py:174
 msgid "Submit"
 msgstr "Prześlij"
 
-#: mailu/ui/forms.py:150
+#: mailu/ui/forms.py:160
 msgid "Manager email"
 msgstr "E-mail menedżera"
 
-#: mailu/ui/forms.py:155
+#: mailu/ui/forms.py:165
 msgid "Protocol"
 msgstr "Protokół"
 
-#: mailu/ui/forms.py:158
+#: mailu/ui/forms.py:168
 msgid "Hostname or IP"
 msgstr "Nazwa hosta lub adres IP"
 
-#: mailu/ui/forms.py:159 mailu/ui/templates/client.html:20
+#: mailu/ui/forms.py:169 mailu/ui/templates/client.html:20
 #: mailu/ui/templates/client.html:47
 msgid "TCP port"
 msgstr "Port TCP"
 
-#: mailu/ui/forms.py:160
+#: mailu/ui/forms.py:170
 msgid "Enable TLS"
 msgstr "Włącz TLS"
 
-#: mailu/ui/forms.py:161 mailu/ui/templates/client.html:28
+#: mailu/ui/forms.py:171 mailu/ui/templates/client.html:28
 #: mailu/ui/templates/client.html:55 mailu/ui/templates/fetch/list.html:20
 msgid "Username"
 msgstr "Nazwa użytkownika"
 
+#: mailu/ui/forms.py:173
+msgid "Keep emails on the server"
+msgstr "Przechowuj wiadomości na serwerze"
+
+#: mailu/ui/forms.py:178
+msgid "Announcement subject"
+msgstr "Temat ogłoszenia"
+
+#: mailu/ui/forms.py:180
+msgid "Announcement body"
+msgstr "Treść ogłoszenia"
+
+#: mailu/ui/forms.py:182
+msgid "Send"
+msgstr "Wyślij"
+
+#: mailu/ui/templates/announcement.html:4
+msgid "Public announcement"
+msgstr "Publiczne ogłoszenie"
+
+#: mailu/ui/templates/client.html:4 mailu/ui/templates/sidebar.html:79
+msgid "Client setup"
+msgstr "Konfiguracja klienta"
+
+#: mailu/ui/templates/client.html:16 mailu/ui/templates/client.html:43
+msgid "Mail protocol"
+msgstr "Protokół poczty"
+
+#: mailu/ui/templates/client.html:24 mailu/ui/templates/client.html:51
+msgid "Server name"
+msgstr "Nazwa serwera"
+
 #: mailu/ui/templates/confirm.html:4
 msgid "Confirm action"
 msgstr "Potwierdź wykonanie czynności"
 
 #: mailu/ui/templates/confirm.html:13
+#, python-format
 msgid "You are about to %(action)s. Please confirm your action."
-msgstr "Zamierzasz wykonać następujące czynności: %(action)s. Potwierdź wykonanie czynności."
+msgstr ""
+"Zamierzasz wykonać następujące czynności: %(action)s. Potwierdź wykonanie"
+" czynności."
 
 #: mailu/ui/templates/docker-error.html:4
 msgid "Docker error"
@@ -192,54 +291,19 @@ msgstr "Błąd Dockera"
 msgid "An error occurred while talking to the Docker server."
 msgstr "Wystąpił błąd komunikacji z serwerem Dockera."
 
-#: mailu/admin/templates/login.html:6
-msgid "Your account"
-msgstr "Twoje konto"
-
 #: mailu/ui/templates/login.html:8
 msgid "to access the administration tools"
 msgstr "aby uzyskać dostęp do narzędzi administracyjnych"
 
-#: mailu/ui/templates/services.html:4 mailu/ui/templates/sidebar.html:39
-msgid "Services status"
-msgstr "Status usług"
-
-#: mailu/ui/templates/services.html:10
-msgid "Service"
-msgstr "Usługa"
-
-#: mailu/ui/templates/fetch/list.html:23 mailu/ui/templates/services.html:11
-msgid "Status"
-msgstr "Status"
-
-#: mailu/ui/templates/services.html:12
-msgid "PID"
-msgstr "PID"
-
-#: mailu/ui/templates/services.html:13
-msgid "Image"
-msgstr "Obraz"
-
-#: mailu/ui/templates/services.html:14
-msgid "Started"
-msgstr ""
-
-#: mailu/ui/templates/services.html:15
-msgid "Last update"
-msgstr "Ostatnia aktualizacja"
-
 #: mailu/ui/templates/sidebar.html:8
+#, fuzzy
 msgid "My account"
-msgstr "Moje konto"
+msgstr "Dodaj konto"
 
 #: mailu/ui/templates/sidebar.html:11 mailu/ui/templates/user/list.html:34
 msgid "Settings"
 msgstr "Ustawienia"
 
-#: mailu/ui/templates/user/settings.html:22
-msgid "Auto-forward"
-msgstr "Automatyczne przekierowanie"
-
 #: mailu/ui/templates/sidebar.html:21 mailu/ui/templates/user/list.html:35
 msgid "Auto-reply"
 msgstr "Automatyczna odpowiedź"
@@ -247,28 +311,60 @@ msgstr "Automatyczna odpowiedź"
 #: mailu/ui/templates/fetch/list.html:4 mailu/ui/templates/sidebar.html:26
 #: mailu/ui/templates/user/list.html:36
 msgid "Fetched accounts"
-msgstr ""
+msgstr "Zewnętrzne konta e-mail"
 
-#: mailu/ui/templates/sidebar.html:105
-msgid "Sign out"
-msgstr "Wyloguj"
+#: mailu/ui/templates/sidebar.html:31 mailu/ui/templates/token/list.html:4
+msgid "Authentication tokens"
+msgstr "Tokeny uwierzytelnienia"
 
-#: mailu/ui/templates/sidebar.html:35
+#: mailu/ui/templates/sidebar.html:36
 msgid "Administration"
 msgstr "Administracja"
 
-#: mailu/ui/templates/sidebar.html:49
+#: mailu/ui/templates/sidebar.html:41
+msgid "Announcement"
+msgstr "Ogłoszenie"
+
+#: mailu/ui/templates/sidebar.html:46
 msgid "Administrators"
 msgstr "Administratorzy"
 
-#: mailu/ui/templates/sidebar.html:66
+#: mailu/ui/templates/sidebar.html:51
+msgid "Relayed domains"
+msgstr "Domeny przekierowywane"
+
+#: mailu/ui/templates/sidebar.html:56 mailu/ui/templates/user/settings.html:19
+msgid "Antispam"
+msgstr "Filtr antyspamowy"
+
+#: mailu/ui/templates/sidebar.html:63
 msgid "Mail domains"
 msgstr "Domeny pocztowe"
 
-#: mailu/ui/templates/sidebar.html:92
+#: mailu/ui/templates/sidebar.html:69
+msgid "Go to"
+msgstr "Przejdź do"
+
+#: mailu/ui/templates/sidebar.html:73
+msgid "Webmail"
+msgstr "Twoja poczta"
+
+#: mailu/ui/templates/sidebar.html:84
+msgid "Website"
+msgstr "Strona internetowa"
+
+#: mailu/ui/templates/sidebar.html:89
 msgid "Help"
 msgstr "Pomoc"
 
+#: mailu/ui/templates/domain/signup.html:4 mailu/ui/templates/sidebar.html:95
+msgid "Register a domain"
+msgstr "Zarejestruj domenę"
+
+#: mailu/ui/templates/sidebar.html:102
+msgid "Sign out"
+msgstr "Wyloguj"
+
 #: mailu/ui/templates/working.html:4
 msgid "We are still working on this feature!"
 msgstr "Nadal pracujemy nad tą funkcją!"
@@ -344,6 +440,22 @@ msgstr "Ostatnia edycja"
 msgid "Edit"
 msgstr "Edytuj"
 
+#: mailu/ui/templates/alternative/create.html:4
+msgid "Create alternative domain"
+msgstr "Utwórz alternatywną domenę"
+
+#: mailu/ui/templates/alternative/list.html:4
+msgid "Alternative domain list"
+msgstr "Alternatywna lista domen"
+
+#: mailu/ui/templates/alternative/list.html:12
+msgid "Add alternative"
+msgstr "Dodaj alternatywę"
+
+#: mailu/ui/templates/alternative/list.html:19
+msgid "Name"
+msgstr "Nazwa"
+
 #: mailu/ui/templates/domain/create.html:4
 #: mailu/ui/templates/domain/list.html:9
 msgid "New domain"
@@ -357,6 +469,10 @@ msgstr "Szczegóły domeny"
 msgid "Regenerate keys"
 msgstr "Wygeneruj ponownie klucze"
 
+#: mailu/ui/templates/domain/details.html:17
+msgid "Generate keys"
+msgstr "Wygeneruj klucze"
+
 #: mailu/ui/templates/domain/details.html:31
 msgid "DNS MX entry"
 msgstr "Wpis MX DNS"
@@ -365,15 +481,15 @@ msgstr "Wpis MX DNS"
 msgid "DNS SPF entries"
 msgstr "Wpisy SPF DNS"
 
-#: mailu/ui/templates/domain/details.html:42
+#: mailu/ui/templates/domain/details.html:41
 msgid "DKIM public key"
 msgstr "Publiczny klucz DKIM"
 
-#: mailu/ui/templates/domain/details.html:46
+#: mailu/ui/templates/domain/details.html:45
 msgid "DNS DKIM entry"
 msgstr "Wpis DKIM DNS"
 
-#: mailu/ui/templates/domain/details.html:50
+#: mailu/ui/templates/domain/details.html:49
 msgid "DNS DMARC entry"
 msgstr "Wpis DMARC DNS"
 
@@ -413,13 +529,42 @@ msgstr "Aliasy"
 msgid "Managers"
 msgstr "Menedżerowie"
 
+#: mailu/ui/templates/domain/list.html:39
+msgid "Alternatives"
+msgstr "Alternatywy"
+
+#: mailu/ui/templates/domain/signup.html:13
+msgid ""
+"In order to register a new domain, you must first setup the\n"
+"    domain zone so that the domain <code>MX</code> points to this server"
+msgstr ""
+"Aby zarejestrować nową domenę, musisz najpierw skonfigurować strefę "
+"domeny, aby domena <code> MX </code> wskazywała na ten serwer"
+
+#: mailu/ui/templates/domain/signup.html:18
+msgid ""
+"If you do not know how to setup an <code>MX</code> record for your DNS "
+"zone,\n"
+"    please contact your DNS provider or administrator. Also, please wait "
+"a\n"
+"    couple minutes after the <code>MX</code> is set so the local server "
+"cache\n"
+"    expires."
+msgstr ""
+"Jeśli nie wiesz, jak skonfigurować rekord <code> MX </code>  dla swojej "
+"strefy DNS,\n"
+"skontaktuj się z dostawcą DNS lub administratorem. Proszę również "
+"poczekać\n"
+"kilka minut po ustawieniu <code> MX </code> , żeby pamięć podręczna "
+"serwera lokalnego wygasła."
+
 #: mailu/ui/templates/fetch/create.html:4
 msgid "Add a fetched account"
-msgstr ""
+msgstr "Dodaj zewnętrzne konto pocztowe"
 
 #: mailu/ui/templates/fetch/edit.html:4
 msgid "Update a fetched account"
-msgstr ""
+msgstr "Zaktualizuj konto"
 
 #: mailu/ui/templates/fetch/list.html:12
 msgid "Add an account"
@@ -427,12 +572,28 @@ msgstr "Dodaj konto"
 
 #: mailu/ui/templates/fetch/list.html:19
 msgid "Endpoint"
-msgstr ""
+msgstr "Serwer"
+
+#: mailu/ui/templates/fetch/list.html:21
+msgid "Keep emails"
+msgstr "Przechowuj wiadomości"
 
 #: mailu/ui/templates/fetch/list.html:22
 msgid "Last check"
 msgstr "Ostatnie sprawdzenie"
 
+#: mailu/ui/templates/fetch/list.html:23
+msgid "Status"
+msgstr "Stan"
+
+#: mailu/ui/templates/fetch/list.html:35
+msgid "yes"
+msgstr "Tak"
+
+#: mailu/ui/templates/fetch/list.html:35
+msgid "no"
+msgstr "Nie"
+
 #: mailu/ui/templates/manager/create.html:4
 msgid "Add a manager"
 msgstr "Dodaj menedżera"
@@ -445,34 +606,43 @@ msgstr "Lista menedżerów"
 msgid "Add manager"
 msgstr "Dodaj menedżera"
 
-#: mailu/ui/forms.py:168
-msgid "Announcement subject"
-msgstr "Temat ogłoszenia"
+#: mailu/ui/templates/relay/create.html:4
+msgid "New relay domain"
+msgstr "Nowa domena do przekierowania"
 
-#: mailu/ui/forms.py:170
-msgid "Announcement body"
-msgstr "Treść ogłoszenia"
+#: mailu/ui/templates/relay/edit.html:4
+#, fuzzy
+msgid "Edit relayd domain"
+msgstr "Edycja domeny"
 
-#: mailu/ui/forms.py:172
-msgid "Send"
-msgstr "Wyślij"
+#: mailu/ui/templates/relay/list.html:4
+msgid "Relayed domain list"
+msgstr "Lista domen przekierowywanych"
 
-#: mailu/ui/templates/announcement.html:4
-msgid "Public announcement"
-msgstr "Publiczne ogłoszenie"
+#: mailu/ui/templates/relay/list.html:9
+msgid "New relayed domain"
+msgstr "Nowa domena do przekierowania"
 
-#: mailu/ui/templates/announcement.html:8
-msgid "from"
-msgstr "od"
+#: mailu/ui/templates/token/create.html:4
+msgid "Create an authentication token"
+msgstr "Utwórz token uwierzytelniający"
 
-#: mailu/ui/templates/sidebar.html:44
-msgid "Announcement"
-msgstr "Ogłoszenie"
+#: mailu/ui/templates/token/list.html:12
+msgid "New token"
+msgstr "Nowy token"
 
 #: mailu/ui/templates/user/create.html:4
 msgid "New user"
 msgstr "Nowy użytkownik"
 
+#: mailu/ui/templates/user/create.html:15
+msgid "General"
+msgstr "Ogólne"
+
+#: mailu/ui/templates/user/create.html:23
+msgid "Features and quotas"
+msgstr "Funkcje i limity"
+
 #: mailu/ui/templates/user/edit.html:4
 msgid "Edit user"
 msgstr "Edytuj użytkownika"
@@ -505,202 +675,9 @@ msgstr "Zmiana hasła"
 msgid "Automatic reply"
 msgstr "Automatyczna odpowiedź"
 
-#: mailu/ui/forms.py:49
-msgid "Maximum user quota"
-msgstr "Maksymalny przydział użytkownika"
-
-#: mailu/ui/forms.py:101
-msgid "Keep a copy of the emails"
-msgstr "Przechowuj kopię wiadomości"
-
-#: mailu/ui/forms.py:163
-msgid "Keep emails on the server"
-msgstr "Przechowuj wiadomości na serwerze"
-
-#: mailu/ui/templates/fetch/list.html:21
-msgid "Keep emails"
-msgstr "Przechowuj wiadomości"
-
-#: mailu/ui/templates/fetch/list.html:35
-msgid "yes"
-msgstr "Tak"
-
-#: mailu/ui/templates/fetch/list.html:35
-msgid "no"
-msgstr "Nie"
-
-#: mailu/ui/forms.py:65
-msgid "Alternative name"
-msgstr "Alternatywna nazwa"
-
-#: mailu/ui/forms.py:70
-msgid "Relayed domain name"
-msgstr ""
-
-#: mailu/ui/forms.py:71 mailu/ui/templates/relay/list.html:18
-msgid "Remote host"
-msgstr "Zdalny host"
-
-#: mailu/ui/templates/sidebar.html:54
-msgid "Relayed domains"
-msgstr ""
-
-#: mailu/ui/templates/alternative/create.html:4
-msgid "Create alternative domain"
-msgstr "Utwórz alternatywną domenę"
-
-#: mailu/ui/templates/alternative/list.html:4
-msgid "Alternative domain list"
-msgstr "Alternatywna lista domen"
-
-#: mailu/ui/templates/alternative/list.html:12
-msgid "Add alternative"
-msgstr "Dodaj alternatywę"
-
-#: mailu/ui/templates/alternative/list.html:19
-msgid "Name"
-msgstr "Nazwa"
-
-#: mailu/ui/templates/domain/list.html:39
-msgid "Alternatives"
-msgstr "Alternatywy"
-
-#: mailu/ui/templates/relay/create.html:4
-msgid "New relay domain"
-msgstr ""
-
-#: mailu/ui/templates/relay/edit.html:4
-msgid "Edit relayd domain"
-msgstr ""
-
-#: mailu/ui/templates/relay/list.html:4
-msgid "Relayed domain list"
-msgstr ""
-
-#: mailu/ui/templates/relay/list.html:9
-msgid "New relayed domain"
-msgstr ""
-
-#: mailu/ui/forms.py:125
-msgid "Your token (write it down, as it will never be displayed again)"
-msgstr "Twój token (zapisz go, ponieważ nigdy więcej nie będzie wyświetlany)"
-
-#: mailu/ui/forms.py:130 mailu/ui/templates/token/list.html:20
-msgid "Authorized IP"
-msgstr "Autoryzowany adres IP"
-
-#: mailu/ui/templates/sidebar.html:31 mailu/ui/templates/token/list.html:4
-msgid "Authentication tokens"
-msgstr "Tokeny uwierzytelnienia"
-
-#: mailu/ui/templates/sidebar.html:72
-msgid "Go to"
-msgstr "Przejdź do"
-
-#: mailu/ui/templates/sidebar.html:76
-msgid "Webmail"
-msgstr ""
-
-#: mailu/ui/templates/sidebar.html:87
-msgid "Website"
-msgstr "Strona internetowa"
-
-#: mailu/ui/templates/token/create.html:4
-msgid "Create an authentication token"
-msgstr "Utwórz token uwierzytelniający"
-
-#: mailu/ui/templates/token/list.html:12
-msgid "New token"
-msgstr "Nowy token"
-
-#: mailu/ui/templates/user/create.html:15
-msgid "General"
-msgstr ""
-
-#: mailu/ui/templates/user/create.html:22
-msgid "Features and quotas"
-msgstr ""
-
-#: mailu/ui/templates/user/settings.html:14
-msgid "General settings"
-msgstr "Ustawienia ogólne"
-
-#: mailu/ui/templates/sidebar.html:59 mailu/ui/templates/user/settings.html:15
-msgid "Antispam"
-msgstr "Filtr antyspamowy"
-
-#: mailu/ui/forms.py:99
-msgid "Spam filter tolerance"
-msgstr "Tolerancja filtra spamu"
-
-#: mailu/ui/forms.py:50
-msgid "Enable sign-up"
-msgstr "Włącz rejestrację"
-
-#: mailu/ui/forms.py:57
-msgid "Initial admin"
-msgstr "Początkowy administrator"
-
-#: mailu/ui/forms.py:58
-msgid "Admin password"
-msgstr "hasło administratora"
-
-#: mailu/ui/forms.py:84
-msgid "Enabled"
-msgstr "Włączone"
-
-#: mailu/ui/forms.py:89
-msgid "Email address"
-msgstr "Adres e-mail"
-
-#: mailu/ui/forms.py:93 mailu/ui/templates/sidebar.html:117
-#: mailu/ui/templates/user/signup.html:4
-#: mailu/ui/templates/user/signup_domain.html:4
-msgid "Sign up"
-msgstr ""
-
-#: mailu/ui/forms.py:119
-msgid "End of vacation"
-msgstr "Koniec wakacji"
-
-#: mailu/ui/templates/client.html:4 mailu/ui/templates/sidebar.html:82
-msgid "Client setup"
-msgstr "Konfiguracja klienta"
-
-#: mailu/ui/templates/client.html:16 mailu/ui/templates/client.html:43
-msgid "Mail protocol"
-msgstr "Protokół poczty"
-
-#: mailu/ui/templates/client.html:24 mailu/ui/templates/client.html:51
-msgid "Server name"
-msgstr "Nazwa serwera"
-
-#: mailu/ui/templates/domain/signup.html:4 mailu/ui/templates/sidebar.html:98
-msgid "Register a domain"
-msgstr "Zarejestruj domenę"
-
-#: mailu/ui/templates/domain/details.html:17
-msgid "Generate keys"
-msgstr "Wygeneruj klucze"
-
-#: mailu/ui/templates/domain/signup.html:13
-msgid "In order to register a new domain, you must first setup the\n"
-"    domain zone so that the domain <code>MX</code> points to this server"
-msgstr ""
-"Aby zarejestrować nową domenę, musisz najpierw skonfigurować strefę domeny, "
-"aby domena <code> MX </code> wskazywała na ten serwer"
-
-#: mailu/ui/templates/domain/signup.html:18
-msgid "If you do not know how to setup an <code>MX</code> record for your DNS zone,\n"
-"    please contact your DNS provider or administrator. Also, please wait a\n"
-"    couple minutes after the <code>MX</code> is set so the local server cache\n"
-"    expires."
-msgstr ""
-"Jeśli nie wiesz, jak skonfigurować rekord <code> MX </code>  dla swojej "
-"strefy DNS,\n"
-"skontaktuj się z dostawcą DNS lub administratorem. Proszę również poczekać\n"
-"kilka minut po ustawieniu <code> MX </code> , żeby pamięć podręczna serwera "
-"lokalnego wygasła."
+#: mailu/ui/templates/user/settings.html:26
+msgid "Auto-forward"
+msgstr "Automatyczne przekierowanie"
 
 #: mailu/ui/templates/user/signup_domain.html:8
 msgid "pick a domain for the new account"
@@ -713,3 +690,40 @@ msgstr "Domena"
 #: mailu/ui/templates/user/signup_domain.html:15
 msgid "Available slots"
 msgstr "Dostępne miejsca"
+
+#~ msgid "Spam filter threshold"
+#~ msgstr "Próg filtra antyspamowego"
+
+#~ msgid "Your account"
+#~ msgstr "Twoje konto"
+
+#~ msgid "Services status"
+#~ msgstr "Status usług"
+
+#~ msgid "Service"
+#~ msgstr "Usługa"
+
+#~ msgid "Status"
+#~ msgstr "Status"
+
+#~ msgid "PID"
+#~ msgstr "PID"
+
+#~ msgid "Image"
+#~ msgstr "Obraz"
+
+#~ msgid "Started"
+#~ msgstr "Uruchomione"
+
+#~ msgid "Last update"
+#~ msgstr "Ostatnia aktualizacja"
+
+#~ msgid "My account"
+#~ msgstr "Moje konto"
+
+#~ msgid "from"
+#~ msgstr "od"
+
+#~ msgid "General settings"
+#~ msgstr "Ustawienia ogólne"
+

From 5a1e6dfb6125ad727d1ee4d08094ea80cb2f0d53 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Wed, 8 Sep 2021 12:30:28 +0000
Subject: [PATCH 049/222] Added documentation for new LOGO_BACKGROUND and
 LOGO_URL env variables.

---
 docs/configuration.rst | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/docs/configuration.rst b/docs/configuration.rst
index 3d536fd4..9da0a14c 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -124,6 +124,13 @@ Both ``SITENAME`` and ``WEBSITE`` are customization options for the panel menu
 in the admin interface, while ``SITENAME`` is a customization option for
 every Web interface.
 
+- ``LOGO_BACKGROUND`` sets a custom background colour for the brand logo in the topleft of the main admin interface.
+  For a list of colour codes refer to this page of `w3schools`_.
+
+- ``LOGO_URL`` sets a URL for a custom logo. This logo replaces the Mailu logo in the topleft of the main admin interface.
+
+.. _`w3schools`: https://www.w3schools.com/cssref/css_colors.asp
+
 .. _admin_account:
 
 Admin account - automatic creation

From bb40ccc4b0476b1152eeba185ec754c85c334bc1 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 9 Sep 2021 11:58:27 +0200
Subject: [PATCH 050/222] normalize HOSTNAMES

should be moved to python lib and normalized in start.py
---
 core/admin/mailu/configuration.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 1f13f896..7405d81f 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -145,7 +145,9 @@ class ConfigManager(dict):
         self.config['SESSION_COOKIE_SAMESITE'] = 'Strict'
         self.config['SESSION_COOKIE_HTTPONLY'] = True
         self.config['PERMANENT_SESSION_LIFETIME'] = timedelta(hours=int(self.config['SESSION_LIFETIME']))
-        self.config['HOSTNAME'] = self.config['HOSTNAMES'].split(',', 1)[0].strip()
+        hostnames = [host.strip() for host in self.config['HOSTNAMES'].split(',', 1)]
+        self.config['HOSTNAMES'] = ','.join(hostnames)
+        self.config['HOSTNAME'] = hostnames[0]
         # update the app config itself
         app.config = self
 

From b883e3c4a6865592f0398fd0aa209edd2cfe66e6 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 9 Sep 2021 12:10:34 +0200
Subject: [PATCH 051/222] duh.

---
 core/admin/mailu/configuration.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 7405d81f..196b0197 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -145,7 +145,7 @@ class ConfigManager(dict):
         self.config['SESSION_COOKIE_SAMESITE'] = 'Strict'
         self.config['SESSION_COOKIE_HTTPONLY'] = True
         self.config['PERMANENT_SESSION_LIFETIME'] = timedelta(hours=int(self.config['SESSION_LIFETIME']))
-        hostnames = [host.strip() for host in self.config['HOSTNAMES'].split(',', 1)]
+        hostnames = [host.strip() for host in self.config['HOSTNAMES'].split(',')]
         self.config['HOSTNAMES'] = ','.join(hostnames)
         self.config['HOSTNAME'] = hostnames[0]
         # update the app config itself

From b02ceab72f4a917cc8b543d20d31d634554dc9a9 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 9 Sep 2021 17:30:46 +0200
Subject: [PATCH 052/222] handle DEFER_ON_TLS_ERROR as bool

use /conf/mta-sts-daemon.yml when override is missing
---
 core/postfix/Dockerfile                    | 1 -
 core/postfix/conf/main.cf                  | 2 +-
 core/postfix/{ => conf}/mta-sts-daemon.yml | 2 +-
 core/postfix/start.py                      | 5 +++--
 4 files changed, 5 insertions(+), 5 deletions(-)
 rename core/postfix/{ => conf}/mta-sts-daemon.yml (68%)

diff --git a/core/postfix/Dockerfile b/core/postfix/Dockerfile
index e93a584c..bdf45e35 100644
--- a/core/postfix/Dockerfile
+++ b/core/postfix/Dockerfile
@@ -20,7 +20,6 @@ RUN apk add --no-cache postfix postfix-pcre cyrus-sasl-login
 
 COPY conf /conf
 COPY start.py /start.py
-COPY mta-sts-daemon.yml /etc/
 
 EXPOSE 25/tcp 10025/tcp
 VOLUME ["/queue"]
diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 6152388c..3f478ed5 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -59,7 +59,7 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
 smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
-smtp_tls_dane_insecure_mx_policy = {% if DEFER_ON_TLS_ERROR == 'false' %}may{% else %}dane{% endif %}
+smtp_tls_dane_insecure_mx_policy = {{ 'dane' if DEFER_ON_TLS_ERROR else 'may' }}
 smtp_tls_policy_maps=lmdb:/etc/postfix/tls_policy.map, ${podop}dane, socketmap:unix:/tmp/mta-sts.socket:postfix
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
diff --git a/core/postfix/mta-sts-daemon.yml b/core/postfix/conf/mta-sts-daemon.yml
similarity index 68%
rename from core/postfix/mta-sts-daemon.yml
rename to core/postfix/conf/mta-sts-daemon.yml
index 361bcbf9..1527b73f 100644
--- a/core/postfix/mta-sts-daemon.yml
+++ b/core/postfix/conf/mta-sts-daemon.yml
@@ -6,5 +6,5 @@ cache:
   options:
     cache_size: 10000
 default_zone:
-  strict_testing: {{ DEFER_ON_TLS_ERROR |default('true') }}
+  strict_testing: {{ 'true' if DEFER_ON_TLS_ERROR else 'false' }}
   timeout: 4
diff --git a/core/postfix/start.py b/core/postfix/start.py
index 3de83a63..361ef3ba 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -76,8 +76,9 @@ for map_file in glob.glob("/overrides/*.map"):
     os.remove(destination)
 
 if os.path.exists("/overrides/mta-sts-daemon.yml"):
-    shutil.copyfile("/overrides/mta-sts-daemon.yml", "/etc/mta-sts-daemon.yml")
-conf.jinja("/etc/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
+	conf.jinja("/overrides/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
+else:
+	conf.jinja("/conf/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
 
 if not os.path.exists("/etc/postfix/tls_policy.map.lmdb"):
     open("/etc/postfix/tls_policy.map", "a").close()

From 05c79b0e3c31f3cdfbddc8f7ffe64d332eb6f128 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 9 Sep 2021 18:45:39 +0200
Subject: [PATCH 053/222] copy (and not parse) mta sts override config

---
 core/postfix/start.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/postfix/start.py b/core/postfix/start.py
index 361ef3ba..12610bd0 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -76,9 +76,9 @@ for map_file in glob.glob("/overrides/*.map"):
     os.remove(destination)
 
 if os.path.exists("/overrides/mta-sts-daemon.yml"):
-	conf.jinja("/overrides/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
+    shutil.copyfile("/overrides/mta-sts-daemon.yml", "/etc/mta-sts-daemon.yml")
 else:
-	conf.jinja("/conf/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
+    conf.jinja("/conf/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
 
 if not os.path.exists("/etc/postfix/tls_policy.map.lmdb"):
     open("/etc/postfix/tls_policy.map", "a").close()

From 7bec8029a43a0d01ccd969d306d1146af8192e23 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 9 Sep 2021 21:41:03 +0200
Subject: [PATCH 054/222] strip not necessary anymore

---
 core/admin/mailu/models.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index 86e285d0..f93b158f 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -312,7 +312,7 @@ class Domain(Base):
     def check_mx(self):
         """ checks if MX record for domain points to mailu host """
         try:
-            hostnames = set(fqdn.strip() for fqdn in app.config['HOSTNAMES'].split(','))
+            hostnames = set(app.config['HOSTNAMES'].split(','))
             return any(
                 rset.exchange.to_text().rstrip('.') in hostnames
                 for rset in dns.resolver.query(self.name, 'MX')

From b63081cb48969603ad572f4960b79fd6251c79be Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 13 Sep 2021 14:49:49 +0200
Subject: [PATCH 055/222] display error (not exception) when creating admin

repleace misleading python exception (mailu broken)
with error message stating that the admin user is
already present
---
 core/admin/mailu/manage.py | 37 +++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/core/admin/mailu/manage.py b/core/admin/mailu/manage.py
index 5708327e..d83efa9d 100644
--- a/core/admin/mailu/manage.py
+++ b/core/admin/mailu/manage.py
@@ -48,44 +48,45 @@ def advertise():
 @click.argument('localpart')
 @click.argument('domain_name')
 @click.argument('password')
-@click.option('-m', '--mode')
+@click.option('-m', '--mode', default='create')
 @with_appcontext
-def admin(localpart, domain_name, password, mode='create'):
+def admin(localpart, domain_name, password, mode):
     """ Create an admin user
         'mode' can be:
-            - 'create' (default) Will try to create user and will raise an exception if present
+            - 'create': (default) create user. it's an error if user already exists
             - 'ifmissing': if user exists, nothing happens, else it will be created
             - 'update': user is created or, if it exists, its password gets updated
     """
+
+    if not mode in ('create', 'update', 'ifmissing'):
+        raise click.ClickException(f'invalid mode: {mode!r}')
+
     domain = models.Domain.query.get(domain_name)
     if not domain:
         domain = models.Domain(name=domain_name)
         db.session.add(domain)
 
-    user = None
-    if mode == 'ifmissing' or mode == 'update':
-        email = f'{localpart}@{domain_name}'
-        user = models.User.query.get(email)
-
-        if user and mode == 'ifmissing':
-            print('user %s exists, not updating' % email)
+    email = f'{localpart}@{domain_name}'
+    if user := models.User.query.get(email):
+        if mode == 'ifmissing':
+            print(f'user {email!r} exists, not updating')
             return
-
-    if not user:
+        elif mode == 'update':
+            user.set_password(password)
+            db.session.commit()
+            print("updated admin password")
+        else:
+            raise click.ClickException(f'user {email!r} exists, not created')
+    else:
         user = models.User(
             localpart=localpart,
             domain=domain,
             global_admin=True
         )
-        user.set_password(password)
         db.session.add(user)
+        user.set_password(password)
         db.session.commit()
         print("created admin user")
-    elif mode == 'update':
-        user.set_password(password)
-        db.session.commit()
-        print("updated admin password")
-
 
 
 @mailu.command()

From 25cf8b53589a746e8ad45757dcb747c4ca7215ee Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 13 Sep 2021 15:13:29 +0200
Subject: [PATCH 056/222] better help formatting

---
 core/admin/mailu/manage.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/core/admin/mailu/manage.py b/core/admin/mailu/manage.py
index d83efa9d..54f4b826 100644
--- a/core/admin/mailu/manage.py
+++ b/core/admin/mailu/manage.py
@@ -48,14 +48,13 @@ def advertise():
 @click.argument('localpart')
 @click.argument('domain_name')
 @click.argument('password')
-@click.option('-m', '--mode', default='create')
+@click.option('-m', '--mode', default='create', metavar='MODE', help='''\b'create' (default): create user. it's an error if user already exists
+'ifmissing': only update password if user is missing
+'update': create user or update password if user exists
+''')
 @with_appcontext
 def admin(localpart, domain_name, password, mode):
     """ Create an admin user
-        'mode' can be:
-            - 'create': (default) create user. it's an error if user already exists
-            - 'ifmissing': if user exists, nothing happens, else it will be created
-            - 'update': user is created or, if it exists, its password gets updated
     """
 
     if not mode in ('create', 'update', 'ifmissing'):

From d31b1380e5127db145951c7264091438a46cdb8d Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 13 Sep 2021 15:23:05 +0200
Subject: [PATCH 057/222] fix spelling

---
 PULL_REQUEST_TEMPLATE.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/PULL_REQUEST_TEMPLATE.md b/PULL_REQUEST_TEMPLATE.md
index 8fb3265d..fc3b6b61 100644
--- a/PULL_REQUEST_TEMPLATE.md
+++ b/PULL_REQUEST_TEMPLATE.md
@@ -8,7 +8,7 @@
 - Mention an issue like: #001
 - Auto close an issue like: closes #001
 
-## Prerequistes
+## Prerequisites
 Before we can consider review and merge, please make sure the following list is done and checked.
 If an entry in not applicable, you can check it or remove it from the list.
 

From 447b237ecb12510c51d9ec2805e6f887b79dd8e1 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 16 Sep 2021 09:03:44 +0200
Subject: [PATCH 058/222] fix freshclam startup

- create pid file in existing folder /run
- let freshclam log to stdout
- remove deprecated SafeBrowsing
---
 optional/clamav/conf/freshclam.conf | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/optional/clamav/conf/freshclam.conf b/optional/clamav/conf/freshclam.conf
index 88d12bef..828163a0 100644
--- a/optional/clamav/conf/freshclam.conf
+++ b/optional/clamav/conf/freshclam.conf
@@ -3,9 +3,9 @@
 ###############
 
 DatabaseDirectory /data
-LogSyslog yes
+UpdateLogFile /dev/stdout
 LogTime yes
-PidFile /run/clamav/freshclam.pid
+PidFile /run/freshclam.pid
 DatabaseOwner root
 
 ###############
@@ -15,5 +15,4 @@ DatabaseOwner root
 DatabaseMirror database.clamav.net
 ScriptedUpdates yes
 NotifyClamd /etc/clamav/clamd.conf
-SafeBrowsing yes
 Bytecode yes

From 1157868370d2767009fc587601fa71b0e2f7f7e9 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Thu, 23 Sep 2021 16:08:52 +0200
Subject: [PATCH 059/222] Document how to setup autoconfig

---
 docs/faq.rst                            | 52 +++++++++++++++++++++++++
 towncrier/newsfragments/224.enhancement |  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 towncrier/newsfragments/224.enhancement

diff --git a/docs/faq.rst b/docs/faq.rst
index 01557237..177e65d7 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -394,6 +394,58 @@ Mailu can serve an `MTA-STS policy`_; To configure it you will need to:
 .. _`1798`: https://github.com/Mailu/Mailu/issues/1798
 .. _`MTA-STS policy`: https://datatracker.ietf.org/doc/html/rfc8461
 
+How do I setup client autoconfiguration?
+````````````````````````````````````````
+
+Mailu can serve an `XML file for autoconfiguration`_; To configure it you will need to:
+
+1. add ``autoconfig.example.com`` to the ``HOSTNAMES`` configuration variable (and ensure that a valid SSL certificate is available for it; this may mean restarting your smtp container)
+
+2. configure an override with the policy itself; for example, your ``overrides/nginx/autoconfiguration.conf`` could read:
+
+.. code-block:: bash
+
+   location ^~ /mail/config-v1.1.xml {
+   return 200 "<?xml version=\"1.0\"?>
+   <clientConfig version=\"1.1\">
+   <emailProvider id=\"%EMAILDOMAIN%\">
+   <domain>%EMAILDOMAIN%</domain>
+
+   <displayName>Email</displayName>
+   <displayShortName>Email</displayShortName>
+
+   <incomingServer type=\"imap\">
+   <hostname>mailu.example.com</hostname>
+   <port>993</port>
+   <socketType>SSL</socketType>
+   <username>%EMAILADDRESS%</username>
+   <authentication>password-cleartext</authentication>
+   </incomingServer>
+
+   <outgoingServer type=\"smtp\">
+   <hostname>mailu.example.com</hostname>
+   <port>465</port>
+   <socketType>SSL</socketType>
+   <username>%EMAILADDRESS%</username>
+   <authentication>password-cleartext</authentication>
+   <addThisServer>true</addThisServer>
+   <useGlobalPreferredServer>true</useGlobalPreferredServer>
+   </outgoingServer>
+
+   <documentation url=\"https://mailu.example.com/admin/ui/client\">
+   <descr lang=\"en\">Configure your email client</descr>
+   </documentation>
+   </emailProvider>
+   </clientConfig>\r\n";
+   }
+
+3. setup the appropriate DNS/CNAME record (``autoconfig.example.com`` -> ``mailu.example.com``).
+
+*issue reference:* `224`_.
+
+.. _`224`: https://github.com/Mailu/Mailu/issues/224
+.. _`XML file for autoconfiguration`: https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat
+
 Technical issues
 ----------------
 
diff --git a/towncrier/newsfragments/224.enhancement b/towncrier/newsfragments/224.enhancement
new file mode 100644
index 00000000..9e4edccf
--- /dev/null
+++ b/towncrier/newsfragments/224.enhancement
@@ -0,0 +1 @@
+Document how to setup client autoconfig using an override

From 89ea51d5700e3b8a7cf88fd06b45144c8e1631eb Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Thu, 23 Sep 2021 18:40:49 +0200
Subject: [PATCH 060/222] Implement rate-limits

---
 core/admin/mailu/__init__.py            |  1 +
 core/admin/mailu/configuration.py       |  7 +++-
 core/admin/mailu/internal/nginx.py      | 13 +++++-
 core/admin/mailu/internal/views/auth.py | 49 ++++++++++++++++------
 core/admin/mailu/limiter.py             | 56 ++++++++++++++++++++++++-
 core/admin/mailu/ui/views/base.py       | 18 ++++++--
 core/admin/mailu/utils.py               | 11 +++++
 core/nginx/conf/nginx.conf              |  1 +
 docs/configuration.rst                  | 21 ++++++----
 docs/swarm/master/README.md             |  3 ++
 setup/flavors/compose/mailu.env         |  2 +-
 towncrier/newsfragments/116.feature     |  1 +
 towncrier/newsfragments/1194.bugfix     |  1 +
 towncrier/newsfragments/1612.feature    |  1 +
 14 files changed, 157 insertions(+), 28 deletions(-)
 create mode 100644 towncrier/newsfragments/116.feature
 create mode 100644 towncrier/newsfragments/1194.bugfix
 create mode 100644 towncrier/newsfragments/1612.feature

diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py
index 9b712512..43e58171 100644
--- a/core/admin/mailu/__init__.py
+++ b/core/admin/mailu/__init__.py
@@ -28,6 +28,7 @@ def create_app_from_config(config):
     utils.proxy.init_app(app)
     utils.migrate.init_app(app, models.db)
 
+    app.device_cookie_key = hmac.new(bytearray(app.secret_key, 'utf-8'), bytearray('DEVICE_COOKIE_KEY', 'utf-8'), 'sha256').digest()
     app.temp_token_key = hmac.new(bytearray(app.secret_key, 'utf-8'), bytearray('WEBMAIL_TEMP_TOKEN_KEY', 'utf-8'), 'sha256').digest()
 
     # Initialize list of translations
diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 4401888a..b0a1bf7b 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -36,8 +36,11 @@ DEFAULT_CONFIG = {
     'TLS_FLAVOR': 'cert',
     'INBOUND_TLS_ENFORCE': False,
     'DEFER_ON_TLS_ERROR': True,
-    'AUTH_RATELIMIT': '1000/minute;10000/hour',
-    'AUTH_RATELIMIT_SUBNET': False,
+    'AUTH_RATELIMIT_IP': '10/hour',
+    'AUTH_RATELIMIT_IP_V4_MASK': 24,
+    'AUTH_RATELIMIT_IP_V6_MASK': 56,
+    'AUTH_RATELIMIT_USER': '100/day',
+    'AUTH_RATELIMIT_EXEMPTION_LENGTH': 86400,
     'DISABLE_STATISTICS': False,
     # Mail settings
     'DMARC_RUA': None,
diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index 167341e2..78f83e99 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -19,6 +19,11 @@ STATUSES = {
     "encryption": ("Must issue a STARTTLS command first", {
         "smtp": "530 5.7.0"
     }),
+    "ratelimit": ("Temporary authentication failure (rate-limit)", {
+        "imap": "LIMIT",
+        "smtp": "451 4.3.2",
+        "pop3": "-ERR [LOGIN-DELAY] Retry later"
+    }),
 }
 
 def check_credentials(user, password, ip, protocol=None):
@@ -71,8 +76,9 @@ def handle_authentication(headers):
             }
     # Authenticated user
     elif method == "plain":
+        is_valid_user = False
         service_port = int(urllib.parse.unquote(headers["Auth-Port"]))
-        if service_port == 25:
+        if 'Auth-Port' in headers and  service_port == 25:
             return {
                 "Auth-Status": "AUTH not supported",
                 "Auth-Error-Code": "502 5.5.1",
@@ -91,18 +97,23 @@ def handle_authentication(headers):
             app.logger.warn(f'Received undecodable user/password from nginx: {raw_user_email!r}/{raw_password!r}')
         else:
             user = models.User.query.get(user_email)
+            is_valid_user = True
             ip = urllib.parse.unquote(headers["Client-Ip"])
             if check_credentials(user, password, ip, protocol):
                 server, port = get_server(headers["Auth-Protocol"], True)
                 return {
                     "Auth-Status": "OK",
                     "Auth-Server": server,
+                    "Auth-User": user_email,
+                    "Auth-User-Exists": is_valid_user,
                     "Auth-Port": port
                 }
         status, code = get_status(protocol, "authentication")
         return {
             "Auth-Status": status,
             "Auth-Error-Code": code,
+            "Auth-User": user_email,
+            "Auth-User-Exists": is_valid_user,
             "Auth-Wait": 0
         }
     # Unexpected
diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py
index 1686e1cb..457efd4b 100644
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@@ -5,19 +5,17 @@ from flask import current_app as app
 import flask
 import flask_login
 import base64
-import ipaddress
-
 
 @internal.route("/auth/email")
 def nginx_authentication():
     """ Main authentication endpoint for Nginx email server
     """
-    limiter = utils.limiter.get_limiter(app.config["AUTH_RATELIMIT"], "auth-ip")
     client_ip = flask.request.headers["Client-Ip"]
-    if not limiter.test(client_ip):
+    if utils.limiter.should_rate_limit_ip(client_ip):
+        status, code = nginx.get_status(flask.request.headers['Auth-Protocol'], 'ratelimit')
         response = flask.Response()
-        response.headers['Auth-Status'] = 'Authentication rate limit from one source exceeded'
-        response.headers['Auth-Error-Code'] = '451 4.3.2'
+        response.headers['Auth-Status'] = status
+        response.headers['Auth-Error-Code'] = code
         if int(flask.request.headers['Auth-Login-Attempt']) < 10:
             response.headers['Auth-Wait'] = '3'
         return response
@@ -25,14 +23,25 @@ def nginx_authentication():
     response = flask.Response()
     for key, value in headers.items():
         response.headers[key] = str(value)
+    is_valid_user = False
+    if "Auth-User-Exists" in response.headers and response.headers["Auth-User-Exists"]:
+        username = response.headers["Auth-User"]
+        if utils.limiter.should_rate_limit_user(username, client_ip):
+            # FIXME could be done before handle_authentication()
+            status, code = nginx.get_status(flask.request.headers['Auth-Protocol'], 'ratelimit')
+            response = flask.Response()
+            response.headers['Auth-Status'] = status
+            response.headers['Auth-Error-Code'] = code
+            if int(flask.request.headers['Auth-Login-Attempt']) < 10:
+                response.headers['Auth-Wait'] = '3'
+            return response
+        is_valid_user = True
     if ("Auth-Status" not in headers) or (headers["Auth-Status"] != "OK"):
-        limit_subnet = str(app.config["AUTH_RATELIMIT_SUBNET"]) != 'False'
-        subnet = ipaddress.ip_network(app.config["SUBNET"])
-        if limit_subnet or ipaddress.ip_address(client_ip) not in subnet:
-            limiter.hit(flask.request.headers["Client-Ip"])
+        utils.limiter.rate_limit_user(username, client_ip) if is_valid_user else rate_limit_ip(client_ip)
+    elif ("Auth-Status" in headers) and (headers["Auth-Status"] == "OK"):
+        utils.limiter.exempt_ip_from_ratelimits(client_ip)
     return response
 
-
 @internal.route("/auth/admin")
 def admin_authentication():
     """ Fails if the user is not an authenticated admin.
@@ -60,15 +69,29 @@ def user_authentication():
 def basic_authentication():
     """ Tries to authenticate using the Authorization header.
     """
+    client_ip = flask.request.headers["X-Real-IP"] if 'X-Real-IP' in flask.request.headers else flask.request.remote_addr
+    if utils.limiter.should_rate_limit_ip(client_ip):
+        response = flask.Response(status=401)
+        response.headers["WWW-Authenticate"] = 'Basic realm="Authentication rate limit from one source exceeded"'
+        response.headers['Retry-After'] = '60'
+        return response
     authorization = flask.request.headers.get("Authorization")
     if authorization and authorization.startswith("Basic "):
         encoded = authorization.replace("Basic ", "")
         user_email, password = base64.b64decode(encoded).split(b":", 1)
-        user = models.User.query.get(user_email.decode("utf8"))
-        if nginx.check_credentials(user, password.decode('utf-8'), flask.request.remote_addr, "web"):
+        user_email = user_email.decode("utf8")
+        if utils.limiter.should_rate_limit_user(user_email, client_ip):
+            response = flask.Response(status=401)
+            response.headers["WWW-Authenticate"] = 'Basic realm="Authentication rate limit for this username exceeded"'
+            response.headers['Retry-After'] = '60'
+            return response
+        user = models.User.query.get(user_email)
+        if user and nginx.check_credentials(user, password.decode('utf-8'), flask.request.remote_addr, "web"):
             response = flask.Response()
             response.headers["X-User"] = models.IdnaEmail.process_bind_param(flask_login, user.email, "")
+            utils.limiter.exempt_ip_from_ratelimits(client_ip)
             return response
+        utils.limiter.rate_limit_user(user_email, client_ip) if user else utils.limiter.rate_limit_ip(client_ip)
     response = flask.Response(status=401)
     response.headers["WWW-Authenticate"] = 'Basic realm="Login Required"'
     return response
diff --git a/core/admin/mailu/limiter.py b/core/admin/mailu/limiter.py
index b5f99915..70b09f21 100644
--- a/core/admin/mailu/limiter.py
+++ b/core/admin/mailu/limiter.py
@@ -1,7 +1,12 @@
+from mailu import utils
+from flask import current_app as app
+import base64
 import limits
 import limits.storage
 import limits.strategies
 
+import hmac
+import secrets
 
 class LimitWrapper(object):
     """ Wraps a limit by providing the storage, item and identifiers
@@ -31,4 +36,53 @@ class LimitWraperFactory(object):
         self.limiter = limits.strategies.MovingWindowRateLimiter(self.storage)
 
     def get_limiter(self, limit, *args):
-        return LimitWrapper(self.limiter, limits.parse(limit), *args)
\ No newline at end of file
+        return LimitWrapper(self.limiter, limits.parse(limit), *args)
+
+    def is_subject_to_rate_limits(self, ip):
+        return not (self.storage.get(f'exempt-{ip}') > 0)
+
+    def exempt_ip_from_ratelimits(self, ip):
+        self.storage.incr(f'exempt-{ip}', app.config["AUTH_RATELIMIT_EXEMPTION_LENGTH"], True)
+
+    def should_rate_limit_ip(self, ip):
+        limiter = self.get_limiter(app.config["AUTH_RATELIMIT_IP"], 'auth-ip')
+        client_network = utils.extract_network_from_ip(ip)
+        return self.is_subject_to_rate_limits(ip) and not limiter.test(client_network)
+
+    def rate_limit_ip(self, ip):
+        if ip != app.config['WEBMAIL_ADDRESS']:
+            limiter = self.get_limiter(app.config["AUTH_RATELIMIT_IP"], 'auth-ip')
+            client_network = utils.extract_network_from_ip(ip)
+            if self.is_subject_to_rate_limits(ip):
+                limiter.hit(client_network)
+
+    def should_rate_limit_user(self, username, ip, device_cookie=None, device_cookie_name=None):
+        limiter = self.get_limiter(app.config["AUTH_RATELIMIT_USER"], 'auth-user')
+        return self.is_subject_to_rate_limits(ip) and not limiter.test(device_cookie if device_cookie_name == username else username)
+
+    def rate_limit_user(self, username, ip, device_cookie=None, device_cookie_name=None):
+        limiter = self.get_limiter(app.config["AUTH_RATELIMIT_USER"], 'auth-user')
+        if self.is_subject_to_rate_limits(ip):
+            limiter.hit(device_cookie if device_cookie_name == username else username)
+
+    """ Device cookies as described on:
+    https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies
+    """
+    def parse_device_cookie(self, cookie):
+        try:
+            login, nonce, _ = cookie.split('$')
+            if hmac.compare_digest(cookie, self.device_cookie(login, nonce)):
+                return nonce, login
+        except:
+            pass
+        return None, None
+
+    """ Device cookies don't require strong crypto:
+        72bits of nonce, 96bits of signature is more than enough
+        and these values avoid padding in most cases
+    """
+    def device_cookie(self, username, nonce=None):
+        if not nonce:
+            nonce = secrets.token_urlsafe(9)
+        sig = str(base64.urlsafe_b64encode(hmac.new(app.device_cookie_key, bytearray(f'device_cookie|{username}|{nonce}', 'utf-8'), 'sha256').digest()[20:]), 'utf-8')
+        return f'{username}${nonce}${sig}'
diff --git a/core/admin/mailu/ui/views/base.py b/core/admin/mailu/ui/views/base.py
index ecd3089a..30173acf 100644
--- a/core/admin/mailu/ui/views/base.py
+++ b/core/admin/mailu/ui/views/base.py
@@ -1,4 +1,4 @@
-from mailu import models
+from mailu import models, utils
 from mailu.ui import ui, forms, access
 
 from flask import current_app as app
@@ -14,16 +14,28 @@ def index():
 
 @ui.route('/login', methods=['GET', 'POST'])
 def login():
+    client_ip = flask.request.headers["X-Real-IP"] if 'X-Real-IP' in flask.request.headers else flask.request.remote_addr
     form = forms.LoginForm()
     if form.validate_on_submit():
-        user = models.User.login(form.email.data, form.pw.data)
+        device_cookie, device_cookie_username = utils.limiter.parse_device_cookie(flask.request.cookies.get('rate_limit'))
+        username = form.email.data
+        if username != device_cookie_username and utils.limiter.should_rate_limit_ip(client_ip):
+            flask.flash('Too many attempts from your IP (rate-limit)', 'error')
+            return flask.render_template('login.html', form=form)
+        if utils.limiter.should_rate_limit_user(username, client_ip, device_cookie, device_cookie_username):
+            flask.flash('Too many attempts for this user (rate-limit)', 'error')
+            return flask.render_template('login.html', form=form)
+        user = models.User.login(username, form.pw.data)
         if user:
             flask.session.regenerate()
             flask_login.login_user(user)
             endpoint = flask.request.args.get('next', '.index')
-            return flask.redirect(flask.url_for(endpoint)
+            response = flask.redirect(flask.url_for(endpoint)
                 or flask.url_for('.index'))
+            response.set_cookie('rate_limit', utils.limiter.device_cookie(username), max_age=31536000, path=flask.url_for('ui.login'))
+            return response
         else:
+            utils.limiter.rate_limit_user(username, client_ip, device_cookie, device_cookie_username) if models.User.get(username) else utils.limiter.rate_limit_ip(client_ip)
             flask.flash('Wrong e-mail or password', 'error')
     return flask.render_template('login.html', form=form)
 
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 34f52d8c..6fce17bc 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -17,10 +17,12 @@ from multiprocessing import Value
 
 from mailu import limiter
 
+from flask import current_app as app
 import flask
 import flask_login
 import flask_migrate
 import flask_babel
+import ipaddress
 import redis
 
 from flask.sessions import SessionMixin, SessionInterface
@@ -70,6 +72,15 @@ def has_dane_record(domain, timeout=10):
 # Rate limiter
 limiter = limiter.LimitWraperFactory()
 
+def extract_network_from_ip(ip):
+    n = ipaddress.ip_network(ip)
+    if isinstance(n, ipaddress.IPv4Network):
+        return str(n.supernet(prefixlen_diff=(32-int(app.config["AUTH_RATELIMIT_IP_V4_MASK"]))).network_address)
+    elif isinstance(n, ipaddress.IPv6Network):
+        return str(n.supernet(prefixlen_diff=(128-int(app.config["AUTH_RATELIMIT_IP_V6_MASK"]))).network_address)
+    else: # not sure what to do with it
+        return ip
+
 # Application translation
 babel = flask_babel.Babel()
 
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index bfd664de..f013176d 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -217,6 +217,7 @@ http {
       location /internal {
         internal;
 
+        proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header Authorization $http_authorization;
         proxy_pass_header Authorization;
         proxy_pass http://$admin;
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 5f17b57e..73b56204 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -39,14 +39,21 @@ address.
 
 The ``WILDCARD_SENDERS`` setting is a comma delimited list of user email addresses that are allowed to send emails from any existing address (spoofing the sender).
 
-The ``AUTH_RATELIMIT`` holds a security setting for fighting attackers that
-try to guess user passwords. The value is the limit of failed authentication attempts
-that a single IP address can perform against IMAP, POP and SMTP authentication endpoints.
+The ``AUTH_RATELIMIT_IP`` (default: 10/hour) holds a security setting for fighting
+attackers that waste server ressources by trying to guess user passwords (typically
+using a password spraying attack). The value defines the limit of authentication
+attempts that will be processed on non-existing accounts for a specific IP subnet
+(as defined in ``AUTH_RATELIMIT_IP_V4_MASK`` and ``AUTH_RATELIMIT_IP_V6_MASK`` below).
 
-If ``AUTH_RATELIMIT_SUBNET`` is ``True`` (default: False), the ``AUTH_RATELIMIT``
-rules does also apply to auth requests coming from ``SUBNET``, especially for the webmail.
-If you disable this, ensure that the rate limit on the webmail is enforced in a different
-way (e.g. roundcube plug-in), otherwise an attacker can simply bypass the limit using webmail.
+The ``AUTH_RATELIMIT_USER`` (default: 100/day) holds a security setting for fighting
+attackers that attempt to guess a user's password (typically using a password
+bruteforce attack). The value defines the limit of authentication attempts allowed
+for any given account within a specific timeframe.
+
+The ``AUTH_RATELIMIT_EXEMPTION_LENGTH`` (default: 86400) is the number of seconds
+after a successful login for which a specific IP address is exempted from rate limits.
+This ensures that users behind a NAT don't get locked out when a single client is
+misconfigured... but also potentially allow for users to attack each-other.
 
 The ``TLS_FLAVOR`` sets how Mailu handles TLS connections. Setting this value to
 ``notls`` will cause Mailu not to server any web content! More on :ref:`tls_flavor`.
diff --git a/docs/swarm/master/README.md b/docs/swarm/master/README.md
index 42e742da..0e933308 100644
--- a/docs/swarm/master/README.md
+++ b/docs/swarm/master/README.md
@@ -100,6 +100,9 @@ https://github.com/moby/moby/issues/25526#issuecomment-336363408
 ### Don't create an open relay !
 As a side effect of this ingress mode "feature", make sure that the ingress subnet is not in your RELAYHOST, otherwise you would create an smtp open relay :-(
 
+### Ratelimits
+
+When using ingress mode you probably want to disable rate limits, because all requests originate from the same ip address. Otherwise automatic login attempts can easily DoS the legitimate users.
 
 ## Scalability
 - smtp and imap are scalable
diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env
index 52f4ee04..0ba39019 100644
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@@ -29,7 +29,7 @@ POSTMASTER={{ postmaster }}
 # Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
 TLS_FLAVOR={{ tls_flavor }}
 
-# Authentication rate limit (per source IP address)
+# Authentication rate limit (per /24 on ipv4 and /56 on ipv6)
 {% if auth_ratelimit_pm > '0' %}
 AUTH_RATELIMIT={{ auth_ratelimit_pm }}/minute
 {% endif %}
diff --git a/towncrier/newsfragments/116.feature b/towncrier/newsfragments/116.feature
new file mode 100644
index 00000000..4f73e7a8
--- /dev/null
+++ b/towncrier/newsfragments/116.feature
@@ -0,0 +1 @@
+ Make the rate limit apply to a subnet rather than a specific IP (/24 for v4 and /56 for v6)
diff --git a/towncrier/newsfragments/1194.bugfix b/towncrier/newsfragments/1194.bugfix
new file mode 100644
index 00000000..866c6c3b
--- /dev/null
+++ b/towncrier/newsfragments/1194.bugfix
@@ -0,0 +1 @@
+Fix rate-limiting on /webdav/
diff --git a/towncrier/newsfragments/1612.feature b/towncrier/newsfragments/1612.feature
new file mode 100644
index 00000000..04d8d508
--- /dev/null
+++ b/towncrier/newsfragments/1612.feature
@@ -0,0 +1 @@
+Refactor the rate limiter to ensure that it performs as intented.

From a9340e61f538eccc8f8aaa7ae27eb9e303aaca42 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Thu, 23 Sep 2021 18:48:23 +0200
Subject: [PATCH 061/222] Log auth attempts on /admin

---
 core/admin/mailu/ui/views/base.py    | 2 ++
 towncrier/newsfragments/1926.feature | 1 +
 2 files changed, 3 insertions(+)
 create mode 100644 towncrier/newsfragments/1926.feature

diff --git a/core/admin/mailu/ui/views/base.py b/core/admin/mailu/ui/views/base.py
index 30173acf..05211804 100644
--- a/core/admin/mailu/ui/views/base.py
+++ b/core/admin/mailu/ui/views/base.py
@@ -33,9 +33,11 @@ def login():
             response = flask.redirect(flask.url_for(endpoint)
                 or flask.url_for('.index'))
             response.set_cookie('rate_limit', utils.limiter.device_cookie(username), max_age=31536000, path=flask.url_for('ui.login'))
+            flask.current_app.logger.info(f'Login succeeded for {username} from {client_ip}.')
             return response
         else:
             utils.limiter.rate_limit_user(username, client_ip, device_cookie, device_cookie_username) if models.User.get(username) else utils.limiter.rate_limit_ip(client_ip)
+            flask.current_app.logger.warn(f'Login failed for {username} from {client_ip}.')
             flask.flash('Wrong e-mail or password', 'error')
     return flask.render_template('login.html', form=form)
 
diff --git a/towncrier/newsfragments/1926.feature b/towncrier/newsfragments/1926.feature
new file mode 100644
index 00000000..fdd4ae87
--- /dev/null
+++ b/towncrier/newsfragments/1926.feature
@@ -0,0 +1 @@
+Log authentication attempts on the admin portal

From cab0ce2017c10828944a71100210e70a959a54fe Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Thu, 23 Sep 2021 19:01:09 +0200
Subject: [PATCH 062/222] doh

---
 core/admin/mailu/internal/nginx.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index 78f83e99..ff7070ab 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -77,8 +77,7 @@ def handle_authentication(headers):
     # Authenticated user
     elif method == "plain":
         is_valid_user = False
-        service_port = int(urllib.parse.unquote(headers["Auth-Port"]))
-        if 'Auth-Port' in headers and  service_port == 25:
+        if 'Auth-Port' in headers and int(urllib.parse.unquote(headers["Auth-Port"])) == 25:
             return {
                 "Auth-Status": "AUTH not supported",
                 "Auth-Error-Code": "502 5.5.1",

From 64bc7972cc41ad0cf42eb23a7fb8fefb3f97cd2d Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Fri, 24 Sep 2021 09:57:28 +0200
Subject: [PATCH 063/222] Make AUTH_RATELIMIT_IP 60/hour as discussed

---
 core/admin/mailu/configuration.py | 2 +-
 docs/configuration.rst            | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index b0a1bf7b..fa6723f1 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -36,7 +36,7 @@ DEFAULT_CONFIG = {
     'TLS_FLAVOR': 'cert',
     'INBOUND_TLS_ENFORCE': False,
     'DEFER_ON_TLS_ERROR': True,
-    'AUTH_RATELIMIT_IP': '10/hour',
+    'AUTH_RATELIMIT_IP': '60/hour',
     'AUTH_RATELIMIT_IP_V4_MASK': 24,
     'AUTH_RATELIMIT_IP_V6_MASK': 56,
     'AUTH_RATELIMIT_USER': '100/day',
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 73b56204..c736f30b 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -39,7 +39,7 @@ address.
 
 The ``WILDCARD_SENDERS`` setting is a comma delimited list of user email addresses that are allowed to send emails from any existing address (spoofing the sender).
 
-The ``AUTH_RATELIMIT_IP`` (default: 10/hour) holds a security setting for fighting
+The ``AUTH_RATELIMIT_IP`` (default: 60/hour) holds a security setting for fighting
 attackers that waste server ressources by trying to guess user passwords (typically
 using a password spraying attack). The value defines the limit of authentication
 attempts that will be processed on non-existing accounts for a specific IP subnet

From 24aadf2f520eca1d61f8bd98550b64cccf736a9e Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Fri, 24 Sep 2021 10:07:41 +0200
Subject: [PATCH 064/222] ensure we log when the rate limiter hits

---
 core/admin/mailu/limiter.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/limiter.py b/core/admin/mailu/limiter.py
index 70b09f21..88319012 100644
--- a/core/admin/mailu/limiter.py
+++ b/core/admin/mailu/limiter.py
@@ -47,7 +47,10 @@ class LimitWraperFactory(object):
     def should_rate_limit_ip(self, ip):
         limiter = self.get_limiter(app.config["AUTH_RATELIMIT_IP"], 'auth-ip')
         client_network = utils.extract_network_from_ip(ip)
-        return self.is_subject_to_rate_limits(ip) and not limiter.test(client_network)
+        is_rate_limited = self.is_subject_to_rate_limits(ip) and not limiter.test(client_network)
+        if is_rate_limited:
+            app.logger.warn(f'Authentication attempt from {ip} has been rate-limited.')
+        return is_rate_limited
 
     def rate_limit_ip(self, ip):
         if ip != app.config['WEBMAIL_ADDRESS']:
@@ -58,7 +61,10 @@ class LimitWraperFactory(object):
 
     def should_rate_limit_user(self, username, ip, device_cookie=None, device_cookie_name=None):
         limiter = self.get_limiter(app.config["AUTH_RATELIMIT_USER"], 'auth-user')
-        return self.is_subject_to_rate_limits(ip) and not limiter.test(device_cookie if device_cookie_name == username else username)
+        is_rate_limited = self.is_subject_to_rate_limits(ip) and not limiter.test(device_cookie if device_cookie_name == username else username)
+        if is_rate_limited:
+            app.logger.warn(f'Authentication attempt from {ip} for {username} has been rate-limited.')
+        return is_rate_limited
 
     def rate_limit_user(self, username, ip, device_cookie=None, device_cookie_name=None):
         limiter = self.get_limiter(app.config["AUTH_RATELIMIT_USER"], 'auth-user')

From 9894b49cbd2c41a8ec139381774de7b0cc238631 Mon Sep 17 00:00:00 2001
From: Diman0 <diman@huisman.xyz>
Date: Fri, 24 Sep 2021 10:07:52 +0200
Subject: [PATCH 065/222] Merge/Update with changes from master

---
 core/admin/mailu/sso/forms.py                 |  2 +
 core/admin/mailu/sso/templates/base_sso.html  | 72 +++++++++++++------
 core/admin/mailu/sso/templates/form_sso.html  | 10 +--
 core/admin/mailu/sso/templates/login.html     | 16 ++---
 .../mailu/sso/templates/sidebar_sso.html      | 43 ++++++-----
 core/admin/mailu/sso/views/base.py            | 20 ++++--
 core/nginx/conf/nginx.conf                    |  4 +-
 7 files changed, 109 insertions(+), 58 deletions(-)

diff --git a/core/admin/mailu/sso/forms.py b/core/admin/mailu/sso/forms.py
index bc2b5363..8b5f4cba 100644
--- a/core/admin/mailu/sso/forms.py
+++ b/core/admin/mailu/sso/forms.py
@@ -11,6 +11,8 @@ LOCALPART_REGEX = "^[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-zA-Z0-9!#$%&'*+/=?^_`
 class LoginForm(flask_wtf.FlaskForm):
     class Meta:
         csrf = False
+    target = fields.SelectField( u'Go to' )
     email = fields.StringField(_('E-mail'), [validators.Email()])
     pw = fields.PasswordField(_('Password'), [validators.DataRequired()])
     submit = fields.SubmitField(_('Sign in'))
+
diff --git a/core/admin/mailu/sso/templates/base_sso.html b/core/admin/mailu/sso/templates/base_sso.html
index 0edd692c..062adf36 100644
--- a/core/admin/mailu/sso/templates/base_sso.html
+++ b/core/admin/mailu/sso/templates/base_sso.html
@@ -1,55 +1,83 @@
-{% import "macros.html" as macros %}
-{% import "bootstrap/utils.html" as utils %}
+{%- import "macros.html" as macros %}
+{%- import "bootstrap/utils.html" as utils %}
 <!doctype html>
-<html>
+<html lang="{{ session['language'] }}" data-static="{{ url_for('.static', filename='') }}">
   <head>
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta name="description" content="{% trans %}Admin page for{% endtrans %} {{ config["SITENAME"] }}">
+    <meta http-equiv="x-ua-compatible" content="ie=edge">
+    <title>Mailu-Admin | {{ config["SITENAME"] }}</title>
     <link rel="stylesheet" href="{{ url_for('.static', filename='vendor.css') }}">
     <link rel="stylesheet" href="{{ url_for('.static', filename='app.css') }}">
-    <title>Mailu - {{ config["SITENAME"] }}</title>
   </head>
   <body class="hold-transition sidebar-mini layout-fixed">
     <div class="wrapper">
       <nav class="main-header navbar navbar-expand navbar-white navbar-light">
         <ul class="navbar-nav">
           <li class="nav-item">
-            <a class="nav-link" data-widget="pushmenu" href="#" role="button"><i class="fas fa-bars"></i></a>
+            <a class="nav-link" data-widget="pushmenu" href="#" role="button"><i class="fas fa-bars" title="{% trans %}toggle sidebar{% endtrans %}" aria-expanded="false"></i><span class="sr-only">{% trans %}toggle sidebar{% endtrans %}</span></a>
+          </li>
+          <li class="nav-item">
+          {%- for page, url in path %}
+            {%- if loop.index > 1 %}
+            <i class="fas fa-greater-than text-xs text-gray" aria-hidden="true"></i>
+            {%- endif %}
+            {%- if url %}
+            <a class="nav-link d-inline-block" href="{{ url }}" role="button">{{ page }}</a>
+            {%- else %}
+            <span class="nav-link d-inline-block">{{ page }}</span>
+            {%- endif %}
+          {%- endfor %}
+          </li>
+        </ul>
+        <ul class="navbar-nav ml-auto">
+          <li class="nav-item dropdown">
+            <a class="nav-link" data-toggle="dropdown" href="#" aria-expanded="false">
+              <i class="fas fa-language text-xl" aria-hidden="true" title="{% trans %}change language{% endtrans %}"></i><span class="sr-only">Language</span>
+              <span class="badge badge-primary navbar-badge">{{ session['language'] }}</span></a>
+            <div class="dropdown-menu dropdown-menu-right p-0" id="mailu-languages">
+            {%- for locale in config.translations.values() %}
+              <a class="dropdown-item{% if locale.language == session['language'] %} active{% endif %}" href="{{ url_for('ui.set_language', language=locale.language) }}">{{ locale.get_language_name().title() }}</a>
+            {%- endfor %}
+            </div>
           </li>
         </ul>
       </nav>
-      <aside class="main-sidebar sidebar-dark-primary">
-        <a class="brand-link">
-         <span class="brand-text font-weight-light">{{ config["SITENAME"] }}</span>
+      <aside class="main-sidebar sidebar-dark-primary nav-compact elevation-4">
+        <a class="brand-link bg-mailu-logo"{% if config["LOGO_BACKGROUND"] %} style="background-color:{{ config["LOGO_BACKGROUND"] }}!important;"{% endif %}>
+          <img src="{{ config["LOGO_URL"] if config["LOGO_URL"] else url_for('.static', filename='mailu.png') }}" width="33" height="33" alt="Mailu" class="brand-image mailu-logo img-circle elevation-3">
+          <span class="brand-text font-weight-light">{{ config["SITENAME"] }}</span>
         </a>
-        {% block sidebar %}
-        {% include "sidebar_sso.html" %}
-        {% endblock %}
+        {%- include "sidebar_sso.html" %}
       </aside>
-      <div class="content-wrapper">
+      <div class="content-wrapper text-sm">
         <section class="content-header">
           <div class="container-fluid">
             <div class="row mb-2">
               <div class="col-sm-6">
-                <h1 class="m-0">{% block title %}{% endblock %}</h1>
+                <h1 class="m-0">{%- block title %}{%- endblock %}</h1>
                 <small>{% block subtitle %}{% endblock %}</small>
               </div>
               <div class="col-sm-6">
-                {% block main_action %}
-                {% endblock %}
+                {%- block main_action %}{%- endblock %}
               </div>
             </div>
           </div>
         </section>
-
         <div class="content">
-          {{ utils.flashed_messages(container=False) }}
-          {% block content %}{% endblock %}
+          {{ utils.flashed_messages(container=False, default_category='success') }}
+          {%- block content %}{%- endblock %}
         </div>
       </div>
       <footer class="main-footer">
-        Built with <i class="fa fa-heart"></i> using <a class="white-text" href="http://flask.pocoo.org/">Flask</a> and
-        <a class="white-text" href="https://adminlte.io/themes/v3/index3.html">AdminLTE</a>
-        <span class="pull-right"><i class="fa fa-code-fork"></i>on <a class="white-text" href="https://github.com/Mailu/Mailu">Github</a></a></span>
+        Built with <i class="fa fa-heart text-danger" aria-hidden="true"></i><span class="sr-only">love</span>
+        using <a href="https://flask.palletsprojects.com/">Flask</a>
+        and <a href="https://adminlte.io/themes/v3/index3.html">AdminLTE</a>.
+        <span class="fa-pull-right">
+          <i class="fa fa-code-branch" aria-hidden="true"></i><span class="sr-only">fork</span>
+          on <a href="https://github.com/Mailu/Mailu">Github</a>
+        </span>
       </footer>
     </div>
     <script src="{{ url_for('.static', filename='vendor.js') }}"></script>
diff --git a/core/admin/mailu/sso/templates/form_sso.html b/core/admin/mailu/sso/templates/form_sso.html
index d28b82bf..7759ae3f 100644
--- a/core/admin/mailu/sso/templates/form_sso.html
+++ b/core/admin/mailu/sso/templates/form_sso.html
@@ -1,7 +1,7 @@
-{% extends "base_sso.html" %}
+{%- extends "base_sso.html" %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 {{ macros.form(form) }}
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/sso/templates/login.html b/core/admin/mailu/sso/templates/login.html
index 81d83a46..e1ad6045 100644
--- a/core/admin/mailu/sso/templates/login.html
+++ b/core/admin/mailu/sso/templates/login.html
@@ -1,13 +1,13 @@
-{% extends "form_sso.html" %}
+{%- extends "form_sso.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Sign in{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
-{% if endpoint == 'ui.index' %}
+{%- block subtitle %}
+{%- if endpoint == 'ui.index' %}
 {% trans %}to access the configuration page{% endtrans %}
-{% elif endpoint == 'ui.webmail' %}
+{%- elif endpoint == 'ui.webmail' %}
 {% trans %}to access the webmail page{% endtrans %}
-{% endif %}
-{% endblock %}
+{%- endif %}
+{%- endblock %}
diff --git a/core/admin/mailu/sso/templates/sidebar_sso.html b/core/admin/mailu/sso/templates/sidebar_sso.html
index 6e919731..79e5832b 100644
--- a/core/admin/mailu/sso/templates/sidebar_sso.html
+++ b/core/admin/mailu/sso/templates/sidebar_sso.html
@@ -1,8 +1,15 @@
-<div class="sidebar">
-
-
-  <nav class="mt-2">
+<div class="sidebar text-sm">
+  <nav class="mt-2">    
     <ul class="nav nav-pills nav-sidebar flex-column" role="menu">
+    <li class="nav-header text-uppercase text-primary" role="none">{% trans %}Go to{% endtrans %}</li>   
+      {%- if config["WEBMAIL"] != "none" %}
+      <li class="nav-item" role="none">
+        <a href="{{ config["WEB_WEBMAIL"] }}" target="_blank" class="nav-link" role="menuitem">
+        <i class="nav-icon far fa-envelope"></i>
+        <p>{% trans %}Webmail{% endtrans %} <i class="fas fa-external-link-alt text-xs"></i></p>
+        </a>
+      </li>
+      {% endif %}
       {% if config['ADMIN'] %} 
       <li class="nav-item">
         <a href="{{ url_for('ui.client') }}" class="nav-link">
@@ -10,20 +17,25 @@
           <p class="text">{% trans %}Client setup{% endtrans %}</p>
         </a>
       </li>
+      {% endif %}
+      <li class="nav-item" role="none">
+        <a href="{{ config["WEBSITE"] }}" target="_blank" class="nav-link" role="menuitem" rel="noreferrer">
+        <i class="nav-icon fa fa-globe"></i>
+        <p>{% trans %}Website{% endtrans %} <i class="fas fa-external-link-alt text-xs"></i></p>
+        </a>
+      </li>
       <li class="nav-item">
         <a href="https://mailu.io" target="_blank" class="nav-link">
           <i class="nav-icon fa fa-life-ring"></i>
           <p class="text">{% trans %}Help{% endtrans %}</p>
         </a>
-      </li>
-      {% endif %}
-      {% if False %}
-      <!-- Domain self-registration is only available when
+      </li>      
+      {#
+          Domain self-registration is only available when
            - Admin is available
            - Domain Self-registration is enabled 
-           - The current user is not logged on
-      -->
-      {% endif %}
+           - The current user is not logged on      
+      #}
       {% if config['DOMAIN_REGISTRATION'] %}
       {% if not current_user.is_authenticated %}
       {% if config['ADMIN'] %} 
@@ -36,13 +48,12 @@
       {% endif %}
       {% endif %}
       {% endif %}
-      {% if False %}
-      <!-- User self-registration is only available when
+      {#
+          User self-registration is only available when
            - Admin is available
            - Self-registration is enabled 
-           - The current user is not logged on
-      -->
-      {% endif %}
+           - The current user is not logged on      
+      #}
       {% if not current_user.is_authenticated %}
       {% if signup_domains %}
       {% if config['ADMIN'] %} 
diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index 9013fb0c..9f4c1904 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -10,12 +10,22 @@ import flask_login
 def login():
     form = forms.LoginForm()
     endpoint = flask.request.args.get('next', 'ui.index')
-    
-    if endpoint == 'ui.webmail':
-        endpoint = 'ui.webmail'
-    else:
-        endpoint = 'ui.index'
+
+    if str(app.config['WEBMAIL']).upper != 'NONE' and str(app.config['ADMIN']).upper != 'NONE' and endpoint != 'ui.webmail':
+        form.target.choices = [('Configuration page', 'Configuration page'), ('Webmail', 'Webmail')]
+    elif str(app.config['WEBMAIL']).upper != 'NONE' and str(app.config['ADMIN']).upper != 'NONE' and endpoint == 'ui.webmail':
+        form.target.choices = [('Webmail', 'Webmail'), ('Configuration page', 'Configuration page')]
+    elif str(app.config['WEBMAIL']).upper != 'NONE' and str(app.config['ADMIN']).upper == 'NONE':
+        form.target.choices = [('Webmail', 'Webmail')]
+    elif str(app.config['WEBMAIL']).upper == 'NONE' and str(app.config['ADMIN']).upper != 'NONE':
+        form.target.choices = [('Configuration page', 'Configuration page')]
+
     if form.validate_on_submit():
+        if form.target.data == 'Configuration page':
+            endpoint = 'ui.index'
+        elif form.target.data == 'webmail':
+            endpoint = 'ui.webmail'
+
         user = models.User.login(form.email.data, form.pw.data)
         if user:
             flask.session.regenerate()
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index acb53456..7fa6d788 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -138,8 +138,8 @@ http {
       }
       location ^~ /ui {
         include /etc/nginx/proxy.conf;
-        #rewrite ^/sso/(.*) {{ WEB_ADMIN }}/$1 redirect;
-        return 302 {{ WEB_ADMIN }}/ui/;
+        rewrite ^/ui/(.*) {{ WEB_ADMIN }}/ui/$1 redirect;
+        #return 302 {{ WEB_ADMIN }}/ui/;
       }
       location ^~ /sso {
         include /etc/nginx/proxy.conf;

From 1e07b85fa132a22da11aa5603764f4fc3df729d4 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Fri, 24 Sep 2021 10:20:21 +0200
Subject: [PATCH 066/222] doh

---
 core/admin/mailu/utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 34f52d8c..a77cef47 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -58,7 +58,7 @@ def has_dane_record(domain, timeout=10):
         # we will receive this non-specific exception. The safe behaviour is to
         # accept to defer the email.
         flask.current_app.logger.warn(f'Unable to lookup the TLSA record for {domain}. Is the DNSSEC zone okay on https://dnsviz.net/d/{domain}/dnssec/?')
-        return app.config['DEFER_ON_TLS_ERROR']
+        return flask.current_app.config['DEFER_ON_TLS_ERROR']
     except dns.exception.Timeout:
         flask.current_app.logger.warn(f'Timeout while resolving the TLSA record for {domain} ({timeout}s).')
     except dns.resolver.NXDOMAIN:

From 7083b3f7c61c398e5fa41e8bd966014f9919ce3f Mon Sep 17 00:00:00 2001
From: Diman0 <diman@huisman.xyz>
Date: Fri, 24 Sep 2021 12:10:21 +0200
Subject: [PATCH 067/222] Fix roundcube sso header issue Removed apache rewrite
 module.

---
 webmails/roundcube/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webmails/roundcube/Dockerfile b/webmails/roundcube/Dockerfile
index f4399f70..df83bc83 100644
--- a/webmails/roundcube/Dockerfile
+++ b/webmails/roundcube/Dockerfile
@@ -39,7 +39,7 @@ RUN apt-get update && apt-get install -y \
  && sed -i 's,^php_value.*upload_max_filesize,#&,g' .htaccess \
  && chown -R www-data: logs temp \
  && rm -rf /var/lib/apt/lists \
- && a2enmod rewrite deflate expires headers
+ && a2enmod deflate expires headers
 
 COPY php.ini /php.ini
 COPY config.inc.php /var/www/html/config/

From e3fa74768ab94881e99187b0eb5c87d9d6add332 Mon Sep 17 00:00:00 2001
From: Diman0 <diman@huisman.xyz>
Date: Fri, 24 Sep 2021 12:16:42 +0200
Subject: [PATCH 068/222] Add newsfragment.

---
 towncrier/newsfragments/1990.bugfix | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 towncrier/newsfragments/1990.bugfix

diff --git a/towncrier/newsfragments/1990.bugfix b/towncrier/newsfragments/1990.bugfix
new file mode 100644
index 00000000..394fc05b
--- /dev/null
+++ b/towncrier/newsfragments/1990.bugfix
@@ -0,0 +1 @@
+Fixed roundcube sso login not working.

From ac496eed19955effbd262eaeb71f043a523061c4 Mon Sep 17 00:00:00 2001
From: Diman0 <diman@huisman.xyz>
Date: Fri, 24 Sep 2021 12:57:17 +0200
Subject: [PATCH 069/222] Update setup with new rate limit config vars.

---
 setup/flavors/compose/mailu.env   | 11 ++++++++---
 setup/templates/steps/config.html | 14 +++++++++++---
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env
index 0ba39019..fd95b725 100644
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@@ -29,9 +29,14 @@ POSTMASTER={{ postmaster }}
 # Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
 TLS_FLAVOR={{ tls_flavor }}
 
-# Authentication rate limit (per /24 on ipv4 and /56 on ipv6)
-{% if auth_ratelimit_pm > '0' %}
-AUTH_RATELIMIT={{ auth_ratelimit_pm }}/minute
+# Authentication rate limit per IP (per /24 on ipv4 and /56 on ipv6)
+{% if auth_ratelimit_ip > '0' %}
+AUTH_RATELIMIT_IP={{ auth_ratelimit_ip }}/hour
+{% endif %}
+
+# Authentication rate limit per user (per /24 on ipv4 and /56 on ipv6)
+{% if auth_ratelimit_user > '0' %}
+AUTH_RATELIMIT_USER={{ auth_ratelimit_user }}/day
 {% endif %}
 
 # Opt-out of statistics, replace with "True" to opt out
diff --git a/setup/templates/steps/config.html b/setup/templates/steps/config.html
index f532f757..4b4bb281 100644
--- a/setup/templates/steps/config.html
+++ b/setup/templates/steps/config.html
@@ -48,10 +48,18 @@ Or in plain english: if receivers start to classify your mail as spam, this post
 </div>
 
 <div class="form-group">
-  <label>Authentication rate limit (per source IP address)</label>
+  <label>Authentication rate limit per IP for failed login attempts for non-existing accounts</label>
   <!--   Validates number input only -->
-  <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_pm"
-  		value="10000" required > / minute
+  <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_ip"
+  		value="60" required > / hour
+  </p>
+</div>
+
+<div class="form-group">
+  <label>Authentication rate limit per user for failed login attempts for existing accounts</label>
+  <!--   Validates number input only -->
+  <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_user"
+  		value="100" required > / day
   </p>
 </div>
 

From 862fdda55b9f13f4e5bc82f525441a7716210bf6 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Fri, 24 Sep 2021 13:35:41 +0200
Subject: [PATCH 070/222] Tweak the wording

---
 setup/flavors/compose/mailu.env   | 2 +-
 setup/templates/steps/config.html | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env
index fd95b725..60516013 100644
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@@ -34,7 +34,7 @@ TLS_FLAVOR={{ tls_flavor }}
 AUTH_RATELIMIT_IP={{ auth_ratelimit_ip }}/hour
 {% endif %}
 
-# Authentication rate limit per user (per /24 on ipv4 and /56 on ipv6)
+# Authentication rate limit per user (regardless of the source-IP)
 {% if auth_ratelimit_user > '0' %}
 AUTH_RATELIMIT_USER={{ auth_ratelimit_user }}/day
 {% endif %}
diff --git a/setup/templates/steps/config.html b/setup/templates/steps/config.html
index 4b4bb281..74a45800 100644
--- a/setup/templates/steps/config.html
+++ b/setup/templates/steps/config.html
@@ -48,7 +48,7 @@ Or in plain english: if receivers start to classify your mail as spam, this post
 </div>
 
 <div class="form-group">
-  <label>Authentication rate limit per IP for failed login attempts for non-existing accounts</label>
+  <label>Authentication rate limit per IP for failed login attempts or non-existing accounts</label>
   <!--   Validates number input only -->
   <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_ip"
   		value="60" required > / hour
@@ -56,7 +56,7 @@ Or in plain english: if receivers start to classify your mail as spam, this post
 </div>
 
 <div class="form-group">
-  <label>Authentication rate limit per user for failed login attempts for existing accounts</label>
+  <label>Authentication rate limit per user</label>
   <!--   Validates number input only -->
   <p><input class="form-control" style="width: 9%; display: inline;" type="number" name="auth_ratelimit_user"
   		value="100" required > / day

From 464a117e9f19f42af01a47f19c7cd488a88db959 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Fri, 24 Sep 2021 13:37:00 +0200
Subject: [PATCH 071/222] this should be changed too

---
 setup/flavors/compose/mailu.env | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env
index 60516013..3e53e7d2 100644
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@@ -155,9 +155,8 @@ DOMAIN_REGISTRATION=true
 # Docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME={{ compose_project_name or 'mailu' }}
 
-# Default password scheme used for newly created accounts and changed passwords
-# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
-PASSWORD_SCHEME={{ password_scheme or 'PBKDF2' }}
+# Number of rounds used by the password hashing scheme
+CREDENTIAL_ROUNDS=12
 
 # Header to take the real ip from
 REAL_IP_HEADER={{ real_ip_header }}

From f4cde611481b320a2cda3a7b6fecc9dd2b012998 Mon Sep 17 00:00:00 2001
From: Diman0 <diman@huisman.xyz>
Date: Fri, 24 Sep 2021 15:29:28 +0200
Subject: [PATCH 072/222] Make header translatable. More finishing touches.

---
 core/admin/mailu/sso/forms.py             |  2 +-
 core/admin/mailu/sso/templates/login.html |  8 --------
 core/admin/mailu/sso/views/base.py        | 12 +++++++-----
 core/nginx/conf/nginx.conf                | 19 ++++++++++++-------
 4 files changed, 20 insertions(+), 21 deletions(-)

diff --git a/core/admin/mailu/sso/forms.py b/core/admin/mailu/sso/forms.py
index 8b5f4cba..d5124804 100644
--- a/core/admin/mailu/sso/forms.py
+++ b/core/admin/mailu/sso/forms.py
@@ -11,7 +11,7 @@ LOCALPART_REGEX = "^[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-zA-Z0-9!#$%&'*+/=?^_`
 class LoginForm(flask_wtf.FlaskForm):
     class Meta:
         csrf = False
-    target = fields.SelectField( u'Go to' )
+    target = fields.SelectField( _('Go to') )
     email = fields.StringField(_('E-mail'), [validators.Email()])
     pw = fields.PasswordField(_('Password'), [validators.DataRequired()])
     submit = fields.SubmitField(_('Sign in'))
diff --git a/core/admin/mailu/sso/templates/login.html b/core/admin/mailu/sso/templates/login.html
index e1ad6045..c727e01e 100644
--- a/core/admin/mailu/sso/templates/login.html
+++ b/core/admin/mailu/sso/templates/login.html
@@ -3,11 +3,3 @@
 {%- block title %}
 {% trans %}Sign in{% endtrans %}
 {%- endblock %}
-
-{%- block subtitle %}
-{%- if endpoint == 'ui.index' %}
-{% trans %}to access the configuration page{% endtrans %}
-{%- elif endpoint == 'ui.webmail' %}
-{% trans %}to access the webmail page{% endtrans %}
-{%- endif %}
-{%- endblock %}
diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index 9f4c1904..f3d60fd0 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -12,18 +12,18 @@ def login():
     endpoint = flask.request.args.get('next', 'ui.index')
 
     if str(app.config['WEBMAIL']).upper != 'NONE' and str(app.config['ADMIN']).upper != 'NONE' and endpoint != 'ui.webmail':
-        form.target.choices = [('Configuration page', 'Configuration page'), ('Webmail', 'Webmail')]
+        form.target.choices = [('Admin', 'Admin'), ('Webmail', 'Webmail')]
     elif str(app.config['WEBMAIL']).upper != 'NONE' and str(app.config['ADMIN']).upper != 'NONE' and endpoint == 'ui.webmail':
-        form.target.choices = [('Webmail', 'Webmail'), ('Configuration page', 'Configuration page')]
+        form.target.choices = [('Webmail', 'Webmail'), ('Admin', 'Admin')]
     elif str(app.config['WEBMAIL']).upper != 'NONE' and str(app.config['ADMIN']).upper == 'NONE':
         form.target.choices = [('Webmail', 'Webmail')]
     elif str(app.config['WEBMAIL']).upper == 'NONE' and str(app.config['ADMIN']).upper != 'NONE':
-        form.target.choices = [('Configuration page', 'Configuration page')]
+        form.target.choices = [('Admin', 'Admin')]
 
     if form.validate_on_submit():
-        if form.target.data == 'Configuration page':
+        if str(form.target.data) == 'Admin':
             endpoint = 'ui.index'
-        elif form.target.data == 'webmail':
+        elif str(form.target.data) == 'Webmail':
             endpoint = 'ui.webmail'
 
         user = models.User.login(form.email.data, form.pw.data)
@@ -33,5 +33,7 @@ def login():
             return flask.redirect(flask.url_for(endpoint))
         else:
             flask.flash('Wrong e-mail or password', 'error')
+            client_ip = flask.request.headers["X-Real-IP"] if 'X-Real-IP' in flask.request.headers else flask.request.remote_addr
+            flask.current_app.logger.warn(f'Login failed for {str(form.email.data)} from {client_ip}.')
     return flask.render_template('login.html', form=form, endpoint=endpoint)
     
\ No newline at end of file
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 7fa6d788..a5e1a51a 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -136,21 +136,26 @@ http {
         include /etc/nginx/proxy.conf;
         return 302 {{ WEB_WEBMAIL }};
       }
+
+      {% if ADMIN == 'true' %}
       location ^~ /ui {
         include /etc/nginx/proxy.conf;
         rewrite ^/ui/(.*) {{ WEB_ADMIN }}/ui/$1 redirect;
-        #return 302 {{ WEB_ADMIN }}/ui/;
       }
+      {% endif %}
+
+      {% if ADMIN == 'true' or WEBMAIL != 'none' %}
       location ^~ /sso {
         include /etc/nginx/proxy.conf;
         proxy_pass http://$admin;
       }
-#    location ^~ /(ui|static) {
-#      rewrite ^{{ WEB_ADMIN }}/(.*) /$1 break;
-#      include /etc/nginx/proxy.conf;
-#       proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }};
-#       proxy_pass http://$admin;
-#      }
+      location ^~ /ui/language {
+        include /etc/nginx/proxy.conf;
+        proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }};
+        proxy_pass http://$admin;
+        expires $expires;
+      }
+      {% endif %}
 
       {% if WEB_WEBMAIL != '/' and WEBROOT_REDIRECT != 'none' %}
       location / {

From 41f5b43b387070cc7d85fd23cc9112223ef3aac0 Mon Sep 17 00:00:00 2001
From: Diman0 <diman@huisman.xyz>
Date: Fri, 24 Sep 2021 15:33:16 +0200
Subject: [PATCH 073/222] Set nginx logging to level info again.

---
 core/nginx/conf/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index a5e1a51a..ce80a6ae 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -1,7 +1,7 @@
 #  Basic configuration
 user nginx;
 worker_processes auto;
-error_log /dev/stderr debug;
+error_log /dev/stderr info;
 pid /var/run/nginx.pid;
 load_module "modules/ngx_mail_module.so";
 

From c1beee8fd7094bc5886ac6563efc7f6874f63100 Mon Sep 17 00:00:00 2001
From: Diman0 <diman@huisman.xyz>
Date: Fri, 24 Sep 2021 15:36:01 +0200
Subject: [PATCH 074/222] Added newsfragment

---
 towncrier/newsfragments/1929.enhancement | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 towncrier/newsfragments/1929.enhancement

diff --git a/towncrier/newsfragments/1929.enhancement b/towncrier/newsfragments/1929.enhancement
new file mode 100644
index 00000000..b21118f7
--- /dev/null
+++ b/towncrier/newsfragments/1929.enhancement
@@ -0,0 +1,5 @@
+Improved the SSO page.
+ - Now shows the login target.
+ - Added toggle to choose login target.
+ - Made SSO page available separately. SSO page can now be used without Admin.
+

From 16691e83adcdcae01948cfa3b6601dd9f0450894 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Fri, 24 Sep 2021 18:15:00 +0200
Subject: [PATCH 075/222] re-enable mod_rewrite in roundcube

moved chown/mkdir/symlink from start.py to Dockerfile
---
 webmails/roundcube/Dockerfile | 10 +++++++---
 webmails/roundcube/start.py   |  6 +-----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/webmails/roundcube/Dockerfile b/webmails/roundcube/Dockerfile
index df83bc83..32f71ea5 100644
--- a/webmails/roundcube/Dockerfile
+++ b/webmails/roundcube/Dockerfile
@@ -33,13 +33,17 @@ RUN apt-get update && apt-get install -y \
  && mv roundcubemail-* html \
  && mv carddav html/plugins/ \
  && cd html \
- && rm -rf CHANGELOG INSTALL LICENSE README.md UPGRADING composer.json-dist installer \
+ && rm -rf CHANGELOG INSTALL LICENSE README.md UPGRADING composer.json-dist installer composer.* \
  && sed -i 's,mod_php5.c,mod_php7.c,g' .htaccess \
  && sed -i 's,^php_value.*post_max_size,#&,g' .htaccess \
  && sed -i 's,^php_value.*upload_max_filesize,#&,g' .htaccess \
- && chown -R www-data: logs temp \
+ && ln -sf index.php /var/www/html/sso.php \
+ && chown -R root:root . \
+ && touch logs/errors.log \
+ && chown -R www-data:www-data logs temp \
+ && chmod -R a+rX . \
  && rm -rf /var/lib/apt/lists \
- && a2enmod deflate expires headers
+ && a2enmod rewrite deflate expires headers
 
 COPY php.ini /php.ini
 COPY config.inc.php /var/www/html/config/
diff --git a/webmails/roundcube/start.py b/webmails/roundcube/start.py
index cd42ba06..82c4c26f 100755
--- a/webmails/roundcube/start.py
+++ b/webmails/roundcube/start.py
@@ -34,11 +34,7 @@ else:
 conf.jinja("/php.ini", os.environ, "/usr/local/etc/php/conf.d/roundcube.ini")
 
 # Create dirs, setup permissions
-os.system("mkdir -p /data/gpg /var/www/html/logs")
-os.system("touch /var/www/html/logs/errors.log")
-os.system("chown -R www-data:www-data /var/www/html/logs")
-os.system("chmod -R a+rX /var/www/html/")
-os.system("ln -sf /var/www/html/index.php /var/www/html/sso.php")
+os.system("mkdir -p /data/gpg")
 
 try:
     print("Initializing database")

From e9f84d7d994656162e41136e375d6cdfa86446ed Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 25 Sep 2021 16:25:59 +0200
Subject: [PATCH 076/222] Improve the unbound configuration

---
 optional/unbound/unbound.conf | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/optional/unbound/unbound.conf b/optional/unbound/unbound.conf
index 6c8fc64d..42b2d4d8 100644
--- a/optional/unbound/unbound.conf
+++ b/optional/unbound/unbound.conf
@@ -1,19 +1,21 @@
 server:
   verbosity: 1
   interface: 0.0.0.0
-  interface: ::0
+  {{ 'interface: ::0' if SUBNET6 }}
   logfile: ""
   do-ip4: yes
-  do-ip6: yes
+  do-ip6: {{ 'yes' if SUBNET6 else 'no' }}
   do-udp: yes
   do-tcp: yes
   do-daemonize: no
   access-control: {{ SUBNET }} allow
+  {{ 'access-control: {{ SUBNET6 }} allow' if SUBNET6 }}
   directory: "/etc/unbound"
   username: unbound
   auto-trust-anchor-file: trusted-key.key
   root-hints: "/etc/unbound/root.hints"
   hide-identity: yes
   hide-version: yes
-  max-udp-size: 4096
-  msg-buffer-size: 65552
+  cache-min-ttl: 300
+  qname-minimisation: yes
+

From 739702a0349d099bf70cb71f18a2bd12180897ab Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 25 Sep 2021 16:31:11 +0200
Subject: [PATCH 077/222] doc

---
 towncrier/newsfragments/1992.enhancement | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 towncrier/newsfragments/1992.enhancement

diff --git a/towncrier/newsfragments/1992.enhancement b/towncrier/newsfragments/1992.enhancement
new file mode 100644
index 00000000..56a11538
--- /dev/null
+++ b/towncrier/newsfragments/1992.enhancement
@@ -0,0 +1,3 @@
+Make unbound work with ipv6
+Add a cache-min-ttl of 5minutes
+Enable qname minimisation (privacy)

From 1cf0f76b529389b47eff0c7e9800c53263e073af Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 27 Sep 2021 09:04:15 +0200
Subject: [PATCH 078/222] not required anymore

---
 optional/unbound/unbound.conf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/optional/unbound/unbound.conf b/optional/unbound/unbound.conf
index 42b2d4d8..df0c76ff 100644
--- a/optional/unbound/unbound.conf
+++ b/optional/unbound/unbound.conf
@@ -17,5 +17,4 @@ server:
   hide-identity: yes
   hide-version: yes
   cache-min-ttl: 300
-  qname-minimisation: yes
 

From 65133a960af543687c00c09068cdbdf10c2f7ff1 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Tue, 28 Sep 2021 10:38:37 +0200
Subject: [PATCH 079/222] Prevent traceback when using non-email in login

There's a traceback when the username used to log via SMTPAUTH
in is not an email address:

=== before ===
```
[...] ERROR in app: Exception on /internal/auth/email [GET]
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/base.py", line 1179, in _execute_context
    context = constructor(dialect, self, conn, *args)
  File "/usr/lib/python3.9/site-packages/sqlalchemy/engine/default.py", line 719, in _init_compiled
    param.append(processors[key](compiled_params[key]))
  File "/usr/lib/python3.9/site-packages/sqlalchemy/sql/type_api.py", line 1201, in process
    return process_param(value, dialect)
  File "/app/mailu/models.py", line 60, in process_bind_param
    localpart, domain_name = value.lower().rsplit('@', 1)
ValueError: not enough values to unpack (expected 2, got 1)
[...]
[parameters: [{'%(140657157923216 param)s': 'foobar'}]]
```

=== after ===
```
[...] WARNING in nginx: Invalid user 'foobar': (builtins.ValueError) invalid email address (no "@")
```
---
 core/admin/mailu/internal/nginx.py | 23 ++++++++++++++---------
 core/admin/mailu/models.py         |  2 ++
 2 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index 167341e2..f011bf5a 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -5,6 +5,7 @@ import re
 import urllib
 import ipaddress
 import socket
+import sqlalchemy.exc
 import tenacity
 
 SUPPORTED_AUTH_METHODS = ["none", "plain"]
@@ -90,15 +91,19 @@ def handle_authentication(headers):
         except:
             app.logger.warn(f'Received undecodable user/password from nginx: {raw_user_email!r}/{raw_password!r}')
         else:
-            user = models.User.query.get(user_email)
-            ip = urllib.parse.unquote(headers["Client-Ip"])
-            if check_credentials(user, password, ip, protocol):
-                server, port = get_server(headers["Auth-Protocol"], True)
-                return {
-                    "Auth-Status": "OK",
-                    "Auth-Server": server,
-                    "Auth-Port": port
-                }
+            try:
+                user = models.User.query.get(user_email)
+            except sqlalchemy.exc.StatementError as exc:
+                exc = str(exc).split('\n', 1)[0]
+                app.logger.warn(f'Invalid user {user_email!r}: {exc}')
+            else:
+                if check_credentials(user, password, urllib.parse.unquote(headers["Client-Ip"]), protocol):
+                    server, port = get_server(headers["Auth-Protocol"], True)
+                    return {
+                        "Auth-Status": "OK",
+                        "Auth-Server": server,
+                        "Auth-Port": port
+                    }
         status, code = get_status(protocol, "authentication")
         return {
             "Auth-Status": status,
diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index f93b158f..01711a60 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -57,6 +57,8 @@ class IdnaEmail(db.TypeDecorator):
 
     def process_bind_param(self, value, dialect):
         """ encode unicode domain part of email address to punycode """
+        if not '@' in value:
+            raise ValueError('invalid email address (no "@")')
         localpart, domain_name = value.lower().rsplit('@', 1)
         if '@' in localpart:
             raise ValueError('email local part must not contain "@"')

From cd17aa0c43f33821a36fbc6fca50bf9cd059a3ff Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Tue, 28 Sep 2021 11:06:59 +0200
Subject: [PATCH 080/222] repair failing health-check

---
 webmails/roundcube/Dockerfile | 2 +-
 webmails/roundcube/mailu.php  | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/webmails/roundcube/Dockerfile b/webmails/roundcube/Dockerfile
index 32f71ea5..2905d30e 100644
--- a/webmails/roundcube/Dockerfile
+++ b/webmails/roundcube/Dockerfile
@@ -55,4 +55,4 @@ VOLUME ["/data"]
 
 CMD /start.py
 
-HEALTHCHECK CMD curl -f -L http://localhost/ || exit 1
+HEALTHCHECK CMD curl -f -L -H 'User-Agent: health' http://localhost/ || exit 1
diff --git a/webmails/roundcube/mailu.php b/webmails/roundcube/mailu.php
index bb4d65e9..f5079e98 100644
--- a/webmails/roundcube/mailu.php
+++ b/webmails/roundcube/mailu.php
@@ -52,6 +52,12 @@ class mailu extends rcube_plugin
   }
   function login_failed($args)
   {
+      $ua = $_SERVER['HTTP_USER_AGENT'];
+      $ra = $_SERVER['REMOTE_ADDR'];
+      if ($ua == 'health' and ($ra == '127.0.0.1' or $ra == '::1')) {
+        echo "OK";
+        exit;
+      }
       header('Location: sso.php');
       exit();
   }

From 7380b248cf9cca970f7cb26e2cc54ff8d2553888 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Tue, 28 Sep 2021 11:16:40 +0200
Subject: [PATCH 081/222] direct logging of php errors to stderr

---
 webmails/roundcube/Dockerfile | 4 ++--
 webmails/roundcube/start.py   | 3 ---
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/webmails/roundcube/Dockerfile b/webmails/roundcube/Dockerfile
index 2905d30e..c751b6bf 100644
--- a/webmails/roundcube/Dockerfile
+++ b/webmails/roundcube/Dockerfile
@@ -38,9 +38,9 @@ RUN apt-get update && apt-get install -y \
  && sed -i 's,^php_value.*post_max_size,#&,g' .htaccess \
  && sed -i 's,^php_value.*upload_max_filesize,#&,g' .htaccess \
  && ln -sf index.php /var/www/html/sso.php \
+ && ln -sf /dev/stderr /var/www/html/logs/errors.log \
  && chown -R root:root . \
- && touch logs/errors.log \
- && chown -R www-data:www-data logs temp \
+ && chown www-data:www-data logs temp \
  && chmod -R a+rX . \
  && rm -rf /var/lib/apt/lists \
  && a2enmod rewrite deflate expires headers
diff --git a/webmails/roundcube/start.py b/webmails/roundcube/start.py
index 82c4c26f..efaac357 100755
--- a/webmails/roundcube/start.py
+++ b/webmails/roundcube/start.py
@@ -57,8 +57,5 @@ except subprocess.CalledProcessError as e:
 # Setup database permissions
 os.system("chown -R www-data:www-data /data")
 
-# Tail roundcube logs
-subprocess.Popen(["tail", "-f", "-n", "0", "/var/www/html/logs/errors.log"])
-
 # Run apache
 os.execv("/usr/local/bin/apache2-foreground", ["apache2-foreground"])

From ef9e1ac27997128ee982fb92c5183ade34accf4c Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Tue, 28 Sep 2021 12:29:57 +0200
Subject: [PATCH 082/222] remove health check from log

---
 webmails/roundcube/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/webmails/roundcube/Dockerfile b/webmails/roundcube/Dockerfile
index c751b6bf..1f788918 100644
--- a/webmails/roundcube/Dockerfile
+++ b/webmails/roundcube/Dockerfile
@@ -11,7 +11,8 @@ FROM build_${QEMU}
 RUN apt-get update && apt-get install -y \
   python3 curl python3-pip git python3-multidict \
   && rm -rf /var/lib/apt/lists \
-  && echo "ServerSignature Off" >> /etc/apache2/apache2.conf
+  && echo "ServerSignature Off\nServerName roundcube" >> /etc/apache2/apache2.conf \
+  && sed -i 's,CustomLog.*combined$,\0 "'"expr=!(%{HTTP_USER_AGENT}=='health'\&\&(-R '127.0.0.1/8' || -R '::1'))"'",' /etc/apache2/sites-available/000-default.conf
 
 # Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube
 RUN pip3 install socrate

From 995ce8d4374e501e3733ea2cf2f1d96070b172ef Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Fri, 1 Oct 2021 14:54:04 +0200
Subject: [PATCH 083/222] Remove OUTCLEAN_ADDRESS

I believe that this isn't relevant anymore as we don't use OpenDKIM
anymore

Background on:
https://bofhskull.wordpress.com/2014/03/25/postfix-opendkim-and-missing-from-header/
---
 core/postfix/conf/outclean_header_filter.cf | 5 +----
 core/postfix/start.py                       | 9 ---------
 towncrier/newsfragments/446.feature         | 1 +
 3 files changed, 2 insertions(+), 13 deletions(-)
 create mode 100644 towncrier/newsfragments/446.feature

diff --git a/core/postfix/conf/outclean_header_filter.cf b/core/postfix/conf/outclean_header_filter.cf
index 7e0e92d3..6a5d6b5b 100644
--- a/core/postfix/conf/outclean_header_filter.cf
+++ b/core/postfix/conf/outclean_header_filter.cf
@@ -1,10 +1,7 @@
 # This configuration was copied from Mailinabox. The original version is available at:
 # https://raw.githubusercontent.com/mail-in-a-box/mailinabox/master/conf/postfix_outgoing_mail_header_filters
 
-# Remove the first line of the Received: header. Note that we cannot fully remove the Received: header
-# because OpenDKIM requires that a header be present when signing outbound mail. The first line is
-# where the user's home IP address would be.
-/^\s*Received:[^\n]*(.*)/         REPLACE Received: from authenticated-user ({{OUTCLEAN}} [{{OUTCLEAN_ADDRESS}}])$1
+/^\s*Received:[^\n]*(.*)/	IGNORE
 
 # Remove other typically private information.
 /^\s*User-Agent:/        IGNORE
diff --git a/core/postfix/start.py b/core/postfix/start.py
index 12610bd0..c889dce1 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -46,15 +46,6 @@ os.environ["FRONT_ADDRESS"] = system.get_host_address_from_environment("FRONT",
 os.environ["ADMIN_ADDRESS"] = system.get_host_address_from_environment("ADMIN", "admin")
 os.environ["ANTISPAM_MILTER_ADDRESS"] = system.get_host_address_from_environment("ANTISPAM_MILTER", "antispam:11332")
 os.environ["LMTP_ADDRESS"] = system.get_host_address_from_environment("LMTP", "imap:2525")
-os.environ["OUTCLEAN"] = os.environ["HOSTNAMES"].split(",")[0]
-try:
-    _to_lookup = os.environ["OUTCLEAN"]
-    # Ensure we lookup a FQDN: @see #1884
-    if not _to_lookup.endswith('.'):
-        _to_lookup += '.'
-    os.environ["OUTCLEAN_ADDRESS"] = system.resolve_hostname(_to_lookup)
-except:
-    os.environ["OUTCLEAN_ADDRESS"] = "10.10.10.10"
 
 for postfix_file in glob.glob("/conf/*.cf"):
     conf.jinja(postfix_file, os.environ, os.path.join("/etc/postfix", os.path.basename(postfix_file)))
diff --git a/towncrier/newsfragments/446.feature b/towncrier/newsfragments/446.feature
new file mode 100644
index 00000000..12049b94
--- /dev/null
+++ b/towncrier/newsfragments/446.feature
@@ -0,0 +1 @@
+Remove the Received header with PRIMARY_HOSTNAME [PUBLIC_IP]

From 10d78a888bf4a509e36bb96cd0548cd11ee2b585 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Fri, 1 Oct 2021 15:00:10 +0200
Subject: [PATCH 084/222] Derive a new subkey for SRS

---
 core/admin/mailu/__init__.py               | 1 +
 core/admin/mailu/internal/views/postfix.py | 4 ++--
 towncrier/newsfragments/1999.enhancement   | 1 +
 3 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 towncrier/newsfragments/1999.enhancement

diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py
index 9b712512..51532968 100644
--- a/core/admin/mailu/__init__.py
+++ b/core/admin/mailu/__init__.py
@@ -29,6 +29,7 @@ def create_app_from_config(config):
     utils.migrate.init_app(app, models.db)
 
     app.temp_token_key = hmac.new(bytearray(app.secret_key, 'utf-8'), bytearray('WEBMAIL_TEMP_TOKEN_KEY', 'utf-8'), 'sha256').digest()
+    app.srs_key = hmac.new(bytearray(app.secret_key, 'utf-8'), bytearray('SRS_KEY', 'utf-8'), 'sha256').digest()
 
     # Initialize list of translations
     config.translations = {
diff --git a/core/admin/mailu/internal/views/postfix.py b/core/admin/mailu/internal/views/postfix.py
index 330fed5b..928f4faf 100644
--- a/core/admin/mailu/internal/views/postfix.py
+++ b/core/admin/mailu/internal/views/postfix.py
@@ -108,7 +108,7 @@ def postfix_recipient_map(recipient):
 
     This is meant for bounces to go back to the original sender.
     """
-    srs = srslib.SRS(flask.current_app.config["SECRET_KEY"])
+    srs = srslib.SRS(flask.current_app.srs_key)
     if srslib.SRS.is_srs_address(recipient):
         try:
             return flask.jsonify(srs.reverse(recipient))
@@ -123,7 +123,7 @@ def postfix_sender_map(sender):
 
     This is for bounces to come back the reverse path properly.
     """
-    srs = srslib.SRS(flask.current_app.config["SECRET_KEY"])
+    srs = srslib.SRS(flask.current_app.srs_key)
     domain = flask.current_app.config["DOMAIN"]
     try:
         localpart, domain_name = models.Email.resolve_domain(sender)
diff --git a/towncrier/newsfragments/1999.enhancement b/towncrier/newsfragments/1999.enhancement
new file mode 100644
index 00000000..bd025141
--- /dev/null
+++ b/towncrier/newsfragments/1999.enhancement
@@ -0,0 +1 @@
+Derive a new subkey (from SECRET_KEY) for SRS

From 65ee1c1ef27eb7fe3e8c6c6f8b116180c6fcd7bc Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Fri, 1 Oct 2021 15:04:45 +0200
Subject: [PATCH 085/222] doh

---
 towncrier/newsfragments/{446.feature => 466.feature} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename towncrier/newsfragments/{446.feature => 466.feature} (100%)

diff --git a/towncrier/newsfragments/446.feature b/towncrier/newsfragments/466.feature
similarity index 100%
rename from towncrier/newsfragments/446.feature
rename to towncrier/newsfragments/466.feature

From 4a78d646db1648a0277c4ffe4684cdc435da0391 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Fri, 1 Oct 2021 15:05:38 +0200
Subject: [PATCH 086/222] doh

---
 towncrier/newsfragments/{1999.enhancement => 2002.enhancement} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename towncrier/newsfragments/{1999.enhancement => 2002.enhancement} (100%)

diff --git a/towncrier/newsfragments/1999.enhancement b/towncrier/newsfragments/2002.enhancement
similarity index 100%
rename from towncrier/newsfragments/1999.enhancement
rename to towncrier/newsfragments/2002.enhancement

From a349190e5232fddd927b460215f71325caf76b05 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 2 Oct 2021 10:19:57 +0200
Subject: [PATCH 087/222] simplify

---
 core/postfix/conf/outclean_header_filter.cf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/postfix/conf/outclean_header_filter.cf b/core/postfix/conf/outclean_header_filter.cf
index 6a5d6b5b..35b90ff5 100644
--- a/core/postfix/conf/outclean_header_filter.cf
+++ b/core/postfix/conf/outclean_header_filter.cf
@@ -1,7 +1,7 @@
 # This configuration was copied from Mailinabox. The original version is available at:
 # https://raw.githubusercontent.com/mail-in-a-box/mailinabox/master/conf/postfix_outgoing_mail_header_filters
 
-/^\s*Received:[^\n]*(.*)/	IGNORE
+/^\s*Received:[^\n]*/	IGNORE
 
 # Remove other typically private information.
 /^\s*User-Agent:/        IGNORE

From 502affbe66eafb6a8eba4f8d36ab8fef94e5eeb7 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 3 Oct 2021 10:14:49 +0200
Subject: [PATCH 088/222] Use the regexp engine since we have one

---
 core/postfix/conf/outclean_header_filter.cf | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/core/postfix/conf/outclean_header_filter.cf b/core/postfix/conf/outclean_header_filter.cf
index 35b90ff5..9c880843 100644
--- a/core/postfix/conf/outclean_header_filter.cf
+++ b/core/postfix/conf/outclean_header_filter.cf
@@ -1,14 +1,8 @@
 # This configuration was copied from Mailinabox. The original version is available at:
 # https://raw.githubusercontent.com/mail-in-a-box/mailinabox/master/conf/postfix_outgoing_mail_header_filters
 
-/^\s*Received:[^\n]*/	IGNORE
-
-# Remove other typically private information.
-/^\s*User-Agent:/        IGNORE
-/^\s*X-Enigmail:/        IGNORE
-/^\s*X-Mailer:/          IGNORE
-/^\s*X-Originating-IP:/  IGNORE
-/^\s*X-Pgp-Agent:/       IGNORE
+# Remove typically private information.
+/^\s*(Received|User-Agent|X-(Enigmail|Mailer|Originating-IP|Pgp-Agent)):/	IGNORE
 
 # The Mime-Version header can leak the user agent too, e.g. in Mime-Version: 1.0 (Mac OS X Mail 8.1 \(2010.6\)).
 /^\s*(Mime-Version:\s*[0-9\.]+)\s.+/  REPLACE $1

From b48779ea7084278d494e436386d06fd5e55161d6 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Fri, 8 Oct 2021 10:17:03 +0200
Subject: [PATCH 089/222] SESSION_COOKIE_SECURE and HTTP won't work

---
 core/admin/mailu/ui/templates/login.html | 12 ++++++++++++
 towncrier/newsfragments/1996.enhancement |  1 +
 2 files changed, 13 insertions(+)
 create mode 100644 towncrier/newsfragments/1996.enhancement

diff --git a/core/admin/mailu/ui/templates/login.html b/core/admin/mailu/ui/templates/login.html
index fb8e5bd4..118173cb 100644
--- a/core/admin/mailu/ui/templates/login.html
+++ b/core/admin/mailu/ui/templates/login.html
@@ -7,3 +7,15 @@
 {%- block subtitle %}
 {% trans %}to access the administration tools{% endtrans %}
 {%- endblock %}
+
+{%+ block content %}
+{% if config["SESSION_COOKIE_SECURE"] %}
+<script language="javascript">
+	if(window.location.protocol != "https:") {
+		document.write('<div class="alert alert-danger" role="alert">The login form has been disabled as <b>SESSION_COOKIE_SECURE</b> is on but you are accessing Mailu over HTTP</div>');
+		window.stop();
+	}
+</script>
+{% endif %}
+{{ super() }}
+{%+ endblock %}
diff --git a/towncrier/newsfragments/1996.enhancement b/towncrier/newsfragments/1996.enhancement
new file mode 100644
index 00000000..d1bc2ccf
--- /dev/null
+++ b/towncrier/newsfragments/1996.enhancement
@@ -0,0 +1 @@
+Disable the login page if SESSION_COOKIE_SECURE is incompatible with how Mailu is accessed as this seems to be a common misconfiguration.

From aaf3ddd002b87dfccd09e82a00830364a19aeed1 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Fri, 8 Oct 2021 19:54:31 +0200
Subject: [PATCH 090/222] moved javascript to app.js

---
 core/admin/assets/app.js                 |  7 +++++++
 core/admin/mailu/ui/templates/login.html | 15 ++++++---------
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/core/admin/assets/app.js b/core/admin/assets/app.js
index dc3414f2..5df8052c 100644
--- a/core/admin/assets/app.js
+++ b/core/admin/assets/app.js
@@ -66,5 +66,12 @@ $('document').ready(function() {
     // init clipboard.js
     new ClipboardJS('.btn-clip');
 
+    // disable login if not possible
+    var l = $('#login_needs_https');
+    if (l.length && window.location.protocol != 'https:') {
+        l.removeClass("d-none");
+        $('form :input').prop('disabled', true);
+    }
+
 });
 
diff --git a/core/admin/mailu/ui/templates/login.html b/core/admin/mailu/ui/templates/login.html
index 118173cb..4c38d134 100644
--- a/core/admin/mailu/ui/templates/login.html
+++ b/core/admin/mailu/ui/templates/login.html
@@ -8,14 +8,11 @@
 {% trans %}to access the administration tools{% endtrans %}
 {%- endblock %}
 
-{%+ block content %}
 {% if config["SESSION_COOKIE_SECURE"] %}
-<script language="javascript">
-	if(window.location.protocol != "https:") {
-		document.write('<div class="alert alert-danger" role="alert">The login form has been disabled as <b>SESSION_COOKIE_SECURE</b> is on but you are accessing Mailu over HTTP</div>');
-		window.stop();
-	}
-</script>
-{% endif %}
+{%- block content %}
+<div id="login_needs_https" class="alert alert-danger d-none" role="alert">
+{% trans %}The login form has been disabled as <b>SESSION_COOKIE_SECURE</b> is on but you are accessing Mailu over HTTP.{% endtrans %}
+</div>
 {{ super() }}
-{%+ endblock %}
+{%- endblock %}
+{% endif %}

From d131d863baca9616bb2251aa44dd658167888966 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 9 Oct 2021 15:44:56 +0200
Subject: [PATCH 091/222] The if needs to be inside the block

---
 core/admin/mailu/ui/templates/login.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/ui/templates/login.html b/core/admin/mailu/ui/templates/login.html
index 4c38d134..d4d115db 100644
--- a/core/admin/mailu/ui/templates/login.html
+++ b/core/admin/mailu/ui/templates/login.html
@@ -8,11 +8,11 @@
 {% trans %}to access the administration tools{% endtrans %}
 {%- endblock %}
 
-{% if config["SESSION_COOKIE_SECURE"] %}
 {%- block content %}
+{% if config["SESSION_COOKIE_SECURE"] %}
 <div id="login_needs_https" class="alert alert-danger d-none" role="alert">
 {% trans %}The login form has been disabled as <b>SESSION_COOKIE_SECURE</b> is on but you are accessing Mailu over HTTP.{% endtrans %}
 </div>
+{% endif %}
 {{ super() }}
 {%- endblock %}
-{% endif %}

From 1d571dedfc5df67dd9b47d1f235edbc1198afbca Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Sat, 9 Oct 2021 17:11:12 +0200
Subject: [PATCH 092/222] split localpart into user and tag

---
 core/admin/mailu/internal/views/postfix.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/core/admin/mailu/internal/views/postfix.py b/core/admin/mailu/internal/views/postfix.py
index 928f4faf..d2c9f877 100644
--- a/core/admin/mailu/internal/views/postfix.py
+++ b/core/admin/mailu/internal/views/postfix.py
@@ -140,7 +140,8 @@ def postfix_sender_login(sender):
     localpart, domain_name = models.Email.resolve_domain(sender)
     if localpart is None:
         return flask.jsonify(",".join(wildcard_senders)) if wildcard_senders else flask.abort(404)
-    destination = models.Email.resolve_destination(localpart, domain_name, True)
+    user, plus = localpart.split("+", 1)
+    destination = models.Email.resolve_destination(user, domain_name, True)
     destination = [*destination, *wildcard_senders] if destination else [*wildcard_senders]
     return flask.jsonify(",".join(destination)) if destination else flask.abort(404)
 

From 22ed2b7f904271d2a7b524b390ccbbc00536fdfd Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Sat, 9 Oct 2021 17:17:40 +0200
Subject: [PATCH 093/222] add newsfragment

---
 towncrier/newsfragments/2006.enhancement | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 towncrier/newsfragments/2006.enhancement

diff --git a/towncrier/newsfragments/2006.enhancement b/towncrier/newsfragments/2006.enhancement
new file mode 100644
index 00000000..802e6d36
--- /dev/null
+++ b/towncrier/newsfragments/2006.enhancement
@@ -0,0 +1 @@
+allow sending emails as user+detail@domain.tld

From 6a8066c0ae1597fc0b85d9130978ff1af778d70f Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Sat, 9 Oct 2021 17:18:53 +0200
Subject: [PATCH 094/222] renamed newsfragment

---
 towncrier/newsfragments/{2006.enhancement => 2007.enhancement} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename towncrier/newsfragments/{2006.enhancement => 2007.enhancement} (100%)

diff --git a/towncrier/newsfragments/2006.enhancement b/towncrier/newsfragments/2007.enhancement
similarity index 100%
rename from towncrier/newsfragments/2006.enhancement
rename to towncrier/newsfragments/2007.enhancement

From 8c59f3569760513774ad8a48d1a30d336ce2f259 Mon Sep 17 00:00:00 2001
From: root <ghostwheel42@users.noreply.github.com>
Date: Sat, 9 Oct 2021 17:43:09 +0200
Subject: [PATCH 095/222] use RECIPIENT_DELIMITER for splitting

---
 core/admin/mailu/configuration.py          | 1 +
 core/admin/mailu/internal/views/postfix.py | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 4401888a..8d4d334a 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -49,6 +49,7 @@ DEFAULT_CONFIG = {
     'DKIM_PATH': '/dkim/{domain}.{selector}.key',
     'DEFAULT_QUOTA': 1000000000,
     'MESSAGE_RATELIMIT': '200/day',
+    'RECIPIENT_DELIMITER': None,
     # Web settings
     'SITENAME': 'Mailu',
     'WEBSITE': 'https://mailu.io',
diff --git a/core/admin/mailu/internal/views/postfix.py b/core/admin/mailu/internal/views/postfix.py
index d2c9f877..44a685c9 100644
--- a/core/admin/mailu/internal/views/postfix.py
+++ b/core/admin/mailu/internal/views/postfix.py
@@ -140,8 +140,9 @@ def postfix_sender_login(sender):
     localpart, domain_name = models.Email.resolve_domain(sender)
     if localpart is None:
         return flask.jsonify(",".join(wildcard_senders)) if wildcard_senders else flask.abort(404)
-    user, plus = localpart.split("+", 1)
-    destination = models.Email.resolve_destination(user, domain_name, True)
+    if delim := flask.current_app.config.get('RECIPIENT_DELIMITER'):
+        localpart = localpart.split(delim, 1)[0]
+    destination = models.Email.resolve_destination(localpart, domain_name, True)
     destination = [*destination, *wildcard_senders] if destination else [*wildcard_senders]
     return flask.jsonify(",".join(destination)) if destination else flask.abort(404)
 

From 14360f8926461c62c019c62338fef1be2308f133 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 9 Oct 2021 18:28:50 +0200
Subject: [PATCH 096/222] RECIPIENT_DELIMITER can have several characters

---
 core/admin/mailu/configuration.py          | 2 +-
 core/admin/mailu/internal/views/postfix.py | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 8d4d334a..1f2a9239 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -49,7 +49,7 @@ DEFAULT_CONFIG = {
     'DKIM_PATH': '/dkim/{domain}.{selector}.key',
     'DEFAULT_QUOTA': 1000000000,
     'MESSAGE_RATELIMIT': '200/day',
-    'RECIPIENT_DELIMITER': None,
+    'RECIPIENT_DELIMITER': '',
     # Web settings
     'SITENAME': 'Mailu',
     'WEBSITE': 'https://mailu.io',
diff --git a/core/admin/mailu/internal/views/postfix.py b/core/admin/mailu/internal/views/postfix.py
index 44a685c9..ab965967 100644
--- a/core/admin/mailu/internal/views/postfix.py
+++ b/core/admin/mailu/internal/views/postfix.py
@@ -140,8 +140,7 @@ def postfix_sender_login(sender):
     localpart, domain_name = models.Email.resolve_domain(sender)
     if localpart is None:
         return flask.jsonify(",".join(wildcard_senders)) if wildcard_senders else flask.abort(404)
-    if delim := flask.current_app.config.get('RECIPIENT_DELIMITER'):
-        localpart = localpart.split(delim, 1)[0]
+    localpart = localpart[:next((i for i, ch in enumerate(localpart) if ch in flask.current_app.config.get('RECIPIENT_DELIMITER')), None)]
     destination = models.Email.resolve_destination(localpart, domain_name, True)
     destination = [*destination, *wildcard_senders] if destination else [*wildcard_senders]
     return flask.jsonify(",".join(destination)) if destination else flask.abort(404)

From e127e6b32f8cf83123a5bcfa9431f4caeab80e22 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 9 Oct 2021 18:58:51 +0200
Subject: [PATCH 097/222] clarify the documentation

---
 docs/configuration.rst | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/docs/configuration.rst b/docs/configuration.rst
index 5f17b57e..5d8e87b1 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -93,9 +93,10 @@ go and fetch new email if available. Do not use too short delays if you do not
 want to be blacklisted by external services, but not too long delays if you
 want to receive your email in time.
 
-The ``RECIPIENT_DELIMITER`` is a character used to delimit localpart from a
-custom address part. For instance, if set to ``+``, users can use addresses
-like ``localpart+custom@domain.tld`` to deliver mail to ``localpart@domain.tld``.
+The ``RECIPIENT_DELIMITER`` is a list of characters used to delimit localpart
+from a custom address part. For instance, if set to ``+-``, users can use
+addresses like ``localpart+custom@example.com`` or ``localpart-custom@example.com``
+to deliver mail to ``localpart@example.com``.
 This is useful to provide external parties with different email addresses and
 later classify incoming mail based on the custom part.
 

From 251eea55539856eeb984fa6ac93e601b5017f1a2 Mon Sep 17 00:00:00 2001
From: qy117121 <mixuan121@gmail.com>
Date: Thu, 14 Oct 2021 15:03:23 +0800
Subject: [PATCH 098/222] Update messages.po

Updated translation
---
 .../zh_CN/LC_MESSAGES/messages.po             | 546 +++++++++---------
 1 file changed, 261 insertions(+), 285 deletions(-)

diff --git a/core/admin/mailu/translations/zh_CN/LC_MESSAGES/messages.po b/core/admin/mailu/translations/zh_CN/LC_MESSAGES/messages.po
index ee204fec..a3363169 100644
--- a/core/admin/mailu/translations/zh_CN/LC_MESSAGES/messages.po
+++ b/core/admin/mailu/translations/zh_CN/LC_MESSAGES/messages.po
@@ -3,9 +3,11 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Generator: POEditor.com\n"
+"X-Generator: Poedit 1.5.7\n"
 "Project-Id-Version: Mailu\n"
-"Language: zh-CN\n"
+"Language: zh\n"
+"Last-Translator: Chris Chuan <Chris.chuan@gmail.com>\n"
+"Language-Team: \n"
 
 #: mailu/ui/forms.py:32
 msgid "Invalid email address."
@@ -28,7 +30,7 @@ msgstr "密码"
 #: mailu/ui/forms.py:42 mailu/ui/templates/login.html:4
 #: mailu/ui/templates/sidebar.html:111
 msgid "Sign in"
-msgstr "注册"
+msgstr "登录"
 
 #: mailu/ui/forms.py:46 mailu/ui/forms.py:56
 #: mailu/ui/templates/domain/details.html:27
@@ -44,6 +46,14 @@ msgstr "最大用户数"
 msgid "Maximum alias count"
 msgstr "最大别名数"
 
+#: mailu/ui/forms.py:49
+msgid "Maximum user quota"
+msgstr "最大用户配额"
+
+#: mailu/ui/forms.py:50
+msgid "Enable sign-up"
+msgstr "启用注册"
+
 #: mailu/ui/forms.py:51 mailu/ui/forms.py:72 mailu/ui/forms.py:83
 #: mailu/ui/forms.py:128 mailu/ui/forms.py:140
 #: mailu/ui/templates/alias/list.html:21 mailu/ui/templates/domain/list.html:21
@@ -57,10 +67,30 @@ msgstr "说明"
 msgid "Create"
 msgstr "创建"
 
+#: mailu/ui/forms.py:57
+msgid "Initial admin"
+msgstr "初始管理员"
+
+#: mailu/ui/forms.py:58
+msgid "Admin password"
+msgstr "管理员密码"
+
 #: mailu/ui/forms.py:59 mailu/ui/forms.py:79 mailu/ui/forms.py:91
 msgid "Confirm password"
 msgstr "确认密码"
 
+#: mailu/ui/forms.py:65
+msgid "Alternative name"
+msgstr "备用名称"
+
+#: mailu/ui/forms.py:70
+msgid "Relayed domain name"
+msgstr "中继域域名"
+
+#: mailu/ui/forms.py:71 mailu/ui/templates/relay/list.html:18
+msgid "Remote host"
+msgstr "远程主机"
+
 #: mailu/ui/forms.py:80 mailu/ui/templates/user/list.html:22
 #: mailu/ui/templates/user/signup_domain.html:16
 msgid "Quota"
@@ -68,16 +98,30 @@ msgstr "配额"
 
 #: mailu/ui/forms.py:81
 msgid "Allow IMAP access"
-msgstr "允许IMAP访问"
+msgstr "允许 IMAP 访问"
 
 #: mailu/ui/forms.py:82
 msgid "Allow POP3 access"
-msgstr "允许POP3访问"
+msgstr "允许 POP3 访问"
+
+#: mailu/ui/forms.py:84
+msgid "Enabled"
+msgstr "启用"
 
 #: mailu/ui/forms.py:85
 msgid "Save"
 msgstr "保存"
 
+#: mailu/ui/forms.py:89
+msgid "Email address"
+msgstr "邮件地址"
+
+#: mailu/ui/forms.py:93 mailu/ui/templates/sidebar.html:117
+#: mailu/ui/templates/user/signup.html:4
+#: mailu/ui/templates/user/signup_domain.html:4
+msgid "Sign up"
+msgstr "注册"
+
 #: mailu/ui/forms.py:97
 msgid "Displayed name"
 msgstr "显示名称"
@@ -86,10 +130,23 @@ msgstr "显示名称"
 msgid "Enable spam filter"
 msgstr "启用垃圾邮件过滤"
 
-#: mailu/ui/forms.py:80
-msgid "Spam filter threshold"
+#: mailu/ui/forms.py:99
+msgid "Spam filter tolerance"
 msgstr "垃圾邮件过滤器阈值"
 
+#: mailu/ui/forms.py:100
+msgid "Enable forwarding"
+msgstr "启用转发"
+
+#: mailu/ui/forms.py:101
+msgid "Keep a copy of the emails"
+msgstr "保留电子邮件副本"
+
+#: mailu/ui/forms.py:103 mailu/ui/forms.py:139
+#: mailu/ui/templates/alias/list.html:20
+msgid "Destination"
+msgstr "目的地址"
+
 #: mailu/ui/forms.py:105
 msgid "Save settings"
 msgstr "保存设置"
@@ -102,19 +159,6 @@ msgstr "检查密码"
 msgid "Update password"
 msgstr "更新密码"
 
-#: mailu/ui/forms.py:100
-msgid "Enable forwarding"
-msgstr "启用转发"
-
-#: mailu/ui/forms.py:103 mailu/ui/forms.py:139
-#: mailu/ui/templates/alias/list.html:20
-msgid "Destination"
-msgstr "目的地址"
-
-#: mailu/ui/forms.py:120
-msgid "Update"
-msgstr "更新"
-
 #: mailu/ui/forms.py:115
 msgid "Enable automatic reply"
 msgstr "启用自动回复"
@@ -127,6 +171,22 @@ msgstr "回复主题"
 msgid "Reply body"
 msgstr "回复正文"
 
+#: mailu/ui/forms.py:119
+msgid "End of vacation"
+msgstr "假期结束"
+
+#: mailu/ui/forms.py:120
+msgid "Update"
+msgstr "更新"
+
+#: mailu/ui/forms.py:125
+msgid "Your token (write it down, as it will never be displayed again)"
+msgstr "您的令牌（请记录，它只显示这一次）"
+
+#: mailu/ui/forms.py:130 mailu/ui/templates/token/list.html:20
+msgid "Authorized IP"
+msgstr "授权 IP"
+
 #: mailu/ui/forms.py:136
 msgid "Alias"
 msgstr "别名"
@@ -169,70 +229,67 @@ msgstr "启用TLS"
 msgid "Username"
 msgstr "用户名"
 
+#: mailu/ui/forms.py:163
+msgid "Keep emails on the server"
+msgstr "在服务器上保留电子邮件"
+
+#: mailu/ui/forms.py:168
+msgid "Announcement subject"
+msgstr "公告主题"
+
+#: mailu/ui/forms.py:170
+msgid "Announcement body"
+msgstr "公告正文"
+
+#: mailu/ui/forms.py:172
+msgid "Send"
+msgstr "发送"
+
+#: mailu/ui/templates/announcement.html:4
+msgid "Public announcement"
+msgstr "公开公告"
+
+#: mailu/ui/templates/client.html:4 mailu/ui/templates/sidebar.html:82
+msgid "Client setup"
+msgstr "客户端设置"
+
+#: mailu/ui/templates/client.html:16 mailu/ui/templates/client.html:43
+msgid "Mail protocol"
+msgstr "邮件协议"
+
+#: mailu/ui/templates/client.html:24 mailu/ui/templates/client.html:51
+msgid "Server name"
+msgstr "服务器名称"
+
 #: mailu/ui/templates/confirm.html:4
 msgid "Confirm action"
 msgstr "确认操作"
 
 #: mailu/ui/templates/confirm.html:13
+#, python-format
 msgid "You are about to %(action)s. Please confirm your action."
 msgstr "即将%(action)s，请确认您的操作。"
 
 #: mailu/ui/templates/docker-error.html:4
 msgid "Docker error"
-msgstr "Docker错误"
+msgstr "Docker 错误"
 
 #: mailu/ui/templates/docker-error.html:12
 msgid "An error occurred while talking to the Docker server."
 msgstr "Docker服务器通信出错"
 
-#: mailu/admin/templates/login.html:6
-msgid "Your account"
-msgstr "你的帐户"
-
 #: mailu/ui/templates/login.html:8
 msgid "to access the administration tools"
-msgstr "访问管理员工具"
-
-#: mailu/ui/templates/services.html:4 mailu/ui/templates/sidebar.html:39
-msgid "Services status"
-msgstr "服务状态"
-
-#: mailu/ui/templates/services.html:10
-msgid "Service"
-msgstr "服务"
-
-#: mailu/ui/templates/fetch/list.html:23 mailu/ui/templates/services.html:11
-msgid "Status"
-msgstr "状态"
-
-#: mailu/ui/templates/services.html:12
-msgid "PID"
-msgstr "进程ID"
-
-#: mailu/ui/templates/services.html:13
-msgid "Image"
-msgstr "镜像"
-
-#: mailu/ui/templates/services.html:14
-msgid "Started"
-msgstr "已开始"
-
-#: mailu/ui/templates/services.html:15
-msgid "Last update"
-msgstr "最后更新"
+msgstr "访问管理工具"
 
 #: mailu/ui/templates/sidebar.html:8
 msgid "My account"
-msgstr "我的帐户"
+msgstr "我的账户"
 
 #: mailu/ui/templates/sidebar.html:11 mailu/ui/templates/user/list.html:34
 msgid "Settings"
 msgstr "设置"
 
-#: mailu/ui/templates/user/settings.html:22
-msgid "Auto-forward"
-msgstr "自动转发"
-
 #: mailu/ui/templates/sidebar.html:21 mailu/ui/templates/user/list.html:35
 msgid "Auto-reply"
 msgstr "自动回复"
@@ -240,39 +297,71 @@ msgstr "自动回复"
 #: mailu/ui/templates/fetch/list.html:4 mailu/ui/templates/sidebar.html:26
 #: mailu/ui/templates/user/list.html:36
 msgid "Fetched accounts"
-msgstr "代收帐户"
+msgstr "代收账户"
 
-#: mailu/ui/templates/sidebar.html:105
-msgid "Sign out"
-msgstr "登出"
+#: mailu/ui/templates/sidebar.html:31 mailu/ui/templates/token/list.html:4
+msgid "Authentication tokens"
+msgstr "认证令牌"
 
 #: mailu/ui/templates/sidebar.html:35
 msgid "Administration"
 msgstr "管理"
 
+#: mailu/ui/templates/sidebar.html:44
+msgid "Announcement"
+msgstr "公告"
+
 #: mailu/ui/templates/sidebar.html:49
 msgid "Administrators"
 msgstr "管理员"
 
+#: mailu/ui/templates/sidebar.html:54
+msgid "Relayed domains"
+msgstr "中继域"
+
+#: mailu/ui/templates/sidebar.html:59 mailu/ui/templates/user/settings.html:15
+msgid "Antispam"
+msgstr "发垃圾邮件"
+
 #: mailu/ui/templates/sidebar.html:66
 msgid "Mail domains"
 msgstr "邮件域"
 
+#: mailu/ui/templates/sidebar.html:72
+msgid "Go to"
+msgstr "转到"
+
+#: mailu/ui/templates/sidebar.html:76
+msgid "Webmail"
+msgstr "网页邮箱"
+
+#: mailu/ui/templates/sidebar.html:87
+msgid "Website"
+msgstr "网站"
+
 #: mailu/ui/templates/sidebar.html:92
 msgid "Help"
 msgstr "帮助"
 
+#: mailu/ui/templates/domain/signup.html:4 mailu/ui/templates/sidebar.html:98
+msgid "Register a domain"
+msgstr "注册域名"
+
+#: mailu/ui/templates/sidebar.html:105
+msgid "Sign out"
+msgstr "登出"
+
 #: mailu/ui/templates/working.html:4
 msgid "We are still working on this feature!"
 msgstr "该功能开发中……"
 
 #: mailu/ui/templates/admin/create.html:4
 msgid "Add a global administrator"
-msgstr "添加超级管理员"
+msgstr "添加全局管理员"
 
 #: mailu/ui/templates/admin/list.html:4
 msgid "Global administrators"
-msgstr "超级管理员"
+msgstr "全局管理员"
 
 #: mailu/ui/templates/admin/list.html:9
 msgid "Add administrator"
@@ -323,7 +412,7 @@ msgstr "添加别名"
 #: mailu/ui/templates/relay/list.html:20 mailu/ui/templates/token/list.html:21
 #: mailu/ui/templates/user/list.html:24
 msgid "Created"
-msgstr "创建"
+msgstr "已创建"
 
 #: mailu/ui/templates/alias/list.html:23 mailu/ui/templates/domain/list.html:23
 #: mailu/ui/templates/fetch/list.html:25 mailu/ui/templates/relay/list.html:21
@@ -337,6 +426,22 @@ msgstr "上次编辑"
 msgid "Edit"
 msgstr "编辑"
 
+#: mailu/ui/templates/alternative/create.html:4
+msgid "Create alternative domain"
+msgstr "创建替代域"
+
+#: mailu/ui/templates/alternative/list.html:4
+msgid "Alternative domain list"
+msgstr "替代域名列表"
+
+#: mailu/ui/templates/alternative/list.html:12
+msgid "Add alternative"
+msgstr "添加替代"
+
+#: mailu/ui/templates/alternative/list.html:19
+msgid "Name"
+msgstr "名称"
+
 #: mailu/ui/templates/domain/create.html:4
 #: mailu/ui/templates/domain/list.html:9
 msgid "New domain"
@@ -344,11 +449,15 @@ msgstr "新域"
 
 #: mailu/ui/templates/domain/details.html:4
 msgid "Domain details"
-msgstr "域详情"
+msgstr "域详细信息"
 
 #: mailu/ui/templates/domain/details.html:15
 msgid "Regenerate keys"
-msgstr "重新生成密钥"
+msgstr "重新生成秘钥"
+
+#: mailu/ui/templates/domain/details.html:17
+msgid "Generate keys"
+msgstr "生成秘钥"
 
 #: mailu/ui/templates/domain/details.html:31
 msgid "DNS MX entry"
@@ -356,19 +465,19 @@ msgstr "DNS MX条目"
 
 #: mailu/ui/templates/domain/details.html:35
 msgid "DNS SPF entries"
-msgstr "DNS SPF条目"
+msgstr "DNS SPF 条目"
 
 #: mailu/ui/templates/domain/details.html:42
 msgid "DKIM public key"
-msgstr "DKIM公钥"
+msgstr "DKIM 公钥"
 
 #: mailu/ui/templates/domain/details.html:46
 msgid "DNS DKIM entry"
-msgstr "DNS DKIM条目"
+msgstr "DNS DKIM 条目"
 
 #: mailu/ui/templates/domain/details.html:50
 msgid "DNS DMARC entry"
-msgstr "DNS DMARC条目"
+msgstr "DNS DMARC 条目"
 
 #: mailu/ui/templates/domain/edit.html:4
 msgid "Edit domain"
@@ -392,7 +501,7 @@ msgstr "别名数量"
 
 #: mailu/ui/templates/domain/list.html:28
 msgid "Details"
-msgstr "详情"
+msgstr "详细信息"
 
 #: mailu/ui/templates/domain/list.html:35
 msgid "Users"
@@ -406,26 +515,60 @@ msgstr "别名"
 msgid "Managers"
 msgstr "管理员"
 
+#: mailu/ui/templates/domain/list.html:39
+msgid "Alternatives"
+msgstr "备选方案"
+
+#: mailu/ui/templates/domain/signup.html:13
+msgid ""
+"In order to register a new domain, you must first setup the\n"
+"    domain zone so that the domain <code>MX</code> points to this server"
+msgstr "在注册一个新的域名前，您必须先为该域名设置 <code>MX</code> 记录，并使其指向本服务器"
+
+#: mailu/ui/templates/domain/signup.html:18
+msgid ""
+"If you do not know how to setup an <code>MX</code> record for your DNS "
+"zone,\n"
+"    please contact your DNS provider or administrator. Also, please wait "
+"a\n"
+"    couple minutes after the <code>MX</code> is set so the local server "
+"cache\n"
+"    expires."
+msgstr "如果您不知道如何为域名设置 <code>MX</code> 记录，请联系你的DNS提供商或者系统管理员。在设置完成 <code>MX</code> 记录后，请等待本地域名服务器的缓存过期。"
+
+
 #: mailu/ui/templates/fetch/create.html:4
 msgid "Add a fetched account"
-msgstr "添加一个代收帐户"
+msgstr "添加一个代收账户"
 
 #: mailu/ui/templates/fetch/edit.html:4
 msgid "Update a fetched account"
-msgstr "更新代收帐户"
+msgstr "更新代收账户"
 
 #: mailu/ui/templates/fetch/list.html:12
 msgid "Add an account"
-msgstr "添加一个帐户"
+msgstr "添加一个账户"
 
 #: mailu/ui/templates/fetch/list.html:19
 msgid "Endpoint"
 msgstr "端点"
 
+#: mailu/ui/templates/fetch/list.html:21
+msgid "Keep emails"
+msgstr "保留电子邮件"
+
 #: mailu/ui/templates/fetch/list.html:22
 msgid "Last check"
 msgstr "上次检查"
 
+#: mailu/ui/templates/fetch/list.html:35
+msgid "yes"
+msgstr "是"
+
+#: mailu/ui/templates/fetch/list.html:35
+msgid "no"
+msgstr "否"
+
 #: mailu/ui/templates/manager/create.html:4
 msgid "Add a manager"
 msgstr "添加一个管理员"
@@ -438,41 +581,49 @@ msgstr "管理员列表"
 msgid "Add manager"
 msgstr "添加管理员"
 
-#: mailu/ui/forms.py:168
-msgid "Announcement subject"
-msgstr "公告主题"
+#: mailu/ui/templates/relay/create.html:4
+msgid "New relay domain"
+msgstr "新的中继域"
 
-#: mailu/ui/forms.py:170
-msgid "Announcement body"
-msgstr "公告正文"
+#: mailu/ui/templates/relay/edit.html:4
+msgid "Edit relayd domain"
+msgstr "编辑中继域"
 
-#: mailu/ui/forms.py:172
-msgid "Send"
-msgstr "发送"
+#: mailu/ui/templates/relay/list.html:4
+msgid "Relayed domain list"
+msgstr "中继域列表"
 
-#: mailu/ui/templates/announcement.html:4
-msgid "Public announcement"
-msgstr "公告"
+#: mailu/ui/templates/relay/list.html:9
+msgid "New relayed domain"
+msgstr "新的中继域"
 
-#: mailu/ui/templates/announcement.html:8
-msgid "from"
-msgstr "来自"
+#: mailu/ui/templates/token/create.html:4
+msgid "Create an authentication token"
+msgstr "创建一个认证令牌"
 
-#: mailu/ui/templates/sidebar.html:44
-msgid "Announcement"
-msgstr "公告"
+#: mailu/ui/templates/token/list.html:12
+msgid "New token"
+msgstr "新令牌"
 
 #: mailu/ui/templates/user/create.html:4
 msgid "New user"
 msgstr "新用户"
 
+#: mailu/ui/templates/user/create.html:15
+msgid "General"
+msgstr "通用"
+
+#: mailu/ui/templates/user/create.html:22
+msgid "Features and quotas"
+msgstr "功能和配额"
+
 #: mailu/ui/templates/user/edit.html:4
 msgid "Edit user"
 msgstr "编辑用户"
 
 #: mailu/ui/templates/user/forward.html:4
 msgid "Forward emails"
-msgstr "转发电子邮件"
+msgstr "转发邮件"
 
 #: mailu/ui/templates/user/list.html:4
 msgid "User list"
@@ -492,201 +643,15 @@ msgstr "功能"
 
 #: mailu/ui/templates/user/password.html:4
 msgid "Password update"
-msgstr "密码更新"
+msgstr "更新密码"
 
 #: mailu/ui/templates/user/reply.html:4
 msgid "Automatic reply"
 msgstr "自动回复"
 
-#: mailu/ui/forms.py:49
-msgid "Maximum user quota"
-msgstr "最大用户容量"
-
-#: mailu/ui/forms.py:101
-msgid "Keep a copy of the emails"
-msgstr "保留电子邮件副本"
-
-#: mailu/ui/forms.py:163
-msgid "Keep emails on the server"
-msgstr "保留电子邮件在服务器上"
-
-#: mailu/ui/templates/fetch/list.html:21
-msgid "Keep emails"
-msgstr "保存电子邮件"
-
-#: mailu/ui/templates/fetch/list.html:35
-msgid "yes"
-msgstr "是"
-
-#: mailu/ui/templates/fetch/list.html:35
-msgid "no"
-msgstr "否"
-
-#: mailu/ui/forms.py:65
-msgid "Alternative name"
-msgstr "替代名称"
-
-#: mailu/ui/forms.py:70
-msgid "Relayed domain name"
-msgstr "中继域域名"
-
-#: mailu/ui/forms.py:71 mailu/ui/templates/relay/list.html:18
-msgid "Remote host"
-msgstr "远程主机"
-
-#: mailu/ui/templates/sidebar.html:54
-msgid "Relayed domains"
-msgstr "中继域"
-
-#: mailu/ui/templates/alternative/create.html:4
-msgid "Create alternative domain"
-msgstr "创建替代域"
-
-#: mailu/ui/templates/alternative/list.html:4
-msgid "Alternative domain list"
-msgstr "替代域名列表"
-
-#: mailu/ui/templates/alternative/list.html:12
-msgid "Add alternative"
-msgstr "添加替代"
-
-#: mailu/ui/templates/alternative/list.html:19
-msgid "Name"
-msgstr "名称"
-
-#: mailu/ui/templates/domain/list.html:39
-msgid "Alternatives"
-msgstr "备择方案"
-
-#: mailu/ui/templates/relay/create.html:4
-msgid "New relay domain"
-msgstr "新的中继域"
-
-#: mailu/ui/templates/relay/edit.html:4
-msgid "Edit relayd domain"
-msgstr "编辑中继域"
-
-#: mailu/ui/templates/relay/list.html:4
-msgid "Relayed domain list"
-msgstr "中继域列表"
-
-#: mailu/ui/templates/relay/list.html:9
-msgid "New relayed domain"
-msgstr "新的中继域"
-
-#: mailu/ui/forms.py:125
-msgid "Your token (write it down, as it will never be displayed again)"
-msgstr "您的令牌（请记录，它只显示这一次）"
-
-#: mailu/ui/forms.py:130 mailu/ui/templates/token/list.html:20
-msgid "Authorized IP"
-msgstr "授权IP"
-
-#: mailu/ui/templates/sidebar.html:31 mailu/ui/templates/token/list.html:4
-msgid "Authentication tokens"
-msgstr "认证令牌"
-
-#: mailu/ui/templates/sidebar.html:72
-msgid "Go to"
-msgstr "转到"
-
-#: mailu/ui/templates/sidebar.html:76
-msgid "Webmail"
-msgstr "网页邮箱"
-
-#: mailu/ui/templates/sidebar.html:87
-msgid "Website"
-msgstr "网站"
-
-#: mailu/ui/templates/token/create.html:4
-msgid "Create an authentication token"
-msgstr "创建一个认证令牌"
-
-#: mailu/ui/templates/token/list.html:12
-msgid "New token"
-msgstr "新的令牌"
-
-#: mailu/ui/templates/user/create.html:15
-msgid "General"
-msgstr "通用"
-
-#: mailu/ui/templates/user/create.html:22
-msgid "Features and quotas"
-msgstr "功能和配额"
-
-#: mailu/ui/templates/user/settings.html:14
-msgid "General settings"
-msgstr "常规设置"
-
-#: mailu/ui/templates/sidebar.html:59 mailu/ui/templates/user/settings.html:15
-msgid "Antispam"
-msgstr "反垃圾邮件"
-
-#: mailu/ui/forms.py:99
-msgid "Spam filter tolerance"
-msgstr "垃圾邮件过滤器容忍度"
-
-#: mailu/ui/forms.py:50
-msgid "Enable sign-up"
-msgstr "启用用户注册"
-
-#: mailu/ui/forms.py:57
-msgid "Initial admin"
-msgstr "初始管理员"
-
-#: mailu/ui/forms.py:58
-msgid "Admin password"
-msgstr "管理员密码"
-
-#: mailu/ui/forms.py:84
-msgid "Enabled"
-msgstr "启用"
-
-#: mailu/ui/forms.py:89
-msgid "Email address"
-msgstr "邮件地址"
-
-#: mailu/ui/forms.py:93 mailu/ui/templates/sidebar.html:117
-#: mailu/ui/templates/user/signup.html:4
-#: mailu/ui/templates/user/signup_domain.html:4
-msgid "Sign up"
-msgstr "注册"
-
-#: mailu/ui/forms.py:119
-msgid "End of vacation"
-msgstr "假期结束"
-
-#: mailu/ui/templates/client.html:4 mailu/ui/templates/sidebar.html:82
-msgid "Client setup"
-msgstr "客户端设置"
-
-#: mailu/ui/templates/client.html:16 mailu/ui/templates/client.html:43
-msgid "Mail protocol"
-msgstr "邮件协议"
-
-#: mailu/ui/templates/client.html:24 mailu/ui/templates/client.html:51
-msgid "Server name"
-msgstr "服务器名"
-
-#: mailu/ui/templates/domain/signup.html:4 mailu/ui/templates/sidebar.html:98
-msgid "Register a domain"
-msgstr "注册域名"
-
-#: mailu/ui/templates/domain/details.html:17
-msgid "Generate keys"
-msgstr "生成密钥"
-
-#: mailu/ui/templates/domain/signup.html:13
-msgid "In order to register a new domain, you must first setup the\n"
-"    domain zone so that the domain <code>MX</code> points to this server"
-msgstr "在注册一个新的域名前，您必须先为该域名设置 <code>MX</code> 记录，并使其指向本服务器"
-
-#: mailu/ui/templates/domain/signup.html:18
-msgid "If you do not know how to setup an <code>MX</code> record for your DNS zone,\n"
-"    please contact your DNS provider or administrator. Also, please wait a\n"
-"    couple minutes after the <code>MX</code> is set so the local server cache\n"
-"    expires."
-msgstr "如果您不知道如何为域名设置 <code>MX</code> 记录，请联系你的DNS提供商或者系统管理员。在设置完成 <code>MX</code> 记录后，请等待本地域名服务器的缓存过期。"
+#: mailu/ui/templates/user/settings.html:22
+msgid "Auto-forward"
+msgstr "自动转发"
 
 #: mailu/ui/templates/user/signup_domain.html:8
 msgid "pick a domain for the new account"
@@ -700,3 +665,14 @@ msgstr "域名"
 msgid "Available slots"
 msgstr "可用"
 
+#~ msgid "Your account"
+#~ msgstr ""
+
+#~ msgid "Spam filter threshold"
+#~ msgstr ""
+
+#~ msgid "from"
+#~ msgstr ""
+
+#~ msgid "General settings"
+#~ msgstr ""

From 866f784d06348b0328a17565203526c890c48564 Mon Sep 17 00:00:00 2001
From: qy117121 <mixuan121@gmail.com>
Date: Thu, 14 Oct 2021 15:05:32 +0800
Subject: [PATCH 099/222] Create messages.po

Update the translation
---
 .../translations/zh/LC_MESSAGES/messages.po   | 678 ++++++++++++++++++
 1 file changed, 678 insertions(+)
 create mode 100644 core/admin/mailu/translations/zh/LC_MESSAGES/messages.po

diff --git a/core/admin/mailu/translations/zh/LC_MESSAGES/messages.po b/core/admin/mailu/translations/zh/LC_MESSAGES/messages.po
new file mode 100644
index 00000000..a3363169
--- /dev/null
+++ b/core/admin/mailu/translations/zh/LC_MESSAGES/messages.po
@@ -0,0 +1,678 @@
+msgid ""
+msgstr ""
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Poedit 1.5.7\n"
+"Project-Id-Version: Mailu\n"
+"Language: zh\n"
+"Last-Translator: Chris Chuan <Chris.chuan@gmail.com>\n"
+"Language-Team: \n"
+
+#: mailu/ui/forms.py:32
+msgid "Invalid email address."
+msgstr "无效的邮件地址"
+
+#: mailu/ui/forms.py:36
+msgid "Confirm"
+msgstr "确认"
+
+#: mailu/ui/forms.py:40 mailu/ui/forms.py:77
+msgid "E-mail"
+msgstr "电子邮件"
+
+#: mailu/ui/forms.py:41 mailu/ui/forms.py:78 mailu/ui/forms.py:90
+#: mailu/ui/forms.py:109 mailu/ui/forms.py:162
+#: mailu/ui/templates/client.html:32 mailu/ui/templates/client.html:59
+msgid "Password"
+msgstr "密码"
+
+#: mailu/ui/forms.py:42 mailu/ui/templates/login.html:4
+#: mailu/ui/templates/sidebar.html:111
+msgid "Sign in"
+msgstr "登录"
+
+#: mailu/ui/forms.py:46 mailu/ui/forms.py:56
+#: mailu/ui/templates/domain/details.html:27
+#: mailu/ui/templates/domain/list.html:18 mailu/ui/templates/relay/list.html:17
+msgid "Domain name"
+msgstr "域名"
+
+#: mailu/ui/forms.py:47
+msgid "Maximum user count"
+msgstr "最大用户数"
+
+#: mailu/ui/forms.py:48
+msgid "Maximum alias count"
+msgstr "最大别名数"
+
+#: mailu/ui/forms.py:49
+msgid "Maximum user quota"
+msgstr "最大用户配额"
+
+#: mailu/ui/forms.py:50
+msgid "Enable sign-up"
+msgstr "启用注册"
+
+#: mailu/ui/forms.py:51 mailu/ui/forms.py:72 mailu/ui/forms.py:83
+#: mailu/ui/forms.py:128 mailu/ui/forms.py:140
+#: mailu/ui/templates/alias/list.html:21 mailu/ui/templates/domain/list.html:21
+#: mailu/ui/templates/relay/list.html:19 mailu/ui/templates/token/list.html:19
+#: mailu/ui/templates/user/list.html:23
+msgid "Comment"
+msgstr "说明"
+
+#: mailu/ui/forms.py:52 mailu/ui/forms.py:61 mailu/ui/forms.py:66
+#: mailu/ui/forms.py:73 mailu/ui/forms.py:132 mailu/ui/forms.py:141
+msgid "Create"
+msgstr "创建"
+
+#: mailu/ui/forms.py:57
+msgid "Initial admin"
+msgstr "初始管理员"
+
+#: mailu/ui/forms.py:58
+msgid "Admin password"
+msgstr "管理员密码"
+
+#: mailu/ui/forms.py:59 mailu/ui/forms.py:79 mailu/ui/forms.py:91
+msgid "Confirm password"
+msgstr "确认密码"
+
+#: mailu/ui/forms.py:65
+msgid "Alternative name"
+msgstr "备用名称"
+
+#: mailu/ui/forms.py:70
+msgid "Relayed domain name"
+msgstr "中继域域名"
+
+#: mailu/ui/forms.py:71 mailu/ui/templates/relay/list.html:18
+msgid "Remote host"
+msgstr "远程主机"
+
+#: mailu/ui/forms.py:80 mailu/ui/templates/user/list.html:22
+#: mailu/ui/templates/user/signup_domain.html:16
+msgid "Quota"
+msgstr "配额"
+
+#: mailu/ui/forms.py:81
+msgid "Allow IMAP access"
+msgstr "允许 IMAP 访问"
+
+#: mailu/ui/forms.py:82
+msgid "Allow POP3 access"
+msgstr "允许 POP3 访问"
+
+#: mailu/ui/forms.py:84
+msgid "Enabled"
+msgstr "启用"
+
+#: mailu/ui/forms.py:85
+msgid "Save"
+msgstr "保存"
+
+#: mailu/ui/forms.py:89
+msgid "Email address"
+msgstr "邮件地址"
+
+#: mailu/ui/forms.py:93 mailu/ui/templates/sidebar.html:117
+#: mailu/ui/templates/user/signup.html:4
+#: mailu/ui/templates/user/signup_domain.html:4
+msgid "Sign up"
+msgstr "注册"
+
+#: mailu/ui/forms.py:97
+msgid "Displayed name"
+msgstr "显示名称"
+
+#: mailu/ui/forms.py:98
+msgid "Enable spam filter"
+msgstr "启用垃圾邮件过滤"
+
+#: mailu/ui/forms.py:99
+msgid "Spam filter tolerance"
+msgstr "垃圾邮件过滤器阈值"
+
+#: mailu/ui/forms.py:100
+msgid "Enable forwarding"
+msgstr "启用转发"
+
+#: mailu/ui/forms.py:101
+msgid "Keep a copy of the emails"
+msgstr "保留电子邮件副本"
+
+#: mailu/ui/forms.py:103 mailu/ui/forms.py:139
+#: mailu/ui/templates/alias/list.html:20
+msgid "Destination"
+msgstr "目的地址"
+
+#: mailu/ui/forms.py:105
+msgid "Save settings"
+msgstr "保存设置"
+
+#: mailu/ui/forms.py:110
+msgid "Password check"
+msgstr "检查密码"
+
+#: mailu/ui/forms.py:111 mailu/ui/templates/sidebar.html:16
+msgid "Update password"
+msgstr "更新密码"
+
+#: mailu/ui/forms.py:115
+msgid "Enable automatic reply"
+msgstr "启用自动回复"
+
+#: mailu/ui/forms.py:116
+msgid "Reply subject"
+msgstr "回复主题"
+
+#: mailu/ui/forms.py:117
+msgid "Reply body"
+msgstr "回复正文"
+
+#: mailu/ui/forms.py:119
+msgid "End of vacation"
+msgstr "假期结束"
+
+#: mailu/ui/forms.py:120
+msgid "Update"
+msgstr "更新"
+
+#: mailu/ui/forms.py:125
+msgid "Your token (write it down, as it will never be displayed again)"
+msgstr "您的令牌（请记录，它只显示这一次）"
+
+#: mailu/ui/forms.py:130 mailu/ui/templates/token/list.html:20
+msgid "Authorized IP"
+msgstr "授权 IP"
+
+#: mailu/ui/forms.py:136
+msgid "Alias"
+msgstr "别名"
+
+#: mailu/ui/forms.py:138
+msgid "Use SQL LIKE Syntax (e.g. for catch-all aliases)"
+msgstr "使用SQL LIKE语法（例如，用于全部别名）"
+
+#: mailu/ui/forms.py:145
+msgid "Admin email"
+msgstr "管理员邮箱"
+
+#: mailu/ui/forms.py:146 mailu/ui/forms.py:151 mailu/ui/forms.py:164
+msgid "Submit"
+msgstr "提交"
+
+#: mailu/ui/forms.py:150
+msgid "Manager email"
+msgstr "管理员邮箱"
+
+#: mailu/ui/forms.py:155
+msgid "Protocol"
+msgstr "协议"
+
+#: mailu/ui/forms.py:158
+msgid "Hostname or IP"
+msgstr "主机名或IP"
+
+#: mailu/ui/forms.py:159 mailu/ui/templates/client.html:20
+#: mailu/ui/templates/client.html:47
+msgid "TCP port"
+msgstr "TCP端口"
+
+#: mailu/ui/forms.py:160
+msgid "Enable TLS"
+msgstr "启用TLS"
+
+#: mailu/ui/forms.py:161 mailu/ui/templates/client.html:28
+#: mailu/ui/templates/client.html:55 mailu/ui/templates/fetch/list.html:20
+msgid "Username"
+msgstr "用户名"
+
+#: mailu/ui/forms.py:163
+msgid "Keep emails on the server"
+msgstr "在服务器上保留电子邮件"
+
+#: mailu/ui/forms.py:168
+msgid "Announcement subject"
+msgstr "公告主题"
+
+#: mailu/ui/forms.py:170
+msgid "Announcement body"
+msgstr "公告正文"
+
+#: mailu/ui/forms.py:172
+msgid "Send"
+msgstr "发送"
+
+#: mailu/ui/templates/announcement.html:4
+msgid "Public announcement"
+msgstr "公开公告"
+
+#: mailu/ui/templates/client.html:4 mailu/ui/templates/sidebar.html:82
+msgid "Client setup"
+msgstr "客户端设置"
+
+#: mailu/ui/templates/client.html:16 mailu/ui/templates/client.html:43
+msgid "Mail protocol"
+msgstr "邮件协议"
+
+#: mailu/ui/templates/client.html:24 mailu/ui/templates/client.html:51
+msgid "Server name"
+msgstr "服务器名称"
+
+#: mailu/ui/templates/confirm.html:4
+msgid "Confirm action"
+msgstr "确认操作"
+
+#: mailu/ui/templates/confirm.html:13
+#, python-format
+msgid "You are about to %(action)s. Please confirm your action."
+msgstr "即将%(action)s，请确认您的操作。"
+
+#: mailu/ui/templates/docker-error.html:4
+msgid "Docker error"
+msgstr "Docker 错误"
+
+#: mailu/ui/templates/docker-error.html:12
+msgid "An error occurred while talking to the Docker server."
+msgstr "Docker服务器通信出错"
+
+#: mailu/ui/templates/login.html:8
+msgid "to access the administration tools"
+msgstr "访问管理工具"
+
+#: mailu/ui/templates/sidebar.html:8
+msgid "My account"
+msgstr "我的账户"
+
+#: mailu/ui/templates/sidebar.html:11 mailu/ui/templates/user/list.html:34
+msgid "Settings"
+msgstr "设置"
+
+#: mailu/ui/templates/sidebar.html:21 mailu/ui/templates/user/list.html:35
+msgid "Auto-reply"
+msgstr "自动回复"
+
+#: mailu/ui/templates/fetch/list.html:4 mailu/ui/templates/sidebar.html:26
+#: mailu/ui/templates/user/list.html:36
+msgid "Fetched accounts"
+msgstr "代收账户"
+
+#: mailu/ui/templates/sidebar.html:31 mailu/ui/templates/token/list.html:4
+msgid "Authentication tokens"
+msgstr "认证令牌"
+
+#: mailu/ui/templates/sidebar.html:35
+msgid "Administration"
+msgstr "管理"
+
+#: mailu/ui/templates/sidebar.html:44
+msgid "Announcement"
+msgstr "公告"
+
+#: mailu/ui/templates/sidebar.html:49
+msgid "Administrators"
+msgstr "管理员"
+
+#: mailu/ui/templates/sidebar.html:54
+msgid "Relayed domains"
+msgstr "中继域"
+
+#: mailu/ui/templates/sidebar.html:59 mailu/ui/templates/user/settings.html:15
+msgid "Antispam"
+msgstr "发垃圾邮件"
+
+#: mailu/ui/templates/sidebar.html:66
+msgid "Mail domains"
+msgstr "邮件域"
+
+#: mailu/ui/templates/sidebar.html:72
+msgid "Go to"
+msgstr "转到"
+
+#: mailu/ui/templates/sidebar.html:76
+msgid "Webmail"
+msgstr "网页邮箱"
+
+#: mailu/ui/templates/sidebar.html:87
+msgid "Website"
+msgstr "网站"
+
+#: mailu/ui/templates/sidebar.html:92
+msgid "Help"
+msgstr "帮助"
+
+#: mailu/ui/templates/domain/signup.html:4 mailu/ui/templates/sidebar.html:98
+msgid "Register a domain"
+msgstr "注册域名"
+
+#: mailu/ui/templates/sidebar.html:105
+msgid "Sign out"
+msgstr "登出"
+
+#: mailu/ui/templates/working.html:4
+msgid "We are still working on this feature!"
+msgstr "该功能开发中……"
+
+#: mailu/ui/templates/admin/create.html:4
+msgid "Add a global administrator"
+msgstr "添加全局管理员"
+
+#: mailu/ui/templates/admin/list.html:4
+msgid "Global administrators"
+msgstr "全局管理员"
+
+#: mailu/ui/templates/admin/list.html:9
+msgid "Add administrator"
+msgstr "添加管理员"
+
+#: mailu/ui/templates/admin/list.html:16 mailu/ui/templates/alias/list.html:18
+#: mailu/ui/templates/alternative/list.html:18
+#: mailu/ui/templates/domain/list.html:16 mailu/ui/templates/fetch/list.html:18
+#: mailu/ui/templates/manager/list.html:18
+#: mailu/ui/templates/relay/list.html:16 mailu/ui/templates/token/list.html:18
+#: mailu/ui/templates/user/list.html:18
+msgid "Actions"
+msgstr "操作"
+
+#: mailu/ui/templates/admin/list.html:17 mailu/ui/templates/alias/list.html:19
+#: mailu/ui/templates/manager/list.html:19 mailu/ui/templates/user/list.html:20
+msgid "Email"
+msgstr "电子邮件"
+
+#: mailu/ui/templates/admin/list.html:22 mailu/ui/templates/alias/list.html:29
+#: mailu/ui/templates/alternative/list.html:25
+#: mailu/ui/templates/domain/list.html:31 mailu/ui/templates/fetch/list.html:31
+#: mailu/ui/templates/manager/list.html:24
+#: mailu/ui/templates/relay/list.html:27 mailu/ui/templates/token/list.html:26
+#: mailu/ui/templates/user/list.html:31
+msgid "Delete"
+msgstr "删除"
+
+#: mailu/ui/templates/alias/create.html:4
+msgid "Create alias"
+msgstr "创建别名"
+
+#: mailu/ui/templates/alias/edit.html:4
+msgid "Edit alias"
+msgstr "编辑别名"
+
+#: mailu/ui/templates/alias/list.html:4
+msgid "Alias list"
+msgstr "别名列表"
+
+#: mailu/ui/templates/alias/list.html:12
+msgid "Add alias"
+msgstr "添加别名"
+
+#: mailu/ui/templates/alias/list.html:22
+#: mailu/ui/templates/alternative/list.html:20
+#: mailu/ui/templates/domain/list.html:22 mailu/ui/templates/fetch/list.html:24
+#: mailu/ui/templates/relay/list.html:20 mailu/ui/templates/token/list.html:21
+#: mailu/ui/templates/user/list.html:24
+msgid "Created"
+msgstr "已创建"
+
+#: mailu/ui/templates/alias/list.html:23 mailu/ui/templates/domain/list.html:23
+#: mailu/ui/templates/fetch/list.html:25 mailu/ui/templates/relay/list.html:21
+#: mailu/ui/templates/user/list.html:25
+msgid "Last edit"
+msgstr "上次编辑"
+
+#: mailu/ui/templates/alias/list.html:28 mailu/ui/templates/domain/list.html:30
+#: mailu/ui/templates/fetch/list.html:30 mailu/ui/templates/relay/list.html:26
+#: mailu/ui/templates/user/list.html:30
+msgid "Edit"
+msgstr "编辑"
+
+#: mailu/ui/templates/alternative/create.html:4
+msgid "Create alternative domain"
+msgstr "创建替代域"
+
+#: mailu/ui/templates/alternative/list.html:4
+msgid "Alternative domain list"
+msgstr "替代域名列表"
+
+#: mailu/ui/templates/alternative/list.html:12
+msgid "Add alternative"
+msgstr "添加替代"
+
+#: mailu/ui/templates/alternative/list.html:19
+msgid "Name"
+msgstr "名称"
+
+#: mailu/ui/templates/domain/create.html:4
+#: mailu/ui/templates/domain/list.html:9
+msgid "New domain"
+msgstr "新域"
+
+#: mailu/ui/templates/domain/details.html:4
+msgid "Domain details"
+msgstr "域详细信息"
+
+#: mailu/ui/templates/domain/details.html:15
+msgid "Regenerate keys"
+msgstr "重新生成秘钥"
+
+#: mailu/ui/templates/domain/details.html:17
+msgid "Generate keys"
+msgstr "生成秘钥"
+
+#: mailu/ui/templates/domain/details.html:31
+msgid "DNS MX entry"
+msgstr "DNS MX条目"
+
+#: mailu/ui/templates/domain/details.html:35
+msgid "DNS SPF entries"
+msgstr "DNS SPF 条目"
+
+#: mailu/ui/templates/domain/details.html:42
+msgid "DKIM public key"
+msgstr "DKIM 公钥"
+
+#: mailu/ui/templates/domain/details.html:46
+msgid "DNS DKIM entry"
+msgstr "DNS DKIM 条目"
+
+#: mailu/ui/templates/domain/details.html:50
+msgid "DNS DMARC entry"
+msgstr "DNS DMARC 条目"
+
+#: mailu/ui/templates/domain/edit.html:4
+msgid "Edit domain"
+msgstr "编辑域"
+
+#: mailu/ui/templates/domain/list.html:4
+msgid "Domain list"
+msgstr "域列表"
+
+#: mailu/ui/templates/domain/list.html:17
+msgid "Manage"
+msgstr "管理"
+
+#: mailu/ui/templates/domain/list.html:19
+msgid "Mailbox count"
+msgstr "邮箱数量"
+
+#: mailu/ui/templates/domain/list.html:20
+msgid "Alias count"
+msgstr "别名数量"
+
+#: mailu/ui/templates/domain/list.html:28
+msgid "Details"
+msgstr "详细信息"
+
+#: mailu/ui/templates/domain/list.html:35
+msgid "Users"
+msgstr "用户"
+
+#: mailu/ui/templates/domain/list.html:36
+msgid "Aliases"
+msgstr "别名"
+
+#: mailu/ui/templates/domain/list.html:37
+msgid "Managers"
+msgstr "管理员"
+
+#: mailu/ui/templates/domain/list.html:39
+msgid "Alternatives"
+msgstr "备选方案"
+
+#: mailu/ui/templates/domain/signup.html:13
+msgid ""
+"In order to register a new domain, you must first setup the\n"
+"    domain zone so that the domain <code>MX</code> points to this server"
+msgstr "在注册一个新的域名前，您必须先为该域名设置 <code>MX</code> 记录，并使其指向本服务器"
+
+#: mailu/ui/templates/domain/signup.html:18
+msgid ""
+"If you do not know how to setup an <code>MX</code> record for your DNS "
+"zone,\n"
+"    please contact your DNS provider or administrator. Also, please wait "
+"a\n"
+"    couple minutes after the <code>MX</code> is set so the local server "
+"cache\n"
+"    expires."
+msgstr "如果您不知道如何为域名设置 <code>MX</code> 记录，请联系你的DNS提供商或者系统管理员。在设置完成 <code>MX</code> 记录后，请等待本地域名服务器的缓存过期。"
+
+
+#: mailu/ui/templates/fetch/create.html:4
+msgid "Add a fetched account"
+msgstr "添加一个代收账户"
+
+#: mailu/ui/templates/fetch/edit.html:4
+msgid "Update a fetched account"
+msgstr "更新代收账户"
+
+#: mailu/ui/templates/fetch/list.html:12
+msgid "Add an account"
+msgstr "添加一个账户"
+
+#: mailu/ui/templates/fetch/list.html:19
+msgid "Endpoint"
+msgstr "端点"
+
+#: mailu/ui/templates/fetch/list.html:21
+msgid "Keep emails"
+msgstr "保留电子邮件"
+
+#: mailu/ui/templates/fetch/list.html:22
+msgid "Last check"
+msgstr "上次检查"
+
+#: mailu/ui/templates/fetch/list.html:35
+msgid "yes"
+msgstr "是"
+
+#: mailu/ui/templates/fetch/list.html:35
+msgid "no"
+msgstr "否"
+
+#: mailu/ui/templates/manager/create.html:4
+msgid "Add a manager"
+msgstr "添加一个管理员"
+
+#: mailu/ui/templates/manager/list.html:4
+msgid "Manager list"
+msgstr "管理员列表"
+
+#: mailu/ui/templates/manager/list.html:12
+msgid "Add manager"
+msgstr "添加管理员"
+
+#: mailu/ui/templates/relay/create.html:4
+msgid "New relay domain"
+msgstr "新的中继域"
+
+#: mailu/ui/templates/relay/edit.html:4
+msgid "Edit relayd domain"
+msgstr "编辑中继域"
+
+#: mailu/ui/templates/relay/list.html:4
+msgid "Relayed domain list"
+msgstr "中继域列表"
+
+#: mailu/ui/templates/relay/list.html:9
+msgid "New relayed domain"
+msgstr "新的中继域"
+
+#: mailu/ui/templates/token/create.html:4
+msgid "Create an authentication token"
+msgstr "创建一个认证令牌"
+
+#: mailu/ui/templates/token/list.html:12
+msgid "New token"
+msgstr "新令牌"
+
+#: mailu/ui/templates/user/create.html:4
+msgid "New user"
+msgstr "新用户"
+
+#: mailu/ui/templates/user/create.html:15
+msgid "General"
+msgstr "通用"
+
+#: mailu/ui/templates/user/create.html:22
+msgid "Features and quotas"
+msgstr "功能和配额"
+
+#: mailu/ui/templates/user/edit.html:4
+msgid "Edit user"
+msgstr "编辑用户"
+
+#: mailu/ui/templates/user/forward.html:4
+msgid "Forward emails"
+msgstr "转发邮件"
+
+#: mailu/ui/templates/user/list.html:4
+msgid "User list"
+msgstr "用户列表"
+
+#: mailu/ui/templates/user/list.html:12
+msgid "Add user"
+msgstr "添加用户"
+
+#: mailu/ui/templates/user/list.html:19 mailu/ui/templates/user/settings.html:4
+msgid "User settings"
+msgstr "用户设置"
+
+#: mailu/ui/templates/user/list.html:21
+msgid "Features"
+msgstr "功能"
+
+#: mailu/ui/templates/user/password.html:4
+msgid "Password update"
+msgstr "更新密码"
+
+#: mailu/ui/templates/user/reply.html:4
+msgid "Automatic reply"
+msgstr "自动回复"
+
+#: mailu/ui/templates/user/settings.html:22
+msgid "Auto-forward"
+msgstr "自动转发"
+
+#: mailu/ui/templates/user/signup_domain.html:8
+msgid "pick a domain for the new account"
+msgstr "为新用户选择一个域名"
+
+#: mailu/ui/templates/user/signup_domain.html:14
+msgid "Domain"
+msgstr "域名"
+
+#: mailu/ui/templates/user/signup_domain.html:15
+msgid "Available slots"
+msgstr "可用"
+
+#~ msgid "Your account"
+#~ msgstr ""
+
+#~ msgid "Spam filter threshold"
+#~ msgstr ""
+
+#~ msgid "from"
+#~ msgstr ""
+
+#~ msgid "General settings"
+#~ msgstr ""

From 632ce663ee41277e57ad56f522d29e213a030f81 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Thu, 14 Oct 2021 18:04:49 +0200
Subject: [PATCH 100/222] Prevent logins with no password

---
 core/admin/mailu/models.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index 01711a60..3c79e661 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -562,6 +562,8 @@ class User(Base, Email):
         """ verifies password against stored hash
             and updates hash if outdated
         """
+        if password == '':
+            return False
         cache_result = self._credential_cache.get(self.get_id())
         current_salt = self.password.split('$')[3] if len(self.password.split('$')) == 5 else None
         if cache_result and current_salt:

From 893705169e38bc9fbc82873f2f8fef0bad146d0d Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 14 Oct 2021 19:07:11 +0200
Subject: [PATCH 101/222] PoC rspamd use dkimkeys from admin using vault api

---
 core/admin/mailu/internal/views/__init__.py |  2 +-
 core/admin/mailu/internal/views/rspamd.py   | 30 +++++++++++++++++++++
 core/rspamd/conf/arc.conf                   |  8 +++---
 core/rspamd/conf/dkim_signing.conf          |  6 +++--
 core/rspamd/start.py                        |  1 +
 5 files changed, 41 insertions(+), 6 deletions(-)
 create mode 100644 core/admin/mailu/internal/views/rspamd.py

diff --git a/core/admin/mailu/internal/views/__init__.py b/core/admin/mailu/internal/views/__init__.py
index a32106c0..762b2a38 100644
--- a/core/admin/mailu/internal/views/__init__.py
+++ b/core/admin/mailu/internal/views/__init__.py
@@ -1,3 +1,3 @@
 __all__ = [
-    'auth', 'postfix', 'dovecot', 'fetch'
+    'auth', 'postfix', 'dovecot', 'fetch', 'rspamd'
 ]
diff --git a/core/admin/mailu/internal/views/rspamd.py b/core/admin/mailu/internal/views/rspamd.py
new file mode 100644
index 00000000..61e27a59
--- /dev/null
+++ b/core/admin/mailu/internal/views/rspamd.py
@@ -0,0 +1,30 @@
+from mailu import models, dkim
+from mailu.internal import internal
+
+import flask
+
+def vault_error(*messages, status=404):
+    return flask.make_response(flask.jsonify({'errors':messages}), status)
+
+# rspamd key format:
+# {"selectors":[{"pubkey":"...","domain":"...","valid_start":TS,"valid_end":TS,"key":"...","selector":"...","bits":...,"alg":"..."}]}
+
+# hashicorp vault answer format:
+# {"request_id":"...","lease_id":"","renewable":false,"lease_duration":2764800,"data":{...see above...},"wrap_info":null,"warnings":null,"auth":null}
+
+@internal.route("/rspamd/vault/v1/dkim/<domain_name>")
+def rspamd_dkim_key(domain_name):
+    domain = models.Domain.query.get(domain_name) or flask.abort(vault_error('unknown domain'))
+    key = domain.dkim_key or flask.abort(vault_error('no dkim key', status=400))
+    return flask.jsonify({
+        'data': {
+            'selectors': [
+                {
+                    'domain'  : domain.name,
+                    'key'     : key.decode('utf8'),
+                    'selector': 'dkim',
+                }
+            ]
+        }
+    })
+
diff --git a/core/rspamd/conf/arc.conf b/core/rspamd/conf/arc.conf
index 205d4284..93414a96 100644
--- a/core/rspamd/conf/arc.conf
+++ b/core/rspamd/conf/arc.conf
@@ -1,4 +1,6 @@
-try_fallback = true;
-path = "/dkim/$domain.$selector.key";
-selector = "dkim"
+try_fallback = false;
 use_esld = false;
+allow_username_mismatch = true;
+use_vault = true;
+vault_url = "http://{{ ADMIN_ADDRESS }}/internal/rspamd/vault";
+vault_token = "mailu";
diff --git a/core/rspamd/conf/dkim_signing.conf b/core/rspamd/conf/dkim_signing.conf
index e00e8d67..93414a96 100644
--- a/core/rspamd/conf/dkim_signing.conf
+++ b/core/rspamd/conf/dkim_signing.conf
@@ -1,4 +1,6 @@
-try_fallback = true;
-path = "/dkim/$domain.$selector.key";
+try_fallback = false;
 use_esld = false;
 allow_username_mismatch = true;
+use_vault = true;
+vault_url = "http://{{ ADMIN_ADDRESS }}/internal/rspamd/vault";
+vault_token = "mailu";
diff --git a/core/rspamd/start.py b/core/rspamd/start.py
index e2e72bcb..fcb33a97 100755
--- a/core/rspamd/start.py
+++ b/core/rspamd/start.py
@@ -11,6 +11,7 @@ log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING"))
 # Actual startup script
 
 os.environ["REDIS_ADDRESS"] = system.get_host_address_from_environment("REDIS", "redis")
+os.environ["ADMIN_ADDRESS"] = system.get_host_address_from_environment("ADMIN", "admin")
 
 if os.environ.get("ANTIVIRUS") == 'clamav':
     os.environ["ANTIVIRUS_ADDRESS"] = system.get_host_address_from_environment("ANTIVIRUS", "antivirus:3310")

From dc9f970a91b0aeb9ae8e710c9bfc328587056608 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 14 Oct 2021 23:15:42 +0200
Subject: [PATCH 102/222] removed zh_CN and updated locale-map for datatables

---
 core/admin/Dockerfile                         |   2 +-
 .../zh_CN/LC_MESSAGES/messages.po             | 678 ------------------
 2 files changed, 1 insertion(+), 679 deletions(-)
 delete mode 100644 core/admin/mailu/translations/zh_CN/LC_MESSAGES/messages.po

diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index 083c0f39..cdc426c6 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -13,7 +13,7 @@ COPY webpack.config.js ./
 COPY assets ./assets
 RUN set -eu \
  && sed -i 's/#007bff/#55a5d9/' node_modules/admin-lte/build/scss/_bootstrap-variables.scss \
- && for l in ca da de:de_de en:en-gb es:es_es eu fr:fr_fr he hu is it:it_it ja nb_NO:no_nb nl:nl_nl pl pt:pt_pt ru sv:sv_se zh_CN:zh; do \
+ && for l in ca da de:de_de en:en-gb es:es_es eu fr:fr_fr he hu is it:it_it ja nb_NO:no_nb nl:nl_nl pl pt:pt_pt ru sv:sv_se zh; do \
       cp node_modules/datatables.net-plugins/i18n/${l#*:}.json assets/${l%:*}.json; \
     done \
  && node_modules/.bin/webpack-cli --color
diff --git a/core/admin/mailu/translations/zh_CN/LC_MESSAGES/messages.po b/core/admin/mailu/translations/zh_CN/LC_MESSAGES/messages.po
deleted file mode 100644
index a3363169..00000000
--- a/core/admin/mailu/translations/zh_CN/LC_MESSAGES/messages.po
+++ /dev/null
@@ -1,678 +0,0 @@
-msgid ""
-msgstr ""
-"MIME-Version: 1.0\n"
-"Content-Type: text/plain; charset=UTF-8\n"
-"Content-Transfer-Encoding: 8bit\n"
-"X-Generator: Poedit 1.5.7\n"
-"Project-Id-Version: Mailu\n"
-"Language: zh\n"
-"Last-Translator: Chris Chuan <Chris.chuan@gmail.com>\n"
-"Language-Team: \n"
-
-#: mailu/ui/forms.py:32
-msgid "Invalid email address."
-msgstr "无效的邮件地址"
-
-#: mailu/ui/forms.py:36
-msgid "Confirm"
-msgstr "确认"
-
-#: mailu/ui/forms.py:40 mailu/ui/forms.py:77
-msgid "E-mail"
-msgstr "电子邮件"
-
-#: mailu/ui/forms.py:41 mailu/ui/forms.py:78 mailu/ui/forms.py:90
-#: mailu/ui/forms.py:109 mailu/ui/forms.py:162
-#: mailu/ui/templates/client.html:32 mailu/ui/templates/client.html:59
-msgid "Password"
-msgstr "密码"
-
-#: mailu/ui/forms.py:42 mailu/ui/templates/login.html:4
-#: mailu/ui/templates/sidebar.html:111
-msgid "Sign in"
-msgstr "登录"
-
-#: mailu/ui/forms.py:46 mailu/ui/forms.py:56
-#: mailu/ui/templates/domain/details.html:27
-#: mailu/ui/templates/domain/list.html:18 mailu/ui/templates/relay/list.html:17
-msgid "Domain name"
-msgstr "域名"
-
-#: mailu/ui/forms.py:47
-msgid "Maximum user count"
-msgstr "最大用户数"
-
-#: mailu/ui/forms.py:48
-msgid "Maximum alias count"
-msgstr "最大别名数"
-
-#: mailu/ui/forms.py:49
-msgid "Maximum user quota"
-msgstr "最大用户配额"
-
-#: mailu/ui/forms.py:50
-msgid "Enable sign-up"
-msgstr "启用注册"
-
-#: mailu/ui/forms.py:51 mailu/ui/forms.py:72 mailu/ui/forms.py:83
-#: mailu/ui/forms.py:128 mailu/ui/forms.py:140
-#: mailu/ui/templates/alias/list.html:21 mailu/ui/templates/domain/list.html:21
-#: mailu/ui/templates/relay/list.html:19 mailu/ui/templates/token/list.html:19
-#: mailu/ui/templates/user/list.html:23
-msgid "Comment"
-msgstr "说明"
-
-#: mailu/ui/forms.py:52 mailu/ui/forms.py:61 mailu/ui/forms.py:66
-#: mailu/ui/forms.py:73 mailu/ui/forms.py:132 mailu/ui/forms.py:141
-msgid "Create"
-msgstr "创建"
-
-#: mailu/ui/forms.py:57
-msgid "Initial admin"
-msgstr "初始管理员"
-
-#: mailu/ui/forms.py:58
-msgid "Admin password"
-msgstr "管理员密码"
-
-#: mailu/ui/forms.py:59 mailu/ui/forms.py:79 mailu/ui/forms.py:91
-msgid "Confirm password"
-msgstr "确认密码"
-
-#: mailu/ui/forms.py:65
-msgid "Alternative name"
-msgstr "备用名称"
-
-#: mailu/ui/forms.py:70
-msgid "Relayed domain name"
-msgstr "中继域域名"
-
-#: mailu/ui/forms.py:71 mailu/ui/templates/relay/list.html:18
-msgid "Remote host"
-msgstr "远程主机"
-
-#: mailu/ui/forms.py:80 mailu/ui/templates/user/list.html:22
-#: mailu/ui/templates/user/signup_domain.html:16
-msgid "Quota"
-msgstr "配额"
-
-#: mailu/ui/forms.py:81
-msgid "Allow IMAP access"
-msgstr "允许 IMAP 访问"
-
-#: mailu/ui/forms.py:82
-msgid "Allow POP3 access"
-msgstr "允许 POP3 访问"
-
-#: mailu/ui/forms.py:84
-msgid "Enabled"
-msgstr "启用"
-
-#: mailu/ui/forms.py:85
-msgid "Save"
-msgstr "保存"
-
-#: mailu/ui/forms.py:89
-msgid "Email address"
-msgstr "邮件地址"
-
-#: mailu/ui/forms.py:93 mailu/ui/templates/sidebar.html:117
-#: mailu/ui/templates/user/signup.html:4
-#: mailu/ui/templates/user/signup_domain.html:4
-msgid "Sign up"
-msgstr "注册"
-
-#: mailu/ui/forms.py:97
-msgid "Displayed name"
-msgstr "显示名称"
-
-#: mailu/ui/forms.py:98
-msgid "Enable spam filter"
-msgstr "启用垃圾邮件过滤"
-
-#: mailu/ui/forms.py:99
-msgid "Spam filter tolerance"
-msgstr "垃圾邮件过滤器阈值"
-
-#: mailu/ui/forms.py:100
-msgid "Enable forwarding"
-msgstr "启用转发"
-
-#: mailu/ui/forms.py:101
-msgid "Keep a copy of the emails"
-msgstr "保留电子邮件副本"
-
-#: mailu/ui/forms.py:103 mailu/ui/forms.py:139
-#: mailu/ui/templates/alias/list.html:20
-msgid "Destination"
-msgstr "目的地址"
-
-#: mailu/ui/forms.py:105
-msgid "Save settings"
-msgstr "保存设置"
-
-#: mailu/ui/forms.py:110
-msgid "Password check"
-msgstr "检查密码"
-
-#: mailu/ui/forms.py:111 mailu/ui/templates/sidebar.html:16
-msgid "Update password"
-msgstr "更新密码"
-
-#: mailu/ui/forms.py:115
-msgid "Enable automatic reply"
-msgstr "启用自动回复"
-
-#: mailu/ui/forms.py:116
-msgid "Reply subject"
-msgstr "回复主题"
-
-#: mailu/ui/forms.py:117
-msgid "Reply body"
-msgstr "回复正文"
-
-#: mailu/ui/forms.py:119
-msgid "End of vacation"
-msgstr "假期结束"
-
-#: mailu/ui/forms.py:120
-msgid "Update"
-msgstr "更新"
-
-#: mailu/ui/forms.py:125
-msgid "Your token (write it down, as it will never be displayed again)"
-msgstr "您的令牌（请记录，它只显示这一次）"
-
-#: mailu/ui/forms.py:130 mailu/ui/templates/token/list.html:20
-msgid "Authorized IP"
-msgstr "授权 IP"
-
-#: mailu/ui/forms.py:136
-msgid "Alias"
-msgstr "别名"
-
-#: mailu/ui/forms.py:138
-msgid "Use SQL LIKE Syntax (e.g. for catch-all aliases)"
-msgstr "使用SQL LIKE语法（例如，用于全部别名）"
-
-#: mailu/ui/forms.py:145
-msgid "Admin email"
-msgstr "管理员邮箱"
-
-#: mailu/ui/forms.py:146 mailu/ui/forms.py:151 mailu/ui/forms.py:164
-msgid "Submit"
-msgstr "提交"
-
-#: mailu/ui/forms.py:150
-msgid "Manager email"
-msgstr "管理员邮箱"
-
-#: mailu/ui/forms.py:155
-msgid "Protocol"
-msgstr "协议"
-
-#: mailu/ui/forms.py:158
-msgid "Hostname or IP"
-msgstr "主机名或IP"
-
-#: mailu/ui/forms.py:159 mailu/ui/templates/client.html:20
-#: mailu/ui/templates/client.html:47
-msgid "TCP port"
-msgstr "TCP端口"
-
-#: mailu/ui/forms.py:160
-msgid "Enable TLS"
-msgstr "启用TLS"
-
-#: mailu/ui/forms.py:161 mailu/ui/templates/client.html:28
-#: mailu/ui/templates/client.html:55 mailu/ui/templates/fetch/list.html:20
-msgid "Username"
-msgstr "用户名"
-
-#: mailu/ui/forms.py:163
-msgid "Keep emails on the server"
-msgstr "在服务器上保留电子邮件"
-
-#: mailu/ui/forms.py:168
-msgid "Announcement subject"
-msgstr "公告主题"
-
-#: mailu/ui/forms.py:170
-msgid "Announcement body"
-msgstr "公告正文"
-
-#: mailu/ui/forms.py:172
-msgid "Send"
-msgstr "发送"
-
-#: mailu/ui/templates/announcement.html:4
-msgid "Public announcement"
-msgstr "公开公告"
-
-#: mailu/ui/templates/client.html:4 mailu/ui/templates/sidebar.html:82
-msgid "Client setup"
-msgstr "客户端设置"
-
-#: mailu/ui/templates/client.html:16 mailu/ui/templates/client.html:43
-msgid "Mail protocol"
-msgstr "邮件协议"
-
-#: mailu/ui/templates/client.html:24 mailu/ui/templates/client.html:51
-msgid "Server name"
-msgstr "服务器名称"
-
-#: mailu/ui/templates/confirm.html:4
-msgid "Confirm action"
-msgstr "确认操作"
-
-#: mailu/ui/templates/confirm.html:13
-#, python-format
-msgid "You are about to %(action)s. Please confirm your action."
-msgstr "即将%(action)s，请确认您的操作。"
-
-#: mailu/ui/templates/docker-error.html:4
-msgid "Docker error"
-msgstr "Docker 错误"
-
-#: mailu/ui/templates/docker-error.html:12
-msgid "An error occurred while talking to the Docker server."
-msgstr "Docker服务器通信出错"
-
-#: mailu/ui/templates/login.html:8
-msgid "to access the administration tools"
-msgstr "访问管理工具"
-
-#: mailu/ui/templates/sidebar.html:8
-msgid "My account"
-msgstr "我的账户"
-
-#: mailu/ui/templates/sidebar.html:11 mailu/ui/templates/user/list.html:34
-msgid "Settings"
-msgstr "设置"
-
-#: mailu/ui/templates/sidebar.html:21 mailu/ui/templates/user/list.html:35
-msgid "Auto-reply"
-msgstr "自动回复"
-
-#: mailu/ui/templates/fetch/list.html:4 mailu/ui/templates/sidebar.html:26
-#: mailu/ui/templates/user/list.html:36
-msgid "Fetched accounts"
-msgstr "代收账户"
-
-#: mailu/ui/templates/sidebar.html:31 mailu/ui/templates/token/list.html:4
-msgid "Authentication tokens"
-msgstr "认证令牌"
-
-#: mailu/ui/templates/sidebar.html:35
-msgid "Administration"
-msgstr "管理"
-
-#: mailu/ui/templates/sidebar.html:44
-msgid "Announcement"
-msgstr "公告"
-
-#: mailu/ui/templates/sidebar.html:49
-msgid "Administrators"
-msgstr "管理员"
-
-#: mailu/ui/templates/sidebar.html:54
-msgid "Relayed domains"
-msgstr "中继域"
-
-#: mailu/ui/templates/sidebar.html:59 mailu/ui/templates/user/settings.html:15
-msgid "Antispam"
-msgstr "发垃圾邮件"
-
-#: mailu/ui/templates/sidebar.html:66
-msgid "Mail domains"
-msgstr "邮件域"
-
-#: mailu/ui/templates/sidebar.html:72
-msgid "Go to"
-msgstr "转到"
-
-#: mailu/ui/templates/sidebar.html:76
-msgid "Webmail"
-msgstr "网页邮箱"
-
-#: mailu/ui/templates/sidebar.html:87
-msgid "Website"
-msgstr "网站"
-
-#: mailu/ui/templates/sidebar.html:92
-msgid "Help"
-msgstr "帮助"
-
-#: mailu/ui/templates/domain/signup.html:4 mailu/ui/templates/sidebar.html:98
-msgid "Register a domain"
-msgstr "注册域名"
-
-#: mailu/ui/templates/sidebar.html:105
-msgid "Sign out"
-msgstr "登出"
-
-#: mailu/ui/templates/working.html:4
-msgid "We are still working on this feature!"
-msgstr "该功能开发中……"
-
-#: mailu/ui/templates/admin/create.html:4
-msgid "Add a global administrator"
-msgstr "添加全局管理员"
-
-#: mailu/ui/templates/admin/list.html:4
-msgid "Global administrators"
-msgstr "全局管理员"
-
-#: mailu/ui/templates/admin/list.html:9
-msgid "Add administrator"
-msgstr "添加管理员"
-
-#: mailu/ui/templates/admin/list.html:16 mailu/ui/templates/alias/list.html:18
-#: mailu/ui/templates/alternative/list.html:18
-#: mailu/ui/templates/domain/list.html:16 mailu/ui/templates/fetch/list.html:18
-#: mailu/ui/templates/manager/list.html:18
-#: mailu/ui/templates/relay/list.html:16 mailu/ui/templates/token/list.html:18
-#: mailu/ui/templates/user/list.html:18
-msgid "Actions"
-msgstr "操作"
-
-#: mailu/ui/templates/admin/list.html:17 mailu/ui/templates/alias/list.html:19
-#: mailu/ui/templates/manager/list.html:19 mailu/ui/templates/user/list.html:20
-msgid "Email"
-msgstr "电子邮件"
-
-#: mailu/ui/templates/admin/list.html:22 mailu/ui/templates/alias/list.html:29
-#: mailu/ui/templates/alternative/list.html:25
-#: mailu/ui/templates/domain/list.html:31 mailu/ui/templates/fetch/list.html:31
-#: mailu/ui/templates/manager/list.html:24
-#: mailu/ui/templates/relay/list.html:27 mailu/ui/templates/token/list.html:26
-#: mailu/ui/templates/user/list.html:31
-msgid "Delete"
-msgstr "删除"
-
-#: mailu/ui/templates/alias/create.html:4
-msgid "Create alias"
-msgstr "创建别名"
-
-#: mailu/ui/templates/alias/edit.html:4
-msgid "Edit alias"
-msgstr "编辑别名"
-
-#: mailu/ui/templates/alias/list.html:4
-msgid "Alias list"
-msgstr "别名列表"
-
-#: mailu/ui/templates/alias/list.html:12
-msgid "Add alias"
-msgstr "添加别名"
-
-#: mailu/ui/templates/alias/list.html:22
-#: mailu/ui/templates/alternative/list.html:20
-#: mailu/ui/templates/domain/list.html:22 mailu/ui/templates/fetch/list.html:24
-#: mailu/ui/templates/relay/list.html:20 mailu/ui/templates/token/list.html:21
-#: mailu/ui/templates/user/list.html:24
-msgid "Created"
-msgstr "已创建"
-
-#: mailu/ui/templates/alias/list.html:23 mailu/ui/templates/domain/list.html:23
-#: mailu/ui/templates/fetch/list.html:25 mailu/ui/templates/relay/list.html:21
-#: mailu/ui/templates/user/list.html:25
-msgid "Last edit"
-msgstr "上次编辑"
-
-#: mailu/ui/templates/alias/list.html:28 mailu/ui/templates/domain/list.html:30
-#: mailu/ui/templates/fetch/list.html:30 mailu/ui/templates/relay/list.html:26
-#: mailu/ui/templates/user/list.html:30
-msgid "Edit"
-msgstr "编辑"
-
-#: mailu/ui/templates/alternative/create.html:4
-msgid "Create alternative domain"
-msgstr "创建替代域"
-
-#: mailu/ui/templates/alternative/list.html:4
-msgid "Alternative domain list"
-msgstr "替代域名列表"
-
-#: mailu/ui/templates/alternative/list.html:12
-msgid "Add alternative"
-msgstr "添加替代"
-
-#: mailu/ui/templates/alternative/list.html:19
-msgid "Name"
-msgstr "名称"
-
-#: mailu/ui/templates/domain/create.html:4
-#: mailu/ui/templates/domain/list.html:9
-msgid "New domain"
-msgstr "新域"
-
-#: mailu/ui/templates/domain/details.html:4
-msgid "Domain details"
-msgstr "域详细信息"
-
-#: mailu/ui/templates/domain/details.html:15
-msgid "Regenerate keys"
-msgstr "重新生成秘钥"
-
-#: mailu/ui/templates/domain/details.html:17
-msgid "Generate keys"
-msgstr "生成秘钥"
-
-#: mailu/ui/templates/domain/details.html:31
-msgid "DNS MX entry"
-msgstr "DNS MX条目"
-
-#: mailu/ui/templates/domain/details.html:35
-msgid "DNS SPF entries"
-msgstr "DNS SPF 条目"
-
-#: mailu/ui/templates/domain/details.html:42
-msgid "DKIM public key"
-msgstr "DKIM 公钥"
-
-#: mailu/ui/templates/domain/details.html:46
-msgid "DNS DKIM entry"
-msgstr "DNS DKIM 条目"
-
-#: mailu/ui/templates/domain/details.html:50
-msgid "DNS DMARC entry"
-msgstr "DNS DMARC 条目"
-
-#: mailu/ui/templates/domain/edit.html:4
-msgid "Edit domain"
-msgstr "编辑域"
-
-#: mailu/ui/templates/domain/list.html:4
-msgid "Domain list"
-msgstr "域列表"
-
-#: mailu/ui/templates/domain/list.html:17
-msgid "Manage"
-msgstr "管理"
-
-#: mailu/ui/templates/domain/list.html:19
-msgid "Mailbox count"
-msgstr "邮箱数量"
-
-#: mailu/ui/templates/domain/list.html:20
-msgid "Alias count"
-msgstr "别名数量"
-
-#: mailu/ui/templates/domain/list.html:28
-msgid "Details"
-msgstr "详细信息"
-
-#: mailu/ui/templates/domain/list.html:35
-msgid "Users"
-msgstr "用户"
-
-#: mailu/ui/templates/domain/list.html:36
-msgid "Aliases"
-msgstr "别名"
-
-#: mailu/ui/templates/domain/list.html:37
-msgid "Managers"
-msgstr "管理员"
-
-#: mailu/ui/templates/domain/list.html:39
-msgid "Alternatives"
-msgstr "备选方案"
-
-#: mailu/ui/templates/domain/signup.html:13
-msgid ""
-"In order to register a new domain, you must first setup the\n"
-"    domain zone so that the domain <code>MX</code> points to this server"
-msgstr "在注册一个新的域名前，您必须先为该域名设置 <code>MX</code> 记录，并使其指向本服务器"
-
-#: mailu/ui/templates/domain/signup.html:18
-msgid ""
-"If you do not know how to setup an <code>MX</code> record for your DNS "
-"zone,\n"
-"    please contact your DNS provider or administrator. Also, please wait "
-"a\n"
-"    couple minutes after the <code>MX</code> is set so the local server "
-"cache\n"
-"    expires."
-msgstr "如果您不知道如何为域名设置 <code>MX</code> 记录，请联系你的DNS提供商或者系统管理员。在设置完成 <code>MX</code> 记录后，请等待本地域名服务器的缓存过期。"
-
-
-#: mailu/ui/templates/fetch/create.html:4
-msgid "Add a fetched account"
-msgstr "添加一个代收账户"
-
-#: mailu/ui/templates/fetch/edit.html:4
-msgid "Update a fetched account"
-msgstr "更新代收账户"
-
-#: mailu/ui/templates/fetch/list.html:12
-msgid "Add an account"
-msgstr "添加一个账户"
-
-#: mailu/ui/templates/fetch/list.html:19
-msgid "Endpoint"
-msgstr "端点"
-
-#: mailu/ui/templates/fetch/list.html:21
-msgid "Keep emails"
-msgstr "保留电子邮件"
-
-#: mailu/ui/templates/fetch/list.html:22
-msgid "Last check"
-msgstr "上次检查"
-
-#: mailu/ui/templates/fetch/list.html:35
-msgid "yes"
-msgstr "是"
-
-#: mailu/ui/templates/fetch/list.html:35
-msgid "no"
-msgstr "否"
-
-#: mailu/ui/templates/manager/create.html:4
-msgid "Add a manager"
-msgstr "添加一个管理员"
-
-#: mailu/ui/templates/manager/list.html:4
-msgid "Manager list"
-msgstr "管理员列表"
-
-#: mailu/ui/templates/manager/list.html:12
-msgid "Add manager"
-msgstr "添加管理员"
-
-#: mailu/ui/templates/relay/create.html:4
-msgid "New relay domain"
-msgstr "新的中继域"
-
-#: mailu/ui/templates/relay/edit.html:4
-msgid "Edit relayd domain"
-msgstr "编辑中继域"
-
-#: mailu/ui/templates/relay/list.html:4
-msgid "Relayed domain list"
-msgstr "中继域列表"
-
-#: mailu/ui/templates/relay/list.html:9
-msgid "New relayed domain"
-msgstr "新的中继域"
-
-#: mailu/ui/templates/token/create.html:4
-msgid "Create an authentication token"
-msgstr "创建一个认证令牌"
-
-#: mailu/ui/templates/token/list.html:12
-msgid "New token"
-msgstr "新令牌"
-
-#: mailu/ui/templates/user/create.html:4
-msgid "New user"
-msgstr "新用户"
-
-#: mailu/ui/templates/user/create.html:15
-msgid "General"
-msgstr "通用"
-
-#: mailu/ui/templates/user/create.html:22
-msgid "Features and quotas"
-msgstr "功能和配额"
-
-#: mailu/ui/templates/user/edit.html:4
-msgid "Edit user"
-msgstr "编辑用户"
-
-#: mailu/ui/templates/user/forward.html:4
-msgid "Forward emails"
-msgstr "转发邮件"
-
-#: mailu/ui/templates/user/list.html:4
-msgid "User list"
-msgstr "用户列表"
-
-#: mailu/ui/templates/user/list.html:12
-msgid "Add user"
-msgstr "添加用户"
-
-#: mailu/ui/templates/user/list.html:19 mailu/ui/templates/user/settings.html:4
-msgid "User settings"
-msgstr "用户设置"
-
-#: mailu/ui/templates/user/list.html:21
-msgid "Features"
-msgstr "功能"
-
-#: mailu/ui/templates/user/password.html:4
-msgid "Password update"
-msgstr "更新密码"
-
-#: mailu/ui/templates/user/reply.html:4
-msgid "Automatic reply"
-msgstr "自动回复"
-
-#: mailu/ui/templates/user/settings.html:22
-msgid "Auto-forward"
-msgstr "自动转发"
-
-#: mailu/ui/templates/user/signup_domain.html:8
-msgid "pick a domain for the new account"
-msgstr "为新用户选择一个域名"
-
-#: mailu/ui/templates/user/signup_domain.html:14
-msgid "Domain"
-msgstr "域名"
-
-#: mailu/ui/templates/user/signup_domain.html:15
-msgid "Available slots"
-msgstr "可用"
-
-#~ msgid "Your account"
-#~ msgstr ""
-
-#~ msgid "Spam filter threshold"
-#~ msgstr ""
-
-#~ msgid "from"
-#~ msgstr ""
-
-#~ msgid "General settings"
-#~ msgstr ""

From 303fae00fb3a5bcc125c6223a3f3caae3a334ec5 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 14 Oct 2021 23:25:42 +0200
Subject: [PATCH 103/222] cleanup modules. use dkim selector from config

---
 core/admin/mailu/internal/views/rspamd.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/internal/views/rspamd.py b/core/admin/mailu/internal/views/rspamd.py
index 61e27a59..aa969a5a 100644
--- a/core/admin/mailu/internal/views/rspamd.py
+++ b/core/admin/mailu/internal/views/rspamd.py
@@ -1,4 +1,4 @@
-from mailu import models, dkim
+from mailu import models
 from mailu.internal import internal
 
 import flask
@@ -22,7 +22,7 @@ def rspamd_dkim_key(domain_name):
                 {
                     'domain'  : domain.name,
                     'key'     : key.decode('utf8'),
-                    'selector': 'dkim',
+                    'selector': flask.current_app.config.get('DKIM_SELECTOR', 'dkim'),
                 }
             ]
         }

From 7b0c5935a8c5d1b99ccf6927594ae0cf2b20afb1 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Fri, 15 Oct 2021 13:16:37 +0200
Subject: [PATCH 104/222] only support GET method in vault

---
 core/admin/mailu/internal/views/rspamd.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/internal/views/rspamd.py b/core/admin/mailu/internal/views/rspamd.py
index aa969a5a..8551eb8f 100644
--- a/core/admin/mailu/internal/views/rspamd.py
+++ b/core/admin/mailu/internal/views/rspamd.py
@@ -12,7 +12,7 @@ def vault_error(*messages, status=404):
 # hashicorp vault answer format:
 # {"request_id":"...","lease_id":"","renewable":false,"lease_duration":2764800,"data":{...see above...},"wrap_info":null,"warnings":null,"auth":null}
 
-@internal.route("/rspamd/vault/v1/dkim/<domain_name>")
+@internal.route("/rspamd/vault/v1/dkim/<domain_name>", methods=['GET'])
 def rspamd_dkim_key(domain_name):
     domain = models.Domain.query.get(domain_name) or flask.abort(vault_error('unknown domain'))
     key = domain.dkim_key or flask.abort(vault_error('no dkim key', status=400))

From 135c5119c568a065c74292bf6232a3970c70c788 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Fri, 15 Oct 2021 13:36:41 +0200
Subject: [PATCH 105/222] added newsfragment

---
 towncrier/newsfragments/2017.enhancement | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 towncrier/newsfragments/2017.enhancement

diff --git a/towncrier/newsfragments/2017.enhancement b/towncrier/newsfragments/2017.enhancement
new file mode 100644
index 00000000..076914d2
--- /dev/null
+++ b/towncrier/newsfragments/2017.enhancement
@@ -0,0 +1 @@
+rspamd: get dkim keys via REST API instead of filesystem

From 7fe15ea9cf81a1d29485c6d64e2dc68645ad6eef Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Fri, 15 Oct 2021 14:22:50 +0200
Subject: [PATCH 106/222] added dmarc record for report domain

---
 core/admin/mailu/models.py                        |  7 +++++++
 core/admin/mailu/ui/templates/domain/details.html | 10 ++++++----
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index 01711a60..561a4ab6 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -243,6 +243,13 @@ class Domain(Base):
             ruf = f' ruf=mailto:{ruf}@{domain};' if ruf else ''
             return f'_dmarc.{self.name}. 600 IN TXT "v=DMARC1; p=reject;{rua}{ruf} adkim=s; aspf=s"'
 
+    @cached_property
+    def dns_dmarc_report(self):
+        """ return DMARC report record for mailu server """
+        if self.dkim_key:
+            domain = app.config['DOMAIN']
+            return f'{self.name}._report._dmarc.{domain}. 600 IN TXT "v=DMARC1"'
+
     @cached_property
     def dns_autoconfig(self):
         """ return list of auto configuration records (RFC6186) """
diff --git a/core/admin/mailu/ui/templates/domain/details.html b/core/admin/mailu/ui/templates/domain/details.html
index b90ea3de..a30b9357 100644
--- a/core/admin/mailu/ui/templates/domain/details.html
+++ b/core/admin/mailu/ui/templates/domain/details.html
@@ -46,7 +46,10 @@
 </tr>
 <tr>
   <th>{% trans %}DNS DMARC entry{% endtrans %}</th>
-  <td>{{ macros.clip("dns_dmark") }}<pre id="dns_dmark" class="pre-config border bg-light">{{ domain.dns_dmarc }}</pre></td>
+  <td>
+    {{ macros.clip("dns_dmarc") }}<pre id="dns_dmarc" class="pre-config border bg-light">{{ domain.dns_dmarc }}</pre>
+    {{ macros.clip("dns_dmarc_report") }}<pre id="dns_dmarc_report" class="pre-config border bg-light">{{ domain.dns_dmarc_report }}</pre>
+  </td>
 </tr>
 {%- endif %}
 {%- set tlsa_record=domain.dns_tlsa %}
@@ -58,12 +61,11 @@
 {%- endif %}
 <tr>
   <th>{% trans %}DNS client auto-configuration (RFC6186) entries{% endtrans %}</th>
-  <td>
-    {{ macros.clip("dns_autoconfig") }}<pre id="dns_autoconfig" class="pre-config border bg-light">
+  <td>{{ macros.clip("dns_autoconfig") }}<pre id="dns_autoconfig" class="pre-config border bg-light">
 {%- for line in domain.dns_autoconfig %}
 {{ line }}
 {%- endfor -%}
-    </pre></td>
+  </pre></td>
 </tr>
 {%- endcall %}
 {%- endblock %}

From b1425015ef080696cb11c8bf4416efd7ea8698a5 Mon Sep 17 00:00:00 2001
From: qy117121 <mixuan121@gmail.com>
Date: Sat, 16 Oct 2021 03:51:22 +0800
Subject: [PATCH 107/222] Update messages.po

Fix wrong text
---
 .../translations/zh/LC_MESSAGES/messages.po    | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/core/admin/mailu/translations/zh/LC_MESSAGES/messages.po b/core/admin/mailu/translations/zh/LC_MESSAGES/messages.po
index a3363169..5543c5e8 100644
--- a/core/admin/mailu/translations/zh/LC_MESSAGES/messages.po
+++ b/core/admin/mailu/translations/zh/LC_MESSAGES/messages.po
@@ -98,11 +98,11 @@ msgstr "配额"
 
 #: mailu/ui/forms.py:81
 msgid "Allow IMAP access"
-msgstr "允许 IMAP 访问"
+msgstr "允许IMAP访问"
 
 #: mailu/ui/forms.py:82
 msgid "Allow POP3 access"
-msgstr "允许 POP3 访问"
+msgstr "允许POP3访问"
 
 #: mailu/ui/forms.py:84
 msgid "Enabled"
@@ -185,7 +185,7 @@ msgstr "您的令牌（请记录，它只显示这一次）"
 
 #: mailu/ui/forms.py:130 mailu/ui/templates/token/list.html:20
 msgid "Authorized IP"
-msgstr "授权 IP"
+msgstr "授权IP"
 
 #: mailu/ui/forms.py:136
 msgid "Alias"
@@ -272,7 +272,7 @@ msgstr "即将%(action)s，请确认您的操作。"
 
 #: mailu/ui/templates/docker-error.html:4
 msgid "Docker error"
-msgstr "Docker 错误"
+msgstr "Docker错误"
 
 #: mailu/ui/templates/docker-error.html:12
 msgid "An error occurred while talking to the Docker server."
@@ -321,7 +321,7 @@ msgstr "中继域"
 
 #: mailu/ui/templates/sidebar.html:59 mailu/ui/templates/user/settings.html:15
 msgid "Antispam"
-msgstr "发垃圾邮件"
+msgstr "反垃圾邮件"
 
 #: mailu/ui/templates/sidebar.html:66
 msgid "Mail domains"
@@ -465,19 +465,19 @@ msgstr "DNS MX条目"
 
 #: mailu/ui/templates/domain/details.html:35
 msgid "DNS SPF entries"
-msgstr "DNS SPF 条目"
+msgstr "DNS SPF条目"
 
 #: mailu/ui/templates/domain/details.html:42
 msgid "DKIM public key"
-msgstr "DKIM 公钥"
+msgstr "DKIM公钥"
 
 #: mailu/ui/templates/domain/details.html:46
 msgid "DNS DKIM entry"
-msgstr "DNS DKIM 条目"
+msgstr "DNS DKIM条目"
 
 #: mailu/ui/templates/domain/details.html:50
 msgid "DNS DMARC entry"
-msgstr "DNS DMARC 条目"
+msgstr "DNS DMARC条目"
 
 #: mailu/ui/templates/domain/edit.html:4
 msgid "Edit domain"

From 57b0dd490c55dd28f03a2e5fa92dd6385ed6d111 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 16 Oct 2021 09:29:17 +0200
Subject: [PATCH 108/222] Initialize user_email in all cases

---
 core/admin/mailu/internal/nginx.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index ff7070ab..7613c48a 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -89,6 +89,7 @@ def handle_authentication(headers):
         # we need to manually decode.
         raw_user_email = urllib.parse.unquote(headers["Auth-User"])
         raw_password = urllib.parse.unquote(headers["Auth-Pass"])
+        user_email = 'invalid'
         try:
             user_email = raw_user_email.encode("iso8859-1").decode("utf8")
             password = raw_password.encode("iso8859-1").decode("utf8")

From 265ab7b5afd4be97810f8c3ea9fb9608654c83d8 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 16 Oct 2021 09:31:09 +0200
Subject: [PATCH 109/222] Remove PASSWORD_SCHEME from test envs

---
 tests/compose/core/mailu.env      | 4 ----
 tests/compose/fetchmail/mailu.env | 4 ----
 tests/compose/filters/mailu.env   | 4 ----
 tests/compose/rainloop/mailu.env  | 4 ----
 tests/compose/roundcube/mailu.env | 4 ----
 tests/compose/webdav/mailu.env    | 4 ----
 6 files changed, 24 deletions(-)

diff --git a/tests/compose/core/mailu.env b/tests/compose/core/mailu.env
index a78515b8..254c3c7d 100644
--- a/tests/compose/core/mailu.env
+++ b/tests/compose/core/mailu.env
@@ -128,10 +128,6 @@ WEBSITE=https://mailu.io
 # Docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME=mailu
 
-# Default password scheme used for newly created accounts and changed passwords
-# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
-PASSWORD_SCHEME=PBKDF2
-
 # Header to take the real ip from
 REAL_IP_HEADER=
 
diff --git a/tests/compose/fetchmail/mailu.env b/tests/compose/fetchmail/mailu.env
index afb57751..a015eaa8 100644
--- a/tests/compose/fetchmail/mailu.env
+++ b/tests/compose/fetchmail/mailu.env
@@ -128,10 +128,6 @@ WEBSITE=https://mailu.io
 # Docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME=mailu
 
-# Default password scheme used for newly created accounts and changed passwords
-# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
-PASSWORD_SCHEME=PBKDF2
-
 # Header to take the real ip from
 REAL_IP_HEADER=
 
diff --git a/tests/compose/filters/mailu.env b/tests/compose/filters/mailu.env
index 4c8c219d..1b4fb93d 100644
--- a/tests/compose/filters/mailu.env
+++ b/tests/compose/filters/mailu.env
@@ -128,10 +128,6 @@ WEBSITE=https://mailu.io
 # Docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME=mailu
 
-# Default password scheme used for newly created accounts and changed passwords
-# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
-PASSWORD_SCHEME=PBKDF2
-
 # Header to take the real ip from
 REAL_IP_HEADER=
 
diff --git a/tests/compose/rainloop/mailu.env b/tests/compose/rainloop/mailu.env
index 1f5fce0c..944dd376 100644
--- a/tests/compose/rainloop/mailu.env
+++ b/tests/compose/rainloop/mailu.env
@@ -128,10 +128,6 @@ WEBSITE=https://mailu.io
 # Docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME=mailu
 
-# Default password scheme used for newly created accounts and changed passwords
-# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
-PASSWORD_SCHEME=PBKDF2
-
 # Header to take the real ip from
 REAL_IP_HEADER=
 
diff --git a/tests/compose/roundcube/mailu.env b/tests/compose/roundcube/mailu.env
index ba153ac2..9db7fcbe 100644
--- a/tests/compose/roundcube/mailu.env
+++ b/tests/compose/roundcube/mailu.env
@@ -128,10 +128,6 @@ WEBSITE=https://mailu.io
 # Docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME=mailu
 
-# Default password scheme used for newly created accounts and changed passwords
-# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
-PASSWORD_SCHEME=PBKDF2
-
 # Header to take the real ip from
 REAL_IP_HEADER=
 
diff --git a/tests/compose/webdav/mailu.env b/tests/compose/webdav/mailu.env
index 939f453b..f1de013d 100644
--- a/tests/compose/webdav/mailu.env
+++ b/tests/compose/webdav/mailu.env
@@ -128,10 +128,6 @@ WEBSITE=https://mailu.io
 # Docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME=mailu
 
-# Default password scheme used for newly created accounts and changed passwords
-# (value: PBKDF2, BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT)
-PASSWORD_SCHEME=PBKDF2
-
 # Header to take the real ip from
 REAL_IP_HEADER=
 

From 4fff45bb30b69946a130d3047aad16cab5095953 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 16 Oct 2021 09:31:33 +0200
Subject: [PATCH 110/222] Fix typo

---
 docs/configuration.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/configuration.rst b/docs/configuration.rst
index c736f30b..f4c3c255 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -40,7 +40,7 @@ address.
 The ``WILDCARD_SENDERS`` setting is a comma delimited list of user email addresses that are allowed to send emails from any existing address (spoofing the sender).
 
 The ``AUTH_RATELIMIT_IP`` (default: 60/hour) holds a security setting for fighting
-attackers that waste server ressources by trying to guess user passwords (typically
+attackers that waste server resources by trying to guess user passwords (typically
 using a password spraying attack). The value defines the limit of authentication
 attempts that will be processed on non-existing accounts for a specific IP subnet
 (as defined in ``AUTH_RATELIMIT_IP_V4_MASK`` and ``AUTH_RATELIMIT_IP_V6_MASK`` below).

From 068170c0ff48206c866eb0011b3526c738c55e93 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 16 Oct 2021 09:35:01 +0200
Subject: [PATCH 111/222] Use app instead of flask.current_app where possible

---
 core/admin/mailu/utils.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 9817287a..4711ff20 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -59,14 +59,14 @@ def has_dane_record(domain, timeout=10):
         # If the DNSSEC data is invalid and the DNS resolver is DNSSEC enabled
         # we will receive this non-specific exception. The safe behaviour is to
         # accept to defer the email.
-        flask.current_app.logger.warn(f'Unable to lookup the TLSA record for {domain}. Is the DNSSEC zone okay on https://dnsviz.net/d/{domain}/dnssec/?')
-        return flask.current_app.config['DEFER_ON_TLS_ERROR']
+        app.logger.warn(f'Unable to lookup the TLSA record for {domain}. Is the DNSSEC zone okay on https://dnsviz.net/d/{domain}/dnssec/?')
+        return app.config['DEFER_ON_TLS_ERROR']
     except dns.exception.Timeout:
-        flask.current_app.logger.warn(f'Timeout while resolving the TLSA record for {domain} ({timeout}s).')
+        app.logger.warn(f'Timeout while resolving the TLSA record for {domain} ({timeout}s).')
     except dns.resolver.NXDOMAIN:
         pass # this is expected, not TLSA record is fine
     except Exception as e:
-        flask.current_app.logger.error(f'Error while looking up the TLSA record for {domain} {e}')
+        app.logger.error(f'Error while looking up the TLSA record for {domain} {e}')
         pass
 
 # Rate limiter
@@ -88,8 +88,8 @@ babel = flask_babel.Babel()
 def get_locale():
     """ selects locale for translation """
     language = flask.session.get('language')
-    if not language in flask.current_app.config.translations:
-        language = flask.request.accept_languages.best_match(flask.current_app.config.translations.keys())
+    if not language in app.config.translations:
+        language = flask.request.accept_languages.best_match(app.config.translations.keys())
         flask.session['language'] = language
     return language
 
@@ -486,7 +486,7 @@ class MailuSessionExtension:
                 with cleaned.get_lock():
                     if not cleaned.value:
                         cleaned.value = True
-                        flask.current_app.logger.info('cleaning session store')
+                        app.logger.info('cleaning session store')
                         MailuSessionExtension.cleanup_sessions(app)
 
             app.before_first_request(cleaner)

From 2dd9ea150616ab84517c0b6d248499eb1b62e3b3 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 16 Oct 2021 09:36:49 +0200
Subject: [PATCH 112/222] simplify

---
 core/admin/mailu/internal/views/auth.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py
index 457efd4b..0ed967ba 100644
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@@ -24,7 +24,7 @@ def nginx_authentication():
     for key, value in headers.items():
         response.headers[key] = str(value)
     is_valid_user = False
-    if "Auth-User-Exists" in response.headers and response.headers["Auth-User-Exists"]:
+    if response.headers.get("Auth-User-Exists"):
         username = response.headers["Auth-User"]
         if utils.limiter.should_rate_limit_user(username, client_ip):
             # FIXME could be done before handle_authentication()
@@ -69,7 +69,7 @@ def user_authentication():
 def basic_authentication():
     """ Tries to authenticate using the Authorization header.
     """
-    client_ip = flask.request.headers["X-Real-IP"] if 'X-Real-IP' in flask.request.headers else flask.request.remote_addr
+    client_ip = flask.request.headers.get('X-Real-IP', flask.request.remote_addr)
     if utils.limiter.should_rate_limit_ip(client_ip):
         response = flask.Response(status=401)
         response.headers["WWW-Authenticate"] = 'Basic realm="Authentication rate limit from one source exceeded"'

From 3bda8368e41f5cbce30cc796896823eed75eef47 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 16 Oct 2021 09:39:34 +0200
Subject: [PATCH 113/222] simplify the Auth-Status check

---
 core/admin/mailu/internal/views/auth.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py
index 0ed967ba..1ea2828a 100644
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@@ -36,9 +36,9 @@ def nginx_authentication():
                 response.headers['Auth-Wait'] = '3'
             return response
         is_valid_user = True
-    if ("Auth-Status" not in headers) or (headers["Auth-Status"] != "OK"):
+    if headers.get('Auth-Status') != 'OK':
         utils.limiter.rate_limit_user(username, client_ip) if is_valid_user else rate_limit_ip(client_ip)
-    elif ("Auth-Status" in headers) and (headers["Auth-Status"] == "OK"):
+    elif headers["Auth-Status"] == "OK":
         utils.limiter.exempt_ip_from_ratelimits(client_ip)
     return response
 

From de276a682285a4f568fb35d11a3f93f5d2785901 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 16 Oct 2021 09:45:10 +0200
Subject: [PATCH 114/222] Simplify extract_network_from_ip

---
 core/admin/mailu/utils.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 4711ff20..db760280 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -74,12 +74,10 @@ limiter = limiter.LimitWraperFactory()
 
 def extract_network_from_ip(ip):
     n = ipaddress.ip_network(ip)
-    if isinstance(n, ipaddress.IPv4Network):
+    if n.version == 4:
         return str(n.supernet(prefixlen_diff=(32-int(app.config["AUTH_RATELIMIT_IP_V4_MASK"]))).network_address)
-    elif isinstance(n, ipaddress.IPv6Network):
+    else:
         return str(n.supernet(prefixlen_diff=(128-int(app.config["AUTH_RATELIMIT_IP_V6_MASK"]))).network_address)
-    else: # not sure what to do with it
-        return ip
 
 # Application translation
 babel = flask_babel.Babel()

From abaa2e8cc3e07e5f5a759072bdc83148f44438da Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 16 Oct 2021 09:46:21 +0200
Subject: [PATCH 115/222] simplify client_ip

---
 core/admin/mailu/ui/views/base.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/ui/views/base.py b/core/admin/mailu/ui/views/base.py
index 05211804..515d6055 100644
--- a/core/admin/mailu/ui/views/base.py
+++ b/core/admin/mailu/ui/views/base.py
@@ -14,7 +14,7 @@ def index():
 
 @ui.route('/login', methods=['GET', 'POST'])
 def login():
-    client_ip = flask.request.headers["X-Real-IP"] if 'X-Real-IP' in flask.request.headers else flask.request.remote_addr
+    client_ip = flask.request.headers.get('X-Real-IP', flask.request.remote_addr)
     form = forms.LoginForm()
     if form.validate_on_submit():
         device_cookie, device_cookie_username = utils.limiter.parse_device_cookie(flask.request.cookies.get('rate_limit'))

From e14d2e7c03eca6adecff3afe6e2de0d7247c399f Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 16 Oct 2021 09:48:08 +0200
Subject: [PATCH 116/222] Error out explictely if Auth-Port isn't set

---
 core/admin/mailu/internal/nginx.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index 7613c48a..4df8f55a 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -77,7 +77,7 @@ def handle_authentication(headers):
     # Authenticated user
     elif method == "plain":
         is_valid_user = False
-        if 'Auth-Port' in headers and int(urllib.parse.unquote(headers["Auth-Port"])) == 25:
+        if headers["Auth-Port"] == '25':
             return {
                 "Auth-Status": "AUTH not supported",
                 "Auth-Error-Code": "502 5.5.1",

From 99c81c20a721d8b379e4af0399328c2a8cc0238a Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 16 Oct 2021 10:26:38 +0200
Subject: [PATCH 117/222] Introduce AUTH_RATELIMIT_EXEMPTION

This disables rate limiting on specific CIDRs
---
 core/admin/mailu/configuration.py | 1 +
 core/admin/mailu/limiter.py       | 2 +-
 core/admin/mailu/utils.py         | 6 ++++++
 docs/configuration.rst            | 4 ++++
 4 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 37f84b7c..6a3641fe 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -40,6 +40,7 @@ DEFAULT_CONFIG = {
     'AUTH_RATELIMIT_IP_V4_MASK': 24,
     'AUTH_RATELIMIT_IP_V6_MASK': 56,
     'AUTH_RATELIMIT_USER': '100/day',
+    'AUTH_RATELIMIT_EXEMPTION': '',
     'AUTH_RATELIMIT_EXEMPTION_LENGTH': 86400,
     'DISABLE_STATISTICS': False,
     # Mail settings
diff --git a/core/admin/mailu/limiter.py b/core/admin/mailu/limiter.py
index 88319012..ddaa07b3 100644
--- a/core/admin/mailu/limiter.py
+++ b/core/admin/mailu/limiter.py
@@ -39,7 +39,7 @@ class LimitWraperFactory(object):
         return LimitWrapper(self.limiter, limits.parse(limit), *args)
 
     def is_subject_to_rate_limits(self, ip):
-        return not (self.storage.get(f'exempt-{ip}') > 0)
+        return False if utils.is_subject_to_rate_limits(ip) else not (self.storage.get(f'exempt-{ip}') > 0)
 
     def exempt_ip_from_ratelimits(self, ip):
         self.storage.incr(f'exempt-{ip}', app.config["AUTH_RATELIMIT_EXEMPTION_LENGTH"], True)
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index db760280..d2bcc7a3 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -79,6 +79,12 @@ def extract_network_from_ip(ip):
     else:
         return str(n.supernet(prefixlen_diff=(128-int(app.config["AUTH_RATELIMIT_IP_V6_MASK"]))).network_address)
 
+def is_exempt_from_ratelimits(ip):
+    for range in [net.strip() for net in app.config['AUTH_RATELIMIT_EXEMPTION'].split(',')]:
+        if ipaddress.ip_address(ip) in ipaddress.ip_network(ip, False):
+            return False
+    return True
+
 # Application translation
 babel = flask_babel.Babel()
 
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 75f397c7..f5bd9582 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -55,6 +55,10 @@ after a successful login for which a specific IP address is exempted from rate l
 This ensures that users behind a NAT don't get locked out when a single client is
 misconfigured... but also potentially allow for users to attack each-other.
 
+The ``AUTH_RATELIMIT_EXEMPTION`` (default: '') is a comma separated list of network
+CIDRs that won't be subject to any form of rate limiting. Specifying ``0.0.0.0/0, ::/0``
+there is a good way to disable rate limiting altogether.
+
 The ``TLS_FLAVOR`` sets how Mailu handles TLS connections. Setting this value to
 ``notls`` will cause Mailu not to server any web content! More on :ref:`tls_flavor`.
 

From c5bd82650fbe6bf26fafb2e9af454f0729574e1d Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 16 Oct 2021 10:30:57 +0200
Subject: [PATCH 118/222] doh

---
 core/admin/mailu/limiter.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/limiter.py b/core/admin/mailu/limiter.py
index ddaa07b3..3bc65f4f 100644
--- a/core/admin/mailu/limiter.py
+++ b/core/admin/mailu/limiter.py
@@ -39,7 +39,7 @@ class LimitWraperFactory(object):
         return LimitWrapper(self.limiter, limits.parse(limit), *args)
 
     def is_subject_to_rate_limits(self, ip):
-        return False if utils.is_subject_to_rate_limits(ip) else not (self.storage.get(f'exempt-{ip}') > 0)
+        return False if utils.is_exempt_from_ratelimits(ip) else not (self.storage.get(f'exempt-{ip}') > 0)
 
     def exempt_ip_from_ratelimits(self, ip):
         self.storage.incr(f'exempt-{ip}', app.config["AUTH_RATELIMIT_EXEMPTION_LENGTH"], True)

From 94bbed9746333dc81f136dbf2b8675cd1e84dab5 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 16 Oct 2021 10:39:43 +0200
Subject: [PATCH 119/222] Ensure we have the right IP

---
 core/admin/mailu/internal/views/auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py
index 1ea2828a..2c9a5d31 100644
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@@ -86,7 +86,7 @@ def basic_authentication():
             response.headers['Retry-After'] = '60'
             return response
         user = models.User.query.get(user_email)
-        if user and nginx.check_credentials(user, password.decode('utf-8'), flask.request.remote_addr, "web"):
+        if user and nginx.check_credentials(user, password.decode('utf-8'), client_ip, "web"):
             response = flask.Response()
             response.headers["X-User"] = models.IdnaEmail.process_bind_param(flask_login, user.email, "")
             utils.limiter.exempt_ip_from_ratelimits(client_ip)

From 98742268e6bae14dc778ecad69812068bc2038d5 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 16 Oct 2021 15:12:20 +0200
Subject: [PATCH 120/222] Make it more readable

---
 core/admin/mailu/internal/views/auth.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py
index 2c9a5d31..c5cd9e28 100644
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@@ -36,10 +36,12 @@ def nginx_authentication():
                 response.headers['Auth-Wait'] = '3'
             return response
         is_valid_user = True
-    if headers.get('Auth-Status') != 'OK':
-        utils.limiter.rate_limit_user(username, client_ip) if is_valid_user else rate_limit_ip(client_ip)
-    elif headers["Auth-Status"] == "OK":
+    if headers.get("Auth-Status") == "OK":
         utils.limiter.exempt_ip_from_ratelimits(client_ip)
+    elif is_valid_user:
+        utils.limiter.rate_limit_user(username, client_ip)
+    else:
+        rate_limit_ip(client_ip)
     return response
 
 @internal.route("/auth/admin")

From 19b784b1982789f4548874a892a84c3e1828ab14 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 16 Oct 2021 15:18:41 +0200
Subject: [PATCH 121/222] Parse the network configuration only once

thanks @ghostwheel42
---
 core/admin/mailu/configuration.py | 1 +
 core/admin/mailu/utils.py         | 6 ++----
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 6a3641fe..a4a42d03 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -152,6 +152,7 @@ class ConfigManager(dict):
         self.config['SESSION_COOKIE_HTTPONLY'] = True
         self.config['PERMANENT_SESSION_LIFETIME'] = timedelta(hours=int(self.config['SESSION_LIFETIME']))
         hostnames = [host.strip() for host in self.config['HOSTNAMES'].split(',')]
+        self.config['AUTH_RATELIMIT_EXEMPTION'] = set(ipaddress.ip_network(net.strip(), False) for net in config['AUTH_RATELIMIT_EXEMPTION'].split(','))
         self.config['HOSTNAMES'] = ','.join(hostnames)
         self.config['HOSTNAME'] = hostnames[0]
         # update the app config itself
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index d2bcc7a3..dda927b0 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -80,10 +80,8 @@ def extract_network_from_ip(ip):
         return str(n.supernet(prefixlen_diff=(128-int(app.config["AUTH_RATELIMIT_IP_V6_MASK"]))).network_address)
 
 def is_exempt_from_ratelimits(ip):
-    for range in [net.strip() for net in app.config['AUTH_RATELIMIT_EXEMPTION'].split(',')]:
-        if ipaddress.ip_address(ip) in ipaddress.ip_network(ip, False):
-            return False
-    return True
+    ip = ipaddress.ip_address(ip)
+    return any(ip in cidr for cidr in app.config['AUTH_RATELIMIT_EXEMPTION'])
 
 # Application translation
 babel = flask_babel.Babel()

From 5b72c32251daaa283314e80de236bc47cac5a48f Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 16 Oct 2021 15:44:26 +0200
Subject: [PATCH 122/222] Doh

---
 core/admin/mailu/configuration.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index a4a42d03..2136e624 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -152,7 +152,7 @@ class ConfigManager(dict):
         self.config['SESSION_COOKIE_HTTPONLY'] = True
         self.config['PERMANENT_SESSION_LIFETIME'] = timedelta(hours=int(self.config['SESSION_LIFETIME']))
         hostnames = [host.strip() for host in self.config['HOSTNAMES'].split(',')]
-        self.config['AUTH_RATELIMIT_EXEMPTION'] = set(ipaddress.ip_network(net.strip(), False) for net in config['AUTH_RATELIMIT_EXEMPTION'].split(','))
+        self.config['AUTH_RATELIMIT_EXEMPTION'] = set(ipaddress.ip_network(net.strip(), False) for net in self.config['AUTH_RATELIMIT_EXEMPTION'].split(','))
         self.config['HOSTNAMES'] = ','.join(hostnames)
         self.config['HOSTNAME'] = hostnames[0]
         # update the app config itself

From e8871dd77f12e00e63ab6c6c1355ee03860afa9d Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 16 Oct 2021 16:06:13 +0200
Subject: [PATCH 123/222] doh

---
 core/admin/mailu/configuration.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 2136e624..c1444ee5 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -2,6 +2,7 @@ import os
 
 from datetime import timedelta
 from socrate import system
+import ipaddress
 
 DEFAULT_CONFIG = {
     # Specific to the admin UI

From 34497cff209fa8c3cbf7a14756e0c6bff6660cea Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 16 Oct 2021 16:35:48 +0200
Subject: [PATCH 124/222] doh

---
 core/admin/mailu/configuration.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index c1444ee5..4d4ee3e9 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -153,7 +153,7 @@ class ConfigManager(dict):
         self.config['SESSION_COOKIE_HTTPONLY'] = True
         self.config['PERMANENT_SESSION_LIFETIME'] = timedelta(hours=int(self.config['SESSION_LIFETIME']))
         hostnames = [host.strip() for host in self.config['HOSTNAMES'].split(',')]
-        self.config['AUTH_RATELIMIT_EXEMPTION'] = set(ipaddress.ip_network(net.strip(), False) for net in self.config['AUTH_RATELIMIT_EXEMPTION'].split(','))
+        self.config['AUTH_RATELIMIT_EXEMPTION'] = set(ipaddress.ip_network(net.strip(), False) for net in self.config['AUTH_RATELIMIT_EXEMPTION'].split(',')) if self.config['AUTH_RATELIMIT_EXEMPTION'] else set()
         self.config['HOSTNAMES'] = ','.join(hostnames)
         self.config['HOSTNAME'] = hostnames[0]
         # update the app config itself

From 1c6165213cc1420b16384a8c30017b2a35b33ff6 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 16 Oct 2021 16:54:56 +0200
Subject: [PATCH 125/222] better that way

---
 core/admin/mailu/configuration.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 4d4ee3e9..352bf431 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -153,7 +153,7 @@ class ConfigManager(dict):
         self.config['SESSION_COOKIE_HTTPONLY'] = True
         self.config['PERMANENT_SESSION_LIFETIME'] = timedelta(hours=int(self.config['SESSION_LIFETIME']))
         hostnames = [host.strip() for host in self.config['HOSTNAMES'].split(',')]
-        self.config['AUTH_RATELIMIT_EXEMPTION'] = set(ipaddress.ip_network(net.strip(), False) for net in self.config['AUTH_RATELIMIT_EXEMPTION'].split(',')) if self.config['AUTH_RATELIMIT_EXEMPTION'] else set()
+        self.config['AUTH_RATELIMIT_EXEMPTION'] = set(ipaddress.ip_network(cidr, False) for cidr in (cidr.strip() for cidr in self.config['AUTH_RATELIMIT_EXEMPTION'].split(',')) if cidr.strip())
         self.config['HOSTNAMES'] = ','.join(hostnames)
         self.config['HOSTNAME'] = hostnames[0]
         # update the app config itself

From 693b578bbb5ee60f5286405b54c38b783db6062a Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 16 Oct 2021 17:24:12 +0200
Subject: [PATCH 126/222] The second strip isn't necessary

---
 core/admin/mailu/configuration.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 352bf431..d33efa12 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -153,7 +153,7 @@ class ConfigManager(dict):
         self.config['SESSION_COOKIE_HTTPONLY'] = True
         self.config['PERMANENT_SESSION_LIFETIME'] = timedelta(hours=int(self.config['SESSION_LIFETIME']))
         hostnames = [host.strip() for host in self.config['HOSTNAMES'].split(',')]
-        self.config['AUTH_RATELIMIT_EXEMPTION'] = set(ipaddress.ip_network(cidr, False) for cidr in (cidr.strip() for cidr in self.config['AUTH_RATELIMIT_EXEMPTION'].split(',')) if cidr.strip())
+        self.config['AUTH_RATELIMIT_EXEMPTION'] = set(ipaddress.ip_network(cidr, False) for cidr in (cidr.strip() for cidr in self.config['AUTH_RATELIMIT_EXEMPTION'].split(',')) if cidr)
         self.config['HOSTNAMES'] = ','.join(hostnames)
         self.config['HOSTNAME'] = hostnames[0]
         # update the app config itself

From 913a6304a7084e5a1647c9ae868151efa84ef5ad Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Mon, 25 Oct 2021 17:24:41 +0000
Subject: [PATCH 127/222] Finishing touches. Introduce /static stub for
 handling all static files.

---
 core/admin/Dockerfile                    |  1 -
 core/nginx/conf/nginx.conf               | 38 +++++++++++++++++-------
 towncrier/newsfragments/1929.enhancement |  1 +
 3 files changed, 29 insertions(+), 11 deletions(-)

diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index 1a8ef695..083c0f39 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -39,7 +39,6 @@ RUN set -eu \
  && apk del --no-cache build-dep
 
 COPY --from=assets static ./mailu/ui/static
-COPY --from=assets static ./mailu/sso/static
 COPY mailu ./mailu
 COPY migrations ./migrations
 COPY start.py /start.py
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index ce80a6ae..c7eb377a 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -128,15 +128,6 @@ http {
       include /overrides/*.conf;
 
       # Actual logic
-      location ^~ {{ WEB_ADMIN }}/sso {
-        include /etc/nginx/proxy.conf;
-        rewrite ^{{ WEB_ADMIN }}/(.*) /$1 redirect;
-      }
-      location ^~ /ui/webmail {
-        include /etc/nginx/proxy.conf;
-        return 302 {{ WEB_WEBMAIL }};
-      }
-
       {% if ADMIN == 'true' %}
       location ^~ /ui {
         include /etc/nginx/proxy.conf;
@@ -149,14 +140,31 @@ http {
         include /etc/nginx/proxy.conf;
         proxy_pass http://$admin;
       }
+
+      location ^~ /sso/static {
+        include /etc/nginx/proxy.conf;
+        rewrite /sso/static/(.*) /static/$1 permanent;
+      }
+
       location ^~ /ui/language {
         include /etc/nginx/proxy.conf;
         proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }};
         proxy_pass http://$admin;
         expires $expires;
       }
+
+      location ^~ /ui/webmail {
+        include /etc/nginx/proxy.conf;
+        return 302 {{ WEB_WEBMAIL }};
+      }
       {% endif %}
 
+      location ^~ /static {
+        include /etc/nginx/proxy.conf;
+        rewrite ^/static/(.*) /ui/static/$1 break;
+        proxy_pass http://$admin;
+      }
+
       {% if WEB_WEBMAIL != '/' and WEBROOT_REDIRECT != 'none' %}
       location / {
         expires $expires;
@@ -209,7 +217,7 @@ http {
         return 301 {{ WEB_ADMIN }}/ui;
       }
 
-      location ~ {{ WEB_ADMIN }}/(ui|static) {
+      location ~ {{ WEB_ADMIN }}/ui {
         rewrite ^{{ WEB_ADMIN }}/(.*) /$1 break;
         include /etc/nginx/proxy.conf;
         proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }};
@@ -217,6 +225,11 @@ http {
         expires $expires;
       }
 
+      location ^~ {{ WEB_ADMIN }}/ui/static {
+        include /etc/nginx/proxy.conf;
+        rewrite {{ WEB_ADMIN }}/ui/static/(.*) /static/$1 permanent;
+      }
+
       location {{ WEB_ADMIN }}/antispam {
         rewrite ^{{ WEB_ADMIN }}/antispam/(.*) /$1 break;
         auth_request /internal/auth/admin;
@@ -224,6 +237,11 @@ http {
         proxy_set_header X-Forwarded-For "";
         proxy_pass http://$antispam;
       }
+
+      location ^~ {{ WEB_ADMIN }}/sso {
+        include /etc/nginx/proxy.conf;
+        rewrite ^{{ WEB_ADMIN }}/(.*) /$1 redirect;
+      }
       {% endif %}
 
       {% if WEBDAV != 'none' %}
diff --git a/towncrier/newsfragments/1929.enhancement b/towncrier/newsfragments/1929.enhancement
index b21118f7..cd3712b6 100644
--- a/towncrier/newsfragments/1929.enhancement
+++ b/towncrier/newsfragments/1929.enhancement
@@ -2,4 +2,5 @@ Improved the SSO page.
  - Now shows the login target.
  - Added toggle to choose login target.
  - Made SSO page available separately. SSO page can now be used without Admin.
+ - Introduced stub /static which is used by all sites for accessing static files.
 

From f9eee0cbaffe95c231f7309eea479dc45fc0eb35 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Mon, 25 Oct 2021 17:43:53 +0000
Subject: [PATCH 128/222] Adapt HEALTHCHECK to new URL

---
 core/admin/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index cdc426c6..fbe98fea 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -51,4 +51,4 @@ ENV FLASK_APP mailu
 
 CMD /start.py
 
-HEALTHCHECK CMD curl -f -L http://localhost/ui/login?next=ui.index || exit 1
+HEALTHCHECK CMD curl -f -L http://localhost/sso/login?next=ui.index || exit 1

From 44d2448412ac4a4587ff2288916b50f03889a3d4 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Mon, 25 Oct 2021 19:21:38 +0000
Subject: [PATCH 129/222] Updated SSO logic for webmails. Fixed small bug rate
 limiting.

---
 core/admin/mailu/internal/views/auth.py    |  2 +-
 core/admin/mailu/sso/views/base.py         | 16 +++++++++++-----
 core/nginx/conf/nginx.conf                 | 21 ++++++++++++++-------
 webmails/rainloop/defaults/application.ini |  4 +---
 webmails/roundcube/config.inc.php          |  6 +++---
 5 files changed, 30 insertions(+), 19 deletions(-)

diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py
index c5cd9e28..1afb53b5 100644
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@@ -41,7 +41,7 @@ def nginx_authentication():
     elif is_valid_user:
         utils.limiter.rate_limit_user(username, client_ip)
     else:
-        rate_limit_ip(client_ip)
+        utils.limiter.rate_limit_ip(client_ip)
     return response
 
 @internal.route("/auth/admin")
diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index f3d60fd0..cb86e1ab 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -11,13 +11,13 @@ def login():
     form = forms.LoginForm()
     endpoint = flask.request.args.get('next', 'ui.index')
 
-    if str(app.config['WEBMAIL']).upper != 'NONE' and str(app.config['ADMIN']).upper != 'NONE' and endpoint != 'ui.webmail':
+    if str(app.config['WEBMAIL']).upper() != 'NONE' and str(app.config['ADMIN']).upper() != 'FALSE' and endpoint != 'ui.webmail':
         form.target.choices = [('Admin', 'Admin'), ('Webmail', 'Webmail')]
-    elif str(app.config['WEBMAIL']).upper != 'NONE' and str(app.config['ADMIN']).upper != 'NONE' and endpoint == 'ui.webmail':
+    elif str(app.config['WEBMAIL']).upper() != 'NONE' and str(app.config['ADMIN']).upper() != 'FALSE' and endpoint == 'ui.webmail':
         form.target.choices = [('Webmail', 'Webmail'), ('Admin', 'Admin')]
-    elif str(app.config['WEBMAIL']).upper != 'NONE' and str(app.config['ADMIN']).upper == 'NONE':
+    elif str(app.config['WEBMAIL']).upper() != 'NONE' and str(app.config['ADMIN']).upper() == 'FALSE':
         form.target.choices = [('Webmail', 'Webmail')]
-    elif str(app.config['WEBMAIL']).upper == 'NONE' and str(app.config['ADMIN']).upper != 'NONE':
+    elif str(app.config['WEBMAIL']).upper() == 'NONE' and str(app.config['ADMIN']).upper() != 'FALSE':
         form.target.choices = [('Admin', 'Admin')]
 
     if form.validate_on_submit():
@@ -36,4 +36,10 @@ def login():
             client_ip = flask.request.headers["X-Real-IP"] if 'X-Real-IP' in flask.request.headers else flask.request.remote_addr
             flask.current_app.logger.warn(f'Login failed for {str(form.email.data)} from {client_ip}.')
     return flask.render_template('login.html', form=form, endpoint=endpoint)
-    
\ No newline at end of file
+    
+@sso.route('/logout', methods=['GET'])
+@access.authenticated
+def logout():
+    flask_login.logout_user()
+    flask.session.destroy()
+    return flask.redirect(flask.url_for('.login'))
\ No newline at end of file
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 81202ef0..e5fed3df 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -146,6 +146,12 @@ http {
         rewrite /sso/static/(.*) /static/$1 permanent;
       }
 
+      location ^~ {{ WEB_WEBMAIL }}/sso/ui/logout {
+        include /etc/nginx/proxy.conf;
+        rewrite ^{{ WEB_WEBMAIL }}/sso/ui/logout$ /sso/logout break;
+        proxy_pass http://$admin;
+      }
+
       location ^~ /ui/language {
         include /etc/nginx/proxy.conf;
         proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }};
@@ -183,11 +189,12 @@ http {
         rewrite ^{{ WEB_WEBMAIL }}/(.*) /$1 break;
         {% endif %}
         include /etc/nginx/proxy.conf;
-        client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};
-        proxy_pass http://$webmail;
-      {% if ADMIN == 'true' %}
+        client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};       
         auth_request /internal/auth/user;
+        auth_request_set $user $upstream_http_x_user;
+        auth_request_set $token $upstream_http_x_user_token;       
         error_page 403 @webmail_login;
+        proxy_pass http://$webmail;
       }
 
       location {{ WEB_WEBMAIL }}/sso.php {
@@ -202,16 +209,16 @@ http {
         auth_request_set $token $upstream_http_x_user_token;
         proxy_set_header X-Remote-User $user;
         proxy_set_header X-Remote-User-Token $token;
-        proxy_pass http://$webmail;
         error_page 403 @webmail_login;
+        proxy_pass http://$webmail;
       }
 
-      location @webmail_login {
-        return 302 {{ WEB_ADMIN }}/sso/login?next=ui.webmail;
+      location @webmail_login {       
+        return 302 /sso/login?next=ui.webmail;
       }
       {% else %}
       }
-      {% endif %}{% endif %}
+      {% endif %}
       {% if ADMIN == 'true' %}
       location {{ WEB_ADMIN }} {
         return 301 {{ WEB_ADMIN }}/ui;
diff --git a/webmails/rainloop/defaults/application.ini b/webmails/rainloop/defaults/application.ini
index 0504f174..2e266235 100644
--- a/webmails/rainloop/defaults/application.ini
+++ b/webmails/rainloop/defaults/application.ini
@@ -8,10 +8,8 @@ allow_admin_panel = Off
 
 [labs]
 allow_gravatar = Off
-{% if ADMIN == "true" %}
 custom_login_link='sso.php'
-custom_logout_link='{{ WEB_ADMIN }}/ui/logout'
-{% endif %}
+custom_logout_link='sso/ui/logout'
 
 [contacts]
 enable = On
diff --git a/webmails/roundcube/config.inc.php b/webmails/roundcube/config.inc.php
index 797f229c..3b474795 100644
--- a/webmails/roundcube/config.inc.php
+++ b/webmails/roundcube/config.inc.php
@@ -37,11 +37,11 @@ $config['managesieve_usetls'] = false;
 
 // Customization settings
 if (filter_var(getenv('ADMIN'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)) {
-	array_push($config['plugins'], 'mailu');
-	$config['support_url'] = getenv('WEB_ADMIN') ? '../..' . getenv('WEB_ADMIN') : '';
-	$config['sso_logout_url'] = getenv('WEB_ADMIN').'/ui/logout';
+	$config['support_url'] = getenv('WEB_ADMIN') ? '../..' . getenv('WEB_ADMIN') : '';	
 }
 $config['product_name'] = 'Mailu Webmail';
+array_push($config['plugins'], 'mailu');
+$config['sso_logout_url'] = 'sso/ui/logout';
 
 // We access the IMAP and SMTP servers locally with internal names, SSL
 // will obviously fail but this sounds better than allowing insecure login

From aa7380ffba39ce510235427ba89ec4a07b7ec80d Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Mon, 25 Oct 2021 20:00:00 +0000
Subject: [PATCH 130/222] Doh!

---
 core/nginx/conf/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index e5fed3df..20cc00a6 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -217,7 +217,7 @@ http {
         return 302 /sso/login?next=ui.webmail;
       }
       {% else %}
-      }
+      
       {% endif %}
       {% if ADMIN == 'true' %}
       location {{ WEB_ADMIN }} {

From f2474c968e7d2dee66dd705a69c924fddab92a01 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Mon, 25 Oct 2021 20:10:45 +0000
Subject: [PATCH 131/222] Modified trusted authors mergify config as disccused
 in #1932

---
 .mergify.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.mergify.yml b/.mergify.yml
index 6cd6a5a3..02e41922 100644
--- a/.mergify.yml
+++ b/.mergify.yml
@@ -27,7 +27,7 @@ pull_request_rules:
 
   - name: Trusted author and 1 approved review; trigger bors r+
     conditions:
-      - author~=^(mergify|kaiyou|muhlemmer|mildred|HorayNarea|hoellen|ofthesun9|Nebukadneza|micw|lub|Diman0|3-w-c|decentral1se|ghostwheel42|nextgens|parisni)$
+      - author~=^(mergify|kaiyou|muhlemmer|mildred|HorayNarea|hoellen|ofthesun9|Nebukadneza|micw|lub|Diman0|ghostwheel42|nextgens)$
       - -title~=(WIP|wip)
       - -label~=^(status/wip|status/blocked|review/need2)$
       - "#approved-reviews-by>=1"

From eb74a72a52dedc752937131a2ec36aaf7f30cddb Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Tue, 26 Oct 2021 07:35:06 +0000
Subject: [PATCH 132/222] Moved locations to correct area in nginx.conf.

---
 core/nginx/conf/nginx.conf | 40 ++++++++++++++++++--------------------
 1 file changed, 19 insertions(+), 21 deletions(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 20cc00a6..cc011f90 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -128,30 +128,12 @@ http {
       include /overrides/*.conf;
 
       # Actual logic
-      {% if ADMIN == 'true' %}
-      location ^~ /ui {
-        include /etc/nginx/proxy.conf;
-        rewrite ^/ui/(.*) {{ WEB_ADMIN }}/ui/$1 redirect;
-      }
-      {% endif %}
-
       {% if ADMIN == 'true' or WEBMAIL != 'none' %}
       location ^~ /sso {
         include /etc/nginx/proxy.conf;
         proxy_pass http://$admin;
       }
 
-      location ^~ /sso/static {
-        include /etc/nginx/proxy.conf;
-        rewrite /sso/static/(.*) /static/$1 permanent;
-      }
-
-      location ^~ {{ WEB_WEBMAIL }}/sso/ui/logout {
-        include /etc/nginx/proxy.conf;
-        rewrite ^{{ WEB_WEBMAIL }}/sso/ui/logout$ /sso/logout break;
-        proxy_pass http://$admin;
-      }
-
       location ^~ /ui/language {
         include /etc/nginx/proxy.conf;
         proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }};
@@ -159,17 +141,17 @@ http {
         expires $expires;
       }
 
-      location ^~ /ui/webmail {
+      location ^~ /sso/static {
         include /etc/nginx/proxy.conf;
-        return 302 {{ WEB_WEBMAIL }};
+        rewrite /sso/static/(.*) /static/$1 permanent;
       }
-      {% endif %}
 
       location ^~ /static {
         include /etc/nginx/proxy.conf;
         rewrite ^/static/(.*) /ui/static/$1 break;
         proxy_pass http://$admin;
       }
+      {% endif %}
 
       {% if WEB_WEBMAIL != '/' and WEBROOT_REDIRECT != 'none' %}
       location / {
@@ -216,10 +198,26 @@ http {
       location @webmail_login {       
         return 302 /sso/login?next=ui.webmail;
       }
+
+      location ^~ {{ WEB_WEBMAIL }}/sso/ui/logout {
+        include /etc/nginx/proxy.conf;
+        rewrite ^{{ WEB_WEBMAIL }}/sso/ui/logout$ /sso/logout break;
+        proxy_pass http://$admin;
+      }
+
+      location ^~ /ui/webmail {
+        include /etc/nginx/proxy.conf;
+        return 302 {{ WEB_WEBMAIL }};
+      }            
       {% else %}
       
       {% endif %}
       {% if ADMIN == 'true' %}
+      location ^~ /ui {
+        include /etc/nginx/proxy.conf;
+        rewrite ^/ui/(.*) {{ WEB_ADMIN }}/ui/$1 redirect;
+      }
+
       location {{ WEB_ADMIN }} {
         return 301 {{ WEB_ADMIN }}/ui;
       }

From 5d81846c5db1095c3aa6770d889e351cbcd6962c Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Tue, 26 Oct 2021 11:30:06 +0000
Subject: [PATCH 133/222] Introduce the shared stub /static for providing all
 static files

---
 core/admin/Dockerfile                        |  2 +-
 core/admin/mailu/__init__.py                 |  3 ++-
 core/admin/mailu/sso/templates/base_sso.html | 12 ++++++------
 core/admin/mailu/static_files/__init__.py    |  5 +++++
 core/admin/mailu/ui/templates/base.html      | 12 ++++++------
 core/nginx/conf/nginx.conf                   | 14 +-------------
 6 files changed, 21 insertions(+), 27 deletions(-)
 create mode 100644 core/admin/mailu/static_files/__init__.py

diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index fbe98fea..ed0e7f3b 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -38,7 +38,7 @@ RUN set -eu \
  && pip3 install -r requirements.txt \
  && apk del --no-cache build-dep
 
-COPY --from=assets static ./mailu/ui/static
+COPY --from=assets static ./mailu/static_files/static
 COPY mailu ./mailu
 COPY migrations ./migrations
 COPY start.py /start.py
diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py
index cbb5f769..295d2cfd 100644
--- a/core/admin/mailu/__init__.py
+++ b/core/admin/mailu/__init__.py
@@ -58,10 +58,11 @@ def create_app_from_config(config):
         )
 
     # Import views
-    from mailu import ui, internal, sso
+    from mailu import ui, internal, sso, static_files
     app.register_blueprint(ui.ui, url_prefix='/ui')
     app.register_blueprint(internal.internal, url_prefix='/internal')
     app.register_blueprint(sso.sso, url_prefix='/sso')
+    app.register_blueprint(static_files.static, url_prefix='/static')
     return app
 
 
diff --git a/core/admin/mailu/sso/templates/base_sso.html b/core/admin/mailu/sso/templates/base_sso.html
index 062adf36..913a806f 100644
--- a/core/admin/mailu/sso/templates/base_sso.html
+++ b/core/admin/mailu/sso/templates/base_sso.html
@@ -1,15 +1,15 @@
 {%- import "macros.html" as macros %}
 {%- import "bootstrap/utils.html" as utils %}
 <!doctype html>
-<html lang="{{ session['language'] }}" data-static="{{ url_for('.static', filename='') }}">
+<html lang="{{ session['language'] }}" data-static="/static/">
   <head>
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <meta name="description" content="{% trans %}Admin page for{% endtrans %} {{ config["SITENAME"] }}">
     <meta http-equiv="x-ua-compatible" content="ie=edge">
     <title>Mailu-Admin | {{ config["SITENAME"] }}</title>
-    <link rel="stylesheet" href="{{ url_for('.static', filename='vendor.css') }}">
-    <link rel="stylesheet" href="{{ url_for('.static', filename='app.css') }}">
+    <link rel="stylesheet" href="/static/vendor.css">
+    <link rel="stylesheet" href="/static/app.css">
   </head>
   <body class="hold-transition sidebar-mini layout-fixed">
     <div class="wrapper">
@@ -46,7 +46,7 @@
       </nav>
       <aside class="main-sidebar sidebar-dark-primary nav-compact elevation-4">
         <a class="brand-link bg-mailu-logo"{% if config["LOGO_BACKGROUND"] %} style="background-color:{{ config["LOGO_BACKGROUND"] }}!important;"{% endif %}>
-          <img src="{{ config["LOGO_URL"] if config["LOGO_URL"] else url_for('.static', filename='mailu.png') }}" width="33" height="33" alt="Mailu" class="brand-image mailu-logo img-circle elevation-3">
+          <img src="{{ config["LOGO_URL"] if config["LOGO_URL"] else '/static/mailu.png' }}" width="33" height="33" alt="Mailu" class="brand-image mailu-logo img-circle elevation-3">
           <span class="brand-text font-weight-light">{{ config["SITENAME"] }}</span>
         </a>
         {%- include "sidebar_sso.html" %}
@@ -80,7 +80,7 @@
         </span>
       </footer>
     </div>
-    <script src="{{ url_for('.static', filename='vendor.js') }}"></script>
-    <script src="{{ url_for('.static', filename='app.js') }}"></script>
+    <script src="/static/vendor.js"></script>
+    <script src="/static/app.js"></script>
   </body>
 </html>
diff --git a/core/admin/mailu/static_files/__init__.py b/core/admin/mailu/static_files/__init__.py
new file mode 100644
index 00000000..f038c076
--- /dev/null
+++ b/core/admin/mailu/static_files/__init__.py
@@ -0,0 +1,5 @@
+from flask import Blueprint
+
+static = Blueprint('static', __name__, static_folder='static', static_url_path='/static')
+
+
diff --git a/core/admin/mailu/ui/templates/base.html b/core/admin/mailu/ui/templates/base.html
index fc27d12b..3357d3e3 100644
--- a/core/admin/mailu/ui/templates/base.html
+++ b/core/admin/mailu/ui/templates/base.html
@@ -1,15 +1,15 @@
 {%- import "macros.html" as macros %}
 {%- import "bootstrap/utils.html" as utils %}
 <!doctype html>
-<html lang="{{ session['language'] }}" data-static="{{ url_for('.static', filename='') }}">
+<html lang="{{ session['language'] }}" data-static="/static/">
   <head>
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <meta name="description" content="{% trans %}Admin page for{% endtrans %} {{ config["SITENAME"] }}">
     <meta http-equiv="x-ua-compatible" content="ie=edge">
     <title>Mailu-Admin | {{ config["SITENAME"] }}</title>
-    <link rel="stylesheet" href="{{ url_for('.static', filename='vendor.css') }}">
-    <link rel="stylesheet" href="{{ url_for('.static', filename='app.css') }}">
+    <link rel="stylesheet" href="/static/vendor.css">
+    <link rel="stylesheet" href="/static/app.css">
   </head>
   <body class="hold-transition sidebar-mini layout-fixed">
     <div class="wrapper">
@@ -46,7 +46,7 @@
       </nav>
       <aside class="main-sidebar sidebar-dark-primary nav-compact elevation-4">
         <a href="{{ url_for('.domain_list' if current_user.manager_of or current_user.global_admin else '.user_settings') }}" class="brand-link bg-mailu-logo"{% if config["LOGO_BACKGROUND"] %} style="background-color:{{ config["LOGO_BACKGROUND"] }}!important;"{% endif %}>
-          <img src="{{ config["LOGO_URL"] if config["LOGO_URL"] else url_for('.static', filename='mailu.png') }}" width="33" height="33" alt="Mailu" class="brand-image mailu-logo img-circle elevation-3">
+          <img src="{{ config["LOGO_URL"] if config["LOGO_URL"] else '/static/mailu.png' }}" width="33" height="33" alt="Mailu" class="brand-image mailu-logo img-circle elevation-3">
           <span class="brand-text font-weight-light">{{ config["SITENAME"] }}</span>
         </a>
         {%- include "sidebar.html" %}
@@ -80,7 +80,7 @@
         </span>
       </footer>
     </div>
-    <script src="{{ url_for('.static', filename='vendor.js') }}"></script>
-    <script src="{{ url_for('.static', filename='app.js') }}"></script>
+    <script src="/static/vendor.js"></script>
+    <script src="/static/app.js"></script>
   </body>
 </html>
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index cc011f90..607e5abd 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -136,19 +136,12 @@ http {
 
       location ^~ /ui/language {
         include /etc/nginx/proxy.conf;
-        proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }};
         proxy_pass http://$admin;
-        expires $expires;
-      }
-
-      location ^~ /sso/static {
-        include /etc/nginx/proxy.conf;
-        rewrite /sso/static/(.*) /static/$1 permanent;
       }
 
       location ^~ /static {
         include /etc/nginx/proxy.conf;
-        rewrite ^/static/(.*) /ui/static/$1 break;
+        rewrite ^/static/(.*) /static/static/$1 break;
         proxy_pass http://$admin;
       }
       {% endif %}
@@ -230,11 +223,6 @@ http {
         expires $expires;
       }
 
-      location ^~ {{ WEB_ADMIN }}/ui/static {
-        include /etc/nginx/proxy.conf;
-        rewrite {{ WEB_ADMIN }}/ui/static/(.*) /static/$1 permanent;
-      }
-
       location {{ WEB_ADMIN }}/antispam {
         rewrite ^{{ WEB_ADMIN }}/antispam/(.*) /$1 break;
         auth_request /internal/auth/admin;

From 615743b331c4759c58ffc9856c1aa9200adfabec Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Tue, 26 Oct 2021 11:39:56 +0000
Subject: [PATCH 134/222] Improve indendation of conditions.

---
 core/admin/mailu/sso/views/base.py | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index cb86e1ab..067ea809 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -11,14 +11,28 @@ def login():
     form = forms.LoginForm()
     endpoint = flask.request.args.get('next', 'ui.index')
 
-    if str(app.config['WEBMAIL']).upper() != 'NONE' and str(app.config['ADMIN']).upper() != 'FALSE' and endpoint != 'ui.webmail':
-        form.target.choices = [('Admin', 'Admin'), ('Webmail', 'Webmail')]
-    elif str(app.config['WEBMAIL']).upper() != 'NONE' and str(app.config['ADMIN']).upper() != 'FALSE' and endpoint == 'ui.webmail':
-        form.target.choices = [('Webmail', 'Webmail'), ('Admin', 'Admin')]
-    elif str(app.config['WEBMAIL']).upper() != 'NONE' and str(app.config['ADMIN']).upper() == 'FALSE':
-        form.target.choices = [('Webmail', 'Webmail')]
-    elif str(app.config['WEBMAIL']).upper() == 'NONE' and str(app.config['ADMIN']).upper() != 'FALSE':
-        form.target.choices = [('Admin', 'Admin')]
+    if (
+        str(app.config["WEBMAIL"]).upper() != "NONE"
+        and str(app.config["ADMIN"]).upper() != "FALSE"
+        and endpoint != "ui.webmail"
+    ):
+        form.target.choices = [("Admin", "Admin"), ("Webmail", "Webmail")]
+    elif (
+        str(app.config["WEBMAIL"]).upper() != "NONE"
+        and str(app.config["ADMIN"]).upper() != "FALSE"
+        and endpoint == "ui.webmail"
+    ):
+        form.target.choices = [("Webmail", "Webmail"), ("Admin", "Admin")]
+    elif (
+        str(app.config["WEBMAIL"]).upper() != "NONE"
+        and str(app.config["ADMIN"]).upper() == "FALSE"
+    ):
+        form.target.choices = [("Webmail", "Webmail")]
+    elif (
+        str(app.config["WEBMAIL"]).upper() == "NONE"
+        and str(app.config["ADMIN"]).upper() != "FALSE"
+    ):
+        form.target.choices = [("Admin", "Admin")]
 
     if form.validate_on_submit():
         if str(form.target.data) == 'Admin':

From aab258d28454ad3050c7baec6b2106c448982206 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Tue, 26 Oct 2021 11:54:25 +0000
Subject: [PATCH 135/222] Move handling of logging out in admin, to sso logout
 page.

---
 core/admin/mailu/ui/templates/sidebar.html | 2 +-
 core/admin/mailu/ui/views/base.py          | 8 --------
 2 files changed, 1 insertion(+), 9 deletions(-)

diff --git a/core/admin/mailu/ui/templates/sidebar.html b/core/admin/mailu/ui/templates/sidebar.html
index 32feb8dd..62168ff1 100644
--- a/core/admin/mailu/ui/templates/sidebar.html
+++ b/core/admin/mailu/ui/templates/sidebar.html
@@ -130,7 +130,7 @@
       {%- endif %}
       {%- if current_user.is_authenticated %}
       <li class="nav-item" role="none">
-        <a href="{{ url_for('.logout') }}" class="nav-link" role="menuitem">
+        <a href="{{ url_for('sso.logout') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fas fa-sign-out-alt"></i>
           <p>{% trans %}Sign out{% endtrans %}</p>
         </a>
diff --git a/core/admin/mailu/ui/views/base.py b/core/admin/mailu/ui/views/base.py
index 8e628360..d05d1fb3 100644
--- a/core/admin/mailu/ui/views/base.py
+++ b/core/admin/mailu/ui/views/base.py
@@ -11,14 +11,6 @@ import flask_login
 def index():
     return flask.redirect(flask.url_for('.user_settings'))
 
-@ui.route('/logout', methods=['GET'])
-@access.authenticated
-def logout():
-    flask_login.logout_user()
-    flask.session.destroy()
-    return flask.redirect(flask.url_for('.index'))
-
-
 @ui.route('/announcement', methods=['GET', 'POST'])
 @access.global_admin
 def announcement():

From 5232bd38fd5147ea6483900260c698da09d9b916 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Tue, 26 Oct 2021 12:07:36 +0000
Subject: [PATCH 136/222] Simplify webmail logout.

---
 core/nginx/conf/nginx.conf                 | 6 ------
 webmails/rainloop/defaults/application.ini | 2 +-
 webmails/roundcube/config.inc.php          | 2 +-
 3 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 607e5abd..e439e0e1 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -192,12 +192,6 @@ http {
         return 302 /sso/login?next=ui.webmail;
       }
 
-      location ^~ {{ WEB_WEBMAIL }}/sso/ui/logout {
-        include /etc/nginx/proxy.conf;
-        rewrite ^{{ WEB_WEBMAIL }}/sso/ui/logout$ /sso/logout break;
-        proxy_pass http://$admin;
-      }
-
       location ^~ /ui/webmail {
         include /etc/nginx/proxy.conf;
         return 302 {{ WEB_WEBMAIL }};
diff --git a/webmails/rainloop/defaults/application.ini b/webmails/rainloop/defaults/application.ini
index 2e266235..d67ec9f0 100644
--- a/webmails/rainloop/defaults/application.ini
+++ b/webmails/rainloop/defaults/application.ini
@@ -9,7 +9,7 @@ allow_admin_panel = Off
 [labs]
 allow_gravatar = Off
 custom_login_link='sso.php'
-custom_logout_link='sso/ui/logout'
+custom_logout_link='/sso/logout'
 
 [contacts]
 enable = On
diff --git a/webmails/roundcube/config.inc.php b/webmails/roundcube/config.inc.php
index 3b474795..99f147fc 100644
--- a/webmails/roundcube/config.inc.php
+++ b/webmails/roundcube/config.inc.php
@@ -41,7 +41,7 @@ if (filter_var(getenv('ADMIN'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)
 }
 $config['product_name'] = 'Mailu Webmail';
 array_push($config['plugins'], 'mailu');
-$config['sso_logout_url'] = 'sso/ui/logout';
+$config['sso_logout_url'] = '/sso/logout';
 
 // We access the IMAP and SMTP servers locally with internal names, SSL
 // will obviously fail but this sounds better than allowing insecure login

From 48764f0400d9d3b56586232f7e9c768bda748f8e Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Wed, 27 Oct 2021 08:06:53 +0000
Subject: [PATCH 137/222] Ensure all requests from the page sso go through the
 page sso.

---
 core/admin/mailu/sso/templates/base_sso.html | 2 +-
 core/admin/mailu/sso/views/__init__.py       | 2 +-
 core/admin/mailu/sso/views/languages.py      | 9 +++++++++
 core/nginx/conf/nginx.conf                   | 5 -----
 4 files changed, 11 insertions(+), 7 deletions(-)
 create mode 100644 core/admin/mailu/sso/views/languages.py

diff --git a/core/admin/mailu/sso/templates/base_sso.html b/core/admin/mailu/sso/templates/base_sso.html
index 913a806f..2d6446b2 100644
--- a/core/admin/mailu/sso/templates/base_sso.html
+++ b/core/admin/mailu/sso/templates/base_sso.html
@@ -38,7 +38,7 @@
               <span class="badge badge-primary navbar-badge">{{ session['language'] }}</span></a>
             <div class="dropdown-menu dropdown-menu-right p-0" id="mailu-languages">
             {%- for locale in config.translations.values() %}
-              <a class="dropdown-item{% if locale.language == session['language'] %} active{% endif %}" href="{{ url_for('ui.set_language', language=locale.language) }}">{{ locale.get_language_name().title() }}</a>
+              <a class="dropdown-item{% if locale.language == session['language'] %} active{% endif %}" href="{{ url_for('sso.set_language', language=locale.language) }}">{{ locale.get_language_name().title() }}</a>
             {%- endfor %}
             </div>
           </li>
diff --git a/core/admin/mailu/sso/views/__init__.py b/core/admin/mailu/sso/views/__init__.py
index 990c7919..7b1830fb 100644
--- a/core/admin/mailu/sso/views/__init__.py
+++ b/core/admin/mailu/sso/views/__init__.py
@@ -1,3 +1,3 @@
 __all__ = [
-    'base'
+    'base', 'languages'
 ]
diff --git a/core/admin/mailu/sso/views/languages.py b/core/admin/mailu/sso/views/languages.py
new file mode 100644
index 00000000..a723193a
--- /dev/null
+++ b/core/admin/mailu/sso/views/languages.py
@@ -0,0 +1,9 @@
+from mailu.sso import sso, forms
+from mailu.ui import access
+
+import flask
+
+@sso.route('/language/<language>', methods=['POST'])
+def set_language(language=None):
+    flask.session['language'] = language
+    return flask.Response(status=200)
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index e439e0e1..13317d76 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -134,11 +134,6 @@ http {
         proxy_pass http://$admin;
       }
 
-      location ^~ /ui/language {
-        include /etc/nginx/proxy.conf;
-        proxy_pass http://$admin;
-      }
-
       location ^~ /static {
         include /etc/nginx/proxy.conf;
         rewrite ^/static/(.*) /static/static/$1 break;

From a47afec4ee0be82655714421836d74424636e406 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Wed, 27 Oct 2021 08:22:36 +0000
Subject: [PATCH 138/222] Make logic more readable.

---
 core/admin/mailu/sso/views/base.py | 29 +++++++----------------------
 1 file changed, 7 insertions(+), 22 deletions(-)

diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index 067ea809..73552475 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -11,28 +11,13 @@ def login():
     form = forms.LoginForm()
     endpoint = flask.request.args.get('next', 'ui.index')
 
-    if (
-        str(app.config["WEBMAIL"]).upper() != "NONE"
-        and str(app.config["ADMIN"]).upper() != "FALSE"
-        and endpoint != "ui.webmail"
-    ):
-        form.target.choices = [("Admin", "Admin"), ("Webmail", "Webmail")]
-    elif (
-        str(app.config["WEBMAIL"]).upper() != "NONE"
-        and str(app.config["ADMIN"]).upper() != "FALSE"
-        and endpoint == "ui.webmail"
-    ):
-        form.target.choices = [("Webmail", "Webmail"), ("Admin", "Admin")]
-    elif (
-        str(app.config["WEBMAIL"]).upper() != "NONE"
-        and str(app.config["ADMIN"]).upper() == "FALSE"
-    ):
-        form.target.choices = [("Webmail", "Webmail")]
-    elif (
-        str(app.config["WEBMAIL"]).upper() == "NONE"
-        and str(app.config["ADMIN"]).upper() != "FALSE"
-    ):
-        form.target.choices = [("Admin", "Admin")]
+    form.target.choices = []
+    if str(app.config["ADMIN"]).upper() != "FALSE":
+        form.target.choices += [("Admin", "Admin")]
+    if str(app.config["WEBMAIL"]).upper() != "NONE":
+        form.target.choices += [("Webmail", "Webmail")]
+    if endpoint == "ui.webmail":
+        form.target.choices.reverse()
 
     if form.validate_on_submit():
         if str(form.target.data) == 'Admin':

From aee089f3b1f8bc3240b087f133a502f7ad0c7ab4 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 27 Oct 2021 09:59:55 +0200
Subject: [PATCH 139/222] Ensure that static assets are readable

---
 core/nginx/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/nginx/Dockerfile b/core/nginx/Dockerfile
index aeb11666..b7e5e22e 100644
--- a/core/nginx/Dockerfile
+++ b/core/nginx/Dockerfile
@@ -16,7 +16,7 @@ COPY conf /conf
 COPY static /static
 COPY *.py /
 
-RUN gzip -k9 /static/*.ico /static/*.txt
+RUN gzip -k9 /static/*.ico /static/*.txt; chmod a+rX -R /static
 
 EXPOSE 80/tcp 443/tcp 110/tcp 143/tcp 465/tcp 587/tcp 993/tcp 995/tcp 25/tcp 10025/tcp 10143/tcp
 VOLUME ["/certs"]

From d3f07a088219d51dd0e122880478872152f1d243 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 27 Oct 2021 10:54:18 +0200
Subject: [PATCH 140/222] Simplify the handling of /static

---
 core/admin/mailu/__init__.py              | 3 +--
 core/admin/mailu/sso/__init__.py          | 2 +-
 core/admin/mailu/static_files/__init__.py | 5 -----
 core/nginx/conf/nginx.conf                | 8 +-------
 4 files changed, 3 insertions(+), 15 deletions(-)
 delete mode 100644 core/admin/mailu/static_files/__init__.py

diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py
index 295d2cfd..4413d68c 100644
--- a/core/admin/mailu/__init__.py
+++ b/core/admin/mailu/__init__.py
@@ -11,7 +11,7 @@ import hmac
 def create_app_from_config(config):
     """ Create a new application based on the given configuration
     """
-    app = flask.Flask(__name__)
+    app = flask.Flask(__name__, static_folder='static_files', static_url_path='')
     app.cli.add_command(manage.mailu)
 
     # Bootstrap is used for error display and flash messages
@@ -62,7 +62,6 @@ def create_app_from_config(config):
     app.register_blueprint(ui.ui, url_prefix='/ui')
     app.register_blueprint(internal.internal, url_prefix='/internal')
     app.register_blueprint(sso.sso, url_prefix='/sso')
-    app.register_blueprint(static_files.static, url_prefix='/static')
     return app
 
 
diff --git a/core/admin/mailu/sso/__init__.py b/core/admin/mailu/sso/__init__.py
index fcdc9cd0..3f3cc39f 100644
--- a/core/admin/mailu/sso/__init__.py
+++ b/core/admin/mailu/sso/__init__.py
@@ -1,5 +1,5 @@
 from flask import Blueprint
 
-sso = Blueprint('sso', __name__, static_folder='static', template_folder='templates')
+sso = Blueprint('sso', __name__, template_folder='templates')
 
 from mailu.sso.views import *
diff --git a/core/admin/mailu/static_files/__init__.py b/core/admin/mailu/static_files/__init__.py
deleted file mode 100644
index f038c076..00000000
--- a/core/admin/mailu/static_files/__init__.py
+++ /dev/null
@@ -1,5 +0,0 @@
-from flask import Blueprint
-
-static = Blueprint('static', __name__, static_folder='static', static_url_path='/static')
-
-
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 13317d76..13f5b534 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -129,16 +129,10 @@ http {
 
       # Actual logic
       {% if ADMIN == 'true' or WEBMAIL != 'none' %}
-      location ^~ /sso {
+      location ~ ^/(sso|static) {
         include /etc/nginx/proxy.conf;
         proxy_pass http://$admin;
       }
-
-      location ^~ /static {
-        include /etc/nginx/proxy.conf;
-        rewrite ^/static/(.*) /static/static/$1 break;
-        proxy_pass http://$admin;
-      }
       {% endif %}
 
       {% if WEB_WEBMAIL != '/' and WEBROOT_REDIRECT != 'none' %}

From fee13e6c4bbf8e01a4058a54513549c2b0e85a52 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 27 Oct 2021 11:11:22 +0200
Subject: [PATCH 141/222] Save a redirect

---
 core/admin/mailu/sso/views/base.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index 73552475..62231a65 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -21,7 +21,7 @@ def login():
 
     if form.validate_on_submit():
         if str(form.target.data) == 'Admin':
-            endpoint = 'ui.index'
+            endpoint = 'ui.user_settings'
         elif str(form.target.data) == 'Webmail':
             endpoint = 'ui.webmail'
 
@@ -41,4 +41,4 @@ def login():
 def logout():
     flask_login.logout_user()
     flask.session.destroy()
-    return flask.redirect(flask.url_for('.login'))
\ No newline at end of file
+    return flask.redirect(flask.url_for('.login'))

From f1a60aa6eaabc2267fa76169853747c2371643c3 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Wed, 27 Oct 2021 11:11:50 +0000
Subject: [PATCH 142/222] Remove unneeded auth_request_set

---
 core/nginx/conf/nginx.conf | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 13317d76..7f0449cc 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -160,9 +160,7 @@ http {
         {% endif %}
         include /etc/nginx/proxy.conf;
         client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};       
-        auth_request /internal/auth/user;
-        auth_request_set $user $upstream_http_x_user;
-        auth_request_set $token $upstream_http_x_user_token;       
+        auth_request /internal/auth/user;    
         error_page 403 @webmail_login;
         proxy_pass http://$webmail;
       }

From bdcc1831656e495a59dbe8df3225f853ae7b90fc Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Wed, 27 Oct 2021 11:24:10 +0000
Subject: [PATCH 143/222] Redirect to configured ENV VAR for Admin/Webmail,
 further simplify nginx config.

---
 core/admin/mailu/sso/views/base.py |  5 ++++-
 core/nginx/conf/nginx.conf         | 12 +-----------
 2 files changed, 5 insertions(+), 12 deletions(-)

diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index 73552475..8a21884f 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -1,3 +1,4 @@
+from werkzeug.utils import redirect
 from mailu import models
 from mailu.sso import sso, forms
 from mailu.ui import access
@@ -22,14 +23,16 @@ def login():
     if form.validate_on_submit():
         if str(form.target.data) == 'Admin':
             endpoint = 'ui.index'
+            destination = app.config['WEB_ADMIN']
         elif str(form.target.data) == 'Webmail':
             endpoint = 'ui.webmail'
+            destination = app.config['WEB_WEBMAIL']
 
         user = models.User.login(form.email.data, form.pw.data)
         if user:
             flask.session.regenerate()
             flask_login.login_user(user)           
-            return flask.redirect(flask.url_for(endpoint))
+            return flask.redirect(destination)
         else:
             flask.flash('Wrong e-mail or password', 'error')
             client_ip = flask.request.headers["X-Real-IP"] if 'X-Real-IP' in flask.request.headers else flask.request.remote_addr
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 7f0449cc..0b122da6 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -183,21 +183,11 @@ http {
 
       location @webmail_login {       
         return 302 /sso/login?next=ui.webmail;
-      }
-
-      location ^~ /ui/webmail {
-        include /etc/nginx/proxy.conf;
-        return 302 {{ WEB_WEBMAIL }};
-      }            
+      }         
       {% else %}
       
       {% endif %}
       {% if ADMIN == 'true' %}
-      location ^~ /ui {
-        include /etc/nginx/proxy.conf;
-        rewrite ^/ui/(.*) {{ WEB_ADMIN }}/ui/$1 redirect;
-      }
-
       location {{ WEB_ADMIN }} {
         return 301 {{ WEB_ADMIN }}/ui;
       }

From fb0f005343a6996f08949439dee975e9b5caec67 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Wed, 27 Oct 2021 18:36:50 +0000
Subject: [PATCH 144/222] Get rid of complicated prefix logic. Further simplify
 /static handling and nginx config.

---
 core/admin/Dockerfile                        |  2 +-
 core/admin/mailu/__init__.py                 |  7 +++---
 core/admin/mailu/sso/__init__.py             |  2 +-
 core/admin/mailu/sso/templates/base_sso.html |  8 +++----
 core/admin/mailu/ui/__init__.py              |  2 +-
 core/admin/mailu/ui/templates/sidebar.html   |  2 +-
 core/admin/mailu/utils.py                    | 20 -----------------
 core/nginx/conf/nginx.conf                   | 23 +++++---------------
 8 files changed, 17 insertions(+), 49 deletions(-)

diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index ed0e7f3b..a4f28481 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -38,7 +38,7 @@ RUN set -eu \
  && pip3 install -r requirements.txt \
  && apk del --no-cache build-dep
 
-COPY --from=assets static ./mailu/static_files/static
+COPY --from=assets static ./mailu/static
 COPY mailu ./mailu
 COPY migrations ./migrations
 COPY start.py /start.py
diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py
index 4413d68c..20acf360 100644
--- a/core/admin/mailu/__init__.py
+++ b/core/admin/mailu/__init__.py
@@ -11,7 +11,7 @@ import hmac
 def create_app_from_config(config):
     """ Create a new application based on the given configuration
     """
-    app = flask.Flask(__name__, static_folder='static_files', static_url_path='')
+    app = flask.Flask(__name__, static_folder='static', static_url_path='/static')
     app.cli.add_command(manage.mailu)
 
     # Bootstrap is used for error display and flash messages
@@ -25,7 +25,6 @@ def create_app_from_config(config):
     utils.babel.init_app(app)
     utils.login.init_app(app)
     utils.login.user_loader(models.User.get)
-    utils.proxy.init_app(app)
     utils.migrate.init_app(app, models.db)
 
     app.device_cookie_key = hmac.new(bytearray(app.secret_key, 'utf-8'), bytearray('DEVICE_COOKIE_KEY', 'utf-8'), 'sha256').digest()
@@ -58,8 +57,8 @@ def create_app_from_config(config):
         )
 
     # Import views
-    from mailu import ui, internal, sso, static_files
-    app.register_blueprint(ui.ui, url_prefix='/ui')
+    from mailu import ui, internal, sso
+    app.register_blueprint(ui.ui, url_prefix=app.config['WEB_ADMIN'])
     app.register_blueprint(internal.internal, url_prefix='/internal')
     app.register_blueprint(sso.sso, url_prefix='/sso')
     return app
diff --git a/core/admin/mailu/sso/__init__.py b/core/admin/mailu/sso/__init__.py
index 3f3cc39f..4b4c057b 100644
--- a/core/admin/mailu/sso/__init__.py
+++ b/core/admin/mailu/sso/__init__.py
@@ -1,5 +1,5 @@
 from flask import Blueprint
 
-sso = Blueprint('sso', __name__, template_folder='templates')
+sso = Blueprint('sso', __name__, static_folder='None' ,template_folder='templates')
 
 from mailu.sso.views import *
diff --git a/core/admin/mailu/sso/templates/base_sso.html b/core/admin/mailu/sso/templates/base_sso.html
index 2d6446b2..17aedff7 100644
--- a/core/admin/mailu/sso/templates/base_sso.html
+++ b/core/admin/mailu/sso/templates/base_sso.html
@@ -8,8 +8,8 @@
     <meta name="description" content="{% trans %}Admin page for{% endtrans %} {{ config["SITENAME"] }}">
     <meta http-equiv="x-ua-compatible" content="ie=edge">
     <title>Mailu-Admin | {{ config["SITENAME"] }}</title>
-    <link rel="stylesheet" href="/static/vendor.css">
-    <link rel="stylesheet" href="/static/app.css">
+    <link rel="stylesheet" href="{{ url_for('static', filename='vendor.css') }}">
+    <link rel="stylesheet" href="{{ url_for('static', filename='app.css') }}">
   </head>
   <body class="hold-transition sidebar-mini layout-fixed">
     <div class="wrapper">
@@ -80,7 +80,7 @@
         </span>
       </footer>
     </div>
-    <script src="/static/vendor.js"></script>
-    <script src="/static/app.js"></script>
+    <script src="{{ url_for('static', filename='vendor.js') }}"></script>
+    <script src="{{ url_for('static', filename='app.js') }}"></script>
   </body>
 </html>
diff --git a/core/admin/mailu/ui/__init__.py b/core/admin/mailu/ui/__init__.py
index ec3601a1..0780896e 100644
--- a/core/admin/mailu/ui/__init__.py
+++ b/core/admin/mailu/ui/__init__.py
@@ -1,6 +1,6 @@
 from flask import Blueprint
 
 
-ui = Blueprint('ui', __name__, static_folder='static', template_folder='templates')
+ui = Blueprint('ui', __name__, static_folder='None', template_folder='templates')
 
 from mailu.ui.views import *
diff --git a/core/admin/mailu/ui/templates/sidebar.html b/core/admin/mailu/ui/templates/sidebar.html
index 62168ff1..239eee7e 100644
--- a/core/admin/mailu/ui/templates/sidebar.html
+++ b/core/admin/mailu/ui/templates/sidebar.html
@@ -75,7 +75,7 @@
         </a>
       </li>
       <li class="nav-item" role="none">
-        <a href="{{ config["WEB_ADMIN"] }}/antispam/" data-clicked="{{ url_for('.antispam') }}" target="_blank" class="nav-link" role="menuitem">
+        <a href="{{ config["WEB_ADMIN"] }}/antispam" data-clicked="{{ url_for('.antispam') }}" target="_blank" class="nav-link" role="menuitem">
         <i class="nav-icon fas fa-trash-alt"></i>
         <p>{% trans %}Antispam{% endtrans %}</p>
         </a>
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index d7a57aaa..8d790d0c 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -95,26 +95,6 @@ def get_locale():
         flask.session['language'] = language
     return language
 
-
-# Proxy fixer
-class PrefixMiddleware(object):
-    """ fix proxy headers """
-    def __init__(self):
-        self.app = None
-
-    def __call__(self, environ, start_response):
-        prefix = environ.get('HTTP_X_FORWARDED_PREFIX', '')
-        if prefix:
-            environ['SCRIPT_NAME'] = prefix
-        return self.app(environ, start_response)
-
-    def init_app(self, app):
-        self.app = fixers.ProxyFix(app.wsgi_app, x_for=1, x_proto=1)
-        app.wsgi_app = self
-
-proxy = PrefixMiddleware()
-
-
 # Data migrate
 migrate = flask_migrate.Migrate()
 
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index fdd73e26..fd6cffd2 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -182,30 +182,19 @@ http {
       
       {% endif %}
       {% if ADMIN == 'true' %}
-      location {{ WEB_ADMIN }} {
-        return 301 {{ WEB_ADMIN }}/ui;
-      }
+       location {{ WEB_ADMIN }} {
+         include /etc/nginx/proxy.conf;         
+         proxy_pass http://$admin;
+         expires $expires;
+       }
 
-      location ~ {{ WEB_ADMIN }}/ui {
-        rewrite ^{{ WEB_ADMIN }}/(.*) /$1 break;
-        include /etc/nginx/proxy.conf;
-        proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }};
-        proxy_pass http://$admin;
-        expires $expires;
-      }
-
-      location {{ WEB_ADMIN }}/antispam {
+      location ~ {{ WEB_ADMIN }}/antispam/ {
         rewrite ^{{ WEB_ADMIN }}/antispam/(.*) /$1 break;
         auth_request /internal/auth/admin;
         proxy_set_header X-Real-IP "";
         proxy_set_header X-Forwarded-For "";
         proxy_pass http://$antispam;
       }
-
-      location ^~ {{ WEB_ADMIN }}/sso {
-        include /etc/nginx/proxy.conf;
-        rewrite ^{{ WEB_ADMIN }}/(.*) /$1 redirect;
-      }
       {% endif %}
 
       {% if WEBDAV != 'none' %}

From c42ad8e71e6f2c80f15d991cc19673576a86cb74 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Wed, 27 Oct 2021 18:49:36 +0000
Subject: [PATCH 145/222] Forgot to include changes for url_for of base.html

---
 core/admin/mailu/ui/templates/base.html | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/core/admin/mailu/ui/templates/base.html b/core/admin/mailu/ui/templates/base.html
index 3357d3e3..12f61149 100644
--- a/core/admin/mailu/ui/templates/base.html
+++ b/core/admin/mailu/ui/templates/base.html
@@ -8,8 +8,8 @@
     <meta name="description" content="{% trans %}Admin page for{% endtrans %} {{ config["SITENAME"] }}">
     <meta http-equiv="x-ua-compatible" content="ie=edge">
     <title>Mailu-Admin | {{ config["SITENAME"] }}</title>
-    <link rel="stylesheet" href="/static/vendor.css">
-    <link rel="stylesheet" href="/static/app.css">
+    <link rel="stylesheet" href="{{ url_for('static', filename='vendor.css') }}">
+    <link rel="stylesheet" href="{{ url_for('static', filename='app.css') }}">
   </head>
   <body class="hold-transition sidebar-mini layout-fixed">
     <div class="wrapper">
@@ -46,7 +46,7 @@
       </nav>
       <aside class="main-sidebar sidebar-dark-primary nav-compact elevation-4">
         <a href="{{ url_for('.domain_list' if current_user.manager_of or current_user.global_admin else '.user_settings') }}" class="brand-link bg-mailu-logo"{% if config["LOGO_BACKGROUND"] %} style="background-color:{{ config["LOGO_BACKGROUND"] }}!important;"{% endif %}>
-          <img src="{{ config["LOGO_URL"] if config["LOGO_URL"] else '/static/mailu.png' }}" width="33" height="33" alt="Mailu" class="brand-image mailu-logo img-circle elevation-3">
+          <img src="{{ config["LOGO_URL"] if config["LOGO_URL"] else url_for('static', filename='mailu.png') }}" width="33" height="33" alt="Mailu" class="brand-image mailu-logo img-circle elevation-3">
           <span class="brand-text font-weight-light">{{ config["SITENAME"] }}</span>
         </a>
         {%- include "sidebar.html" %}
@@ -80,7 +80,7 @@
         </span>
       </footer>
     </div>
-    <script src="/static/vendor.js"></script>
-    <script src="/static/app.js"></script>
+    <script src="{{ url_for('static', filename='vendor.js') }}"></script>
+    <script src="{{ url_for('static', filename='app.js') }}"></script>
   </body>
 </html>

From 503044ef6e3eb3905f8fe1bcb7fc4819db37802f Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Wed, 27 Oct 2021 21:51:49 +0000
Subject: [PATCH 146/222] Reintroduce ProxyFix. Use two buttons for logging in.

---
 core/admin/mailu/__init__.py                 |  1 +
 core/admin/mailu/sso/forms.py                |  7 ++++---
 core/admin/mailu/sso/templates/form_sso.html |  8 +++++--
 core/admin/mailu/sso/views/base.py           | 22 +++++++++-----------
 core/admin/mailu/ui/templates/macros.html    |  6 +++++-
 core/admin/mailu/utils.py                    | 19 ++++++++++++++++-
 core/nginx/conf/nginx.conf                   |  2 +-
 7 files changed, 45 insertions(+), 20 deletions(-)

diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py
index 20acf360..1c4ded4c 100644
--- a/core/admin/mailu/__init__.py
+++ b/core/admin/mailu/__init__.py
@@ -25,6 +25,7 @@ def create_app_from_config(config):
     utils.babel.init_app(app)
     utils.login.init_app(app)
     utils.login.user_loader(models.User.get)
+    utils.proxy.init_app(app)
     utils.migrate.init_app(app, models.db)
 
     app.device_cookie_key = hmac.new(bytearray(app.secret_key, 'utf-8'), bytearray('DEVICE_COOKIE_KEY', 'utf-8'), 'sha256').digest()
diff --git a/core/admin/mailu/sso/forms.py b/core/admin/mailu/sso/forms.py
index d5124804..fb48d9f9 100644
--- a/core/admin/mailu/sso/forms.py
+++ b/core/admin/mailu/sso/forms.py
@@ -11,8 +11,9 @@ LOCALPART_REGEX = "^[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-zA-Z0-9!#$%&'*+/=?^_`
 class LoginForm(flask_wtf.FlaskForm):
     class Meta:
         csrf = False
-    target = fields.SelectField( _('Go to') )
-    email = fields.StringField(_('E-mail'), [validators.Email()])
+    email = fields.StringField(_('E-mail'), [validators.Email(), validators.DataRequired()])
     pw = fields.PasswordField(_('Password'), [validators.DataRequired()])
-    submit = fields.SubmitField(_('Sign in'))
+    submitAdmin = fields.SubmitField(_('Sign in'))
+    submitWebmail = fields.SubmitField(_('Sign in'))
+
 
diff --git a/core/admin/mailu/sso/templates/form_sso.html b/core/admin/mailu/sso/templates/form_sso.html
index 7759ae3f..8ab3101f 100644
--- a/core/admin/mailu/sso/templates/form_sso.html
+++ b/core/admin/mailu/sso/templates/form_sso.html
@@ -2,6 +2,10 @@
 
 {%- block content %}
 {%- call macros.card() %}
-{{ macros.form(form) }}
+<form class="form" method="post" role="form">
+    {{ macros.form_field(form.email) }}
+    {{ macros.form_field(form.pw) }}
+    {{ macros.form_fields( fields, label=False, class="btn btn-default", spacing=False) }}
+</form>
 {%- endcall %}
-{%- endblock %}
+{%- endblock %}
\ No newline at end of file
diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index 301f67e7..e5d2cd45 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -10,22 +10,20 @@ import flask_login
 @sso.route('/login', methods=['GET', 'POST'])
 def login():
     form = forms.LoginForm()
-    endpoint = flask.request.args.get('next', 'ui.index')
-
-    form.target.choices = []
+    form.submitAdmin.label.text = form.submitAdmin.label.text + ' Admin'
+    form.submitWebmail.label.text = form.submitWebmail.label.text + ' Webmail'
+    
+    fields = []
     if str(app.config["ADMIN"]).upper() != "FALSE":
-        form.target.choices += [("Admin", "Admin")]
+        fields.append(form.submitAdmin)
     if str(app.config["WEBMAIL"]).upper() != "NONE":
-        form.target.choices += [("Webmail", "Webmail")]
-    if endpoint == "ui.webmail":
-        form.target.choices.reverse()
+        fields.append(form.submitWebmail)
+    fields = tuple(fields)
 
     if form.validate_on_submit():
-        if str(form.target.data) == 'Admin':
-            endpoint = 'ui.user_settings'
+        if form.submitAdmin.data:
             destination = app.config['WEB_ADMIN']
-        elif str(form.target.data) == 'Webmail':
-            endpoint = 'ui.webmail'
+        elif form.submitWebmail.data:
             destination = app.config['WEB_WEBMAIL']
 
         user = models.User.login(form.email.data, form.pw.data)
@@ -37,7 +35,7 @@ def login():
             flask.flash('Wrong e-mail or password', 'error')
             client_ip = flask.request.headers["X-Real-IP"] if 'X-Real-IP' in flask.request.headers else flask.request.remote_addr
             flask.current_app.logger.warn(f'Login failed for {str(form.email.data)} from {client_ip}.')
-    return flask.render_template('login.html', form=form, endpoint=endpoint)
+    return flask.render_template('login.html', form=form, fields=fields)
     
 @sso.route('/logout', methods=['GET'])
 @access.authenticated
diff --git a/core/admin/mailu/ui/templates/macros.html b/core/admin/mailu/ui/templates/macros.html
index 4080c1e4..d18e6584 100644
--- a/core/admin/mailu/ui/templates/macros.html
+++ b/core/admin/mailu/ui/templates/macros.html
@@ -18,8 +18,12 @@
   {%- endif %}
 {%- endmacro %}
 
-{%- macro form_fields(fields, prepend='', append='', label=True) %}
+{%- macro form_fields(fields, prepend='', append='', label=True, spacing=True) %}
+  {%- if spacing %}
   {%- set width = (12 / fields|length)|int %}
+  {%- else %}
+  {%- set width = 0 %}
+  {% endif %}
   <div class="form-group">
     <div class="row">
       {%- for field in fields %}
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 8d790d0c..56344b8b 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -38,7 +38,7 @@ login.login_view = "sso.login"
 def handle_needs_login():
     """ redirect unauthorized requests to login page """
     return flask.redirect(
-        flask.url_for('sso.login', next=flask.request.endpoint)
+        flask.url_for('sso.login')
     )
 
 # DNS stub configured to do DNSSEC enabled queries
@@ -95,6 +95,23 @@ def get_locale():
         flask.session['language'] = language
     return language
 
+
+# Proxy fixer
+class PrefixMiddleware(object):
+    """ fix proxy headers """
+    def __init__(self):
+        self.app = None
+
+    def __call__(self, environ, start_response):
+        return self.app(environ, start_response)       
+
+    def init_app(self, app):
+        self.app = fixers.ProxyFix(app.wsgi_app, x_for=1, x_proto=1)
+        app.wsgi_app = self
+
+proxy = PrefixMiddleware()
+
+
 # Data migrate
 migrate = flask_migrate.Migrate()
 
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index fd6cffd2..ec6ecac2 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -176,7 +176,7 @@ http {
       }
 
       location @webmail_login {       
-        return 302 /sso/login?next=ui.webmail;
+        return 302 /sso/login;
       }         
       {% else %}
       

From 8eabece225b2a424a59de412d714946edad561a3 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Thu, 28 Oct 2021 13:56:08 +0000
Subject: [PATCH 147/222] Update reverse proxy doc with new /sso endpoint.

---
 docs/reverse.rst | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/docs/reverse.rst b/docs/reverse.rst
index 14a9154e..2c83acec 100644
--- a/docs/reverse.rst
+++ b/docs/reverse.rst
@@ -47,7 +47,7 @@ Then on your own frontend, point to these local ports. In practice, you only nee
     }
   }
 
-Because the admin interface is served as ``/admin`` and the Webmail as ``/webmail`` you may also want to use a single virtual host and serve other applications (still Nginx):
+Because the admin interface is served as ``/admin``, the Webmail as ``/webmail``, the single sign on page as ``/sso`` and webdav as ``/webdav``, you may also want to use a single virtual host and serve other applications (still Nginx):
 
 .. code-block:: nginx
 
@@ -63,6 +63,16 @@ Because the admin interface is served as ``/admin`` and the Webmail as ``/webmai
       proxy_set_header Host $http_host;
     }
 
+    location /sso {
+      proxy_pass https://localhost:8443/sso;
+      proxy_set_header Host $http_host;
+    }
+
+    location /webdav {
+      proxy_pass https://localhost:8443/webdav;
+      proxy_set_header Host $http_host;
+    }    
+
     location /main_app {
       proxy_pass https://some-host;
     }

From edb76f25d8815faa79e796514f2255493e181799 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Thu, 28 Oct 2021 15:50:24 +0000
Subject: [PATCH 148/222] Update newsfragment

---
 towncrier/newsfragments/1929.enhancement | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/towncrier/newsfragments/1929.enhancement b/towncrier/newsfragments/1929.enhancement
index cd3712b6..fa02c60b 100644
--- a/towncrier/newsfragments/1929.enhancement
+++ b/towncrier/newsfragments/1929.enhancement
@@ -1,6 +1,9 @@
-Improved the SSO page.
- - Now shows the login target.
- - Added toggle to choose login target.
- - Made SSO page available separately. SSO page can now be used without Admin.
+Improved the SSO page. Warning! The new endpoint /sso is introduced.
+This endpoint is now used for handling sign on requests.
+You may want to update your reverse proxy to proxy /sso to Mailu (to the front service).
+ - New SSO page is used for logging in Admin or Webmail.
+ - Made SSO page available separately. SSO page can now be used without Admin accessible (ADMIN=false).
  - Introduced stub /static which is used by all sites for accessing static files.
+ - Removed the /admin/ prefix to reduce complexity of routing with Mailu. Admin is accessible directly via /admin instead of /admin/ui
+Note: Failed logon attempts are logged in the logs of admin. You can watch this
 

From a01df56a9b48576945bef685ffa81b295fab64ed Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Thu, 28 Oct 2021 16:38:26 +0000
Subject: [PATCH 149/222] Forgot to include the new endpoint /static

---
 docs/reverse.rst                         | 7 ++++++-
 towncrier/newsfragments/1929.enhancement | 9 +++++----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/docs/reverse.rst b/docs/reverse.rst
index 2c83acec..4841c2de 100644
--- a/docs/reverse.rst
+++ b/docs/reverse.rst
@@ -47,7 +47,7 @@ Then on your own frontend, point to these local ports. In practice, you only nee
     }
   }
 
-Because the admin interface is served as ``/admin``, the Webmail as ``/webmail``, the single sign on page as ``/sso`` and webdav as ``/webdav``, you may also want to use a single virtual host and serve other applications (still Nginx):
+Because the admin interface is served as ``/admin``, the Webmail as ``/webmail``, the single sign on page as ``/sso``, webdav as ``/webdav`` and the static files endpoint as ``/static``, you may also want to use a single virtual host and serve other applications (still Nginx):
 
 .. code-block:: nginx
 
@@ -71,6 +71,11 @@ Because the admin interface is served as ``/admin``, the Webmail as ``/webmail``
     location /webdav {
       proxy_pass https://localhost:8443/webdav;
       proxy_set_header Host $http_host;
+    }
+
+    location /static {
+      proxy_pass https://localhost:8443/static;
+      proxy_set_header Host $http_host;
     }    
 
     location /main_app {
diff --git a/towncrier/newsfragments/1929.enhancement b/towncrier/newsfragments/1929.enhancement
index fa02c60b..12c4f607 100644
--- a/towncrier/newsfragments/1929.enhancement
+++ b/towncrier/newsfragments/1929.enhancement
@@ -1,9 +1,10 @@
-Improved the SSO page. Warning! The new endpoint /sso is introduced.
-This endpoint is now used for handling sign on requests.
-You may want to update your reverse proxy to proxy /sso to Mailu (to the front service).
+Improved the SSO page. Warning! The new endpoints /sso and /static are introduced.
+These endpoints are now used for handling sign on requests and shared static files.
+You may want to update your reverse proxy to proxy /sso and /static to Mailu (to the front service).
+The example section of using a reverse proxy is updated with this information.
  - New SSO page is used for logging in Admin or Webmail.
  - Made SSO page available separately. SSO page can now be used without Admin accessible (ADMIN=false).
  - Introduced stub /static which is used by all sites for accessing static files.
  - Removed the /admin/ prefix to reduce complexity of routing with Mailu. Admin is accessible directly via /admin instead of /admin/ui
-Note: Failed logon attempts are logged in the logs of admin. You can watch this
+Note: Failed logon attempts are logged in the logs of admin. You can watch this with fail2ban.
 

From 8784971b7f995a95f3b2456a5f698f8ea19b12f4 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Thu, 28 Oct 2021 18:55:35 +0000
Subject: [PATCH 150/222] Merge rate limiting and failed login logging

---
 core/admin/mailu/sso/views/base.py | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index e5d2cd45..b9088c03 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -1,5 +1,5 @@
 from werkzeug.utils import redirect
-from mailu import models
+from mailu import models, utils
 from mailu.sso import sso, forms
 from mailu.ui import access
 
@@ -9,6 +9,7 @@ import flask_login
 
 @sso.route('/login', methods=['GET', 'POST'])
 def login():
+    client_ip = flask.request.headers.get('X-Real-IP', flask.request.remote_addr)
     form = forms.LoginForm()
     form.submitAdmin.label.text = form.submitAdmin.label.text + ' Admin'
     form.submitWebmail.label.text = form.submitWebmail.label.text + ' Webmail'
@@ -18,23 +19,32 @@ def login():
         fields.append(form.submitAdmin)
     if str(app.config["WEBMAIL"]).upper() != "NONE":
         fields.append(form.submitWebmail)
-    fields = tuple(fields)
 
     if form.validate_on_submit():
         if form.submitAdmin.data:
             destination = app.config['WEB_ADMIN']
         elif form.submitWebmail.data:
             destination = app.config['WEB_WEBMAIL']
-
-        user = models.User.login(form.email.data, form.pw.data)
+        device_cookie, device_cookie_username = utils.limiter.parse_device_cookie(flask.request.cookies.get('rate_limit'))
+        username = form.email.data
+        if username != device_cookie_username and utils.limiter.should_rate_limit_ip(client_ip):
+            flask.flash('Too many attempts from your IP (rate-limit)', 'error')
+            return flask.render_template('login.html', form=form)
+        if utils.limiter.should_rate_limit_user(username, client_ip, device_cookie, device_cookie_username):
+            flask.flash('Too many attempts for this user (rate-limit)', 'error')
+            return flask.render_template('login.html', form=form)
+        user = models.User.login(username, form.pw.data)
         if user:
             flask.session.regenerate()
-            flask_login.login_user(user)           
-            return flask.redirect(destination)
+            flask_login.login_user(user)            
+            response = flask.redirect(destination)
+            response.set_cookie('rate_limit', utils.limiter.device_cookie(username), max_age=31536000, path=flask.url_for('sso.login'))
+            flask.current_app.logger.info(f'Login succeeded for {username} from {client_ip}.')
+            return response
         else:
+            utils.limiter.rate_limit_user(username, client_ip, device_cookie, device_cookie_username) if models.User.get(username) else utils.limiter.rate_limit_ip(client_ip)
+            flask.current_app.logger.warn(f'Login failed for {username} from {client_ip}.')
             flask.flash('Wrong e-mail or password', 'error')
-            client_ip = flask.request.headers["X-Real-IP"] if 'X-Real-IP' in flask.request.headers else flask.request.remote_addr
-            flask.current_app.logger.warn(f'Login failed for {str(form.email.data)} from {client_ip}.')
     return flask.render_template('login.html', form=form, fields=fields)
     
 @sso.route('/logout', methods=['GET'])

From 3449b67c86ce0b966d9c48ff67fe3eea8548c35b Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Fri, 29 Oct 2021 08:18:50 +0000
Subject: [PATCH 151/222] Process code review remarks PR2023

---
 core/admin/mailu/sso/__init__.py              |  2 +-
 core/admin/mailu/sso/forms.py                 | 10 +-------
 .../mailu/sso/templates/sidebar_sso.html      | 20 +++++-----------
 core/admin/mailu/sso/views/languages.py       |  4 +---
 core/admin/mailu/ui/__init__.py               |  2 +-
 core/admin/mailu/ui/templates/sidebar.html    |  6 ++---
 core/nginx/conf/nginx.conf                    | 10 ++++----
 docs/reverse.rst                              | 23 ++-----------------
 8 files changed, 19 insertions(+), 58 deletions(-)

diff --git a/core/admin/mailu/sso/__init__.py b/core/admin/mailu/sso/__init__.py
index 4b4c057b..cc066234 100644
--- a/core/admin/mailu/sso/__init__.py
+++ b/core/admin/mailu/sso/__init__.py
@@ -1,5 +1,5 @@
 from flask import Blueprint
 
-sso = Blueprint('sso', __name__, static_folder='None' ,template_folder='templates')
+sso = Blueprint('sso', __name__, static_folder=None ,template_folder='templates')
 
 from mailu.sso.views import *
diff --git a/core/admin/mailu/sso/forms.py b/core/admin/mailu/sso/forms.py
index fb48d9f9..c190b8bc 100644
--- a/core/admin/mailu/sso/forms.py
+++ b/core/admin/mailu/sso/forms.py
@@ -1,12 +1,6 @@
-from wtforms import validators, fields, widgets
-from wtforms_components import fields as fields_
+from wtforms import validators, fields
 from flask_babel import lazy_gettext as _
-
-import flask_login
 import flask_wtf
-import re
-
-LOCALPART_REGEX = "^[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+)*$"
 
 class LoginForm(flask_wtf.FlaskForm):
     class Meta:
@@ -15,5 +9,3 @@ class LoginForm(flask_wtf.FlaskForm):
     pw = fields.PasswordField(_('Password'), [validators.DataRequired()])
     submitAdmin = fields.SubmitField(_('Sign in'))
     submitWebmail = fields.SubmitField(_('Sign in'))
-
-
diff --git a/core/admin/mailu/sso/templates/sidebar_sso.html b/core/admin/mailu/sso/templates/sidebar_sso.html
index 79e5832b..1c511aec 100644
--- a/core/admin/mailu/sso/templates/sidebar_sso.html
+++ b/core/admin/mailu/sso/templates/sidebar_sso.html
@@ -2,14 +2,6 @@
   <nav class="mt-2">    
     <ul class="nav nav-pills nav-sidebar flex-column" role="menu">
     <li class="nav-header text-uppercase text-primary" role="none">{% trans %}Go to{% endtrans %}</li>   
-      {%- if config["WEBMAIL"] != "none" %}
-      <li class="nav-item" role="none">
-        <a href="{{ config["WEB_WEBMAIL"] }}" target="_blank" class="nav-link" role="menuitem">
-        <i class="nav-icon far fa-envelope"></i>
-        <p>{% trans %}Webmail{% endtrans %} <i class="fas fa-external-link-alt text-xs"></i></p>
-        </a>
-      </li>
-      {% endif %}
       {% if config['ADMIN'] %} 
       <li class="nav-item">
         <a href="{{ url_for('ui.client') }}" class="nav-link">
@@ -24,8 +16,8 @@
         <p>{% trans %}Website{% endtrans %} <i class="fas fa-external-link-alt text-xs"></i></p>
         </a>
       </li>
-      <li class="nav-item">
-        <a href="https://mailu.io" target="_blank" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="https://mailu.io" target="_blank" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-life-ring"></i>
           <p class="text">{% trans %}Help{% endtrans %}</p>
         </a>
@@ -39,8 +31,8 @@
       {% if config['DOMAIN_REGISTRATION'] %}
       {% if not current_user.is_authenticated %}
       {% if config['ADMIN'] %} 
-      <li class="nav-item">
-        <a href="{{ url_for('ui.domain_signup') }}" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('ui.domain_signup') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-plus-square"></i>
           <p class="text">{% trans %}Register a domain{% endtrans %}</p>
         </a>
@@ -57,8 +49,8 @@
       {% if not current_user.is_authenticated %}
       {% if signup_domains %}
       {% if config['ADMIN'] %} 
-      <li class="nav-item">
-        <a href="{{ url_for('ui.user_signup') }}" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('ui.user_signup') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-user-plus"></i>
           <p class="text">{% trans %}Sign up{% endtrans %}</p>
         </a>
diff --git a/core/admin/mailu/sso/views/languages.py b/core/admin/mailu/sso/views/languages.py
index a723193a..66c09b1f 100644
--- a/core/admin/mailu/sso/views/languages.py
+++ b/core/admin/mailu/sso/views/languages.py
@@ -1,6 +1,4 @@
-from mailu.sso import sso, forms
-from mailu.ui import access
-
+from mailu.sso import sso
 import flask
 
 @sso.route('/language/<language>', methods=['POST'])
diff --git a/core/admin/mailu/ui/__init__.py b/core/admin/mailu/ui/__init__.py
index 0780896e..49338cd1 100644
--- a/core/admin/mailu/ui/__init__.py
+++ b/core/admin/mailu/ui/__init__.py
@@ -1,6 +1,6 @@
 from flask import Blueprint
 
 
-ui = Blueprint('ui', __name__, static_folder='None', template_folder='templates')
+ui = Blueprint('ui', __name__, static_folder=None, template_folder='templates')
 
 from mailu.ui.views import *
diff --git a/core/admin/mailu/ui/templates/sidebar.html b/core/admin/mailu/ui/templates/sidebar.html
index 239eee7e..818d6076 100644
--- a/core/admin/mailu/ui/templates/sidebar.html
+++ b/core/admin/mailu/ui/templates/sidebar.html
@@ -92,7 +92,7 @@
       {%- endif %}
 
       <li class="nav-header text-uppercase text-primary" role="none">{% trans %}Go to{% endtrans %}</li>
-      {%- if config["WEBMAIL"] != "none" %}
+      {%- if config["WEBMAIL"] != "none" and current_user.is_authenticated %}
       <li class="nav-item" role="none">
         <a href="{{ config["WEB_WEBMAIL"] }}" target="_blank" class="nav-link" role="menuitem">
         <i class="nav-icon far fa-envelope"></i>
@@ -136,8 +136,8 @@
         </a>
       </li>
       {% else %}
-      <li class="nav-item">
-        <a href="{{ url_for('sso.login') }}" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('sso.login') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fas fa-sign-in-alt"></i>
           <p>{% trans %}Sign in{% endtrans %}</p>
         </a>
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index ec6ecac2..fefa305e 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -113,7 +113,7 @@ http {
       add_header X-XSS-Protection '1; mode=block';
       add_header Referrer-Policy 'same-origin';
 
-      {% if TLS_FLAVOR == 'mail-letsencrypt' %}      
+      {% if TLS_FLAVOR == 'mail-letsencrypt' %}
       location ^~ /.well-known/acme-challenge/ {
           proxy_pass http://127.0.0.1:8008;
       }
@@ -175,15 +175,13 @@ http {
         proxy_pass http://$webmail;
       }
 
-      location @webmail_login {       
+      location @webmail_login {
         return 302 /sso/login;
-      }         
-      {% else %}
-      
+      }    
       {% endif %}
       {% if ADMIN == 'true' %}
        location {{ WEB_ADMIN }} {
-         include /etc/nginx/proxy.conf;         
+         include /etc/nginx/proxy.conf;
          proxy_pass http://$admin;
          expires $expires;
        }
diff --git a/docs/reverse.rst b/docs/reverse.rst
index 4841c2de..c6b98e4a 100644
--- a/docs/reverse.rst
+++ b/docs/reverse.rst
@@ -54,30 +54,11 @@ Because the admin interface is served as ``/admin``, the Webmail as ``/webmail``
   server {
     # [...] here goes your standard configuration
 
-    location /webmail {
-      proxy_pass https://localhost:8443/webmail;
-    }
-
-    location /admin {
-      proxy_pass https://localhost:8443/admin;
+    location ~ ^/(admin|sso|static|webdav|webmail)/ {
+      proxy_pass https://localhost:8443;
       proxy_set_header Host $http_host;
     }
 
-    location /sso {
-      proxy_pass https://localhost:8443/sso;
-      proxy_set_header Host $http_host;
-    }
-
-    location /webdav {
-      proxy_pass https://localhost:8443/webdav;
-      proxy_set_header Host $http_host;
-    }
-
-    location /static {
-      proxy_pass https://localhost:8443/static;
-      proxy_set_header Host $http_host;
-    }    
-
     location /main_app {
       proxy_pass https://some-host;
     }

From 6b16756d921d5037e05d0e7d48946ee93ee11846 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Fri, 29 Oct 2021 09:22:46 +0000
Subject: [PATCH 152/222] Fix acessing antispam via sidebar.

---
 core/admin/mailu/ui/templates/sidebar.html | 2 +-
 core/admin/mailu/ui/views/base.py          | 3 +--
 core/nginx/conf/nginx.conf                 | 2 +-
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/core/admin/mailu/ui/templates/sidebar.html b/core/admin/mailu/ui/templates/sidebar.html
index 818d6076..6145bef3 100644
--- a/core/admin/mailu/ui/templates/sidebar.html
+++ b/core/admin/mailu/ui/templates/sidebar.html
@@ -75,7 +75,7 @@
         </a>
       </li>
       <li class="nav-item" role="none">
-        <a href="{{ config["WEB_ADMIN"] }}/antispam" data-clicked="{{ url_for('.antispam') }}" target="_blank" class="nav-link" role="menuitem">
+        <a href="{{ config["WEB_ADMIN"] }}/antispam/" data-clicked="{{ url_for('.antispam') }}" target="_blank" class="nav-link" role="menuitem">
         <i class="nav-icon fas fa-trash-alt"></i>
         <p>{% trans %}Antispam{% endtrans %}</p>
         </a>
diff --git a/core/admin/mailu/ui/views/base.py b/core/admin/mailu/ui/views/base.py
index d05d1fb3..01e168a1 100644
--- a/core/admin/mailu/ui/views/base.py
+++ b/core/admin/mailu/ui/views/base.py
@@ -33,7 +33,6 @@ def webmail():
 def client():
     return flask.render_template('client.html')
 
-@ui.route('/antispam', methods=['GET'])
+@ui.route('/webui_antispam', methods=['GET'])
 def antispam():
     return flask.render_template('antispam.html')
-
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index fefa305e..3879798b 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -186,7 +186,7 @@ http {
          expires $expires;
        }
 
-      location ~ {{ WEB_ADMIN }}/antispam/ {
+      location   {{ WEB_ADMIN }}/antispam {
         rewrite ^{{ WEB_ADMIN }}/antispam/(.*) /$1 break;
         auth_request /internal/auth/admin;
         proxy_set_header X-Real-IP "";

From 3141ffe79190c6bd3f7ca85228a7068b7b2cddbc Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Fri, 29 Oct 2021 14:26:23 +0200
Subject: [PATCH 153/222] removed some whitespace

---
 core/admin/mailu/__init__.py                  |  1 +
 core/admin/mailu/sso/templates/form_sso.html  |  2 +-
 .../mailu/sso/templates/sidebar_sso.html      | 12 +++++------
 core/admin/mailu/sso/views/base.py            |  7 ++++---
 core/admin/mailu/utils.py                     |  2 +-
 core/nginx/conf/nginx.conf                    | 20 +++++++++----------
 6 files changed, 23 insertions(+), 21 deletions(-)

diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py
index 1c4ded4c..e4024e47 100644
--- a/core/admin/mailu/__init__.py
+++ b/core/admin/mailu/__init__.py
@@ -70,3 +70,4 @@ def create_app():
     """
     config = configuration.ConfigManager()
     return create_app_from_config(config)
+
diff --git a/core/admin/mailu/sso/templates/form_sso.html b/core/admin/mailu/sso/templates/form_sso.html
index 8ab3101f..efcc95a9 100644
--- a/core/admin/mailu/sso/templates/form_sso.html
+++ b/core/admin/mailu/sso/templates/form_sso.html
@@ -8,4 +8,4 @@
     {{ macros.form_fields( fields, label=False, class="btn btn-default", spacing=False) }}
 </form>
 {%- endcall %}
-{%- endblock %}
\ No newline at end of file
+{%- endblock %}
diff --git a/core/admin/mailu/sso/templates/sidebar_sso.html b/core/admin/mailu/sso/templates/sidebar_sso.html
index 1c511aec..b028faa9 100644
--- a/core/admin/mailu/sso/templates/sidebar_sso.html
+++ b/core/admin/mailu/sso/templates/sidebar_sso.html
@@ -1,7 +1,7 @@
 <div class="sidebar text-sm">
-  <nav class="mt-2">    
+  <nav class="mt-2">
     <ul class="nav nav-pills nav-sidebar flex-column" role="menu">
-    <li class="nav-header text-uppercase text-primary" role="none">{% trans %}Go to{% endtrans %}</li>   
+    <li class="nav-header text-uppercase text-primary" role="none">{% trans %}Go to{% endtrans %}</li>
       {% if config['ADMIN'] %} 
       <li class="nav-item">
         <a href="{{ url_for('ui.client') }}" class="nav-link">
@@ -21,12 +21,12 @@
           <i class="nav-icon fa fa-life-ring"></i>
           <p class="text">{% trans %}Help{% endtrans %}</p>
         </a>
-      </li>      
+      </li>
       {#
           Domain self-registration is only available when
            - Admin is available
            - Domain Self-registration is enabled 
-           - The current user is not logged on      
+           - The current user is not logged on
       #}
       {% if config['DOMAIN_REGISTRATION'] %}
       {% if not current_user.is_authenticated %}
@@ -44,7 +44,7 @@
           User self-registration is only available when
            - Admin is available
            - Self-registration is enabled 
-           - The current user is not logged on      
+           - The current user is not logged on
       #}
       {% if not current_user.is_authenticated %}
       {% if signup_domains %}
@@ -57,7 +57,7 @@
       </li>
       {% endif %}
       {% endif %}
-      {% endif %}  
+      {% endif %}
     </ul>
   </nav>
 </div>
diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index b9088c03..fbee52a7 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -13,7 +13,7 @@ def login():
     form = forms.LoginForm()
     form.submitAdmin.label.text = form.submitAdmin.label.text + ' Admin'
     form.submitWebmail.label.text = form.submitWebmail.label.text + ' Webmail'
-    
+
     fields = []
     if str(app.config["ADMIN"]).upper() != "FALSE":
         fields.append(form.submitAdmin)
@@ -36,7 +36,7 @@ def login():
         user = models.User.login(username, form.pw.data)
         if user:
             flask.session.regenerate()
-            flask_login.login_user(user)            
+            flask_login.login_user(user)
             response = flask.redirect(destination)
             response.set_cookie('rate_limit', utils.limiter.device_cookie(username), max_age=31536000, path=flask.url_for('sso.login'))
             flask.current_app.logger.info(f'Login succeeded for {username} from {client_ip}.')
@@ -46,10 +46,11 @@ def login():
             flask.current_app.logger.warn(f'Login failed for {username} from {client_ip}.')
             flask.flash('Wrong e-mail or password', 'error')
     return flask.render_template('login.html', form=form, fields=fields)
-    
+
 @sso.route('/logout', methods=['GET'])
 @access.authenticated
 def logout():
     flask_login.logout_user()
     flask.session.destroy()
     return flask.redirect(flask.url_for('.login'))
+
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 56344b8b..e46ad7d9 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -103,7 +103,7 @@ class PrefixMiddleware(object):
         self.app = None
 
     def __call__(self, environ, start_response):
-        return self.app(environ, start_response)       
+        return self.app(environ, start_response)
 
     def init_app(self, app):
         self.app = fixers.ProxyFix(app.wsgi_app, x_for=1, x_proto=1)
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 3879798b..4db963d3 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -1,4 +1,4 @@
-#  Basic configuration
+# Basic configuration
 user nginx;
 worker_processes auto;
 error_log /dev/stderr info;
@@ -6,7 +6,7 @@ pid /var/run/nginx.pid;
 load_module "modules/ngx_mail_module.so";
 
 events {
-    worker_connections  1024;
+    worker_connections 1024;
 }
 
 http {
@@ -15,7 +15,7 @@ http {
     default_type application/octet-stream;
     access_log /dev/stdout;
     sendfile on;
-    keepalive_timeout  65;
+    keepalive_timeout 65;
     server_tokens off;
     absolute_redirect off;
     resolver {{ RESOLVER }} ipv6=off valid=30s;
@@ -47,12 +47,12 @@ http {
 
     {% if KUBERNETES_INGRESS != 'true' and TLS_FLAVOR in [ 'letsencrypt', 'cert' ] %}
     # Enable the proxy for certbot if the flavor is letsencrypt and not on kubernetes
-    # 
+    #
     server {
       # Listen over HTTP
       listen 80;
       listen [::]:80;
-      {% if TLS_FLAVOR == 'letsencrypt' %}      
+      {% if TLS_FLAVOR == 'letsencrypt' %}
       location ^~ /.well-known/acme-challenge/ {
           proxy_pass http://127.0.0.1:8008;
       }
@@ -80,7 +80,7 @@ http {
       {% endif %}
 
       # Listen on HTTP only in kubernetes or behind reverse proxy
-      {% if KUBERNETES_INGRESS == 'true' or TLS_FLAVOR in [ 'mail-letsencrypt', 'notls',  'mail' ] %}
+      {% if KUBERNETES_INGRESS == 'true' or TLS_FLAVOR in [ 'mail-letsencrypt', 'notls', 'mail' ] %}
       listen 80;
       listen [::]:80;
       {% endif %}
@@ -153,8 +153,8 @@ http {
         rewrite ^{{ WEB_WEBMAIL }}/(.*) /$1 break;
         {% endif %}
         include /etc/nginx/proxy.conf;
-        client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};       
-        auth_request /internal/auth/user;    
+        client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};
+        auth_request /internal/auth/user;
         error_page 403 @webmail_login;
         proxy_pass http://$webmail;
       }
@@ -177,7 +177,7 @@ http {
 
       location @webmail_login {
         return 302 /sso/login;
-      }    
+      }
       {% endif %}
       {% if ADMIN == 'true' %}
        location {{ WEB_ADMIN }} {
@@ -186,7 +186,7 @@ http {
          expires $expires;
        }
 
-      location   {{ WEB_ADMIN }}/antispam {
+      location {{ WEB_ADMIN }}/antispam {
         rewrite ^{{ WEB_ADMIN }}/antispam/(.*) /$1 break;
         auth_request /internal/auth/admin;
         proxy_set_header X-Real-IP "";

From 882a27f87c100279ded636e993de3349a0f5fb73 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Fri, 29 Oct 2021 15:07:25 +0200
Subject: [PATCH 154/222] simplified if's and added external link icon

---
 .../mailu/sso/templates/sidebar_sso.html      | 50 ++++++++-----------
 core/dovecot/README.md                        |  2 +-
 2 files changed, 22 insertions(+), 30 deletions(-)

diff --git a/core/admin/mailu/sso/templates/sidebar_sso.html b/core/admin/mailu/sso/templates/sidebar_sso.html
index b028faa9..86db3333 100644
--- a/core/admin/mailu/sso/templates/sidebar_sso.html
+++ b/core/admin/mailu/sso/templates/sidebar_sso.html
@@ -2,62 +2,54 @@
   <nav class="mt-2">
     <ul class="nav nav-pills nav-sidebar flex-column" role="menu">
     <li class="nav-header text-uppercase text-primary" role="none">{% trans %}Go to{% endtrans %}</li>
-      {% if config['ADMIN'] %} 
+    {%- if config['ADMIN'] %}
       <li class="nav-item">
         <a href="{{ url_for('ui.client') }}" class="nav-link">
           <i class="nav-icon fa fa-laptop"></i>
           <p class="text">{% trans %}Client setup{% endtrans %}</p>
         </a>
       </li>
-      {% endif %}
+    {%- endif %}
       <li class="nav-item" role="none">
         <a href="{{ config["WEBSITE"] }}" target="_blank" class="nav-link" role="menuitem" rel="noreferrer">
-        <i class="nav-icon fa fa-globe"></i>
-        <p>{% trans %}Website{% endtrans %} <i class="fas fa-external-link-alt text-xs"></i></p>
+          <i class="nav-icon fa fa-globe"></i>
+          <p>{% trans %}Website{% endtrans %} <i class="fas fa-external-link-alt text-xs"></i></p>
         </a>
       </li>
       <li class="nav-item" role="none">
         <a href="https://mailu.io" target="_blank" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-life-ring"></i>
-          <p class="text">{% trans %}Help{% endtrans %}</p>
+          <p class="text">{% trans %}Help{% endtrans %} <i class="fas fa-external-link-alt text-xs"></i></p>
         </a>
       </li>
-      {#
-          Domain self-registration is only available when
-           - Admin is available
-           - Domain Self-registration is enabled 
-           - The current user is not logged on
-      #}
-      {% if config['DOMAIN_REGISTRATION'] %}
-      {% if not current_user.is_authenticated %}
-      {% if config['ADMIN'] %} 
+    {#-
+      Domain self-registration is only available when
+       - Admin is available
+       - Domain Self-registration is enabled
+       - The current user is not logged on
+    #}
+    {%- if config['DOMAIN_REGISTRATION'] and not current_user.is_authenticated and config['ADMIN'] %}
       <li class="nav-item" role="none">
         <a href="{{ url_for('ui.domain_signup') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-plus-square"></i>
           <p class="text">{% trans %}Register a domain{% endtrans %}</p>
         </a>
       </li>
-      {% endif %}
-      {% endif %}
-      {% endif %}
-      {#
-          User self-registration is only available when
-           - Admin is available
-           - Self-registration is enabled 
-           - The current user is not logged on
-      #}
-      {% if not current_user.is_authenticated %}
-      {% if signup_domains %}
-      {% if config['ADMIN'] %} 
+    {%- endif %}
+    {#-
+      User self-registration is only available when
+       - Admin is available
+       - Self-registration is enabled
+       - The current user is not logged on
+    #}
+    {%- if not current_user.is_authenticated and signup_domains and config['ADMIN'] %}
       <li class="nav-item" role="none">
         <a href="{{ url_for('ui.user_signup') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-user-plus"></i>
           <p class="text">{% trans %}Sign up{% endtrans %}</p>
         </a>
       </li>
-      {% endif %}
-      {% endif %}
-      {% endif %}
+    {%- endif %}
     </ul>
   </nav>
 </div>
diff --git a/core/dovecot/README.md b/core/dovecot/README.md
index c8ae5982..e54b257e 100644
--- a/core/dovecot/README.md
+++ b/core/dovecot/README.md
@@ -4,7 +4,7 @@ Mailu Dovecot container
 Dovecot is an open source IMAP and POP3 email server for Linux/UNIX-like
 systems, written with security primarily in mind. It's fast, simple to set
 up, requires no special administration and it uses very little memory.
- 
+
 In the Mailu stack it is used as the IMAP/POP frontend service.
 
 Resources

From 8c31699baf73fbe08923434591a38a9ccce5728e Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Fri, 29 Oct 2021 15:29:20 +0200
Subject: [PATCH 155/222] fixed locale selector for no_NB

---
 core/admin/mailu/sso/templates/base_sso.html | 2 +-
 core/admin/mailu/ui/templates/base.html      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/sso/templates/base_sso.html b/core/admin/mailu/sso/templates/base_sso.html
index 17aedff7..9dfb25a5 100644
--- a/core/admin/mailu/sso/templates/base_sso.html
+++ b/core/admin/mailu/sso/templates/base_sso.html
@@ -38,7 +38,7 @@
               <span class="badge badge-primary navbar-badge">{{ session['language'] }}</span></a>
             <div class="dropdown-menu dropdown-menu-right p-0" id="mailu-languages">
             {%- for locale in config.translations.values() %}
-              <a class="dropdown-item{% if locale.language == session['language'] %} active{% endif %}" href="{{ url_for('sso.set_language', language=locale.language) }}">{{ locale.get_language_name().title() }}</a>
+              <a class="dropdown-item{% if locale|string() == session['language'] %} active{% endif %}" href="{{ url_for('sso.set_language', language=locale) }}">{{ locale.get_language_name().title() }}</a>
             {%- endfor %}
             </div>
           </li>
diff --git a/core/admin/mailu/ui/templates/base.html b/core/admin/mailu/ui/templates/base.html
index 12f61149..e646e579 100644
--- a/core/admin/mailu/ui/templates/base.html
+++ b/core/admin/mailu/ui/templates/base.html
@@ -38,7 +38,7 @@
               <span class="badge badge-primary navbar-badge">{{ session['language'] }}</span></a>
             <div class="dropdown-menu dropdown-menu-right p-0" id="mailu-languages">
             {%- for locale in config.translations.values() %}
-              <a class="dropdown-item{% if locale.language == session['language'] %} active{% endif %}" href="{{ url_for('.set_language', language=locale.language) }}">{{ locale.get_language_name().title() }}</a>
+              <a class="dropdown-item{% if locale|string() == session['language'] %} active{% endif %}" href="{{ url_for('.set_language', language=locale) }}">{{ locale.get_language_name().title() }}</a>
             {%- endfor %}
             </div>
           </li>

From 9bc685c30b339b70b106f8c5a1f74d20449d70c9 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Fri, 29 Oct 2021 15:34:00 +0200
Subject: [PATCH 156/222] removed some more whitespace

---
 core/admin/mailu/internal/templates/default.sieve        | 4 ++--
 core/admin/mailu/manage.py                               | 2 +-
 core/admin/mailu/sso/__init__.py                         | 2 +-
 core/admin/mailu/sso/templates/form_sso.html             | 6 +++---
 core/admin/mailu/translations/pl/LC_MESSAGES/messages.po | 4 ++--
 core/admin/mailu/ui/templates/macros.html                | 2 +-
 core/admin/migrations/env.py                             | 2 +-
 core/dovecot/start.py                                    | 2 +-
 core/postfix/start.py                                    | 2 +-
 9 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/core/admin/mailu/internal/templates/default.sieve b/core/admin/mailu/internal/templates/default.sieve
index 5e995611..a29e7aba 100644
--- a/core/admin/mailu/internal/templates/default.sieve
+++ b/core/admin/mailu/internal/templates/default.sieve
@@ -19,7 +19,7 @@ if header :index 2 :matches "Received" "from * by * for <*>; *"
 }
 
 {% if user.spam_enabled %}
-if spamtest :percent :value "gt" :comparator "i;ascii-numeric"  "{{ user.spam_threshold }}"
+if spamtest :percent :value "gt" :comparator "i;ascii-numeric" "{{ user.spam_threshold }}"
 {
   setflag "\\seen";
   fileinto :create "Junk";
@@ -32,6 +32,6 @@ if exists "X-Virus" {
   stop;
 }
 
-{% if user.reply_active  %}
+{% if user.reply_active %}
 vacation :days 1 {% if user.displayed_name != "" %}:from "{{ user.displayed_name }} <{{ user.email }}>"{% endif %} :subject "{{ user.reply_subject }}" "{{ user.reply_body }}";
 {% endif %}
diff --git a/core/admin/mailu/manage.py b/core/admin/mailu/manage.py
index 54f4b826..937c9f49 100644
--- a/core/admin/mailu/manage.py
+++ b/core/admin/mailu/manage.py
@@ -119,7 +119,7 @@ def password(localpart, domain_name, password):
     """ Change the password of an user
     """
     email = f'{localpart}@{domain_name}'
-    user   = models.User.query.get(email)
+    user  = models.User.query.get(email)
     if user:
         user.set_password(password)
     else:
diff --git a/core/admin/mailu/sso/__init__.py b/core/admin/mailu/sso/__init__.py
index cc066234..98b5abd0 100644
--- a/core/admin/mailu/sso/__init__.py
+++ b/core/admin/mailu/sso/__init__.py
@@ -1,5 +1,5 @@
 from flask import Blueprint
 
-sso = Blueprint('sso', __name__, static_folder=None ,template_folder='templates')
+sso = Blueprint('sso', __name__, static_folder=None, template_folder='templates')
 
 from mailu.sso.views import *
diff --git a/core/admin/mailu/sso/templates/form_sso.html b/core/admin/mailu/sso/templates/form_sso.html
index efcc95a9..b14e7600 100644
--- a/core/admin/mailu/sso/templates/form_sso.html
+++ b/core/admin/mailu/sso/templates/form_sso.html
@@ -3,9 +3,9 @@
 {%- block content %}
 {%- call macros.card() %}
 <form class="form" method="post" role="form">
-    {{ macros.form_field(form.email) }}
-    {{ macros.form_field(form.pw) }}
-    {{ macros.form_fields( fields, label=False, class="btn btn-default", spacing=False) }}
+  {{ macros.form_field(form.email) }}
+  {{ macros.form_field(form.pw) }}
+  {{ macros.form_fields(fields, label=False, class="btn btn-default", spacing=False) }}
 </form>
 {%- endcall %}
 {%- endblock %}
diff --git a/core/admin/mailu/translations/pl/LC_MESSAGES/messages.po b/core/admin/mailu/translations/pl/LC_MESSAGES/messages.po
index 664ff571..09130a7b 100644
--- a/core/admin/mailu/translations/pl/LC_MESSAGES/messages.po
+++ b/core/admin/mailu/translations/pl/LC_MESSAGES/messages.po
@@ -551,11 +551,11 @@ msgid ""
 "cache\n"
 "    expires."
 msgstr ""
-"Jeśli nie wiesz, jak skonfigurować rekord <code> MX </code>  dla swojej "
+"Jeśli nie wiesz, jak skonfigurować rekord <code> MX </code> dla swojej "
 "strefy DNS,\n"
 "skontaktuj się z dostawcą DNS lub administratorem. Proszę również "
 "poczekać\n"
-"kilka minut po ustawieniu <code> MX </code> , żeby pamięć podręczna "
+"kilka minut po ustawieniu <code> MX </code>, żeby pamięć podręczna "
 "serwera lokalnego wygasła."
 
 #: mailu/ui/templates/fetch/create.html:4
diff --git a/core/admin/mailu/ui/templates/macros.html b/core/admin/mailu/ui/templates/macros.html
index d18e6584..5143b697 100644
--- a/core/admin/mailu/ui/templates/macros.html
+++ b/core/admin/mailu/ui/templates/macros.html
@@ -58,7 +58,7 @@
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
   {%- for field in form %}
-    {%- if  bootstrap_is_hidden_field(field) %}
+    {%- if bootstrap_is_hidden_field(field) %}
       {{ field() }}
     {%- else %}
       {{ form_field(field) }}
diff --git a/core/admin/migrations/env.py b/core/admin/migrations/env.py
index cdfd2248..3e45bb18 100755
--- a/core/admin/migrations/env.py
+++ b/core/admin/migrations/env.py
@@ -37,7 +37,7 @@ def run_migrations_offline():
 
     This configures the context with just a URL
     and not an Engine, though an Engine is acceptable
-    here as well.  By skipping the Engine creation
+    here as well. By skipping the Engine creation
     we don't even need a DBAPI to be available.
 
     Calls to context.execute() here emit the given string to the
diff --git a/core/dovecot/start.py b/core/dovecot/start.py
index 1845eb93..03bdfa80 100755
--- a/core/dovecot/start.py
+++ b/core/dovecot/start.py
@@ -6,7 +6,7 @@ import multiprocessing
 import logging as log
 import sys
 
-from podop   import run_server
+from podop import run_server
 from socrate import system, conf
 
 log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING"))
diff --git a/core/postfix/start.py b/core/postfix/start.py
index c889dce1..06a097b8 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -7,7 +7,7 @@ import multiprocessing
 import logging as log
 import sys
 
-from podop   import run_server
+from podop import run_server
 from pwd import getpwnam
 from socrate import system, conf
 

From 80a85c27a98a3a2a7ea62cacaa2ad4f2f71f2c32 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 30 Oct 2021 15:30:59 +0200
Subject: [PATCH 157/222] Silent healthchecks in logs

---
 core/nginx/conf/nginx.conf | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 4db963d3..bc0a51ec 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -13,7 +13,6 @@ http {
     # Standard HTTP configuration with slight hardening
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
-    access_log /dev/stdout;
     sendfile on;
     keepalive_timeout 65;
     server_tokens off;
@@ -38,6 +37,13 @@ http {
       ~*\.(ico|css|js|gif|jpeg|jpg|png|woff2?|ttf|otf|svg|tiff|eot|webp)$ 97d;
     }
 
+    map $request_uri $loggable {
+      /health 0;
+      /auth/email 0;
+      default 1;
+    }
+    access_log /dev/stdout combined if=$loggable;
+
     # compression
     gzip on;
     gzip_static on;

From 53a0363b9e86a6a0219e712ace280004bcfee6c0 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 30 Oct 2021 15:39:13 +0200
Subject: [PATCH 158/222] Deal with the noisy keepalive messages

We don't particularly care about HTTP... and that's what's noisy.
---
 core/nginx/conf/nginx.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index bc0a51ec..71cbf9ee 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -1,7 +1,7 @@
 # Basic configuration
 user nginx;
 worker_processes auto;
-error_log /dev/stderr info;
+error_log /dev/stderr notice;
 pid /var/run/nginx.pid;
 load_module "modules/ngx_mail_module.so";
 
@@ -252,6 +252,7 @@ mail {
     auth_http http://127.0.0.1:8000/auth/email;
     proxy_pass_error_message on;
     resolver {{ RESOLVER }} ipv6=off valid=30s;
+    error_log /dev/stderr info;
 
     {% if TLS and not TLS_ERROR %}
     include /etc/nginx/tls.conf;

From f3c93212c6555432f4ae8e1f33489a41bb9f6e20 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 31 Oct 2021 19:41:12 +0100
Subject: [PATCH 159/222] The Rate-limiter should run after the deny

---
 core/admin/mailu/internal/nginx.py      | 6 ------
 core/admin/mailu/internal/views/auth.py | 7 +++++++
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index 04d6d94e..027db935 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -78,12 +78,6 @@ def handle_authentication(headers):
     # Authenticated user
     elif method == "plain":
         is_valid_user = False
-        if headers["Auth-Port"] == '25':
-            return {
-                "Auth-Status": "AUTH not supported",
-                "Auth-Error-Code": "502 5.5.1",
-                "Auth-Wait": 0
-            }
         # According to RFC2616 section 3.7.1 and PEP 3333, HTTP headers should
         # be ASCII and are generally considered ISO8859-1. However when passing
         # the password, nginx does not transcode the input UTF string, thus
diff --git a/core/admin/mailu/internal/views/auth.py b/core/admin/mailu/internal/views/auth.py
index 1afb53b5..344be78b 100644
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@@ -11,6 +11,13 @@ def nginx_authentication():
     """ Main authentication endpoint for Nginx email server
     """
     client_ip = flask.request.headers["Client-Ip"]
+    headers = flask.request.headers
+    if headers["Auth-Port"] == '25' and headers['Auth-Method'] == 'plain':
+        response = flask.Response()
+        response.headers['Auth-Status'] = 'AUTH not supported'
+        response.headers['Auth-Error-Code'] = '502 5.5.1'
+        utils.limiter.rate_limit_ip(client_ip)
+        return response
     if utils.limiter.should_rate_limit_ip(client_ip):
         status, code = nginx.get_status(flask.request.headers['Auth-Protocol'], 'ratelimit')
         response = flask.Response()

From 9d474f32a6f9eade5a312dea7e509e86ac0653d4 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 31 Oct 2021 19:47:16 +0100
Subject: [PATCH 160/222] RELAYNETS is comma separated!

---
 core/postfix/conf/main.cf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 3f478ed5..9a609ee3 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -17,7 +17,7 @@ queue_directory = /queue
 message_size_limit = {{ MESSAGE_SIZE_LIMIT }}
 
 # Relayed networks
-mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {{ RELAYNETS }}
+mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {{ RELAYNETS.split(",") }}
 
 # Empty alias list to override the configuration variable and disable NIS
 alias_maps =

From 2170e07731a423cf30cb8f70b0a171c7bfcfa606 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 31 Oct 2021 19:57:51 +0100
Subject: [PATCH 161/222] Tell rspamd about RELAYNETS

---
 core/rspamd/conf/options.inc | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 core/rspamd/conf/options.inc

diff --git a/core/rspamd/conf/options.inc b/core/rspamd/conf/options.inc
new file mode 100644
index 00000000..22bae565
--- /dev/null
+++ b/core/rspamd/conf/options.inc
@@ -0,0 +1,3 @@
+{% if RELAYNETS %}
+local_networks = [{{ RELAYNETS }}];
+{% endif %}

From 70b374c46f1a1c2ae673d26a13c9cf894cc8e0c0 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 1 Nov 2021 09:24:26 +0100
Subject: [PATCH 162/222] Document that RELAYNETS is comma separated

---
 docs/configuration.rst             | 13 ++++++-------
 towncrier/newsfragments/360.bugfix |  1 +
 2 files changed, 7 insertions(+), 7 deletions(-)
 create mode 100644 towncrier/newsfragments/360.bugfix

diff --git a/docs/configuration.rst b/docs/configuration.rst
index f5bd9582..0e2a275a 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -73,14 +73,13 @@ The ``MESSAGE_RATELIMIT`` is the limit of messages a single user can send. This
 meant to fight outbound spam in case of compromised or malicious account on the
 server.
 
-The ``RELAYNETS`` are network addresses for which mail is relayed for free with
-no authentication required. This should be used with great care. If you want other
-Docker services' outbound mail to be relayed, you can set this to ``172.16.0.0/12``
-to include **all** Docker networks. The default is to leave this empty.
+The ``RELAYNETS`` (default: unset) is a comma delimited list of network addresses
+for which mail is relayed for, with no authentication required. This should be
+used with great care.
 
-The ``RELAYHOST`` is an optional address of a mail server relaying all outgoing
-mail in following format: ``[HOST]:PORT``.
-``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed.
+The ``RELAYHOST`` is an optional address of a mail server to use as a smarthost for
+all outgoing mail in following format: ``[HOST]:PORT``.
+``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is required.
 
 By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
 by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is
diff --git a/towncrier/newsfragments/360.bugfix b/towncrier/newsfragments/360.bugfix
new file mode 100644
index 00000000..d433e0e3
--- /dev/null
+++ b/towncrier/newsfragments/360.bugfix
@@ -0,0 +1 @@
+RELAYNETS should be a comma separated list of networks

From c8316cead101c6fd53bbf8ea770879d775068500 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 1 Nov 2021 09:26:54 +0100
Subject: [PATCH 163/222] Improve wording

---
 docs/configuration.rst | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/docs/configuration.rst b/docs/configuration.rst
index 0e2a275a..fa574415 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -74,12 +74,13 @@ meant to fight outbound spam in case of compromised or malicious account on the
 server.
 
 The ``RELAYNETS`` (default: unset) is a comma delimited list of network addresses
-for which mail is relayed for, with no authentication required. This should be
-used with great care.
+for which mail is relayed for with no authentication required. This should be
+used with great care as misconfigurations may turn your Mailu instance into an
+open-relay!
 
-The ``RELAYHOST`` is an optional address of a mail server to use as a smarthost for
-all outgoing mail in following format: ``[HOST]:PORT``.
-``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is required.
+The ``RELAYHOST`` is an optional address to use as a smarthost for all outgoing
+mail in following format: ``[HOST]:PORT``. ``RELAYUSER`` and ``RELAYPASSWORD``
+can be used when authentication is required.
 
 By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
 by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is

From 8dad40f67c8f98a643c867e2580c55d8730271ab Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 1 Nov 2021 12:48:48 +0100
Subject: [PATCH 164/222] doh

---
 core/postfix/conf/main.cf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 9a609ee3..5fffc330 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -17,7 +17,7 @@ queue_directory = /queue
 message_size_limit = {{ MESSAGE_SIZE_LIMIT }}
 
 # Relayed networks
-mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {{ RELAYNETS.split(",") }}
+mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {{ RELAYNETS.split(",") | join(' ') }}
 
 # Empty alias list to override the configuration variable and disable NIS
 alias_maps =

From fe58316776138cb5dee9c351c8dfe3f1d7639ad5 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 1 Nov 2021 14:13:58 +0100
Subject: [PATCH 165/222] The DKIM folder isn't required for rspamd

---
 setup/flavors/compose/docker-compose.yml | 1 -
 setup/flavors/stack/docker-compose.yml   | 1 -
 2 files changed, 2 deletions(-)

diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml
index 08bba13b..2675a2ab 100644
--- a/setup/flavors/compose/docker-compose.yml
+++ b/setup/flavors/compose/docker-compose.yml
@@ -90,7 +90,6 @@ services:
     env_file: {{ env }}
     volumes:
       - "{{ root }}/filter:/var/lib/rspamd"
-      - "{{ root }}/dkim:/dkim:ro"
       - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d:ro"
     depends_on:
       - front
diff --git a/setup/flavors/stack/docker-compose.yml b/setup/flavors/stack/docker-compose.yml
index df1fe7b4..24afa9f3 100644
--- a/setup/flavors/stack/docker-compose.yml
+++ b/setup/flavors/stack/docker-compose.yml
@@ -74,7 +74,6 @@ services:
     env_file: {{ env }}
     volumes:
       - "{{ root }}/filter:/var/lib/rspamd"
-      - "{{ root }}/dkim:/dkim:ro"
       - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d:ro"
     deploy:
       replicas: 1

From 74b31dc407432736ddb1d858160b00e401f02198 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 1 Nov 2021 17:52:12 +0100
Subject: [PATCH 166/222] Ensure that RCVD_NO_TLS_LAST doesn't add spam points

---
 core/rspamd/conf/settings.conf           | 4 ++++
 towncrier/newsfragments/1705.enhancement | 1 +
 2 files changed, 5 insertions(+)
 create mode 100644 core/rspamd/conf/settings.conf
 create mode 100644 towncrier/newsfragments/1705.enhancement

diff --git a/core/rspamd/conf/settings.conf b/core/rspamd/conf/settings.conf
new file mode 100644
index 00000000..01e9780f
--- /dev/null
+++ b/core/rspamd/conf/settings.conf
@@ -0,0 +1,4 @@
+apply {
+	# see https://github.com/Mailu/Mailu/issues/1705
+	RCVD_NO_TLS_LAST = 0;
+}
diff --git a/towncrier/newsfragments/1705.enhancement b/towncrier/newsfragments/1705.enhancement
new file mode 100644
index 00000000..9a6cb11a
--- /dev/null
+++ b/towncrier/newsfragments/1705.enhancement
@@ -0,0 +1 @@
+Ensure that RCVD_NO_TLS_LAST doesn't add to the spam score (as TLS usage can't be determined)

From 1d6809193b1e02d87fdcca3f5a896ee8bd411947 Mon Sep 17 00:00:00 2001
From: DjVinnii <vincentkling@msn.com>
Date: Tue, 2 Nov 2021 11:18:21 +0100
Subject: [PATCH 167/222] Add tzdata to core

---
 core/admin/Dockerfile   | 2 +-
 core/dovecot/Dockerfile | 2 +-
 core/nginx/Dockerfile   | 2 +-
 core/postfix/Dockerfile | 2 +-
 core/rspamd/Dockerfile  | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index a4f28481..87676eb5 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -25,7 +25,7 @@ COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm
 
 # python3 shared with most images
 RUN set -eu \
- && apk add --no-cache python3 py3-pip git bash \
+ && apk add --no-cache python3 py3-pip git bash tzdata \
  && pip3 install --upgrade pip
 
 RUN mkdir -p /app
diff --git a/core/dovecot/Dockerfile b/core/dovecot/Dockerfile
index 49fcb866..da376d81 100644
--- a/core/dovecot/Dockerfile
+++ b/core/dovecot/Dockerfile
@@ -13,7 +13,7 @@ RUN git clone https://github.com/grosjo/fts-xapian.git \
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \
-    python3 py3-pip git bash py3-multidict py3-yarl \
+    python3 py3-pip git bash py3-multidict py3-yarl tzdata \
   && pip3 install --upgrade pip
 
 # Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube
diff --git a/core/nginx/Dockerfile b/core/nginx/Dockerfile
index b7e5e22e..6043cd8d 100644
--- a/core/nginx/Dockerfile
+++ b/core/nginx/Dockerfile
@@ -9,7 +9,7 @@ RUN apk add --no-cache \
 RUN pip3 install socrate==0.2.0
 
 # Image specific layers under this line
-RUN apk add --no-cache certbot nginx nginx-mod-mail openssl curl \
+RUN apk add --no-cache certbot nginx nginx-mod-mail openssl curl tzdata \
  && pip3 install watchdog
 
 COPY conf /conf
diff --git a/core/postfix/Dockerfile b/core/postfix/Dockerfile
index bdf45e35..e1e1d6f9 100644
--- a/core/postfix/Dockerfile
+++ b/core/postfix/Dockerfile
@@ -2,7 +2,7 @@ ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \
-    python3 py3-pip git bash py3-multidict py3-yarl \
+    python3 py3-pip git bash py3-multidict py3-yarl tzdata \
   && pip3 install --upgrade pip
 
 # Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube
diff --git a/core/rspamd/Dockerfile b/core/rspamd/Dockerfile
index 0b3b94f7..296949a2 100644
--- a/core/rspamd/Dockerfile
+++ b/core/rspamd/Dockerfile
@@ -2,7 +2,7 @@ ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \
-    python3 py3-pip git bash py3-multidict \
+    python3 py3-pip git bash py3-multidict tzdata \
   && pip3 install --upgrade pip
 
 # Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube

From 50d76076ed748c4cfceab08665ba32650febc293 Mon Sep 17 00:00:00 2001
From: DjVinnii <vincentkling@msn.com>
Date: Tue, 2 Nov 2021 11:19:42 +0100
Subject: [PATCH 168/222] Add tzdata to optional

---
 optional/clamav/Dockerfile             | 2 +-
 optional/fetchmail/Dockerfile          | 2 +-
 optional/postgresql/Dockerfile         | 2 +-
 optional/radicale/Dockerfile           | 2 +-
 optional/traefik-certdumper/Dockerfile | 2 +-
 optional/unbound/Dockerfile            | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/optional/clamav/Dockerfile b/optional/clamav/Dockerfile
index efad01ad..7ce41453 100644
--- a/optional/clamav/Dockerfile
+++ b/optional/clamav/Dockerfile
@@ -2,7 +2,7 @@ ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \
-    python3 py3-pip bash \
+    python3 py3-pip bash tzdata \
   && pip3 install --upgrade pip
 # Image specific layers under this line
 RUN apk add --no-cache clamav rsyslog wget clamav-libunrar
diff --git a/optional/fetchmail/Dockerfile b/optional/fetchmail/Dockerfile
index d3397a22..fc564a4b 100644
--- a/optional/fetchmail/Dockerfile
+++ b/optional/fetchmail/Dockerfile
@@ -3,7 +3,7 @@ FROM $DISTRO
 
 # python3 shared with most images
 RUN apk add --no-cache \
-    python3 py3-pip bash \
+    python3 py3-pip bash tzdata \
   && pip3 install --upgrade pip
 
 # Image specific layers under this line
diff --git a/optional/postgresql/Dockerfile b/optional/postgresql/Dockerfile
index ab197b62..ade12a24 100644
--- a/optional/postgresql/Dockerfile
+++ b/optional/postgresql/Dockerfile
@@ -2,7 +2,7 @@ ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \
-    python3 py3-pip bash py3-multidict \
+    python3 py3-pip bash py3-multidict tzdata \
   && pip3 install --upgrade pip
 
 # Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube
diff --git a/optional/radicale/Dockerfile b/optional/radicale/Dockerfile
index 21c1d437..cecaa2d3 100644
--- a/optional/radicale/Dockerfile
+++ b/optional/radicale/Dockerfile
@@ -3,7 +3,7 @@ FROM $DISTRO
 
 # python3 shared with most images
 RUN apk add --no-cache \
-    python3 py3-pip bash \
+    python3 py3-pip bash tzdata \
   && pip3 install --upgrade pip
 
 # Image specific layers under this line
diff --git a/optional/traefik-certdumper/Dockerfile b/optional/traefik-certdumper/Dockerfile
index a7127ce1..ce9b4929 100644
--- a/optional/traefik-certdumper/Dockerfile
+++ b/optional/traefik-certdumper/Dockerfile
@@ -1,6 +1,6 @@
 FROM ldez/traefik-certs-dumper
 
-RUN apk --no-cache add inotify-tools util-linux bash
+RUN apk --no-cache add inotify-tools util-linux bash tzdata
 
 COPY run.sh /
 
diff --git a/optional/unbound/Dockerfile b/optional/unbound/Dockerfile
index da979496..fde67480 100644
--- a/optional/unbound/Dockerfile
+++ b/optional/unbound/Dockerfile
@@ -2,7 +2,7 @@ ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \
-    python3 py3-pip git bash py3-multidict \
+    python3 py3-pip git bash py3-multidict tzdata \
   && pip3 install --upgrade pip
 
 # Shared layer between nginx, dovecot, postfix, postgresql, rspamd, unbound, rainloop, roundcube

From 5b99b6427cd8030e89f64cab378d3df00c695104 Mon Sep 17 00:00:00 2001
From: DjVinnii <vincentkling@msn.com>
Date: Tue, 2 Nov 2021 11:20:53 +0100
Subject: [PATCH 169/222] Update docs

---
 docs/configuration.rst | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/configuration.rst b/docs/configuration.rst
index fa574415..57c33755 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -62,6 +62,8 @@ there is a good way to disable rate limiting altogether.
 The ``TLS_FLAVOR`` sets how Mailu handles TLS connections. Setting this value to
 ``notls`` will cause Mailu not to server any web content! More on :ref:`tls_flavor`.
 
+The ``TZ`` sets the timezone Mailu will use. The timezone naming convention usually uses a ``Region/City`` format. This defaults to ``Etc/UTC``
+
 Mail settings
 -------------
 

From 12cbcec911cd26e58dc64eb3af2997cf0fe27503 Mon Sep 17 00:00:00 2001
From: DjVinnii <vincentkling@msn.com>
Date: Tue, 2 Nov 2021 11:21:38 +0100
Subject: [PATCH 170/222] Add newsfragment

---
 towncrier/newsfragments/1154.enhancement | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 towncrier/newsfragments/1154.enhancement

diff --git a/towncrier/newsfragments/1154.enhancement b/towncrier/newsfragments/1154.enhancement
new file mode 100644
index 00000000..d19b3d09
--- /dev/null
+++ b/towncrier/newsfragments/1154.enhancement
@@ -0,0 +1 @@
+Add support for timezones
\ No newline at end of file

From e8b5f1a185e7c4f58a73a4f2e546692d27fec863 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Tue, 2 Nov 2021 12:59:59 +0100
Subject: [PATCH 171/222] round display of range inputs to 2 decimals

---
 core/admin/assets/app.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/assets/app.js b/core/admin/assets/app.js
index 5df8052c..54602d1f 100644
--- a/core/admin/assets/app.js
+++ b/core/admin/assets/app.js
@@ -43,7 +43,7 @@ $('document').ready(function() {
             var infinity = $(this).data('infinity');
             var step = $(this).attr('step');
             $(this).on('input', function() {
-                value_element.text((infinity && this.value == 0) ? '∞' : this.value/step);
+                value_element.text((infinity && this.value == 0) ? '∞' : (this.value/step).toFixed(2));
             }).trigger('input');
         }
     });

From 598b2df5a02e6e5532f86c936812a7bd23030a9a Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Tue, 2 Nov 2021 13:04:40 +0100
Subject: [PATCH 172/222] update wtforms

---
 core/admin/requirements-prod.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index 3406122d..506cf050 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -52,5 +52,5 @@ tenacity==5.0.4
 validators==0.12.6
 visitor==0.1.3
 Werkzeug==0.15.5
-WTForms==2.2.1
-WTForms-Components==0.10.4
+WTForms==2.3.3
+WTForms-Components==0.10.5

From 80be3506daddf5d075c93e94b1521321baa369af Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Tue, 2 Nov 2021 13:32:12 +0100
Subject: [PATCH 173/222] upgrade pip. completed reqs via pip freeze

---
 core/admin/Dockerfile            |  3 ++-
 core/admin/requirements-prod.txt | 27 ++++++++++++++++++++++++---
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index cdc426c6..95a46fa2 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -35,7 +35,8 @@ COPY requirements-prod.txt requirements.txt
 RUN set -eu \
  && apk add --no-cache libressl curl postgresql-libs mariadb-connector-c \
  && apk add --no-cache --virtual build-dep libressl-dev libffi-dev python3-dev build-base postgresql-dev mariadb-connector-c-dev cargo \
- && pip3 install -r requirements.txt \
+ && pip install --upgrade pip \
+ && pip install -r requirements.txt \
  && apk del --no-cache build-dep
 
 COPY --from=assets static ./mailu/ui/static
diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index 506cf050..38717145 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -1,14 +1,23 @@
 alembic==1.0.10
+appdirs==1.4.4
 asn1crypto==0.24.0
 Babel==2.6.0
 bcrypt==3.1.6
 blinker==1.4
+CacheControl==0.12.6
+certifi==2020.12.5
 cffi==1.12.3
+chardet==4.0.0
 Click==7.0
+colorama==0.4.4
+contextlib2==0.6.0
 cryptography==3.4.7
 decorator==4.4.0
+distlib==0.3.1
+distro==1.5.0
 dnspython==1.16.0
 dominate==2.3.5
+email-validator==1.1.3
 Flask==1.0.2
 Flask-Babel==0.12.2
 Flask-Bootstrap==3.3.7.1
@@ -21,36 +30,48 @@ Flask-Script==2.0.6
 Flask-SQLAlchemy==2.4.0
 Flask-WTF==0.14.2
 gunicorn==20.1.0
+html5lib==1.1
 idna==2.8
 infinity==1.4
 intervals==0.8.1
 itsdangerous==1.1.0
 Jinja2==2.11.3
 limits==1.3
+lockfile==0.12.2
 Mako==1.0.9
 MarkupSafe==1.1.1
-mysqlclient==1.4.2.post1
 marshmallow==3.10.0
 marshmallow-sqlalchemy==0.24.1
+msgpack==1.0.2
+mysqlclient==1.4.2.post1
+ordered-set==4.0.2
+packaging==20.9
 passlib==1.7.4
+pep517==0.10.0
+progress==1.5
 psycopg2==2.8.2
 pycparser==2.19
 Pygments==2.8.1
 pyOpenSSL==20.0.1
+pyparsing==2.4.7
 python-dateutil==2.8.0
 python-editor==1.0.4
 pytz==2019.1
 PyYAML==5.4.1
 redis==3.2.1
-#alpine3:12 provides six==1.15.0
-#six==1.12.0
+requests==2.25.1
+retrying==1.3.3
+six==1.15.0
 socrate==0.1.1
 SQLAlchemy==1.3.3
 srslib==0.1.4
 tabulate==0.8.3
 tenacity==5.0.4
+toml==0.10.2
+urllib3==1.26.5
 validators==0.12.6
 visitor==0.1.3
+webencodings==0.5.1
 Werkzeug==0.15.5
 WTForms==2.3.3
 WTForms-Components==0.10.5

From c43f7aef5accb6c3c4af11001d97d1ccd1c735a2 Mon Sep 17 00:00:00 2001
From: DjVinnii <vincentkling@msn.com>
Date: Tue, 2 Nov 2021 14:46:28 +0100
Subject: [PATCH 174/222] Update docs

---
 docs/configuration.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/configuration.rst b/docs/configuration.rst
index 57c33755..5bf2cb77 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -62,7 +62,9 @@ there is a good way to disable rate limiting altogether.
 The ``TLS_FLAVOR`` sets how Mailu handles TLS connections. Setting this value to
 ``notls`` will cause Mailu not to server any web content! More on :ref:`tls_flavor`.
 
-The ``TZ`` sets the timezone Mailu will use. The timezone naming convention usually uses a ``Region/City`` format. This defaults to ``Etc/UTC``
+The ``TZ`` sets the timezone Mailu will use. The timezone naming convention usually uses a ``Region/City`` format. See `TZ database name`_  for a list of valid timezones This defaults to ``Etc/UTC``
+
+.. _`TZ database name`: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
 
 Mail settings
 -------------

From a1f0c2058384a72c9526bc0b2c2d552eab426022 Mon Sep 17 00:00:00 2001
From: DjVinnii <vincentkling@msn.com>
Date: Tue, 2 Nov 2021 15:32:27 +0100
Subject: [PATCH 175/222] Add tzdata to webmails

---
 webmails/rainloop/Dockerfile  | 2 +-
 webmails/roundcube/Dockerfile | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/webmails/rainloop/Dockerfile b/webmails/rainloop/Dockerfile
index f1394d64..109546db 100644
--- a/webmails/rainloop/Dockerfile
+++ b/webmails/rainloop/Dockerfile
@@ -6,7 +6,7 @@ ONBUILD COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/
 
 # Shared later between dovecot postfix nginx rspamd rainloop and roundloop
 RUN apk add --no-cache \
-    python3 py3-pip \
+    python3 py3-pip tzdata \
  && pip3 install socrate==0.2.0
 
 #  https://www.rainloop.net/docs/system-requirements/
diff --git a/webmails/roundcube/Dockerfile b/webmails/roundcube/Dockerfile
index 1f788918..b8ba512f 100644
--- a/webmails/roundcube/Dockerfile
+++ b/webmails/roundcube/Dockerfile
@@ -9,7 +9,7 @@ FROM ${ARCH}php:7.4-apache as build_other
 FROM build_${QEMU}
 #Shared layer between rainloop and roundcube
 RUN apt-get update && apt-get install -y \
-  python3 curl python3-pip git python3-multidict \
+  python3 curl python3-pip git python3-multidict tzdata \
   && rm -rf /var/lib/apt/lists \
   && echo "ServerSignature Off\nServerName roundcube" >> /etc/apache2/apache2.conf \
   && sed -i 's,CustomLog.*combined$,\0 "'"expr=!(%{HTTP_USER_AGENT}=='health'\&\&(-R '127.0.0.1/8' || -R '::1'))"'",' /etc/apache2/sites-available/000-default.conf
@@ -21,12 +21,14 @@ ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1
 
 ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v4.1.2/carddav-v4.1.2.tar.gz
 
+ENV TZ Etc/UTC
+
 RUN apt-get update && apt-get install -y \
       zlib1g-dev libzip4 libzip-dev libpq-dev \
       python3-jinja2 \
       gpg \
  && docker-php-ext-install zip pdo_mysql pdo_pgsql \
- && echo date.timezone=UTC > /usr/local/etc/php/conf.d/timezone.ini \
+ && echo date.timezone=${TZ} > /usr/local/etc/php/conf.d/timezone.ini \
  && rm -rf /var/www/html/ \
  && cd /var/www \
  && curl -sL ${ROUNDCUBE_URL} | tar xz \

From 8d90a74624631745ea7f4964a4f7b55a5c27ad46 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Tue, 2 Nov 2021 15:39:41 +0100
Subject: [PATCH 176/222] update werkzeug to 1.x

---
 core/admin/mailu/debug.py        | 4 ++--
 core/admin/mailu/utils.py        | 4 ++--
 core/admin/requirements-prod.txt | 6 +++---
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/core/admin/mailu/debug.py b/core/admin/mailu/debug.py
index 7677901b..4d63f3c5 100644
--- a/core/admin/mailu/debug.py
+++ b/core/admin/mailu/debug.py
@@ -1,6 +1,6 @@
 import flask_debugtoolbar
 
-from werkzeug.contrib import profiler as werkzeug_profiler
+from werkzeug.middleware.profiler import ProfilerMiddleware
 
 
 # Debugging toolbar
@@ -10,7 +10,7 @@ toolbar = flask_debugtoolbar.DebugToolbarExtension()
 # Profiler
 class Profiler(object):
     def init_app(self, app):
-        app.wsgi_app = werkzeug_profiler.ProfilerMiddleware(
+        app.wsgi_app = ProfilerMiddleware(
             app.wsgi_app, restrictions=[30]
         )
 
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index dda927b0..eddd6848 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -28,7 +28,7 @@ import redis
 from flask.sessions import SessionMixin, SessionInterface
 from itsdangerous.encoding import want_bytes
 from werkzeug.datastructures import CallbackDict
-from werkzeug.contrib import fixers
+from werkzeug.middleware.proxy_fix import ProxyFix
 
 # Login configuration
 login = flask_login.LoginManager()
@@ -109,7 +109,7 @@ class PrefixMiddleware(object):
         return self.app(environ, start_response)
 
     def init_app(self, app):
-        self.app = fixers.ProxyFix(app.wsgi_app, x_for=1, x_proto=1)
+        self.app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1)
         app.wsgi_app = self
 
 proxy = PrefixMiddleware()
diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index 38717145..673c4445 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -19,7 +19,7 @@ dnspython==1.16.0
 dominate==2.3.5
 email-validator==1.1.3
 Flask==1.0.2
-Flask-Babel==0.12.2
+Flask-Babel==1.0.0
 Flask-Bootstrap==3.3.7.1
 Flask-DebugToolbar==0.10.1
 Flask-Limiter==1.0.1
@@ -28,7 +28,7 @@ flask-marshmallow==0.14.0
 Flask-Migrate==2.4.0
 Flask-Script==2.0.6
 Flask-SQLAlchemy==2.4.0
-Flask-WTF==0.14.2
+Flask-WTF==0.15.1
 gunicorn==20.1.0
 html5lib==1.1
 idna==2.8
@@ -72,6 +72,6 @@ urllib3==1.26.5
 validators==0.12.6
 visitor==0.1.3
 webencodings==0.5.1
-Werkzeug==0.15.5
+Werkzeug==1.0.1
 WTForms==2.3.3
 WTForms-Components==0.10.5

From 23d0cd04660abdb4ce9f4ebfb8b3f52070fa4c25 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Tue, 2 Nov 2021 15:55:20 +0100
Subject: [PATCH 177/222] update tabluate. fix audit.py and include in
 container

---
 core/admin/Dockerfile            |  1 +
 core/admin/audit.py              | 28 +++++++++++++++-------------
 core/admin/requirements-prod.txt |  2 +-
 3 files changed, 17 insertions(+), 14 deletions(-)
 mode change 100644 => 100755 core/admin/audit.py

diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index 95a46fa2..8adf2ca5 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -43,6 +43,7 @@ COPY --from=assets static ./mailu/ui/static
 COPY mailu ./mailu
 COPY migrations ./migrations
 COPY start.py /start.py
+COPY audit.py /audit.py
 
 RUN pybabel compile -d mailu/translations
 
diff --git a/core/admin/audit.py b/core/admin/audit.py
old mode 100644
new mode 100755
index db105ff4..79365286
--- a/core/admin/audit.py
+++ b/core/admin/audit.py
@@ -1,14 +1,17 @@
-from mailu import app
+#!/usr/bin/python3
 
 import sys
 import tabulate
 
+import mailu
+app = mailu.create_app()
+
 
 # Known endpoints without permissions
 known_missing_permissions = [
-    "index",
-    "static", "bootstrap.static",
-    "admin.static", "admin.login"
+    'index',
+    'static', 'bootstrap.static',
+    'admin.static', 'admin.login'
 ]
 
 
@@ -16,7 +19,7 @@ known_missing_permissions = [
 missing_permissions = []
 permissions = {}
 for endpoint, function in app.view_functions.items():
-    audit = function.__dict__.get("_audit_permissions")
+    audit = function.__dict__.get('_audit_permissions')
     if audit:
         handler, args = audit
         if args:
@@ -28,16 +31,15 @@ for endpoint, function in app.view_functions.items():
     elif endpoint not in known_missing_permissions:
         missing_permissions.append(endpoint)
 
-
-# Fail if any endpoint is missing a permission check
-if missing_permissions:
-    print("The following endpoints are missing permission checks:")
-    print(missing_permissions.join(","))
-    sys.exit(1)
-
-
 # Display the permissions table
 print(tabulate.tabulate([
     [route, *permissions[route.endpoint]]
     for route in app.url_map.iter_rules() if route.endpoint in permissions
 ]))
+
+# Warn if any endpoint is missing a permission check
+if missing_permissions:
+    print()
+    print('The following endpoints are missing permission checks:')
+    print(','.join(missing_permissions))
+
diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index 673c4445..79075f96 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -65,7 +65,7 @@ six==1.15.0
 socrate==0.1.1
 SQLAlchemy==1.3.3
 srslib==0.1.4
-tabulate==0.8.3
+tabulate==0.8.9
 tenacity==5.0.4
 toml==0.10.2
 urllib3==1.26.5

From 771b2d1112d846ddde6e5f7f54f787280c9a0c04 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Tue, 2 Nov 2021 16:21:31 +0100
Subject: [PATCH 178/222] duh

---
 core/admin/audit.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/core/admin/audit.py b/core/admin/audit.py
index 79365286..60583f83 100755
--- a/core/admin/audit.py
+++ b/core/admin/audit.py
@@ -3,6 +3,8 @@
 import sys
 import tabulate
 
+sys.path[0:0] = ['/app']
+
 import mailu
 app = mailu.create_app()
 

From dcbe55f0620395532a767d1a69647154d886a943 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Tue, 2 Nov 2021 16:28:37 +0100
Subject: [PATCH 179/222] updated crypto

---
 core/admin/requirements-prod.txt | 13 ++++++-------
 core/admin/requirements.txt      |  1 -
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index 79075f96..9bd131fb 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -1,18 +1,17 @@
 alembic==1.0.10
 appdirs==1.4.4
-asn1crypto==0.24.0
 Babel==2.6.0
-bcrypt==3.1.6
+bcrypt==3.2.0
 blinker==1.4
 CacheControl==0.12.6
 certifi==2020.12.5
-cffi==1.12.3
+cffi==1.15.0
 chardet==4.0.0
 Click==7.0
 colorama==0.4.4
 contextlib2==0.6.0
-cryptography==3.4.7
-decorator==4.4.0
+cryptography==35.0.0
+decorator==5.1.0
 distlib==0.3.1
 distro==1.5.0
 dnspython==1.16.0
@@ -50,9 +49,9 @@ passlib==1.7.4
 pep517==0.10.0
 progress==1.5
 psycopg2==2.8.2
-pycparser==2.19
+pycparser==2.20
 Pygments==2.8.1
-pyOpenSSL==20.0.1
+pyOpenSSL==21.0.0
 pyparsing==2.4.7
 python-dateutil==2.8.0
 python-editor==1.0.4
diff --git a/core/admin/requirements.txt b/core/admin/requirements.txt
index e1de3b01..6cfa8a35 100644
--- a/core/admin/requirements.txt
+++ b/core/admin/requirements.txt
@@ -18,7 +18,6 @@ PyYAML
 PyOpenSSL
 Pygments
 dnspython
-bcrypt
 tenacity
 mysqlclient
 psycopg2

From 40cdff491192cf8135e9c7818d490a39ce0f5fe0 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Tue, 2 Nov 2021 16:49:25 +0100
Subject: [PATCH 180/222] updated dnspython

---
 core/admin/mailu/models.py           | 3 ++-
 core/admin/mailu/ui/views/domains.py | 1 -
 core/admin/mailu/utils.py            | 6 +++++-
 core/admin/requirements-prod.txt     | 2 +-
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index f5fe3b5e..300d8d8c 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -19,7 +19,8 @@ import os
 import hmac
 import smtplib
 import idna
-import dns
+import dns.resolver
+import dns.exception
 
 from flask import current_app as app
 from sqlalchemy.ext import declarative
diff --git a/core/admin/mailu/ui/views/domains.py b/core/admin/mailu/ui/views/domains.py
index f394ce7d..a48bb154 100644
--- a/core/admin/mailu/ui/views/domains.py
+++ b/core/admin/mailu/ui/views/domains.py
@@ -5,7 +5,6 @@ from flask import current_app as app
 import flask
 import flask_login
 import wtforms_components
-import dns.resolver
 
 
 @ui.route('/domain', methods=['GET'])
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index eddd6848..d9cc1894 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -6,8 +6,12 @@ try:
 except ImportError:
     import pickle
 
-import dns
 import dns.resolver
+import dns.exception
+import dns.flags
+import dns.rdtypes
+import dns.rdatatype
+import dns.rdataclass
 
 import hmac
 import secrets
diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index 9bd131fb..ecb0b8ed 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -14,7 +14,7 @@ cryptography==35.0.0
 decorator==5.1.0
 distlib==0.3.1
 distro==1.5.0
-dnspython==1.16.0
+dnspython==2.1.0
 dominate==2.3.5
 email-validator==1.1.3
 Flask==1.0.2

From 3ac1b3d86ce2452a87ff1a27de94f597773fff0e Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Tue, 2 Nov 2021 17:02:54 +0100
Subject: [PATCH 181/222] update pyyaml and pygments

---
 core/admin/requirements-prod.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index ecb0b8ed..159a3c3c 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -50,13 +50,13 @@ pep517==0.10.0
 progress==1.5
 psycopg2==2.8.2
 pycparser==2.20
-Pygments==2.8.1
+Pygments==2.10.0
 pyOpenSSL==21.0.0
 pyparsing==2.4.7
 python-dateutil==2.8.0
 python-editor==1.0.4
 pytz==2019.1
-PyYAML==5.4.1
+PyYAML==6.0
 redis==3.2.1
 requests==2.25.1
 retrying==1.3.3

From 8ad8cde0e27b62679e924fc7b4ba64ed7c53cb67 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Tue, 2 Nov 2021 17:06:28 +0100
Subject: [PATCH 182/222] removed some obsolete requirements

---
 core/admin/requirements-prod.txt | 2 --
 core/admin/requirements.txt      | 1 -
 2 files changed, 3 deletions(-)

diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index 159a3c3c..9d734d94 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -53,8 +53,6 @@ pycparser==2.20
 Pygments==2.10.0
 pyOpenSSL==21.0.0
 pyparsing==2.4.7
-python-dateutil==2.8.0
-python-editor==1.0.4
 pytz==2019.1
 PyYAML==6.0
 redis==3.2.1
diff --git a/core/admin/requirements.txt b/core/admin/requirements.txt
index 6cfa8a35..65130a8c 100644
--- a/core/admin/requirements.txt
+++ b/core/admin/requirements.txt
@@ -20,7 +20,6 @@ Pygments
 dnspython
 tenacity
 mysqlclient
-psycopg2
 idna
 srslib
 marshmallow

From d8efd3057c85a397dd7c77f81d59ae4d91475841 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Tue, 2 Nov 2021 17:52:25 +0100
Subject: [PATCH 183/222] updated idna

---
 core/admin/requirements-prod.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index 9d734d94..649eac49 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -30,7 +30,7 @@ Flask-SQLAlchemy==2.4.0
 Flask-WTF==0.15.1
 gunicorn==20.1.0
 html5lib==1.1
-idna==2.8
+idna==3.2
 infinity==1.4
 intervals==0.8.1
 itsdangerous==1.1.0

From ef19869cdef45829c8b52276d58ddab4e72085ad Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Tue, 2 Nov 2021 18:06:26 +0100
Subject: [PATCH 184/222] updated redis

---
 core/admin/requirements-prod.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index 649eac49..40447e79 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -55,7 +55,7 @@ pyOpenSSL==21.0.0
 pyparsing==2.4.7
 pytz==2019.1
 PyYAML==6.0
-redis==3.2.1
+redis==3.5.3
 requests==2.25.1
 retrying==1.3.3
 six==1.15.0

From 866741bcbeaae33cf819bd0bebe2517ad9317008 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Tue, 2 Nov 2021 19:22:58 +0100
Subject: [PATCH 185/222] updated WTForms-Components deps

---
 core/admin/requirements-prod.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index 40447e79..d88c71ed 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -31,8 +31,8 @@ Flask-WTF==0.15.1
 gunicorn==20.1.0
 html5lib==1.1
 idna==3.2
-infinity==1.4
-intervals==0.8.1
+infinity==1.5
+intervals==0.9.2
 itsdangerous==1.1.0
 Jinja2==2.11.3
 limits==1.3
@@ -66,7 +66,7 @@ tabulate==0.8.9
 tenacity==5.0.4
 toml==0.10.2
 urllib3==1.26.5
-validators==0.12.6
+validators==0.18.2
 visitor==0.1.3
 webencodings==0.5.1
 Werkzeug==1.0.1

From aca1e136484d73ea9c978a97563220bf1e633280 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Tue, 2 Nov 2021 20:47:53 +0100
Subject: [PATCH 186/222] update socrate - will be removed later

---
 core/admin/requirements-prod.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index d88c71ed..3883c1c6 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -59,7 +59,7 @@ redis==3.5.3
 requests==2.25.1
 retrying==1.3.3
 six==1.15.0
-socrate==0.1.1
+socrate==0.2.0
 SQLAlchemy==1.3.3
 srslib==0.1.4
 tabulate==0.8.9

From f1d7bedd1b5465ac4fd86f7c4f380b257eee9059 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Wed, 3 Nov 2021 19:54:15 +0100
Subject: [PATCH 187/222] fix display of range inputs (again)

---
 core/admin/assets/app.css | 5 +++++
 core/admin/assets/app.js  | 4 +++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/core/admin/assets/app.css b/core/admin/assets/app.css
index 3886b5c1..84644900 100644
--- a/core/admin/assets/app.css
+++ b/core/admin/assets/app.css
@@ -52,3 +52,8 @@ fieldset:disabled .form-control:disabled {
 .select2-container--default .select2-selection--multiple .select2-selection__choice {
   color: black;
 }
+
+/* range input spacing */
+.input-group-text {
+  margin-right: 1em;
+}
diff --git a/core/admin/assets/app.js b/core/admin/assets/app.js
index 54602d1f..e18228eb 100644
--- a/core/admin/assets/app.js
+++ b/core/admin/assets/app.js
@@ -43,7 +43,9 @@ $('document').ready(function() {
             var infinity = $(this).data('infinity');
             var step = $(this).attr('step');
             $(this).on('input', function() {
-                value_element.text((infinity && this.value == 0) ? '∞' : (this.value/step).toFixed(2));
+                var num = (infinity && this.value == 0) ? '∞' : (this.value/step).toFixed(2);
+                if (num.endsWith('.00')) num = num.substr(0, num.length - 3);
+                value_element.text(num);
             }).trigger('input');
         }
     });

From abc4112242d24ee6d6e4dd976ee51cae720df228 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Wed, 3 Nov 2021 20:12:20 +0100
Subject: [PATCH 188/222] updated Werkzeug, Click and Flask-Migrate

---
 core/admin/requirements-prod.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index 3883c1c6..4a209fba 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -7,7 +7,7 @@ CacheControl==0.12.6
 certifi==2020.12.5
 cffi==1.15.0
 chardet==4.0.0
-Click==7.0
+click==8.0.3
 colorama==0.4.4
 contextlib2==0.6.0
 cryptography==35.0.0
@@ -24,7 +24,7 @@ Flask-DebugToolbar==0.10.1
 Flask-Limiter==1.0.1
 Flask-Login==0.4.1
 flask-marshmallow==0.14.0
-Flask-Migrate==2.4.0
+Flask-Migrate==3.1.0
 Flask-Script==2.0.6
 Flask-SQLAlchemy==2.4.0
 Flask-WTF==0.15.1
@@ -69,6 +69,6 @@ urllib3==1.26.5
 validators==0.18.2
 visitor==0.1.3
 webencodings==0.5.1
-Werkzeug==1.0.1
+Werkzeug==2.0.2
 WTForms==2.3.3
 WTForms-Components==0.10.5

From 26fb108a3fb435d097883901470781726757f9f4 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Wed, 3 Nov 2021 20:22:47 +0100
Subject: [PATCH 189/222] updated Flask-Login

---
 core/admin/mailu/utils.py        | 2 +-
 core/admin/requirements-prod.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 972546d6..8ae028bf 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -269,7 +269,7 @@ class MailuSession(CallbackDict, SessionMixin):
 
         # set uid from dict data
         if self._uid is None:
-            self._uid = self.app.session_config.gen_uid(self.get('user_id', ''))
+            self._uid = self.app.session_config.gen_uid(self.get('_user_id', ''))
 
         # create new session id for new or regenerated sessions and force setting the cookie
         if self._sid is None:
diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index 4a209fba..bb94e4b5 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -22,7 +22,7 @@ Flask-Babel==1.0.0
 Flask-Bootstrap==3.3.7.1
 Flask-DebugToolbar==0.10.1
 Flask-Limiter==1.0.1
-Flask-Login==0.4.1
+Flask-Login==0.5.0
 flask-marshmallow==0.14.0
 Flask-Migrate==3.1.0
 Flask-Script==2.0.6

From 8b15820b014f73bf41aaffca3914ee8207082114 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Wed, 3 Nov 2021 20:35:05 +0100
Subject: [PATCH 190/222] fix sso login button spacing

---
 core/admin/mailu/ui/templates/macros.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/ui/templates/macros.html b/core/admin/mailu/ui/templates/macros.html
index 5143b697..75de4e0e 100644
--- a/core/admin/mailu/ui/templates/macros.html
+++ b/core/admin/mailu/ui/templates/macros.html
@@ -22,7 +22,7 @@
   {%- if spacing %}
   {%- set width = (12 / fields|length)|int %}
   {%- else %}
-  {%- set width = 0 %}
+  {%- set width = 2 %}
   {% endif %}
   <div class="form-group">
     <div class="row">

From 833ccb5544816e5321a4066bb1102ed144c02384 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Wed, 3 Nov 2021 20:38:00 +0100
Subject: [PATCH 191/222] reload page using GET when selecting language

---
 core/admin/assets/app.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/assets/app.js b/core/admin/assets/app.js
index e18228eb..0926578d 100644
--- a/core/admin/assets/app.js
+++ b/core/admin/assets/app.js
@@ -18,7 +18,7 @@ $('document').ready(function() {
         $.post({
             url: $(this).attr('href'),
             success: function() {
-                location.reload();
+                window.location = window.location.href;
             },
         });
     });

From f613205fe16488fcc1b7658bfff35eb186a543fa Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Wed, 3 Nov 2021 21:30:34 +0100
Subject: [PATCH 192/222] update tenacity

---
 core/admin/migrations/env.py     | 69 ++++++++++++++++----------------
 core/admin/requirements-prod.txt |  2 +-
 2 files changed, 36 insertions(+), 35 deletions(-)

diff --git a/core/admin/migrations/env.py b/core/admin/migrations/env.py
index 3e45bb18..65a4e471 100755
--- a/core/admin/migrations/env.py
+++ b/core/admin/migrations/env.py
@@ -1,10 +1,12 @@
-from __future__ import with_statement
+import logging
+import tenacity
+
 from alembic import context
 from sqlalchemy import engine_from_config, pool
 from logging.config import fileConfig
-import logging
-import tenacity
-from tenacity import retry
+
+from flask import current_app
+from mailu import models
 
 # this is the Alembic Config object, which provides
 # access to the values within the .ini file in use.
@@ -17,20 +19,12 @@ logger = logging.getLogger('alembic.env')
 
 # add your model's MetaData object here
 # for 'autogenerate' support
-# from myapp import mymodel
-# target_metadata = mymodel.Base.metadata
-from flask import current_app
-config.set_main_option('sqlalchemy.url',
-                       current_app.config.get('SQLALCHEMY_DATABASE_URI'))
-#target_metadata = current_app.extensions['migrate'].db.metadata
-from mailu import models
+config.set_main_option(
+    'sqlalchemy.url',
+    current_app.config.get('SQLALCHEMY_DATABASE_URI')
+)
 target_metadata = models.Base.metadata
 
-# other values from the config, defined by the needs of env.py,
-# can be acquired:
-# my_important_option = config.get_main_option("my_important_option")
-# ... etc.
-
 
 def run_migrations_offline():
     """Run migrations in 'offline' mode.
@@ -44,7 +38,7 @@ def run_migrations_offline():
     script output.
 
     """
-    url = config.get_main_option("sqlalchemy.url")
+    url = config.get_main_option('sqlalchemy.url')
     context.configure(url=url)
 
     with context.begin_transaction():
@@ -69,28 +63,35 @@ def run_migrations_online():
                 directives[:] = []
                 logger.info('No changes in schema detected.')
 
-    engine = engine_from_config(config.get_section(config.config_ini_section),
-                                prefix='sqlalchemy.',
-                                poolclass=pool.NullPool)
+    engine = engine_from_config(
+        config.get_section(config.config_ini_section),
+        prefix    = 'sqlalchemy.',
+        poolclass = pool.NullPool
+    )
 
-    connection = tenacity.Retrying(
-        stop=tenacity.stop_after_attempt(100),
-        wait=tenacity.wait_random(min=2, max=5),
-        before=tenacity.before_log(logging.getLogger("tenacity.retry"), logging.DEBUG),
-        before_sleep=tenacity.before_sleep_log(logging.getLogger("tenacity.retry"), logging.INFO),
-        after=tenacity.after_log(logging.getLogger("tenacity.retry"), logging.DEBUG)
-        ).call(engine.connect)
+    @tenacity.retry(
+        stop   = tenacity.stop_after_attempt(100),
+        wait   = tenacity.wait_random(min=2, max=5),
+        before = tenacity.before_log(logging.getLogger('tenacity.retry'), logging.DEBUG),
+        before_sleep = tenacity.before_sleep_log(logging.getLogger('tenacity.retry'), logging.INFO),
+        after  = tenacity.after_log(logging.getLogger('tenacity.retry'), logging.DEBUG)
+    )
+    def try_connect(db):
+        return db.connect()
 
-    context.configure(connection=connection,
-                      target_metadata=target_metadata,
-                      process_revision_directives=process_revision_directives,
-                      **current_app.extensions['migrate'].configure_args)
+    with try_connect(engine) as connection:
+
+        context.configure(
+            connection      = connection,
+            target_metadata = target_metadata,
+            process_revision_directives = process_revision_directives,
+            **current_app.extensions['migrate'].configure_args
+        )
 
-    try:
         with context.begin_transaction():
             context.run_migrations()
-    finally:
-        connection.close()
+
+    connection.close()
 
 if context.is_offline_mode():
     run_migrations_offline()
diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index bb94e4b5..3d08e2ff 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -63,7 +63,7 @@ socrate==0.2.0
 SQLAlchemy==1.3.3
 srslib==0.1.4
 tabulate==0.8.9
-tenacity==5.0.4
+tenacity==8.0.1
 toml==0.10.2
 urllib3==1.26.5
 validators==0.18.2

From 5238b00f0b0358700a16c52e77f35f1759cf6437 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Wed, 3 Nov 2021 21:33:39 +0100
Subject: [PATCH 193/222] update alembic

---
 core/admin/requirements-prod.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index 3d08e2ff..4b629d5d 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -1,4 +1,4 @@
-alembic==1.0.10
+alembic==1.7.4
 appdirs==1.4.4
 Babel==2.6.0
 bcrypt==3.2.0

From 56f65d724d1982fa0c3cb9a5444812328d283094 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Wed, 3 Nov 2021 21:52:59 +0100
Subject: [PATCH 194/222] update babel

---
 core/admin/mailu/__init__.py                   | 5 +++++
 core/admin/mailu/ui/templates/domain/list.html | 4 ++--
 core/admin/mailu/utils.py                      | 3 +--
 core/admin/requirements-prod.txt               | 6 +++---
 4 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py
index e4024e47..b49bdd67 100644
--- a/core/admin/mailu/__init__.py
+++ b/core/admin/mailu/__init__.py
@@ -57,6 +57,11 @@ def create_app_from_config(config):
             config        = app.config,
         )
 
+    # Jinja filter
+    @app.template_filter()
+    def format_date(value):
+        return utils.flask_babel.format_date(value) if value else ''
+
     # Import views
     from mailu import ui, internal, sso
     app.register_blueprint(ui.ui, url_prefix=app.config['WEB_ADMIN'])
diff --git a/core/admin/mailu/ui/templates/domain/list.html b/core/admin/mailu/ui/templates/domain/list.html
index 6f6bc467..61c09151 100644
--- a/core/admin/mailu/ui/templates/domain/list.html
+++ b/core/admin/mailu/ui/templates/domain/list.html
@@ -46,8 +46,8 @@
     <td>{{ domain.users | count }} / {{ '∞' if domain.max_users == -1 else domain.max_users }}</td>
     <td>{{ domain.aliases | count }} / {{ '∞' if domain.max_aliases == -1 else domain.max_aliases }}</td>
     <td>{{ domain.comment or '' }}</td>
-    <td>{{ domain.created_at }}</td>
-    <td>{{ domain.updated_at or '' }}</td>
+    <td>{{ domain.created_at | format_date }}</td>
+    <td>{{ domain.updated_at | format_date }}</td>
   </tr>
   {%- endfor %}
 </tbody>
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 8ae028bf..024c487f 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -18,10 +18,9 @@ import secrets
 import time
 
 from multiprocessing import Value
-
 from mailu import limiter
-
 from flask import current_app as app
+
 import flask
 import flask_login
 import flask_migrate
diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index 4b629d5d..ccd2b83d 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -1,6 +1,6 @@
 alembic==1.7.4
 appdirs==1.4.4
-Babel==2.6.0
+Babel==2.9.1
 bcrypt==3.2.0
 blinker==1.4
 CacheControl==0.12.6
@@ -18,7 +18,7 @@ dnspython==2.1.0
 dominate==2.3.5
 email-validator==1.1.3
 Flask==1.0.2
-Flask-Babel==1.0.0
+Flask-Babel==2.0.0
 Flask-Bootstrap==3.3.7.1
 Flask-DebugToolbar==0.10.1
 Flask-Limiter==1.0.1
@@ -53,7 +53,7 @@ pycparser==2.20
 Pygments==2.10.0
 pyOpenSSL==21.0.0
 pyparsing==2.4.7
-pytz==2019.1
+pytz==2021.3
 PyYAML==6.0
 redis==3.5.3
 requests==2.25.1

From 87884213c466472a98cbd19e988b65c9190fea62 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Wed, 3 Nov 2021 22:03:51 +0100
Subject: [PATCH 195/222] update misc helper libs

---
 core/admin/requirements-prod.txt | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index ccd2b83d..282d00c3 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -15,12 +15,12 @@ decorator==5.1.0
 distlib==0.3.1
 distro==1.5.0
 dnspython==2.1.0
-dominate==2.3.5
+dominate==2.6.0
 email-validator==1.1.3
 Flask==1.0.2
 Flask-Babel==2.0.0
 Flask-Bootstrap==3.3.7.1
-Flask-DebugToolbar==0.10.1
+Flask-DebugToolbar==0.11.0
 Flask-Limiter==1.0.1
 Flask-Login==0.5.0
 flask-marshmallow==0.14.0
@@ -33,12 +33,12 @@ html5lib==1.1
 idna==3.2
 infinity==1.5
 intervals==0.9.2
-itsdangerous==1.1.0
-Jinja2==2.11.3
-limits==1.3
+itsdangerous==2.0.1
+Jinja2==3.0.2
+limits==1.5.1
 lockfile==0.12.2
-Mako==1.0.9
-MarkupSafe==1.1.1
+Mako==1.1.5
+MarkupSafe==2.0.1
 marshmallow==3.10.0
 marshmallow-sqlalchemy==0.24.1
 msgpack==1.0.2

From ffd99c3fa8ee6c3ad590973c4c5ebdbe0172474d Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Wed, 3 Nov 2021 22:21:26 +0100
Subject: [PATCH 196/222] updated flask

ConfigManager should not replace app.config - this is causing trouble
with some other flask modules (swagger).
Updated ConfigManager to only modify app.config and not replace it.
---
 core/admin/mailu/__init__.py      |  2 +-
 core/admin/mailu/configuration.py | 48 +++++++++----------------------
 core/admin/requirements-prod.txt  |  2 +-
 3 files changed, 16 insertions(+), 36 deletions(-)

diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py
index b49bdd67..2f1b8469 100644
--- a/core/admin/mailu/__init__.py
+++ b/core/admin/mailu/__init__.py
@@ -33,7 +33,7 @@ def create_app_from_config(config):
     app.srs_key = hmac.new(bytearray(app.secret_key, 'utf-8'), bytearray('SRS_KEY', 'utf-8'), 'sha256').digest()
 
     # Initialize list of translations
-    config.translations = {
+    app.config.translations = {
         str(locale): locale
         for locale in sorted(
             utils.babel.list_translations(),
diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 9829f798..96127ee2 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -88,7 +88,7 @@ DEFAULT_CONFIG = {
     'POD_ADDRESS_RANGE': None
 }
 
-class ConfigManager(dict):
+class ConfigManager:
     """ Naive configuration manager that uses environment only
     """
 
@@ -103,19 +103,16 @@ class ConfigManager(dict):
 
     def get_host_address(self, name):
         # if MYSERVICE_ADDRESS is defined, use this
-        if '{}_ADDRESS'.format(name) in os.environ:
-            return os.environ.get('{}_ADDRESS'.format(name))
+        if f'{name}_ADDRESS' in os.environ:
+            return os.environ.get(f'{name}_ADDRESS')
         # otherwise use the host name and resolve it
-        return system.resolve_address(self.config['HOST_{}'.format(name)])
+        return system.resolve_address(self.config[f'HOST_{name}'])
 
     def resolve_hosts(self):
-        self.config["IMAP_ADDRESS"] = self.get_host_address("IMAP")
-        self.config["POP3_ADDRESS"] = self.get_host_address("POP3")
-        self.config["AUTHSMTP_ADDRESS"] = self.get_host_address("AUTHSMTP")
-        self.config["SMTP_ADDRESS"] = self.get_host_address("SMTP")
-        self.config["REDIS_ADDRESS"] = self.get_host_address("REDIS")
-        if self.config["WEBMAIL"] != "none":
-            self.config["WEBMAIL_ADDRESS"] = self.get_host_address("WEBMAIL")
+        for key in ['IMAP', 'POP3', 'AUTHSMTP', 'SMTP', 'REDIS']:
+            self.config[f'{key}_ADDRESS'] = self.get_host_address(key)
+        if self.config['WEBMAIL'] != 'none':
+            self.config['WEBMAIL_ADDRESS'] = self.get_host_address('WEBMAIL')
 
     def __get_env(self, key, value):
         key_file = key + "_FILE"
@@ -134,6 +131,7 @@ class ConfigManager(dict):
         return value
 
     def init_app(self, app):
+        # get current app config
         self.config.update(app.config)
         # get environment variables
         self.config.update({
@@ -147,9 +145,9 @@ class ConfigManager(dict):
             template = self.DB_TEMPLATES[self.config['DB_FLAVOR']]
             self.config['SQLALCHEMY_DATABASE_URI'] = template.format(**self.config)
 
-        self.config['RATELIMIT_STORAGE_URL'] = 'redis://{0}/2'.format(self.config['REDIS_ADDRESS'])
-        self.config['QUOTA_STORAGE_URL'] = 'redis://{0}/1'.format(self.config['REDIS_ADDRESS'])
-        self.config['SESSION_STORAGE_URL'] = 'redis://{0}/3'.format(self.config['REDIS_ADDRESS'])
+        self.config['RATELIMIT_STORAGE_URL'] = f'redis://{self.config["REDIS_ADDRESS"]}/2'
+        self.config['QUOTA_STORAGE_URL'] = f'redis://{self.config["REDIS_ADDRESS"]}/1'
+        self.config['SESSION_STORAGE_URL'] = f'redis://{self.config["REDIS_ADDRESS"]}/3'
         self.config['SESSION_COOKIE_SAMESITE'] = 'Strict'
         self.config['SESSION_COOKIE_HTTPONLY'] = True
         self.config['PERMANENT_SESSION_LIFETIME'] = timedelta(hours=int(self.config['SESSION_LIFETIME']))
@@ -157,25 +155,7 @@ class ConfigManager(dict):
         self.config['AUTH_RATELIMIT_EXEMPTION'] = set(ipaddress.ip_network(cidr, False) for cidr in (cidr.strip() for cidr in self.config['AUTH_RATELIMIT_EXEMPTION'].split(',')) if cidr)
         self.config['HOSTNAMES'] = ','.join(hostnames)
         self.config['HOSTNAME'] = hostnames[0]
-        # update the app config itself
-        app.config = self
 
-    def setdefault(self, key, value):
-        if key not in self.config:
-            self.config[key] = value
-        return self.config[key]
+        # update the app config
+        app.config.update(self.config)
 
-    def get(self, *args):
-        return self.config.get(*args)
-
-    def keys(self):
-        return self.config.keys()
-
-    def __getitem__(self, key):
-        return self.config.get(key)
-
-    def __setitem__(self, key, value):
-        self.config[key] = value
-
-    def __contains__(self, key):
-        return key in self.config
diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index 282d00c3..ce7d4017 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -17,7 +17,7 @@ distro==1.5.0
 dnspython==2.1.0
 dominate==2.6.0
 email-validator==1.1.3
-Flask==1.0.2
+Flask==2.0.2
 Flask-Babel==2.0.0
 Flask-Bootstrap==3.3.7.1
 Flask-DebugToolbar==0.11.0

From 85d86d415624f2d3c335a1922527f92886d9fd3f Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Wed, 3 Nov 2021 22:55:26 +0100
Subject: [PATCH 197/222] some more libs updated

---
 core/admin/requirements-prod.txt | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index ce7d4017..331239ba 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -3,17 +3,17 @@ appdirs==1.4.4
 Babel==2.9.1
 bcrypt==3.2.0
 blinker==1.4
-CacheControl==0.12.6
-certifi==2020.12.5
+CacheControl==0.12.9
+certifi==2021.10.8
 cffi==1.15.0
 chardet==4.0.0
 click==8.0.3
 colorama==0.4.4
-contextlib2==0.6.0
+contextlib2==21.6.0
 cryptography==35.0.0
 decorator==5.1.0
-distlib==0.3.1
-distro==1.5.0
+# distlib==0.3.1
+# distro==1.5.0
 dnspython==2.1.0
 dominate==2.6.0
 email-validator==1.1.3
@@ -21,7 +21,7 @@ Flask==2.0.2
 Flask-Babel==2.0.0
 Flask-Bootstrap==3.3.7.1
 Flask-DebugToolbar==0.11.0
-Flask-Limiter==1.0.1
+Flask-Limiter==1.4
 Flask-Login==0.5.0
 flask-marshmallow==0.14.0
 Flask-Migrate==3.1.0
@@ -30,7 +30,7 @@ Flask-SQLAlchemy==2.4.0
 Flask-WTF==0.15.1
 gunicorn==20.1.0
 html5lib==1.1
-idna==3.2
+idna==3.3
 infinity==1.5
 intervals==0.9.2
 itsdangerous==2.0.1
@@ -44,28 +44,28 @@ marshmallow-sqlalchemy==0.24.1
 msgpack==1.0.2
 mysqlclient==1.4.2.post1
 ordered-set==4.0.2
-packaging==20.9
+# packaging==20.9
 passlib==1.7.4
-pep517==0.10.0
-progress==1.5
+# pep517==0.10.0
+progress==1.6
 psycopg2==2.8.2
 pycparser==2.20
 Pygments==2.10.0
 pyOpenSSL==21.0.0
-pyparsing==2.4.7
+pyparsing==3.0.4
 pytz==2021.3
 PyYAML==6.0
 redis==3.5.3
-requests==2.25.1
+requests==2.26.0
 retrying==1.3.3
-six==1.15.0
+# six==1.15.0
 socrate==0.2.0
 SQLAlchemy==1.3.3
 srslib==0.1.4
 tabulate==0.8.9
 tenacity==8.0.1
 toml==0.10.2
-urllib3==1.26.5
+urllib3==1.26.7
 validators==0.18.2
 visitor==0.1.3
 webencodings==0.5.1

From 4669374b9ec951c081777fe4284edc69cb4be0a2 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Wed, 3 Nov 2021 22:55:41 +0100
Subject: [PATCH 198/222] use python wheels

---
 core/admin/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index 5c1227e5..cf911d82 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -25,7 +25,7 @@ COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm
 
 # python3 shared with most images
 RUN set -eu \
- && apk add --no-cache python3 py3-pip git bash \
+ && apk add --no-cache python3 py3-pip py3-wheel git bash \
  && pip3 install --upgrade pip
 
 RUN mkdir -p /app

From 73ab4327c29b3e5f65e5c26b5f86418612daa972 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Wed, 3 Nov 2021 22:57:07 +0100
Subject: [PATCH 199/222] updated database libraries (sqlalchemy etc.)

this is working fine, but introduces a sqlalchemy warning
when using config-import:

  /app/mailu/schemas.py:822:
    SAWarning: Identity map already had an identity for (...),
    replacing it with newly flushed object.
    Are there load operations occurring inside of an event handler
    within the flush?
---
 core/admin/mailu/models.py       | 16 ++++++++--------
 core/admin/mailu/schemas.py      |  5 +++++
 core/admin/requirements-prod.txt | 13 +++++++------
 3 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index 300d8d8c..697e4df7 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -39,6 +39,8 @@ class IdnaDomain(db.TypeDecorator):
     """
 
     impl = db.String(80)
+    cache_ok = True
+    python_type = str
 
     def process_bind_param(self, value, dialect):
         """ encode unicode domain name to punycode """
@@ -48,13 +50,13 @@ class IdnaDomain(db.TypeDecorator):
         """ decode punycode domain name to unicode """
         return idna.decode(value)
 
-    python_type = str
-
 class IdnaEmail(db.TypeDecorator):
     """ Stores a Unicode string in it's IDNA representation (ASCII only)
     """
 
     impl = db.String(255)
+    cache_ok = True
+    python_type = str
 
     def process_bind_param(self, value, dialect):
         """ encode unicode domain part of email address to punycode """
@@ -70,13 +72,13 @@ class IdnaEmail(db.TypeDecorator):
         localpart, domain_name = value.rsplit('@', 1)
         return f'{localpart}@{idna.decode(domain_name)}'
 
-    python_type = str
-
 class CommaSeparatedList(db.TypeDecorator):
     """ Stores a list as a comma-separated string, compatible with Postfix.
     """
 
     impl = db.String
+    cache_ok = True
+    python_type = list
 
     def process_bind_param(self, value, dialect):
         """ join list of items to comma separated string """
@@ -91,13 +93,13 @@ class CommaSeparatedList(db.TypeDecorator):
         """ split comma separated string to list """
         return list(filter(bool, (item.strip() for item in value.split(',')))) if value else []
 
-    python_type = list
-
 class JSONEncoded(db.TypeDecorator):
     """ Represents an immutable structure as a json-encoded string.
     """
 
     impl = db.String
+    cache_ok = True
+    python_type = str
 
     def process_bind_param(self, value, dialect):
         """ encode data as json """
@@ -107,8 +109,6 @@ class JSONEncoded(db.TypeDecorator):
         """ decode json to data """
         return json.loads(value) if value else None
 
-    python_type = str
-
 class Base(db.Model):
     """ Base class for all models
     """
diff --git a/core/admin/mailu/schemas.py b/core/admin/mailu/schemas.py
index 191d01ac..00cbf464 100644
--- a/core/admin/mailu/schemas.py
+++ b/core/admin/mailu/schemas.py
@@ -145,6 +145,11 @@ class Logger:
             if history.has_changes() and history.deleted:
                 before = history.deleted[-1]
                 after = getattr(target, attr.key)
+                # we don't have ordered lists
+                if isinstance(before, list):
+                    before = set(before)
+                if isinstance(after, list):
+                    after = set(after)
                 # TODO: this can be removed when comment is not nullable in model
                 if attr.key == 'comment' and not before and not after:
                     pass
diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index 331239ba..d6c7aca3 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -26,8 +26,9 @@ Flask-Login==0.5.0
 flask-marshmallow==0.14.0
 Flask-Migrate==3.1.0
 Flask-Script==2.0.6
-Flask-SQLAlchemy==2.4.0
+Flask-SQLAlchemy==2.5.1
 Flask-WTF==0.15.1
+greenlet==1.1.2
 gunicorn==20.1.0
 html5lib==1.1
 idna==3.3
@@ -39,16 +40,16 @@ limits==1.5.1
 lockfile==0.12.2
 Mako==1.1.5
 MarkupSafe==2.0.1
-marshmallow==3.10.0
-marshmallow-sqlalchemy==0.24.1
+marshmallow==3.14.0
+marshmallow-sqlalchemy==0.26.1
 msgpack==1.0.2
-mysqlclient==1.4.2.post1
+mysqlclient==2.0.3
 ordered-set==4.0.2
 # packaging==20.9
 passlib==1.7.4
 # pep517==0.10.0
 progress==1.6
-psycopg2==2.8.2
+psycopg2==2.9.1
 pycparser==2.20
 Pygments==2.10.0
 pyOpenSSL==21.0.0
@@ -60,7 +61,7 @@ requests==2.26.0
 retrying==1.3.3
 # six==1.15.0
 socrate==0.2.0
-SQLAlchemy==1.3.3
+SQLAlchemy==1.4.26
 srslib==0.1.4
 tabulate==0.8.9
 tenacity==8.0.1

From 97e79a973f1ebd1e3d586cb318f0a7484cc4313e Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 4 Nov 2021 08:32:53 +0100
Subject: [PATCH 200/222] fix sso login button spacing again

---
 core/admin/mailu/sso/templates/form_sso.html |  2 +-
 core/admin/mailu/sso/views/base.py           |  1 +
 core/admin/mailu/ui/templates/macros.html    | 14 ++++++++------
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/core/admin/mailu/sso/templates/form_sso.html b/core/admin/mailu/sso/templates/form_sso.html
index b14e7600..d2451597 100644
--- a/core/admin/mailu/sso/templates/form_sso.html
+++ b/core/admin/mailu/sso/templates/form_sso.html
@@ -5,7 +5,7 @@
 <form class="form" method="post" role="form">
   {{ macros.form_field(form.email) }}
   {{ macros.form_field(form.pw) }}
-  {{ macros.form_fields(fields, label=False, class="btn btn-default", spacing=False) }}
+  {{ macros.form_fields(fields, label=False, class="btn btn-default") }}
 </form>
 {%- endcall %}
 {%- endblock %}
diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index fbee52a7..e948aeb7 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -19,6 +19,7 @@ def login():
         fields.append(form.submitAdmin)
     if str(app.config["WEBMAIL"]).upper() != "NONE":
         fields.append(form.submitWebmail)
+    fields = [fields]
 
     if form.validate_on_submit():
         if form.submitAdmin.data:
diff --git a/core/admin/mailu/ui/templates/macros.html b/core/admin/mailu/ui/templates/macros.html
index 75de4e0e..3b7e4c1d 100644
--- a/core/admin/mailu/ui/templates/macros.html
+++ b/core/admin/mailu/ui/templates/macros.html
@@ -18,17 +18,19 @@
   {%- endif %}
 {%- endmacro %}
 
-{%- macro form_fields(fields, prepend='', append='', label=True, spacing=True) %}
-  {%- if spacing %}
+{%- macro form_fields(fields, prepend='', append='', label=True) %}
   {%- set width = (12 / fields|length)|int %}
-  {%- else %}
-  {%- set width = 2 %}
-  {% endif %}
   <div class="form-group">
     <div class="row">
       {%- for field in fields %}
       <div class="col-lg-{{ width }} col-xs-12 {{ 'has-error' if field.errors else '' }}">
-        {{ form_individual_field(field, prepend=prepend, append=append, label=label, **kwargs) }}
+        {%- if field is iterable %}
+          {%- for subfield in field %}
+            {{ form_individual_field(subfield, prepend=prepend, append=append, label=label, **kwargs) }}
+          {%- endfor %}
+        {%- else %}
+          {{ form_individual_field(field, prepend=prepend, append=append, label=label, **kwargs) }}
+        {%- endif %}
       </div>
       {%- endfor %}
     </div>

From 81e33d36790693b2a4fadd4da57325ae184a3d86 Mon Sep 17 00:00:00 2001
From: DjVinnii <vincentkling@msn.com>
Date: Thu, 4 Nov 2021 13:21:37 +0100
Subject: [PATCH 201/222] Add default TZ to config manager

---
 core/admin/mailu/configuration.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 9829f798..c4d4a830 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -44,6 +44,7 @@ DEFAULT_CONFIG = {
     'AUTH_RATELIMIT_EXEMPTION': '',
     'AUTH_RATELIMIT_EXEMPTION_LENGTH': 86400,
     'DISABLE_STATISTICS': False,
+    'TZ': 'Etc/UTC',
     # Mail settings
     'DMARC_RUA': None,
     'DMARC_RUF': None,

From 679eae51810021090c111033b099d00e544e3fa7 Mon Sep 17 00:00:00 2001
From: DjVinnii <vincentkling@msn.com>
Date: Thu, 4 Nov 2021 13:26:40 +0100
Subject: [PATCH 202/222] Add TZ to mailu.env

---
 setup/flavors/compose/mailu.env | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env
index 3e53e7d2..c462c5e2 100644
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@@ -42,6 +42,9 @@ AUTH_RATELIMIT_USER={{ auth_ratelimit_user }}/day
 # Opt-out of statistics, replace with "True" to opt out
 DISABLE_STATISTICS={{ disable_statistics or 'False' }}
 
+# Timezone for the Mailu containers. See this link for all possible values https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+TZ=Etc/UTC
+
 ###################################
 # Optional features
 ###################################

From 225160610b0dd44da446299a04eed9bfa1ead694 Mon Sep 17 00:00:00 2001
From: DjVinnii <vincentkling@msn.com>
Date: Thu, 4 Nov 2021 14:22:12 +0100
Subject: [PATCH 203/222] Set default TZ in Dockerfiles

---
 core/admin/Dockerfile                  | 2 ++
 core/dovecot/Dockerfile                | 3 +++
 core/nginx/Dockerfile                  | 3 +++
 core/postfix/Dockerfile                | 3 +++
 core/rspamd/Dockerfile                 | 3 +++
 optional/clamav/Dockerfile             | 3 +++
 optional/fetchmail/Dockerfile          | 2 ++
 optional/postgresql/Dockerfile         | 3 +++
 optional/radicale/Dockerfile           | 2 ++
 optional/traefik-certdumper/Dockerfile | 2 ++
 optional/unbound/Dockerfile            | 3 +++
 webmails/rainloop/Dockerfile           | 2 ++
 webmails/roundcube/Dockerfile          | 5 +++--
 13 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index 87676eb5..8dda76d2 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -23,6 +23,8 @@ RUN set -eu \
 FROM $DISTRO
 COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
 
+ENV TZ Etc/UTC
+
 # python3 shared with most images
 RUN set -eu \
  && apk add --no-cache python3 py3-pip git bash tzdata \
diff --git a/core/dovecot/Dockerfile b/core/dovecot/Dockerfile
index da376d81..7a2dbdc1 100644
--- a/core/dovecot/Dockerfile
+++ b/core/dovecot/Dockerfile
@@ -11,6 +11,9 @@ RUN git clone https://github.com/grosjo/fts-xapian.git \
   && make install
 
 FROM $DISTRO
+
+ENV TZ Etc/UTC
+
 # python3 shared with most images
 RUN apk add --no-cache \
     python3 py3-pip git bash py3-multidict py3-yarl tzdata \
diff --git a/core/nginx/Dockerfile b/core/nginx/Dockerfile
index 6043cd8d..d8899144 100644
--- a/core/nginx/Dockerfile
+++ b/core/nginx/Dockerfile
@@ -1,5 +1,8 @@
 ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
+
+ENV TZ Etc/UTC
+
 # python3 shared with most images
 RUN apk add --no-cache \
     python3 py3-pip git bash py3-multidict \
diff --git a/core/postfix/Dockerfile b/core/postfix/Dockerfile
index e1e1d6f9..9f0cc701 100644
--- a/core/postfix/Dockerfile
+++ b/core/postfix/Dockerfile
@@ -1,5 +1,8 @@
 ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
+
+ENV TZ Etc/UTC
+
 # python3 shared with most images
 RUN apk add --no-cache \
     python3 py3-pip git bash py3-multidict py3-yarl tzdata \
diff --git a/core/rspamd/Dockerfile b/core/rspamd/Dockerfile
index 296949a2..33174c1a 100644
--- a/core/rspamd/Dockerfile
+++ b/core/rspamd/Dockerfile
@@ -1,5 +1,8 @@
 ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
+
+ENV TZ Etc/UTC
+
 # python3 shared with most images
 RUN apk add --no-cache \
     python3 py3-pip git bash py3-multidict tzdata \
diff --git a/optional/clamav/Dockerfile b/optional/clamav/Dockerfile
index 7ce41453..e17d2d70 100644
--- a/optional/clamav/Dockerfile
+++ b/optional/clamav/Dockerfile
@@ -1,5 +1,8 @@
 ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
+
+ENV TZ Etc/UTC
+
 # python3 shared with most images
 RUN apk add --no-cache \
     python3 py3-pip bash tzdata \
diff --git a/optional/fetchmail/Dockerfile b/optional/fetchmail/Dockerfile
index fc564a4b..995ec48f 100644
--- a/optional/fetchmail/Dockerfile
+++ b/optional/fetchmail/Dockerfile
@@ -1,6 +1,8 @@
 ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 
+ENV TZ Etc/UTC
+
 # python3 shared with most images
 RUN apk add --no-cache \
     python3 py3-pip bash tzdata \
diff --git a/optional/postgresql/Dockerfile b/optional/postgresql/Dockerfile
index ade12a24..3ddbb40a 100644
--- a/optional/postgresql/Dockerfile
+++ b/optional/postgresql/Dockerfile
@@ -1,5 +1,8 @@
 ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
+
+ENV TZ Etc/UTC
+
 # python3 shared with most images
 RUN apk add --no-cache \
     python3 py3-pip bash py3-multidict tzdata \
diff --git a/optional/radicale/Dockerfile b/optional/radicale/Dockerfile
index cecaa2d3..4eb8d5a7 100644
--- a/optional/radicale/Dockerfile
+++ b/optional/radicale/Dockerfile
@@ -1,6 +1,8 @@
 ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 
+ENV TZ Etc/UTC
+
 # python3 shared with most images
 RUN apk add --no-cache \
     python3 py3-pip bash tzdata \
diff --git a/optional/traefik-certdumper/Dockerfile b/optional/traefik-certdumper/Dockerfile
index ce9b4929..506c09c2 100644
--- a/optional/traefik-certdumper/Dockerfile
+++ b/optional/traefik-certdumper/Dockerfile
@@ -1,5 +1,7 @@
 FROM ldez/traefik-certs-dumper
 
+ENV TZ Etc/UTC
+
 RUN apk --no-cache add inotify-tools util-linux bash tzdata
 
 COPY run.sh /
diff --git a/optional/unbound/Dockerfile b/optional/unbound/Dockerfile
index fde67480..bf5d4840 100644
--- a/optional/unbound/Dockerfile
+++ b/optional/unbound/Dockerfile
@@ -1,5 +1,8 @@
 ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
+
+ENV TZ Etc/UTC
+
 # python3 shared with most images
 RUN apk add --no-cache \
     python3 py3-pip git bash py3-multidict tzdata \
diff --git a/webmails/rainloop/Dockerfile b/webmails/rainloop/Dockerfile
index 109546db..02910e39 100644
--- a/webmails/rainloop/Dockerfile
+++ b/webmails/rainloop/Dockerfile
@@ -4,6 +4,8 @@ ARG ARCH=""
 FROM ${ARCH}alpine:3.14
 ONBUILD COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
 
+ENV TZ Etc/UTC
+
 # Shared later between dovecot postfix nginx rspamd rainloop and roundloop
 RUN apk add --no-cache \
     python3 py3-pip tzdata \
diff --git a/webmails/roundcube/Dockerfile b/webmails/roundcube/Dockerfile
index b8ba512f..f5fba3b0 100644
--- a/webmails/roundcube/Dockerfile
+++ b/webmails/roundcube/Dockerfile
@@ -7,6 +7,9 @@ ONBUILD COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/
 FROM ${ARCH}php:7.4-apache as build_other
 
 FROM build_${QEMU}
+
+ENV TZ Etc/UTC
+
 #Shared layer between rainloop and roundcube
 RUN apt-get update && apt-get install -y \
   python3 curl python3-pip git python3-multidict tzdata \
@@ -21,8 +24,6 @@ ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1
 
 ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v4.1.2/carddav-v4.1.2.tar.gz
 
-ENV TZ Etc/UTC
-
 RUN apt-get update && apt-get install -y \
       zlib1g-dev libzip4 libzip-dev libpq-dev \
       python3-jinja2 \

From a6beb234ffafe192fe5755c29aea77bd528527be Mon Sep 17 00:00:00 2001
From: DjVinnii <vincentkling@msn.com>
Date: Thu, 4 Nov 2021 16:17:11 +0100
Subject: [PATCH 204/222] Set timezone in roundcube.ini

---
 webmails/roundcube/Dockerfile | 1 -
 webmails/roundcube/php.ini    | 3 +--
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/webmails/roundcube/Dockerfile b/webmails/roundcube/Dockerfile
index f5fba3b0..4ad89022 100644
--- a/webmails/roundcube/Dockerfile
+++ b/webmails/roundcube/Dockerfile
@@ -29,7 +29,6 @@ RUN apt-get update && apt-get install -y \
       python3-jinja2 \
       gpg \
  && docker-php-ext-install zip pdo_mysql pdo_pgsql \
- && echo date.timezone=${TZ} > /usr/local/etc/php/conf.d/timezone.ini \
  && rm -rf /var/www/html/ \
  && cd /var/www \
  && curl -sL ${ROUNDCUBE_URL} | tar xz \
diff --git a/webmails/roundcube/php.ini b/webmails/roundcube/php.ini
index 27992231..dafa0578 100644
--- a/webmails/roundcube/php.ini
+++ b/webmails/roundcube/php.ini
@@ -1,5 +1,4 @@
 expose_php=Off
-date.timezone=UTC
+date.timezone={{ TZ }}
 upload_max_filesize = {{ MAX_FILESIZE }}M
 post_max_size = {{ MAX_FILESIZE }}M
-

From 548077c465fdfa892e51ad0d2ab95c6ab4385f07 Mon Sep 17 00:00:00 2001
From: DjVinnii <vincentkling@msn.com>
Date: Fri, 5 Nov 2021 09:45:53 +0100
Subject: [PATCH 205/222] Update docs

---
 docs/configuration.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/configuration.rst b/docs/configuration.rst
index 5bf2cb77..71497354 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -62,7 +62,7 @@ there is a good way to disable rate limiting altogether.
 The ``TLS_FLAVOR`` sets how Mailu handles TLS connections. Setting this value to
 ``notls`` will cause Mailu not to server any web content! More on :ref:`tls_flavor`.
 
-The ``TZ`` sets the timezone Mailu will use. The timezone naming convention usually uses a ``Region/City`` format. See `TZ database name`_  for a list of valid timezones This defaults to ``Etc/UTC``
+The ``TZ`` sets the timezone Mailu will use. The timezone naming convention usually uses a ``Region/City`` format. See `TZ database name`_  for a list of valid timezones This defaults to ``Etc/UTC``. Warning: if you are observing different timestamps in your log files you should change your hosts timezone to UTC instead of changing TZ to your local timezone. Using UTC allows easy log correlation with remote MTAs.
 
 .. _`TZ database name`: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
 

From 30d7e72765bba44089e86f49accecc569d731848 Mon Sep 17 00:00:00 2001
From: DjVinnii <vincentkling@msn.com>
Date: Fri, 5 Nov 2021 14:44:12 +0100
Subject: [PATCH 206/222] Move TZ to Advanced settings

---
 core/admin/mailu/configuration.py | 2 +-
 docs/configuration.rst            | 8 ++++----
 setup/flavors/compose/mailu.env   | 6 +++---
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index c4d4a830..54856c09 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -44,7 +44,6 @@ DEFAULT_CONFIG = {
     'AUTH_RATELIMIT_EXEMPTION': '',
     'AUTH_RATELIMIT_EXEMPTION_LENGTH': 86400,
     'DISABLE_STATISTICS': False,
-    'TZ': 'Etc/UTC',
     # Mail settings
     'DMARC_RUA': None,
     'DMARC_RUF': None,
@@ -73,6 +72,7 @@ DEFAULT_CONFIG = {
     'SESSION_LIFETIME': 24,
     'SESSION_COOKIE_SECURE': True,
     'CREDENTIAL_ROUNDS': 12,
+    'TZ': 'Etc/UTC',
     # Host settings
     'HOST_IMAP': 'imap',
     'HOST_LMTP': 'imap:2525',
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 71497354..03817988 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -62,10 +62,6 @@ there is a good way to disable rate limiting altogether.
 The ``TLS_FLAVOR`` sets how Mailu handles TLS connections. Setting this value to
 ``notls`` will cause Mailu not to server any web content! More on :ref:`tls_flavor`.
 
-The ``TZ`` sets the timezone Mailu will use. The timezone naming convention usually uses a ``Region/City`` format. See `TZ database name`_  for a list of valid timezones This defaults to ``Etc/UTC``. Warning: if you are observing different timestamps in your log files you should change your hosts timezone to UTC instead of changing TZ to your local timezone. Using UTC allows easy log correlation with remote MTAs.
-
-.. _`TZ database name`: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
-
 Mail settings
 -------------
 
@@ -198,6 +194,10 @@ The ``LETSENCRYPT_SHORTCHAIN`` (default: False) setting controls whether we send
 
 The ``REAL_IP_HEADER`` (default: unset) and ``REAL_IP_FROM`` (default: unset) settings controls whether HTTP headers such as ``X-Forwarded-For`` or ``X-Real-IP`` should be trusted. The former should be the name of the HTTP header to extract the client IP address from and the later a comma separated list of IP addresses designing which proxies to trust. If you are using Mailu behind a reverse proxy, you should set both. Setting the former without the later introduces a security vulnerability allowing a potential attacker to spoof his source address.
 
+The ``TZ`` sets the timezone Mailu will use. The timezone naming convention usually uses a ``Region/City`` format. See `TZ database name`_  for a list of valid timezones This defaults to ``Etc/UTC``. Warning: if you are observing different timestamps in your log files you should change your hosts timezone to UTC instead of changing TZ to your local timezone. Using UTC allows easy log correlation with remote MTAs.
+
+.. _`TZ database name`: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+
 Antivirus settings
 ------------------
 
diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env
index c462c5e2..a8709ab3 100644
--- a/setup/flavors/compose/mailu.env
+++ b/setup/flavors/compose/mailu.env
@@ -42,9 +42,6 @@ AUTH_RATELIMIT_USER={{ auth_ratelimit_user }}/day
 # Opt-out of statistics, replace with "True" to opt out
 DISABLE_STATISTICS={{ disable_statistics or 'False' }}
 
-# Timezone for the Mailu containers. See this link for all possible values https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
-TZ=Etc/UTC
-
 ###################################
 # Optional features
 ###################################
@@ -173,6 +170,9 @@ REJECT_UNLISTED_RECIPIENT={{ reject_unlisted_recipient }}
 # Log level threshold in start.py (value: CRITICAL, ERROR, WARNING, INFO, DEBUG, NOTSET)
 LOG_LEVEL=WARNING
 
+# Timezone for the Mailu containers. See this link for all possible values https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+TZ=Etc/UTC
+
 ###################################
 # Database settings
 ###################################

From 5714b4f4b0326ee808d0fb4242a1d92ac913d4ae Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 6 Nov 2021 10:05:52 +0100
Subject: [PATCH 207/222] introduce MESSAGE_RATELIMIT_EXEMPTION

---
 core/admin/mailu/configuration.py          | 1 +
 core/admin/mailu/internal/views/postfix.py | 2 ++
 docs/configuration.rst                     | 8 +++++---
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 9829f798..d395073d 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -54,6 +54,7 @@ DEFAULT_CONFIG = {
     'DKIM_PATH': '/dkim/{domain}.{selector}.key',
     'DEFAULT_QUOTA': 1000000000,
     'MESSAGE_RATELIMIT': '200/day',
+    'MESSAGE_RATELIMIT_EXEMPTION': '',
     'RECIPIENT_DELIMITER': '',
     # Web settings
     'SITENAME': 'Mailu',
diff --git a/core/admin/mailu/internal/views/postfix.py b/core/admin/mailu/internal/views/postfix.py
index ab965967..2664f968 100644
--- a/core/admin/mailu/internal/views/postfix.py
+++ b/core/admin/mailu/internal/views/postfix.py
@@ -149,6 +149,8 @@ def postfix_sender_login(sender):
 def postfix_sender_rate(sender):
     """ Rate limit outbound emails per sender login
     """
+    if sender in [s for s in flask.current_app.config.get('MESSAGE_RATELIMIT_EXEMPTION', '').lower().replace(' ', '').split(',') if s]:
+        flask.abort(404)
     user = models.User.get(sender) or flask.abort(404)
     return flask.abort(404) if user.sender_limiter.hit() else flask.jsonify("450 4.2.1 You are sending too many emails too fast.")
 
diff --git a/docs/configuration.rst b/docs/configuration.rst
index fa574415..39680fbd 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -69,9 +69,11 @@ The ``MESSAGE_SIZE_LIMIT`` is the maximum size of a single email. It should not
 be too low to avoid dropping legitimate emails and should not be too high to
 avoid filling the disks with large junk emails.
 
-The ``MESSAGE_RATELIMIT`` is the limit of messages a single user can send. This is
-meant to fight outbound spam in case of compromised or malicious account on the
-server.
+The ``MESSAGE_RATELIMIT`` (default: 200/day) is the maximum number of messages
+a single user can send. ``MESSAGE_RATELIMIT_EXEMPTION`` contains a comma delimited
+list of user email addresses that are exempted from any restriction.  Those
+settings are meant to reduce outbound spam in case of compromised or malicious
+account on the server.
 
 The ``RELAYNETS`` (default: unset) is a comma delimited list of network addresses
 for which mail is relayed for with no authentication required. This should be

From 6c6b0b161caa31c2ba4ce45e715d0324ebf22e41 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 6 Nov 2021 10:45:59 +0100
Subject: [PATCH 208/222] Set the right flags on the rate_limit cookie

---
 core/admin/mailu/sso/views/base.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index fbee52a7..c11c588a 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -38,7 +38,7 @@ def login():
             flask.session.regenerate()
             flask_login.login_user(user)
             response = flask.redirect(destination)
-            response.set_cookie('rate_limit', utils.limiter.device_cookie(username), max_age=31536000, path=flask.url_for('sso.login'))
+            response.set_cookie('rate_limit', utils.limiter.device_cookie(username), max_age=31536000, path=flask.url_for('sso.login'), secure=True, httponly=True)
             flask.current_app.logger.info(f'Login succeeded for {username} from {client_ip}.')
             return response
         else:

From bbef4bee2763011af11a14568c4d85c54a73557e Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 7 Nov 2021 12:20:31 +0100
Subject: [PATCH 209/222] Don't return any key for relayed domains

We may want to revisit this (ARC signing)... but in the meantime
it saves from a scary message in rspamd

signing failure: cannot request data from the vault url: /internal/rspamd/vault/v1/dkim/ ...
---
 core/admin/mailu/internal/views/rspamd.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/core/admin/mailu/internal/views/rspamd.py b/core/admin/mailu/internal/views/rspamd.py
index 8551eb8f..123ec4e2 100644
--- a/core/admin/mailu/internal/views/rspamd.py
+++ b/core/admin/mailu/internal/views/rspamd.py
@@ -14,6 +14,11 @@ def vault_error(*messages, status=404):
 
 @internal.route("/rspamd/vault/v1/dkim/<domain_name>", methods=['GET'])
 def rspamd_dkim_key(domain_name):
+    models.Relay.query.get(domain_name) and return flask.jsonify({
+        'data': {
+            'selectors': []
+        }
+    })
     domain = models.Domain.query.get(domain_name) or flask.abort(vault_error('unknown domain'))
     key = domain.dkim_key or flask.abort(vault_error('no dkim key', status=400))
     return flask.jsonify({

From dc6e970a7f668a9030aff44100682b3a17dc6346 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 7 Nov 2021 12:41:29 +0100
Subject: [PATCH 210/222] handle HTTP too

---
 core/admin/mailu/sso/views/base.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index c11c588a..831949e7 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -38,7 +38,7 @@ def login():
             flask.session.regenerate()
             flask_login.login_user(user)
             response = flask.redirect(destination)
-            response.set_cookie('rate_limit', utils.limiter.device_cookie(username), max_age=31536000, path=flask.url_for('sso.login'), secure=True, httponly=True)
+            response.set_cookie('rate_limit', utils.limiter.device_cookie(username), max_age=31536000, path=flask.url_for('sso.login'), secure=app.config['SESSION_COOKIE_SECURE'], httponly=True)
             flask.current_app.logger.info(f'Login succeeded for {username} from {client_ip}.')
             return response
         else:

From b68033eb43fd249a9092df3f536ffa551de156a5 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 8 Nov 2021 09:23:24 +0100
Subject: [PATCH 211/222] only parse it once

---
 core/admin/mailu/configuration.py          | 1 +
 core/admin/mailu/internal/views/postfix.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index d395073d..a997a8c7 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -156,6 +156,7 @@ class ConfigManager(dict):
         self.config['PERMANENT_SESSION_LIFETIME'] = timedelta(hours=int(self.config['SESSION_LIFETIME']))
         hostnames = [host.strip() for host in self.config['HOSTNAMES'].split(',')]
         self.config['AUTH_RATELIMIT_EXEMPTION'] = set(ipaddress.ip_network(cidr, False) for cidr in (cidr.strip() for cidr in self.config['AUTH_RATELIMIT_EXEMPTION'].split(',')) if cidr)
+        self.config['MESSAGE_RATELIMIT_EXEMPTION'] = set([s for s in self.config['MESSAGE_RATELIMIT_EXEMPTION'].lower().replace(' ', '').split(',') if s])
         self.config['HOSTNAMES'] = ','.join(hostnames)
         self.config['HOSTNAME'] = hostnames[0]
         # update the app config itself
diff --git a/core/admin/mailu/internal/views/postfix.py b/core/admin/mailu/internal/views/postfix.py
index 2664f968..ed951943 100644
--- a/core/admin/mailu/internal/views/postfix.py
+++ b/core/admin/mailu/internal/views/postfix.py
@@ -149,7 +149,7 @@ def postfix_sender_login(sender):
 def postfix_sender_rate(sender):
     """ Rate limit outbound emails per sender login
     """
-    if sender in [s for s in flask.current_app.config.get('MESSAGE_RATELIMIT_EXEMPTION', '').lower().replace(' ', '').split(',') if s]:
+    if sender in flask.current_app.config['MESSAGE_RATELIMIT_EXEMPTION']:
         flask.abort(404)
     user = models.User.get(sender) or flask.abort(404)
     return flask.abort(404) if user.sender_limiter.hit() else flask.jsonify("450 4.2.1 You are sending too many emails too fast.")

From 6bf1a178b94bbfe17da0f0073ab4553ada399c01 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 8 Nov 2021 09:34:02 +0100
Subject: [PATCH 212/222] Go with ghostwheel42's suggestion

---
 core/admin/mailu/internal/views/rspamd.py | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)

diff --git a/core/admin/mailu/internal/views/rspamd.py b/core/admin/mailu/internal/views/rspamd.py
index 123ec4e2..458dbb81 100644
--- a/core/admin/mailu/internal/views/rspamd.py
+++ b/core/admin/mailu/internal/views/rspamd.py
@@ -14,22 +14,14 @@ def vault_error(*messages, status=404):
 
 @internal.route("/rspamd/vault/v1/dkim/<domain_name>", methods=['GET'])
 def rspamd_dkim_key(domain_name):
-    models.Relay.query.get(domain_name) and return flask.jsonify({
-        'data': {
-            'selectors': []
-        }
-    })
-    domain = models.Domain.query.get(domain_name) or flask.abort(vault_error('unknown domain'))
-    key = domain.dkim_key or flask.abort(vault_error('no dkim key', status=400))
-    return flask.jsonify({
-        'data': {
-            'selectors': [
+    selectors = []
+    if domain := models.Domain.query.get(domain_name):
+        if key := domain.dkim_key:
+            selectors.append(
                 {
                     'domain'  : domain.name,
                     'key'     : key.decode('utf8'),
                     'selector': flask.current_app.config.get('DKIM_SELECTOR', 'dkim'),
                 }
-            ]
-        }
-    })
-
+            )
+    return flask.jsonify({'data': {'selectors': selectors}})

From c48e00ee2664a8d74d9797706d465029cd358605 Mon Sep 17 00:00:00 2001
From: Till Skrodzki <till@mueskro.de>
Date: Tue, 9 Nov 2021 12:22:53 +0100
Subject: [PATCH 213/222] Do not call .split() on RELAYNETS if not specified

---
 core/postfix/conf/main.cf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 5fffc330..8ac646da 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -17,7 +17,7 @@ queue_directory = /queue
 message_size_limit = {{ MESSAGE_SIZE_LIMIT }}
 
 # Relayed networks
-mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }} {{ RELAYNETS.split(",") | join(' ') }}
+mynetworks = 127.0.0.1/32 [::1]/128 {{ SUBNET }}  {% if RELAYNETS %}{{ RELAYNETS.split(",") | join(' ') }}{% endif %}
 
 # Empty alias list to override the configuration variable and disable NIS
 alias_maps =

From 2404cf2e3ddf0456fe2cc1a399d6b1738c0798ad Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Tue, 9 Nov 2021 14:10:04 +0000
Subject: [PATCH 214/222] Fix for issue #1223

---
 optional/fetchmail/Dockerfile            | 3 +++
 optional/fetchmail/fetchmail.py          | 1 +
 setup/flavors/compose/docker-compose.yml | 2 ++
 setup/flavors/stack/docker-compose.yml   | 2 +-
 towncrier/newsfragments/1223.bugfix      | 4 ++++
 5 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 towncrier/newsfragments/1223.bugfix

diff --git a/optional/fetchmail/Dockerfile b/optional/fetchmail/Dockerfile
index 995ec48f..0b3d4375 100644
--- a/optional/fetchmail/Dockerfile
+++ b/optional/fetchmail/Dockerfile
@@ -12,6 +12,9 @@ RUN apk add --no-cache \
 RUN apk add --no-cache fetchmail ca-certificates openssl \
  && pip3 install requests
 
+RUN mkdir -p /data
+RUN chown fetchmail:fetchmail /data
+
 COPY fetchmail.py /fetchmail.py
 
 USER fetchmail
diff --git a/optional/fetchmail/fetchmail.py b/optional/fetchmail/fetchmail.py
index 4be3c2bd..3752c395 100755
--- a/optional/fetchmail/fetchmail.py
+++ b/optional/fetchmail/fetchmail.py
@@ -13,6 +13,7 @@ import traceback
 
 FETCHMAIL = """
 fetchmail -N \
+    --idfile /data/.fetchids \
     --sslcertck --sslcertpath /etc/ssl/certs \
     -f {}
 """
diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml
index 2675a2ab..5cdd6129 100644
--- a/setup/flavors/compose/docker-compose.yml
+++ b/setup/flavors/compose/docker-compose.yml
@@ -129,6 +129,8 @@ services:
     image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}fetchmail:${MAILU_VERSION:-{{ version }}}
     restart: always
     env_file: {{ env }}
+    volumes:
+      - "{{ root }}/fetchmail:/data"
     {% if resolver_enabled %}
     depends_on:
       - resolver
diff --git a/setup/flavors/stack/docker-compose.yml b/setup/flavors/stack/docker-compose.yml
index 24afa9f3..ae4f0022 100644
--- a/setup/flavors/stack/docker-compose.yml
+++ b/setup/flavors/stack/docker-compose.yml
@@ -110,7 +110,7 @@ services:
     image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}fetchmail:${MAILU_VERSION:-{{ version }}}
     env_file: {{ env }}
     volumes:
-      - "{{ root }}/data:/data"
+      - "{{ root }}/fetchmail:/data"
     deploy:
       replicas: 1
     healthcheck:
diff --git a/towncrier/newsfragments/1223.bugfix b/towncrier/newsfragments/1223.bugfix
new file mode 100644
index 00000000..3c23d1a4
--- /dev/null
+++ b/towncrier/newsfragments/1223.bugfix
@@ -0,0 +1,4 @@
+Fixed fetchmail losing track of fetched emails upon container recreation. 
+The relevant fetchmail files are now retained in the /data folder (in the fetchmail image).
+See the docker-compose.yml file for the relevant volume mapping.
+If you already had your own mapping, you must double check the volume mapping and take action.

From 92e65b33e03ba0bc881db28a7412489c572b732e Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Wed, 10 Nov 2021 09:07:03 +0000
Subject: [PATCH 215/222] Configure fetchmail to use idfile to keep track of
 messages. Run fetchmail as root. This is unfortunately required because all
 files are owned by root in the mailu data folder. In the future  we must
 switch all images to running all all processes with a non-root user.

---
 optional/fetchmail/Dockerfile   | 5 +----
 optional/fetchmail/fetchmail.py | 2 +-
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/optional/fetchmail/Dockerfile b/optional/fetchmail/Dockerfile
index 0b3d4375..068a5dce 100644
--- a/optional/fetchmail/Dockerfile
+++ b/optional/fetchmail/Dockerfile
@@ -13,10 +13,7 @@ RUN apk add --no-cache fetchmail ca-certificates openssl \
  && pip3 install requests
 
 RUN mkdir -p /data
-RUN chown fetchmail:fetchmail /data
 
 COPY fetchmail.py /fetchmail.py
 
-USER fetchmail
-
-CMD ["/fetchmail.py"]
+CMD ["/fetchmail.py"]
\ No newline at end of file
diff --git a/optional/fetchmail/fetchmail.py b/optional/fetchmail/fetchmail.py
index 3752c395..f3b65fc0 100755
--- a/optional/fetchmail/fetchmail.py
+++ b/optional/fetchmail/fetchmail.py
@@ -13,7 +13,7 @@ import traceback
 
 FETCHMAIL = """
 fetchmail -N \
-    --idfile /data/.fetchids \
+    --idfile /data/.fetchids --uidl \
     --sslcertck --sslcertpath /etc/ssl/certs \
     -f {}
 """

From c81aa67dfa9c8d01cb9d55a7bd8c216518d74f98 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Wed, 10 Nov 2021 13:08:33 +0000
Subject: [PATCH 216/222] Use a better location for storing the fetchmail data.

---
 setup/flavors/compose/docker-compose.yml | 2 +-
 setup/flavors/stack/docker-compose.yml   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml
index 5cdd6129..18a881b8 100644
--- a/setup/flavors/compose/docker-compose.yml
+++ b/setup/flavors/compose/docker-compose.yml
@@ -130,7 +130,7 @@ services:
     restart: always
     env_file: {{ env }}
     volumes:
-      - "{{ root }}/fetchmail:/data"
+      - "{{ root }}/data/fetchmail:/data"
     {% if resolver_enabled %}
     depends_on:
       - resolver
diff --git a/setup/flavors/stack/docker-compose.yml b/setup/flavors/stack/docker-compose.yml
index ae4f0022..0c744d7e 100644
--- a/setup/flavors/stack/docker-compose.yml
+++ b/setup/flavors/stack/docker-compose.yml
@@ -110,7 +110,7 @@ services:
     image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}fetchmail:${MAILU_VERSION:-{{ version }}}
     env_file: {{ env }}
     volumes:
-      - "{{ root }}/fetchmail:/data"
+      - "{{ root }}/data/fetchmail:/data"
     deploy:
       replicas: 1
     healthcheck:

From fd5bdc86501562645d540e44358a787a55ebe542 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 11 Nov 2021 12:20:52 +0100
Subject: [PATCH 217/222] added localized date output

---
 core/admin/mailu/__init__.py                        | 6 +++++-
 core/admin/mailu/ui/templates/alias/list.html       | 4 ++--
 core/admin/mailu/ui/templates/alternative/list.html | 4 +++-
 core/admin/mailu/ui/templates/fetch/list.html       | 6 +++---
 core/admin/mailu/ui/templates/relay/list.html       | 4 ++--
 core/admin/mailu/ui/templates/token/list.html       | 4 +++-
 core/admin/mailu/ui/templates/user/list.html        | 4 ++--
 7 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py
index 2f1b8469..fe1f376c 100644
--- a/core/admin/mailu/__init__.py
+++ b/core/admin/mailu/__init__.py
@@ -57,11 +57,15 @@ def create_app_from_config(config):
             config        = app.config,
         )
 
-    # Jinja filter
+    # Jinja filters
     @app.template_filter()
     def format_date(value):
         return utils.flask_babel.format_date(value) if value else ''
 
+    @app.template_filter()
+    def format_datetime(value):
+        return utils.flask_babel.format_datetime(value) if value else ''
+
     # Import views
     from mailu import ui, internal, sso
     app.register_blueprint(ui.ui, url_prefix=app.config['WEB_ADMIN'])
diff --git a/core/admin/mailu/ui/templates/alias/list.html b/core/admin/mailu/ui/templates/alias/list.html
index 0b784d52..6b52165e 100644
--- a/core/admin/mailu/ui/templates/alias/list.html
+++ b/core/admin/mailu/ui/templates/alias/list.html
@@ -34,8 +34,8 @@
     <td>{{ alias }}</td>
     <td>{{ alias.destination|join(', ') or '-' }}</td>
     <td>{{ alias.comment or '' }}</td>
-    <td>{{ alias.created_at }}</td>
-    <td>{{ alias.updated_at or '' }}</td>
+    <td>{{ alias.created_at | format_date }}</td>
+    <td>{{ alias.updated_at | format_date }}</td>
   </tr>
   {%- endfor %}
 </tbody>
diff --git a/core/admin/mailu/ui/templates/alternative/list.html b/core/admin/mailu/ui/templates/alternative/list.html
index b56cd751..4ca9f3c8 100644
--- a/core/admin/mailu/ui/templates/alternative/list.html
+++ b/core/admin/mailu/ui/templates/alternative/list.html
@@ -19,6 +19,7 @@
     <th>{% trans %}Actions{% endtrans %}</th>
     <th>{% trans %}Name{% endtrans %}</th>
     <th>{% trans %}Created{% endtrans %}</th>
+    <th>{% trans %}Last edit{% endtrans %}</th>
   </tr>
 </thead>
 <tbody>
@@ -28,7 +29,8 @@
       <a href="{{ url_for('.alternative_delete', alternative=alternative.name) }}" title="{% trans %}Delete{% endtrans %}"><i class="fa fa-trash"></i></a>
     </td>
     <td>{{ alternative }}</td>
-    <td>{{ alternative.created_at }}</td>
+    <td>{{ alternative.created_at | format_date }}</td>
+    <td>{{ alternative.updated_at | format_date }}</td>
   </tr>
   {%- endfor %}
 </tbody>
diff --git a/core/admin/mailu/ui/templates/fetch/list.html b/core/admin/mailu/ui/templates/fetch/list.html
index d9374fc6..60b214de 100644
--- a/core/admin/mailu/ui/templates/fetch/list.html
+++ b/core/admin/mailu/ui/templates/fetch/list.html
@@ -36,10 +36,10 @@
     <td>{{ fetch.protocol }}{{ 's' if fetch.tls else '' }}://{{ fetch.host }}:{{ fetch.port }}</td>
     <td>{{ fetch.username }}</td>
     <td>{% if fetch.keep %}{% trans %}yes{% endtrans %}{% else %}{% trans %}no{% endtrans %}{% endif %}</td>
-    <td>{{ fetch.last_check or '-' }}</td>
+    <td>{{ fetch.last_check | format_datetime or '-' }}</td>
     <td>{{ fetch.error or '-' }}</td>
-    <td>{{ fetch.created_at }}</td>
-    <td>{{ fetch.updated_at or '' }}</td>
+    <td>{{ fetch.created_at | format_date }}</td>
+    <td>{{ fetch.updated_at | format_date }}</td>
   </tr>
   {%- endfor %}
 </tbody>
diff --git a/core/admin/mailu/ui/templates/relay/list.html b/core/admin/mailu/ui/templates/relay/list.html
index 07838273..80bc5338 100644
--- a/core/admin/mailu/ui/templates/relay/list.html
+++ b/core/admin/mailu/ui/templates/relay/list.html
@@ -32,8 +32,8 @@
     <td>{{ relay.name }}</td>
     <td>{{ relay.smtp or '-' }}</td>
     <td>{{ relay.comment or '' }}</td>
-    <td>{{ relay.created_at }}</td>
-    <td>{{ relay.updated_at or '' }}</td>
+    <td>{{ relay.created_at | format_date }}</td>
+    <td>{{ relay.updated_at | format_date }}</td>
   </tr>
   {%- endfor %}
 </tbody>
diff --git a/core/admin/mailu/ui/templates/token/list.html b/core/admin/mailu/ui/templates/token/list.html
index c3cc9b5c..d7c48737 100644
--- a/core/admin/mailu/ui/templates/token/list.html
+++ b/core/admin/mailu/ui/templates/token/list.html
@@ -20,6 +20,7 @@
     <th>{% trans %}Comment{% endtrans %}</th>
     <th>{% trans %}Authorized IP{% endtrans %}</th>
     <th>{% trans %}Created{% endtrans %}</th>
+    <th>{% trans %}Last edit{% endtrans %}</th>
   </tr>
 </thead>
 <tbody>
@@ -30,7 +31,8 @@
     </td>
     <td>{{ token.comment }}</td>
     <td>{{ token.ip or "any" }}</td>
-    <td>{{ token.created_at }}</td>
+    <td>{{ token.created_at | format_date }}</td>
+    <td>{{ token.updated_at | format_date }}</td>
   </tr>
   {%- endfor %}
 </tbody>
diff --git a/core/admin/mailu/ui/templates/user/list.html b/core/admin/mailu/ui/templates/user/list.html
index 59a06ea7..7faddab5 100644
--- a/core/admin/mailu/ui/templates/user/list.html
+++ b/core/admin/mailu/ui/templates/user/list.html
@@ -45,8 +45,8 @@
     </td>
     <td>{{ user.quota_bytes_used | filesizeformat }} / {{ (user.quota_bytes | filesizeformat) if user.quota_bytes else '∞' }}</td>
     <td>{{ user.comment or '-' }}</td>
-    <td>{{ user.created_at }}</td>
-    <td>{{ user.updated_at or '' }}</td>
+    <td>{{ user.created_at | format_date }}</td>
+    <td>{{ user.updated_at | format_date }}</td>
   </tr>
   {%- endfor %}
 </tbody>

From cf7914d050687d72606a0157cdf73c7fab785f56 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 11 Nov 2021 16:00:00 +0100
Subject: [PATCH 218/222] fixed field iteration

---
 core/admin/mailu/ui/templates/macros.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/ui/templates/macros.html b/core/admin/mailu/ui/templates/macros.html
index 3b7e4c1d..0da069a9 100644
--- a/core/admin/mailu/ui/templates/macros.html
+++ b/core/admin/mailu/ui/templates/macros.html
@@ -24,7 +24,7 @@
     <div class="row">
       {%- for field in fields %}
       <div class="col-lg-{{ width }} col-xs-12 {{ 'has-error' if field.errors else '' }}">
-        {%- if field is iterable %}
+        {%- if field.__class__.__name__ == 'list' %}
           {%- for subfield in field %}
             {{ form_individual_field(subfield, prepend=prepend, append=append, label=label, **kwargs) }}
           {%- endfor %}

From 84a5514a97c564c23faa36714e33750899fdf28a Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Fri, 12 Nov 2021 12:19:45 +0100
Subject: [PATCH 219/222] fixed auto reply form

---
 core/admin/assets/app.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/admin/assets/app.js b/core/admin/assets/app.js
index 0926578d..03ea6215 100644
--- a/core/admin/assets/app.js
+++ b/core/admin/assets/app.js
@@ -28,10 +28,10 @@ $('document').ready(function() {
         var fieldset = $(this).parents('fieldset');
         if (this.checked) {
             fieldset.removeAttr('disabled');
-            fieldset.find('input').not(this).removeAttr('disabled');
+            fieldset.find('input,textarea').not(this).removeAttr('disabled');
         } else {
             fieldset.attr('disabled', '');
-            fieldset.find('input').not(this).attr('disabled', '');
+            fieldset.find('input,textarea').not(this).attr('disabled', '');
         }
     });
 

From c3dd7330cb9f4b90bc0897fe48556761f5c1c66d Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Fri, 12 Nov 2021 13:30:31 +0000
Subject: [PATCH 220/222] Update reverse proxy documentation (see #1962).

---
 docs/configuration.rst              |  4 +-
 docs/reverse.rst                    | 95 +++++++++++++----------------
 towncrier/newsfragments/1962.bugfix |  4 ++
 3 files changed, 51 insertions(+), 52 deletions(-)
 create mode 100644 towncrier/newsfragments/1962.bugfix

diff --git a/docs/configuration.rst b/docs/configuration.rst
index ccf49058..8f363a63 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -194,7 +194,9 @@ The ``LETSENCRYPT_SHORTCHAIN`` (default: False) setting controls whether we send
 
 .. _`android handsets older than 7.1.1`: https://community.letsencrypt.org/t/production-chain-changes/150739
 
-The ``REAL_IP_HEADER`` (default: unset) and ``REAL_IP_FROM`` (default: unset) settings controls whether HTTP headers such as ``X-Forwarded-For`` or ``X-Real-IP`` should be trusted. The former should be the name of the HTTP header to extract the client IP address from and the later a comma separated list of IP addresses designing which proxies to trust. If you are using Mailu behind a reverse proxy, you should set both. Setting the former without the later introduces a security vulnerability allowing a potential attacker to spoof his source address.
+.. _reverse_proxy_headers:
+
+The ``REAL_IP_HEADER`` (default: unset) and ``REAL_IP_FROM`` (default: unset) settings controls whether HTTP headers such as ``X-Forwarded-For`` or ``X-Real-IP`` should be trusted. The former should be the name of the HTTP header to extract the client IP address from and the later a comma separated list of IP addresses designating which proxies to trust. If you are using Mailu behind a reverse proxy, you should set both. Setting the former without the later introduces a security vulnerability allowing a potential attacker to spoof his source address.
 
 The ``TZ`` sets the timezone Mailu will use. The timezone naming convention usually uses a ``Region/City`` format. See `TZ database name`_  for a list of valid timezones This defaults to ``Etc/UTC``. Warning: if you are observing different timestamps in your log files you should change your hosts timezone to UTC instead of changing TZ to your local timezone. Using UTC allows easy log correlation with remote MTAs.
 
diff --git a/docs/reverse.rst b/docs/reverse.rst
index c6b98e4a..6cde55f2 100644
--- a/docs/reverse.rst
+++ b/docs/reverse.rst
@@ -11,7 +11,10 @@ There are basically three options, from the most to the least recommended one:
 - `use Traefik in another container as central system-reverse-proxy`_
 - `override Mailu Web frontend configuration`_
 
-All options will require that you modify the ``docker-compose.yml`` file.
+All options will require that you modify the ``docker-compose.yml`` and ``mailu.env`` file.
+
+Mailu must also be configured with the information what header is used by the reverse proxy for passing the remote client IP. 
+This is configured in the mailu.env file. See the :ref:`configuration reference <reverse_proxy_headers>` for more information.
 
 Have Mailu Web frontend listen locally
 --------------------------------------
@@ -43,10 +46,19 @@ Then on your own frontend, point to these local ports. In practice, you only nee
     # [...] here goes your standard configuration
 
     location / {
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr
       proxy_pass https://localhost:8443;
     }
   }
 
+.. code-block:: docker
+
+  #mailu.env file
+  REAL_IP_HEADER=X-Real-IP
+  REAL_IP_FROM=x.x.x.x,y.y.y.y.y
+  #x.x.x.x,y.y.y.y.y is the static IP address your reverse proxy uses for connecting to Mailu. 
+  
 Because the admin interface is served as ``/admin``, the Webmail as ``/webmail``, the single sign on page as ``/sso``, webdav as ``/webdav`` and the static files endpoint as ``/static``, you may also want to use a single virtual host and serve other applications (still Nginx):
 
 .. code-block:: nginx
@@ -55,8 +67,9 @@ Because the admin interface is served as ``/admin``, the Webmail as ``/webmail``
     # [...] here goes your standard configuration
 
     location ~ ^/(admin|sso|static|webdav|webmail)/ {
-      proxy_pass https://localhost:8443;
-      proxy_set_header Host $http_host;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr
+      proxy_pass https://localhost:8443;     
     }
 
     location /main_app {
@@ -76,6 +89,13 @@ Because the admin interface is served as ``/admin``, the Webmail as ``/webmail``
     }
   }
 
+.. code-block:: docker
+  
+  #mailu.env file
+  REAL_IP_HEADER=X-Real-IP
+  REAL_IP_FROM=x.x.x.x,y.y.y.y.y
+  #x.x.x.x,y.y.y.y.y is the static IP address your reverse proxy uses for connecting to Mailu. 
+
 Finally, you might want to serve the admin interface on a separate virtual host but not expose the admin container directly (have your own HTTPS virtual hosts on top of Mailu, one public for the Webmail and one internal for administration for instance).
 
 Here is an example configuration :
@@ -88,6 +108,8 @@ Here is an example configuration :
     # [...] here goes your standard configuration
 
     location /webmail {
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr
       proxy_pass https://localhost:8443/webmail;
     }
   }
@@ -98,12 +120,21 @@ Here is an example configuration :
     # [...] here goes your standard configuration
 
     location /admin {
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr
       proxy_pass https://localhost:8443/admin;
       proxy_set_header Host $http_host;
     }
 
   }
 
+.. code-block:: docker
+
+  #mailu.env file
+  REAL_IP_HEADER=X-Real-IP
+  REAL_IP_FROM=x.x.x.x,y.y.y.y.y
+  #x.x.x.x,y.y.y.y.y is the static IP address your reverse proxy uses for connecting to Mailu. 
+
 Depending on how you access the front server, you might want to add a ``proxy_redirect`` directive to your ``location`` blocks:
 
 .. code-block:: nginx
@@ -151,7 +182,16 @@ If your Traefik is configured to automatically request certificates from *letsen
 and this is the ``DOMAIN`` in your ``.env``?
 To support that use-case, Traefik can request ``SANs`` for your domain. The configuration for this will depend on your Traefik version.
 
-----
+Mailu must also be configured with the information what header is used by the reverse proxy for passing the remote client IP.  This is configured in mailu.env:
+
+.. code-block:: docker
+  
+  #mailu.env file
+  REAL_IP_HEADER=X-Real-IP
+  REAL_IP_FROM=x.x.x.x,y.y.y.y.y
+  #x.x.x.x,y.y.y.y.y is the static IP address your reverse proxy uses for connecting to Mailu. 
+
+For more information see the :ref:`configuration reference <reverse_proxy_headers>` for more information.
 
 Traefik 2.x using labels configuration
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -179,53 +219,6 @@ Of course, be sure to define the Certificate Resolver ``foo`` in the static conf
 
 Alternatively, you can define SANs in the Traefik static configuration using routers, or in the static configuration using entrypoints. Refer to the Traefik documentation for more details.
 
-Traefik 1.x with TOML configuration
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Lets add something like
-
-.. code-block:: yaml
-
-  [acme]
-    [[acme.domains]]
-      main = "your.example.com" # this is the same as $TRAEFIK_DOMAIN!
-      sans = ["mail.your.example.com", "webmail.your.example.com", "smtp.your.example.com"]
-
-to your ``traefik.toml``.
-
-----
-
-You might need to clear your ``acme.json``, if a certificate for one of these domains already exists.
-
-You will need some solution which dumps the certificates in ``acme.json``, so you can include them in the ``mailu/front`` container.
-One such example is ``mailu/traefik-certdumper``, which has been adapted for use in Mailu. You can add it to your ``docker-compose.yml`` like:
-
-.. code-block:: yaml
-
-  certdumper:
-    restart: always
-    image: mailu/traefik-certdumper:$VERSION
-    environment:
-    # Make sure this is the same as the main=-domain in traefik.toml
-    # !!! Also don’t forget to add "TRAEFIK_DOMAIN=[...]" to your .env!
-      - DOMAIN=$TRAEFIK_DOMAIN
-    volumes:
-      # Folder, which contains the acme.json
-      - "/data/traefik:/traefik"
-      # Folder, where cert.pem and key.pem will be written
-      - "/data/mailu/certs:/output"
-
-
-Assuming you have ``volume-mounted`` your ``acme.json`` put to ``/data/traefik`` on your host. The dumper will then write out ``/data/mailu/certs/cert.pem`` and ``/data/mailu/certs/key.pem`` whenever ``acme.json`` is updated.
-Yay! Now let’s mount this to our ``front`` container like:
-
-.. code-block:: yaml
-
-    volumes:
-      - /data/mailu/certs:/certs
-
-This works, because we set ``TLS_FLAVOR=mail``, which picks up the key-certificate pair (e.g., ``cert.pem`` and ``key.pem``) from the certs folder in the root path (``/certs/``).
-
 .. _`Traefik`: https://traefik.io/
 
 Override Mailu configuration
diff --git a/towncrier/newsfragments/1962.bugfix b/towncrier/newsfragments/1962.bugfix
new file mode 100644
index 00000000..423271a9
--- /dev/null
+++ b/towncrier/newsfragments/1962.bugfix
@@ -0,0 +1,4 @@
+Reverse proxy documentation has been updated to reflect new security hardening from PR#1959.
+If you do not set the required header, Mailu will not have access to the real ip address of the connecting client.
+This means that rate limiting will not properly work. You can also not use fail2ban. 
+It is very important to set this header when using a reverse proxy.
\ No newline at end of file

From 5911ee605658328bbba375ecfab17bcd63bce54e Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Sat, 13 Nov 2021 14:35:23 +0000
Subject: [PATCH 221/222] Reworded changelog that it is very important to set 
 the new configuration parameters

---
 towncrier/newsfragments/1962.bugfix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/towncrier/newsfragments/1962.bugfix b/towncrier/newsfragments/1962.bugfix
index 423271a9..70b2aa72 100644
--- a/towncrier/newsfragments/1962.bugfix
+++ b/towncrier/newsfragments/1962.bugfix
@@ -1,4 +1,5 @@
 Reverse proxy documentation has been updated to reflect new security hardening from PR#1959.
-If you do not set the required header, Mailu will not have access to the real ip address of the connecting client.
+If you do not set the configuration parameters in Mailu what reverse proxy header to trust,
+then Mailu will not have access to the real ip address of the connecting client.
 This means that rate limiting will not properly work. You can also not use fail2ban. 
-It is very important to set this header when using a reverse proxy.
\ No newline at end of file
+It is very important to configure this when using a reverse proxy.

From d7d02152bbc55f1d26dca7c245d3224786a2ed4a Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Sat, 13 Nov 2021 14:40:22 +0000
Subject: [PATCH 222/222] Make fetchid file not hidden.

---
 optional/fetchmail/fetchmail.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/optional/fetchmail/fetchmail.py b/optional/fetchmail/fetchmail.py
index f3b65fc0..5459de59 100755
--- a/optional/fetchmail/fetchmail.py
+++ b/optional/fetchmail/fetchmail.py
@@ -13,7 +13,7 @@ import traceback
 
 FETCHMAIL = """
 fetchmail -N \
-    --idfile /data/.fetchids --uidl \
+    --idfile /data/fetchids --uidl \
     --sslcertck --sslcertpath /etc/ssl/certs \
     -f {}
 """