From 8fc2846924f8148092926a45cf225485970b5ef9 Mon Sep 17 00:00:00 2001 From: Ionut Filip Date: Tue, 18 Dec 2018 17:06:39 +0200 Subject: [PATCH 01/19] Added regex validation for alias username --- core/admin/mailu/ui/forms.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/admin/mailu/ui/forms.py b/core/admin/mailu/ui/forms.py index 57c106c3..40a56a82 100644 --- a/core/admin/mailu/ui/forms.py +++ b/core/admin/mailu/ui/forms.py @@ -136,7 +136,7 @@ class TokenForm(flask_wtf.FlaskForm): class AliasForm(flask_wtf.FlaskForm): - localpart = fields.StringField(_('Alias'), [validators.DataRequired()]) + localpart = fields.StringField(_('Alias'), [validators.DataRequired(), validators.Regexp(LOCALPART_REGEX)]) wildcard = fields.BooleanField( _('Use SQL LIKE Syntax (e.g. for catch-all aliases)')) destination = DestinationField(_('Destination')) From c041a9d45c1e6acd6bec476800d1f09500549e45 Mon Sep 17 00:00:00 2001 From: hoellen Date: Wed, 19 Dec 2018 16:19:37 +0100 Subject: [PATCH 02/19] allow all characters for username in dovecot --- core/dovecot/conf/dovecot.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/core/dovecot/conf/dovecot.conf b/core/dovecot/conf/dovecot.conf index a9ec2676..bc5055d9 100644 --- a/core/dovecot/conf/dovecot.conf +++ b/core/dovecot/conf/dovecot.conf @@ -64,6 +64,7 @@ plugin { ############### # Authentication ############### +auth_username_chars = auth_mechanisms = plain login disable_plaintext_auth = no From 736607ab0cec4166ac0d415b9bef724b3cb18fc5 Mon Sep 17 00:00:00 2001 From: Daniel Huber Date: Fri, 21 Dec 2018 15:56:12 +0100 Subject: [PATCH 03/19] Update admin account create command in setup utility to use the flask cli --- setup/flavors/compose/setup.html | 2 +- setup/flavors/stack/setup.html | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/flavors/compose/setup.html b/setup/flavors/compose/setup.html index 3d87a263..0487c98f 100644 --- a/setup/flavors/compose/setup.html 
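Review bot: `validators.Regexp(LOCALPART_REGEX)` on the new `localpart` line relies on wtforms' Regexp validator, which uses `re.match` and therefore anchors only at the start of the value — if LOCALPART_REGEX (defined outside this hunk) does not end with `$`, arbitrary trailing characters still pass. The same form offers `wildcard` with SQL LIKE syntax for catch-all aliases, so if the regex does not admit `%` and `_`, a catch-all such as `%` can no longer be saved; either allow those characters or skip the regex when `wildcard` is set. A short comment on the field, `# must stay anchored at both ends; keep LIKE wildcards valid when wildcard is set`, would record that constraint. AliasForm's definition continues outside the hunk.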
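Review bot: `auth_username_chars =` with an empty value switches off Dovecot's username character filter entirely, so every byte a client sends as login name now reaches the passdb/userdb lookups unfiltered; whether that is safe depends on the auth backend treating the username strictly as data, which this hunk cannot show. An in-file comment stating the intent and the assumption, e.g. `# empty = accept any character; username validation is delegated to the admin auth backend`, would keep the next maintainer from loosening or tightening it blindly. If the intent is only to accept what the admin's localpart validation accepts (patch 01), listing that character set here explicitly is the narrower option.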
+++ b/setup/flavors/compose/setup.html @@ -36,7 +36,7 @@ docker-compose -p mailu up -d Before you can use Mailu, you must create the primary administrator user account. This should be {{ postmaster }}@{{ domain }}. Use the following command, changing PASSWORD to your liking: -
docker-compose -p mailu exec admin python manage.py admin {{ postmaster }} {{ domain }} PASSWORD
+
docker-compose -p mailu exec admin flask mailu admin {{ postmaster }} {{ domain }} PASSWORD
 

Login to the admin interface to change the password for a safe one, at diff --git a/setup/flavors/stack/setup.html b/setup/flavors/stack/setup.html index d68a6422..329a2cba 100644 --- a/setup/flavors/stack/setup.html +++ b/setup/flavors/stack/setup.html @@ -45,7 +45,7 @@ Command for removing docker stack is Before you can use Mailu, you must create the primary administrator user account. This should be {{ postmaster }}@{{ domain }}. Use the following command, changing PASSWORD to your liking: -

docker exec $(docker ps | grep admin | cut -d ' ' -f1) python manage.py admin {{ postmaster }} {{ domain }} PASSWORD 
+
docker exec $(docker ps | grep admin | cut -d ' ' -f1) flask mailu admin {{ postmaster }} {{ domain }} PASSWORD
 

Login to the admin interface to change the password for a safe one, at From 3a5b763018d6c2bdda28244901b1e383e6bdfede Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= Date: Tue, 25 Dec 2018 13:52:12 +0200 Subject: [PATCH 04/19] Option to disable full text search (lucene) This is a workaround for the bug in issue #751 --- core/dovecot/conf/dovecot.conf | 2 ++ docs/compose/.env | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/core/dovecot/conf/dovecot.conf b/core/dovecot/conf/dovecot.conf index bc5055d9..83c78f16 100644 --- a/core/dovecot/conf/dovecot.conf +++ b/core/dovecot/conf/dovecot.conf @@ -7,6 +7,7 @@ postmaster_address = {{ POSTMASTER }}@{{ DOMAIN }} hostname = {{ HOSTNAMES.split(",")[0] }} submission_host = {{ FRONT_ADDRESS }} +{% if DISABLE_FTS_LUCENE != 'true' %} ############### # Full-text search ############### @@ -20,6 +21,7 @@ plugin { fts_lucene = whitespace_chars=@. } +{% endif %} ############### # Mailboxes diff --git a/docs/compose/.env b/docs/compose/.env index 73964e3a..836e9dbf 100644 --- a/docs/compose/.env +++ b/docs/compose/.env @@ -3,6 +3,10 @@ # these few settings must however be configured before starting the mail # server and require a restart upon change. +# Set this to `true` to disable full text search by lucene (value: true, false) +# This is a workaround for the bug in issue #751 (indexer-worker crashes) +DISABLE_FTS_LUCENE=false + ################################### # Common configuration variables ################################### From e128d8e975529485e7533766e43e93d1e4376bbc Mon Sep 17 00:00:00 2001 From: Dario Ernst Date: Wed, 5 Dec 2018 21:50:07 +0100 Subject: [PATCH 05/19] Add documentation for usage behind traefik --- docs/reverse.rst | 67 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/docs/reverse.rst b/docs/reverse.rst index ca68fd7f..cd23aad1 100644 --- a/docs/reverse.rst +++ b/docs/reverse.rst 
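Review bot: `{% if DISABLE_FTS_LUCENE != 'true' %}` is a case-sensitive string comparison, so `DISABLE_FTS_LUCENE=True` or `TRUE` leaves full-text search enabled although the `.env` hunk in this commit presents the flag as a simple true/false switch. Normalising first, `{% if DISABLE_FTS_LUCENE|lower != 'true' %}`, removes that trap; the matching `{% endif %}` hunk below needs no change. An unset variable still compares unequal to `'true'` under Jinja's default Undefined, so the default of keeping FTS enabled is unchanged.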
@@ -8,6 +8,7 @@ In such a configuration, one would usually run a frontend reverse proxy to serve There are basically three options, from the most to the least recommended one: - have Mailu Web frontend listen locally and use your own Web frontend on top of it +- use ``Traefik`` in another container as central system-reverse-proxy - override Mailu Web frontend configuration - disable Mailu Web frontend completely and use your own 
@@ -114,6 +115,72 @@ Depending on how you access the front server, you might want to add a ``proxy_re This will stop redirects (301 and 302) sent by the Webmail, nginx front and admin interface from sending you to ``localhost``. +use ``traefik`` in another container as central system-reverse-proxy +-------------------------------------------------------------------- + +``traefik`` is a popular reverse-proxy aimed at containerized systems. As such, many may wish to integrate ``Mailu`` into a system which already uses ``traefik`` as its sole ingress/reverse-proxy. + +As the ``mailu/front`` container uses ``nginx`` not only for ``HTTP`` forwarding, but also for the mail-protocols like ``SMTP``, ``IMAP``, etc, we need to keep this container around even when using another ``HTTP`` reverse-proxy. Furthermore, ``traefik`` is neither able to forward non-HTTP, nor can it easily forward HTTPS-to-HTTPS. This, however, means 3 things: + +- ``mailu/front`` needs to listen internally on ``HTTP`` rather than ``HTTPS`` +- ``mailu/front`` is not exposed to the outside world on ``HTTP`` +- ``mailu/front`` still needs ``SSL`` certificates (here, we assume ``letsencrypt``) for a well-behaved mail service + +This makes the setup with ``traefik`` a bit harder: ``traefik`` saves its certificates in a proprietary ``JSON`` file, which is not readable by the ``nginx`` in the ``front``-container. To solve this, your ``acme.json`` needs to be exposed to the host or a ``docker-volume``. It will then be read by a script in another container, which will dump the certificates as ``PEM`` files, making them readable for ``nginx``. The `front` container will make sure to reload `nginx` whenever these certificates change. + +To set this up, first set ``TLS_FLAVOR=mail`` in your ``.env``. This tells ``mailu/front`` not to try to request certificates using ``letsencrypt``, but to read provided certificates, and use them only for mail-protocols, not for ``HTTP``. 
+Next, in your ``docker-compose.yml``, comment out the ``port`` lines of the ``front`` section for port ``…:80`` and ``…:440``. Add the respective traefik labels for your domain/configuration, like + +.. code-block:: yaml + + labels: + - "traefik.enable=true" + - "traefik.port=80" + - "traefik.frontend.rule=Host:$TRAEFIK_DOMAIN" + +**Please don’t forget to add ``TRAEFIK_DOMAIN=[...]`` TO YOUR ``.env``** + +If your ``traefik`` is configured to automatically request certificates from ``letsencrypt``, then you’ll have a certificate for ``mail.your.doma.in`` now. However, ``mail.your.doma.in`` might only be the location where you want the ``Mailu`` web-interfaces to live — your mail should be sent/received from ``your.doma.in``, and this is the ``DOMAIN`` in your ``.env``? +To support that use-case, ``traefik`` can request ``SANs`` for your domain. Lets add something like + +.. code-block:: toml + + [acme] + [[acme.domains]] + main = "your.doma.in" # this is the same as $TRAEFIK_DOMAIN! + sans = ["mail.your.doma.in", "webmail.your.doma.in", "smtp.your.doma.in"] + +to your ``traefik.toml``. You might need to clear your ``acme.json``, if a certificate for one of these domains already exists. + +For the last part, you’re still a bit on your own. You need some solution which dumps the certificates in ``acme.json``, so you can include them in the ``mailu/front`` container. One such example is `traefik-certdumper `, which has been adapted for use in Mailu. You can add it to your ``docker-compose.yml`` like: + +.. code-block:: yaml + + certdumper: + restart: always + image: nebukadneza/traefik-certdumper:latest + environment: + # Make sure this is the same as the main=-domain in traefik.toml + # !!! Also don’t forget to add "TRAEFIK_DOMAIN=[...]" to your .env! + - DOMAIN=$TRAEFIK_DOMAIN + volumes: + - "/data/traefik:/traefik" + - "$ROOT/certs:/output" + + + +assuming you have ``volume-mounted`` your ``acme.json`` put to ``/data/traefik`` on your host. 
The dumper will then write out ``/data/traefik/ssl/your.doma.in.crt`` and ``/data/traefik/ssl/your.doma.in.key`` whenever ``acme.json`` is updated. Yay! Now let’s mount this to our ``front`` container like: + +.. code-block:: yaml + + volumes: + - "$ROOT/certs:/certs" # Mount both certs directory (for dhparams.pem) and your domains key + - "$ROOT/overrides/nginx:/overrides" + - /data/traefik/ssl/$TRAEFIK_DOMAIN.crt:/certs/cert.pem + - /data/traefik/ssl/$TRAEFIK_DOMAIN.key:/certs/key.pem + + +Note that we still keep the ``$ROOT/certs`` directory-mount there, where ``dhparams.pem`` is going to be placed. Override Mailu configuration ---------------------------- From dc5f5bb023a33d55b1b99a1a4f30407d68390ddf Mon Sep 17 00:00:00 2001 From: Dario Ernst Date: Thu, 6 Dec 2018 09:38:28 +0100 Subject: [PATCH 06/19] Traefik configuration examples --- docs/compose/treafik/docker-compose.yml | 145 ++++++++++++++++++++++++ docs/compose/treafik/traefik.toml | 33 ++++++ 2 files changed, 178 insertions(+) create mode 100644 docs/compose/treafik/docker-compose.yml create mode 100644 docs/compose/treafik/traefik.toml diff --git a/docs/compose/treafik/docker-compose.yml b/docs/compose/treafik/docker-compose.yml new file mode 100644 index 00000000..0dc8369f --- /dev/null +++ b/docs/compose/treafik/docker-compose.yml 
@@ -0,0 +1,145 @@ +version: '2' + +services: + + # This would normally not be here, but where you define your system services + traefik: + image: traefik:alpine + command: --docker + restart: always + ports: + - "80:80" + - "443:443" + volumes: + - "/var/run/docker.sock:/var/run/docker.sock" + - "/data/traefik/acme.json:/acme.json" + - "/data/traefik/traefik.toml:/traefik.toml" + # This may be needed (plus defining mailu_default external: true) if traefik lives elsewhere + # networks: + # - mailu_default + + certdumper: + restart: always + image: nebukadneza/traefik-certdumper:latest + environment: + # Make sure this is the same as the main=-domain in traefik.toml + # !!! Also don’t forget to add "TRAEFIK_DOMAIN=[...]" to your .env! + - DOMAIN=$TRAEFIK_DOMAIN + volumes: + - "/data/traefik:/traefik" + - "$ROOT/certs:/output" + + front: + image: mailu/nginx:$VERSION + restart: always + env_file: .env + logging: + driver: $LOG_DRIVER + labels: # Traefik labels for simple reverse-proxying + - "traefik.enable=true" + - "traefik.port=80" + - "traefik.frontend.rule=Host:$TRAEFIK_DOMAIN" + - "traefik.docker.network=mailu_default" + ports: + - "80" # Let’s not expose 80 or 443 on host, since that’s taken by traefik + - "$BIND_ADDRESS4:110:110" + - "$BIND_ADDRESS4:143:143" + - "$BIND_ADDRESS4:993:993" + - "$BIND_ADDRESS4:995:995" + - "$BIND_ADDRESS4:25:25" + - "$BIND_ADDRESS4:465:465" + - "$BIND_ADDRESS4:587:587" + - "$BIND_ADDRESS6:110:110" + - "$BIND_ADDRESS6:143:143" + - "$BIND_ADDRESS6:993:993" + - "$BIND_ADDRESS6:995:995" + - "$BIND_ADDRESS6:25:25" + - "$BIND_ADDRESS6:465:465" + - "$BIND_ADDRESS6:587:587" + volumes: + - "$ROOT/certs:/certs" # Mount both certs directory (for dhparams.pem) and your domains key + - "$ROOT/overrides/nginx:/overrides" + - /data/traefik/ssl/$TRAEFIK_DOMAIN.crt:/certs/cert.pem + - /data/traefik/ssl/$TRAEFIK_DOMAIN.key:/certs/key.pem + + redis: + image: redis:alpine + restart: always + volumes: + - "$ROOT/redis:/data" + + imap: + image: 
mailu/dovecot:$VERSION + restart: always + env_file: .env + volumes: + - "$ROOT/mail:/mail" + - "$ROOT/overrides:/overrides" + depends_on: + - front + + smtp: + image: mailu/postfix:$VERSION + restart: always + env_file: .env + volumes: + - "$ROOT/overrides:/overrides" + depends_on: + - front + + antispam: + image: mailu/rspamd:$VERSION + restart: always + env_file: .env + volumes: + - "$ROOT/filter:/var/lib/rspamd" + - "$ROOT/dkim:/dkim" + - "$ROOT/overrides/rspamd:/etc/rspamd/override.d" + depends_on: + - front + + antivirus: + image: mailu/$ANTIVIRUS:$VERSION + restart: always + env_file: .env + volumes: + - "$ROOT/filter:/data" + + webdav: + image: mailu/$WEBDAV:$VERSION + restart: always + env_file: .env + volumes: + - "$ROOT/dav:/data" + + admin: + image: mailu/admin:$VERSION + restart: always + env_file: .env + volumes: + - "$ROOT/data:/data" + - "$ROOT/dkim:/dkim" + depends_on: + - redis + + webmail: + image: "mailu/$WEBMAIL:$VERSION" + restart: always + env_file: .env + volumes: + - "$ROOT/webmail:/data" + depends_on: + - imap + + fetchmail: + image: mailu/fetchmail:$VERSION + restart: always + env_file: .env + +networks: + default: + driver: bridge + ipam: + driver: default + config: + - subnet: $SUBNET diff --git a/docs/compose/treafik/traefik.toml b/docs/compose/treafik/traefik.toml new file mode 100644 index 00000000..c09cf42a --- /dev/null +++ b/docs/compose/treafik/traefik.toml 
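Review bot: the `traefik` service bind-mounts `/var/run/docker.sock` into the proxy, which hands the container full control of the Docker daemon (effectively root on the host), and the example says nothing about it; since this file is meant to be copied, a comment next to the mount such as `# gives Traefik full Docker API access; prefer a filtering socket proxy or a dedicated host` is the minimum, noting that a `:ro` bind does not restrict what can be sent over the socket. `image: traefik:alpine` and `image: nebukadneza/traefik-certdumper:latest` are floating tags, so two deployments of the same example can run different code; pinning a version (as `mailu/*:$VERSION` does elsewhere in the file) keeps the example reproducible. The hunk is a new file and otherwise matches the prose added in patch 05.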
@@ -0,0 +1,33 @@
+# This is just boilerplate stuff you probably have in your own config
+logLevel = "INFO"
+defaultEntryPoints = ["https","http"]
+
+[entryPoints]
+ [entryPoints.http]
+ address = ":80"
+ [entryPoints.http.redirect]
+ entryPoint = "https"
+ [entryPoints.https]
+ address = ":443"
+ [entryPoints.https.tls]
+
+[docker]
+endpoint = "unix:///var/run/docker.sock"
+watch = true
+exposedByDefault = false
+
+# Make sure we get acme.json saved, and onHostRule enabled
+[acme]
+email = "your@mail.tld"
+storage = "acme.json"
+entryPoint = "https"
+onHostRule = true
+
+[acme.httpChallenge]
+entryPoint = "http"
+
+# This should include all of your mail domains, and main= should be your $TRAEFIK_DOMAIN
+[[acme.domains]]
+ main = "mail.your.doma.in"
+ sans = ["web.mail.your.doma.in", "smtp.mail.doma.in", "imap.mail.doma.in"]
+
From 633919e97cb638125ae82626bcb0596ca20a498c Mon Sep 17 00:00:00 2001
From: Dario Ernst
Date: Wed, 26 Dec 2018 11:42:48 +0100
Subject: [PATCH 07/19] Add docker to dump traefiks certificates to pem
This is required since traefik sitting on HTTP is able to grab LetsEncrypt certificates which then need to be injected into the front container.
---
optional/traefik-certdumper/.dockerignore | 2 ++
optional/traefik-certdumper/Dockerfile | 8 ++++++
optional/traefik-certdumper/LICENSE | 21 ++++++++++++++++
optional/traefik-certdumper/README.md | 27 ++++++++++++++++++++
optional/traefik-certdumper/run.sh | 30 +++++++++++++++++++++++
5 files changed, 88 insertions(+)
create mode 100644 optional/traefik-certdumper/.dockerignore
create mode 100644 optional/traefik-certdumper/Dockerfile
create mode 100644 optional/traefik-certdumper/LICENSE
create mode 100644 optional/traefik-certdumper/README.md
create mode 100755 optional/traefik-certdumper/run.sh
diff --git a/optional/traefik-certdumper/.dockerignore b/optional/traefik-certdumper/.dockerignore
new file mode 100644
index 00000000..9b54c5ba
--- /dev/null
+++ b/optional/traefik-certdumper/.dockerignore
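Review bot: the `[[acme.domains]]` example is internally inconsistent — `main` is `mail.your.doma.in` while two of the `sans` are `smtp.mail.doma.in` and `imap.mail.doma.in`, which sit under a different parent domain than the `your.doma.in` used everywhere else, so a reader copying the block would request certificates for names they do not control. Keeping all entries under the same parent, `sans = ["web.mail.your.doma.in", "smtp.your.doma.in", "imap.your.doma.in"]`, also lines up with the reverse.rst example in patch 05. `[entryPoints.https.tls]` is left empty; a one-line comment that Traefik's default cipher suites and minimum TLS version apply here would help readers decide whether to harden it.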
@@ -0,0 +1,2 @@
+README.md
+Dockerfile
diff --git a/optional/traefik-certdumper/Dockerfile b/optional/traefik-certdumper/Dockerfile
new file mode 100644
index 00000000..c8a3aa3f
--- /dev/null
+++ b/optional/traefik-certdumper/Dockerfile
@@ -0,0 +1,8 @@
+FROM alpine
+
+RUN apk --no-cache add inotify-tools jq openssl util-linux bash docker
+# while not strictly documented, this script seems to always(?) support previous acme.json versions too
+RUN wget https://raw.githubusercontent.com/containous/traefik/master/contrib/scripts/dumpcerts.sh -O dumpcerts.sh
+
+COPY run.sh /
+ENTRYPOINT ["/run.sh"]
diff --git a/optional/traefik-certdumper/LICENSE b/optional/traefik-certdumper/LICENSE
new file mode 100644
index 00000000..259ccd34
--- /dev/null
+++ b/optional/traefik-certdumper/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 Sven Dowideit
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
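Review bot: `RUN wget https://raw.githubusercontent.com/containous/traefik/master/contrib/scripts/dumpcerts.sh -O dumpcerts.sh` fetches an executable script from an upstream `master` branch at build time with no version pin and no checksum, so every rebuild ships whatever that branch holds at that moment and the image cannot be reproduced or audited — and this script is the one `run.sh` later runs over `acme.json`, i.e. over the private keys. Pin the URL to a tag or commit and verify it, e.g. `RUN wget <pinned-url> -O dumpcerts.sh && echo "<sha256-of-pinned-script>  dumpcerts.sh" | sha256sum -c`, or vendor the script into the repository. The patch 11 hunk on the same file changes only the base image and keeps this line. The `docker` package in the `apk add` line is not used by `run.sh` anywhere in this series; dropping it reduces the image's footprint.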
diff --git a/optional/traefik-certdumper/README.md b/optional/traefik-certdumper/README.md
new file mode 100644
index 00000000..f5434f62
--- /dev/null
+++ b/optional/traefik-certdumper/README.md
@@ -0,0 +1,27 @@
+# Single-domain traefik-certdumper for mailu
+
+This is based on the work by Sven Dowideit on https://github.com/SvenDowideit/traefik-certdumper
+
+## Fork?
+This is a slight modification that is less flexible, but is adapted to the
+usecase in mailu. If you wish to deploy mailu behind a traefik, you face many
+problems. One of these is that you need to get the certificates into mailu in a
+very defined manner. This will copy the certificate for the **Main:**-domain
+given in the DOMAIN-environment onto `output`.
+
+If your output happens to be mailu-front-`/certs`, the certificate-watcher in
+the front-container will catch it and reload nginx. This works for mailu
+`TLS_FLAVOR=[mail, cert]`
+
+
+```
+ certdumper:
+ restart: always
+ image: Mailu/traefik-certdumper:$VERSION
+ environment:
+ - DOMAIN=$DOMAIN
+ volumes:
+ # your traefik data-volume is probably declared outside of the mailu composefile
+ - /data/traefik:/traefik
+ - $ROOT/certs/:/output/
+```
diff --git a/optional/traefik-certdumper/run.sh b/optional/traefik-certdumper/run.sh
new file mode 100755
index 00000000..2f73eaf7
--- /dev/null
+++ b/optional/traefik-certdumper/run.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+function dump() {
+ echo "$(date) Dumping certificates"
+ bash dumpcerts.sh /traefik/acme.json /tmp/work/
+
+ for crt_file in $(ls /tmp/work/certs/*); do
+ pem_file=$(echo $crt_file | sed 's/certs/pem/g' | sed 's/.crt/-public.pem/g')
+ echo "openssl x509 -inform PEM -in $crt_file > $pem_file"
+ openssl x509 -inform PEM -in $crt_file > $pem_file
+ done
+ for key_file in $(ls /tmp/work/private/*); do
+ pem_file=$(echo $key_file | sed 's/private/pem/g' | sed 's/.key/-private.pem/g')
+ echo "openssl rsa -in $key_file -text > $pem_file"
+ openssl rsa -in $key_file -text > $pem_file
+ done
+
+ echo "$(date) Copying certificates"
+ cp -v /tmp/work/pem/${DOMAIN}-private.pem /output/key.pem
+ cp -v /tmp/work/pem/${DOMAIN}-public.pem /output/cert.pem
+}
+
+mkdir -p /tmp/work/pem /tmp/work/certs
+# run once on start to make sure we have any old certs
+dump
+
+while true; do
+ inotifywait -e modify /traefik/acme.json && \
+ dump
+done
From 5bdbbf60d7874fd45732efd021d57785b20bfa7a Mon Sep 17 00:00:00 2001
From: TheLegend875 <40040530+TheLegend875@users.noreply.github.com>
Date: Sat, 22 Dec 2018 22:39:38 +0100
Subject: [PATCH 08/19] fixed display of username when not logged in
---
core/admin/mailu/ui/templates/client.html | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/admin/mailu/ui/templates/client.html b/core/admin/mailu/ui/templates/client.html
index 6adc68a2..81bee135 100644
--- a/core/admin/mailu/ui/templates/client.html
+++ b/core/admin/mailu/ui/templates/client.html
@@ -53,7 +53,7 @@ configure your email client {% trans %}Username{% endtrans %} -
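Review bot: `cp -v /tmp/work/pem/${DOMAIN}-private.pem /output/key.pem` writes the private key into the volume shared with the `front` container with whatever mode the intermediate files and the default umask produce, and nothing in the script restricts it; add `umask 077` right after the shebang (or `chmod 600 /output/key.pem` after the copy) so the key cannot end up world-readable on the shared volume. `openssl rsa -in $key_file -text > $pem_file` additionally dumps the key components in human-readable form into the same file; `openssl rsa -in "$key_file" -out "$pem_file"` yields the plain PEM nginx needs. Style: `for crt_file in $(ls /tmp/work/certs/*)` should iterate the glob directly (`for crt_file in /tmp/work/certs/*`) with `"$crt_file"` quoted, here and in the `private` loop. `/tmp/work/private` is not created by the `mkdir -p` line — presumably `dumpcerts.sh` creates it, worth confirming, as is whether Traefik rewrites `acme.json` in place, since `inotifywait -e modify` on that path would miss a rename-based replacement.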

{{ current_user or "******" }}
+
{{ current_user if current_user.is_authenticated else "******" }}
{% trans %}Password{% endtrans %} From e7c9b32e231e533b844a50260e49cb6735b63363 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= Date: Sun, 30 Dec 2018 15:07:45 +0200 Subject: [PATCH 09/19] Restore VERSION_TAG template --- docs/_templates/page.html | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 docs/_templates/page.html diff --git a/docs/_templates/page.html b/docs/_templates/page.html new file mode 100644 index 00000000..97296793 --- /dev/null +++ b/docs/_templates/page.html @@ -0,0 +1,4 @@ +{%- extends "layout.html" %} +{% block body %} + {{ body|replace("VERSION_TAG", version) }} +{% endblock %} From d6ba39b6a9736b9c972781caf7ec6888856713cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= Date: Sun, 30 Dec 2018 16:49:37 +0200 Subject: [PATCH 10/19] Traefik docs improvements: - Removed code tages to increase readability - Some extra line-breaks for source readability - Fix link to new mailu/traefik-certdumper container - dhparams is no longer stored in /certs - Use a proper "note" box - Fix typo in docs/compose/traefik directory name - Include links to example config files - Fix toml lexer build warning --- .../{treafik => traefik}/docker-compose.yml | 4 +- .../compose/{treafik => traefik}/traefik.toml | 0 docs/reverse.rst | 49 ++++++++++++------- 3 files changed, 32 insertions(+), 21 deletions(-) rename docs/compose/{treafik => traefik}/docker-compose.yml (93%) rename docs/compose/{treafik => traefik}/traefik.toml (100%) diff --git a/docs/compose/treafik/docker-compose.yml b/docs/compose/traefik/docker-compose.yml similarity index 93% rename from docs/compose/treafik/docker-compose.yml rename to docs/compose/traefik/docker-compose.yml index 0dc8369f..607fcaf1 100644 --- a/docs/compose/treafik/docker-compose.yml +++ b/docs/compose/traefik/docker-compose.yml 
@@ -20,7 +20,7 @@ services: certdumper: restart: always - image: nebukadneza/traefik-certdumper:latest + image: mailu/traefik-certdumper:$VERSION environment: # Make sure this is the same as the main=-domain in traefik.toml # !!! Also don’t forget to add "TRAEFIK_DOMAIN=[...]" to your .env! @@ -41,7 +41,6 @@ services: - "traefik.frontend.rule=Host:$TRAEFIK_DOMAIN" - "traefik.docker.network=mailu_default" ports: - - "80" # Let’s not expose 80 or 443 on host, since that’s taken by traefik - "$BIND_ADDRESS4:110:110" - "$BIND_ADDRESS4:143:143" - "$BIND_ADDRESS4:993:993" @@ -57,7 +56,6 @@ services: - "$BIND_ADDRESS6:465:465" - "$BIND_ADDRESS6:587:587" volumes: - - "$ROOT/certs:/certs" # Mount both certs directory (for dhparams.pem) and your domains key - "$ROOT/overrides/nginx:/overrides" - /data/traefik/ssl/$TRAEFIK_DOMAIN.crt:/certs/cert.pem - /data/traefik/ssl/$TRAEFIK_DOMAIN.key:/certs/key.pem diff --git a/docs/compose/treafik/traefik.toml b/docs/compose/traefik/traefik.toml similarity index 100% rename from docs/compose/treafik/traefik.toml rename to docs/compose/traefik/traefik.toml diff --git a/docs/reverse.rst b/docs/reverse.rst index cd23aad1..5f64b8f3 100644 --- a/docs/reverse.rst +++ b/docs/reverse.rst 
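Review bot: switching to `image: mailu/traefik-certdumper:$VERSION` while keeping the `front` volume lines `/data/traefik/ssl/$TRAEFIK_DOMAIN.crt:/certs/cert.pem` and `.key:/certs/key.pem` leaves `front` mounting files this series never produces — `run.sh` from patch 07 copies its result to `/output/cert.pem` and `/output/key.pem`, and `/output` is bound to `$ROOT/certs` in the unchanged `certdumper` volumes in this same hunk. Unless the Mailu image writes elsewhere (not visible here), the two single-file mounts should become `- "$ROOT/certs/cert.pem:/certs/cert.pem"` and `- "$ROOT/certs/key.pem:/certs/key.pem"`, or the `- "$ROOT/certs:/certs"` mount removed in the third hunk should stay. Bind-mounting a host file that does not exist yet also makes Docker create an empty directory at that path, which would then break the dumper's `cp`. The reverse.rst hunks of this commit repeat the same mounts.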
@@ -115,21 +115,28 @@ Depending on how you access the front server, you might want to add a ``proxy_re This will stop redirects (301 and 302) sent by the Webmail, nginx front and admin interface from sending you to ``localhost``. -use ``traefik`` in another container as central system-reverse-proxy +Use Traefik in another container as central system-reverse-proxy -------------------------------------------------------------------- -``traefik`` is a popular reverse-proxy aimed at containerized systems. As such, many may wish to integrate ``Mailu`` into a system which already uses ``traefik`` as its sole ingress/reverse-proxy. +`Traefik`_ is a popular reverse-proxy aimed at containerized systems. +As such, many may wish to integrate Mailu into a system which already uses Traefik as its sole ingress/reverse-proxy. -As the ``mailu/front`` container uses ``nginx`` not only for ``HTTP`` forwarding, but also for the mail-protocols like ``SMTP``, ``IMAP``, etc, we need to keep this container around even when using another ``HTTP`` reverse-proxy. Furthermore, ``traefik`` is neither able to forward non-HTTP, nor can it easily forward HTTPS-to-HTTPS. This, however, means 3 things: +As the ``mailu/front`` container uses Nginx not only for ``HTTP`` forwarding, but also for the mail-protocols like ``SMTP``, ``IMAP``, etc, we need to keep this +container around even when using another ``HTTP`` reverse-proxy. Furthermore, Traefik is neither able to forward non-HTTP, nor can it easily forward HTTPS-to-HTTPS. +This, however, means 3 things: - ``mailu/front`` needs to listen internally on ``HTTP`` rather than ``HTTPS`` - ``mailu/front`` is not exposed to the outside world on ``HTTP`` - ``mailu/front`` still needs ``SSL`` certificates (here, we assume ``letsencrypt``) for a well-behaved mail service -This makes the setup with ``traefik`` a bit harder: ``traefik`` saves its certificates in a proprietary ``JSON`` file, which is not readable by the ``nginx`` in the ``front``-container. 
To solve this, your ``acme.json`` needs to be exposed to the host or a ``docker-volume``. It will then be read by a script in another container, which will dump the certificates as ``PEM`` files, making them readable for ``nginx``. The `front` container will make sure to reload `nginx` whenever these certificates change. +This makes the setup with Traefik a bit harder: Traefik saves its certificates in a proprietary *JSON* file, which is not readable by Nginx in the ``front``-container. +To solve this, your ``acme.json`` needs to be exposed to the host or a ``docker-volume``. It will then be read by a script in another container, +which will dump the certificates as ``PEM`` files, readable for Nginx. The ``front`` container will automatically reload Nginx whenever these certificates change. -To set this up, first set ``TLS_FLAVOR=mail`` in your ``.env``. This tells ``mailu/front`` not to try to request certificates using ``letsencrypt``, but to read provided certificates, and use them only for mail-protocols, not for ``HTTP``. -Next, in your ``docker-compose.yml``, comment out the ``port`` lines of the ``front`` section for port ``…:80`` and ``…:440``. Add the respective traefik labels for your domain/configuration, like +To set this up, first set ``TLS_FLAVOR=mail`` in your ``.env``. This tells ``mailu/front`` not to try to request certificates using ``letsencrypt``, +but to read provided certificates, and use them only for mail-protocols, not for ``HTTP``. +Next, in your ``docker-compose.yml``, comment out the ``port`` lines of the ``front`` section for port ``…:80`` and ``…:440``. +Add the respective Traefik labels for your domain/configuration, like .. code-block:: yaml 
@@ -138,12 +145,14 @@ Next, in your ``docker-compose.yml``, comment out the ``port`` lines of the ``fr - "traefik.port=80" - "traefik.frontend.rule=Host:$TRAEFIK_DOMAIN" -**Please don’t forget to add ``TRAEFIK_DOMAIN=[...]`` TO YOUR ``.env``** +.. note:: Please don’t forget to add ``TRAEFIK_DOMAIN=[...]`` TO YOUR ``.env`` -If your ``traefik`` is configured to automatically request certificates from ``letsencrypt``, then you’ll have a certificate for ``mail.your.doma.in`` now. However, ``mail.your.doma.in`` might only be the location where you want the ``Mailu`` web-interfaces to live — your mail should be sent/received from ``your.doma.in``, and this is the ``DOMAIN`` in your ``.env``? -To support that use-case, ``traefik`` can request ``SANs`` for your domain. Lets add something like +If your Traefik is configured to automatically request certificates from *letsencrypt*, then you’ll have a certificate for ``mail.your.doma.in`` now. However, +``mail.your.doma.in`` might only be the location where you want the Mailu web-interfaces to live — your mail should be sent/received from ``your.doma.in``, +and this is the ``DOMAIN`` in your ``.env``? +To support that use-case, Traefik can request ``SANs`` for your domain. Lets add something like -.. code-block:: toml +.. code-block:: guess [acme] [[acme.domains]] 
@@ -152,13 +161,14 @@ To support that use-case, ``traefik`` can request ``SANs`` for your domain. Lets to your ``traefik.toml``. You might need to clear your ``acme.json``, if a certificate for one of these domains already exists. -For the last part, you’re still a bit on your own. You need some solution which dumps the certificates in ``acme.json``, so you can include them in the ``mailu/front`` container. One such example is `traefik-certdumper `, which has been adapted for use in Mailu. You can add it to your ``docker-compose.yml`` like: +You will need some solution which dumps the certificates in ``acme.json``, so you can include them in the ``mailu/front`` container. +One such example is ``mailu/traefik-certdumper``, which has been adapted for use in Mailu. You can add it to your ``docker-compose.yml`` like: .. code-block:: yaml certdumper: restart: always - image: nebukadneza/traefik-certdumper:latest + image: mailu/traefik-certdumper:$VERSION environment: # Make sure this is the same as the main=-domain in traefik.toml # !!! Also don’t forget to add "TRAEFIK_DOMAIN=[...]" to your .env! 
@@ -169,23 +179,23 @@ For the last part, you’re still a bit on your own. You need some solution whic -assuming you have ``volume-mounted`` your ``acme.json`` put to ``/data/traefik`` on your host. The dumper will then write out ``/data/traefik/ssl/your.doma.in.crt`` and ``/data/traefik/ssl/your.doma.in.key`` whenever ``acme.json`` is updated. Yay! Now let’s mount this to our ``front`` container like: +Assuming you have ``volume-mounted`` your ``acme.json`` put to ``/data/traefik`` on your host. The dumper will then write out ``/data/traefik/ssl/your.doma.in.crt`` +and ``/data/traefik/ssl/your.doma.in.key`` whenever ``acme.json`` is updated. Yay! Now let’s mount this to our ``front`` container like: .. code-block:: yaml volumes: - - "$ROOT/certs:/certs" # Mount both certs directory (for dhparams.pem) and your domains key - "$ROOT/overrides/nginx:/overrides" - /data/traefik/ssl/$TRAEFIK_DOMAIN.crt:/certs/cert.pem - /data/traefik/ssl/$TRAEFIK_DOMAIN.key:/certs/key.pem - -Note that we still keep the ``$ROOT/certs`` directory-mount there, where ``dhparams.pem`` is going to be placed. +.. _`Traefik`: https://traefik.io/ Override Mailu configuration ---------------------------- -If you do not have the resources for running a separate reverse proxy, you could override Mailu reverse proxy configuration by using a Docker volume. Simply store your configuration file (Nginx format), in ``/mailu/nginx.conf`` for instance. +If you do not have the resources for running a separate reverse proxy, you could override Mailu reverse proxy configuration by using a Docker volume. +Simply store your configuration file (Nginx format), in ``/mailu/nginx.conf`` for instance. Then modify your ``docker-compose.yml`` file and change the ``front`` section to add a mount: 
@@ -202,7 +212,10 @@ Then modify your ``docker-compose.yml`` file and change the ``front`` section to
 - "$ROOT/certs:/certs"
 - "$ROOT/nginx.conf:/etc/nginx/nginx.conf"
-You can use our default configuration file as a sane base for your configuration.
+You can also download the example configuration files:
+
+- :download:`compose/traefik/docker-compose.yml`
+- :download:`compose/traefik/traefik.toml`
 Disable completely Mailu reverse proxy
 --------------------------------------
From fd23e02aaa25d556403d05f2280a9b16f2a04fde Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Sun, 30 Dec 2018 16:55:18 +0200
Subject: [PATCH 11/19] Use alpine versioned and defin volumes
---
 optional/traefik-certdumper/Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/optional/traefik-certdumper/Dockerfile b/optional/traefik-certdumper/Dockerfile
index c8a3aa3f..92e5e900 100644
--- a/optional/traefik-certdumper/Dockerfile
+++ b/optional/traefik-certdumper/Dockerfile
@@ -1,8 +1,11 @@
-FROM alpine
+FROM alpine:3.8
 RUN apk --no-cache add inotify-tools jq openssl util-linux bash docker
 # while not strictly documented, this script seems to always(?) support previous acme.json versions too
 RUN wget https://raw.githubusercontent.com/containous/traefik/master/contrib/scripts/dumpcerts.sh -O dumpcerts.sh
+VOLUME ["/traefik"]
+VOLUME ["/output"]
+
 COPY run.sh /
 ENTRYPOINT ["/run.sh"]
From 7c7b52d935fbfbd0e90d82c963fa4a70d906045e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Sun, 30 Dec 2018 17:06:52 +0200
Subject: [PATCH 12/19] Include certdumper in autobuild
---
 tests/build.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/tests/build.yml b/tests/build.yml
index 0d89c5b8..4f6e33de 100644
--- a/tests/build.yml
+++ b/tests/build.yml
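Review bot: The `RUN wget https://raw.githubusercontent.com/containous/traefik/master/contrib/scripts/dumpcerts.sh -O dumpcerts.sh` step is still fetching the script from the moving `master` branch with no integrity check, so although this commit pins the base image to `alpine:3.8`, every rebuild bakes in whatever that URL serves on build day and the image is neither reproducible nor protected against that file changing upstream. Pin the URL to a fixed upstream revision and verify the download before it is used, e.g. `RUN wget https://raw.githubusercontent.com/containous/traefik/<PINNED_UPSTREAM_COMMIT>/contrib/scripts/dumpcerts.sh -O dumpcerts.sh \` / `    && echo "<EXPECTED_SHA256>  dumpcerts.sh" | sha256sum -c -` (placeholders to be filled from the revision you validated; `sha256sum -c` is available in the BusyBox of the Alpine base). The comment above it about supporting earlier `acme.json` versions then also refers to a known revision of the script instead of an unspecified state of `master`. The new `VOLUME ["/output"]` declaration is not matched by anything visible: the `run.sh` hunk in this series only shows `/tmp/work/`, so it is worth confirming the script really writes to `/output` before declaring it.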
@@ -30,6 +30,10 @@ services:
 image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX}radicale:${MAILU_VERSION:-local}
 build: ../optional/radicale
+ traefik-certdumper:
+ image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX}traefik-certdumper:${MAILU_VERSION:-local}
+ build: ../optional/traefik-certdumper
+
 admin:
 image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX}admin:${MAILU_VERSION:-local}
 build: ../core/admin
From a5b96553aac0919fda68b64ef2dab7d2f48a4767 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Sun, 30 Dec 2018 18:47:12 +0200
Subject: [PATCH 13/19] Check for dumpcerts.sh return status code
---
 optional/traefik-certdumper/run.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/optional/traefik-certdumper/run.sh b/optional/traefik-certdumper/run.sh
index 2f73eaf7..78d20a84 100755
--- a/optional/traefik-certdumper/run.sh
+++ b/optional/traefik-certdumper/run.sh
@@ -2,7 +2,7 @@ function dump() {
 echo "$(date) Dumping certificates"
- bash dumpcerts.sh /traefik/acme.json /tmp/work/
+ bash dumpcerts.sh /traefik/acme.json /tmp/work/ || return
 for crt_file in $(ls /tmp/work/certs/*); do
 pem_file=$(echo $crt_file | sed 's/certs/pem/g' | sed 's/.crt/-public.pem/g')
From e1902907ff8616bdb64158e82c512b55e9cdcf0d Mon Sep 17 00:00:00 2001
From: hoellen
Date: Sun, 30 Dec 2018 18:08:51 +0100
Subject: [PATCH 14/19] Prepare changelog for 1.6
---
 CHANGELOG.md | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 103 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2afc69cf..9ced5a79 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
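Review bot: `bash dumpcerts.sh /traefik/acme.json /tmp/work/ || return` makes `dump()` bail out silently: the non-zero status is propagated to the caller, but unlike the `echo "$(date) Dumping certificates"` on entry nothing is logged, so a container whose certificates quietly stop being refreshed (for instance after an `acme.json` format change the script cannot parse) leaves no trace in the logs. Log before returning, e.g. `bash dumpcerts.sh /traefik/acme.json /tmp/work/ || { echo "$(date) dumpcerts.sh failed, keeping previous certificates" >&2; return 1; }`. The next line, `for crt_file in $(ls /tmp/work/certs/*); do`, is pre-existing but worth fixing in the same pass: it word-splits the `ls` output and sends the `ls` error for an empty directory to stderr without any handling; `for crt_file in /tmp/work/certs/*; do [ -e "$crt_file" ] || continue` iterates safely. Because `/tmp/work/` is reused across runs, a dump that fails midway may also leave stale files from an earlier run for the loop to pick up, unless the script clears the directory first (not visible in this hunk). `dump()` continues outside the hunk.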
@@ -5,6 +5,109 @@ Notable changes to this project are documented in the current file. For more
 details about individual changes, see the Git log. You should read this before
 upgrading Freposte.io as some changes will include useful notes.
+v1.6.0 - unreleased
+-------------------
+
+- Global: Architecture of the central container (#56, #108)
+- Global: Serve documentation with docker (#601, #608)
+- Global: Travis-CI automated test build (#602)
+- Global: Abstract db access from Postfix and Dovecot (#612)
+- Global: Refactor the admin architecture and configuration management (#670)
+- Feature: Used quota in admin interface (#216)
+- Feature: User Signup (#281, #340)
+- Feature: Client setup page (#342)
+- Feature: Administration setup page (#343)
+- Feature: Visual notice whether the mx record points to mailu server (#356)
+- Feature: Option for vacation start (#362)
+- Feature: Enable enigma in Roundcube (#391)
+- Feature: Allow more charcaters as a valid email address (#443)
+- Feature: IDNA support (#446)
+- Feature: Disable user account (#449)
+- Feature: Use fuzzy hashes in rpamd (#456, #527)
+- Feature: Enable “doveadm -A” command (#458)
+- Feature: Remove the Service Status page (#463)
+- Feature: Automated Releases (#487)
+- Feature: Support for ARC (#495)
+- Feature: Add posibilty to run webmail on root (#501)
+- Feature: Upgrade docker-compose.yml to version 3 (#539)
+- Feature: Documentation to deploy mailu on a docker swarm (#551)
+- Feature: Add full-text search support (#552)
+- Feature: Add optional Maildir-Compression (#553)
+- Feature: Preserve rspamd history on container restart (#561)
+- Feature: FAQ (#564, #677)
+- Feature: Kubernetes support (#576)
+- Feature: Option to bounce or reject email when recipient is unknown (#583, #626)
+- Feature: implement healthchecks for all containers (#631)
+- Feature: Option to send front logs to journald or syslog (#584, #661)
+- Feature: Support bcrypt and PBKDF2 (#647, #667)
+- Feature: enable http2 (#674)
+- Feature: Unbound DNS as optional service (#681)
+- Feature: Re-write test suite (#682)
+- Feature: Docker image prefixes (#702)
+- Feature: Add authentication method “login” for Outlook (#704)
+- Feature: Allow extending nginx config with overrides (#713)
+- Feature: Dynamic attachment size limit (#731)
+- Feature: Certificate watcher for external certs to reload nginx (#732)
+- Feature: Kubernetes
+- Enhancement: Use pre-defined dhparam (#322)
+- Enhancement: Disable ssl_session_tickets (#329)
+- Enhancement: max attachment size in roundcube (#338)
+- Enhancement: Use x-forwarded-proto with redirects (#347)
+- Enhancement: Added adress verification before accepting mails for delivery (#353)
+- Enhancement: Reverse proxy - Real ip header and mail-letsencrypt (#358)
+- Enhancement: Parametrize hosts (#373)
+- Enhancement: Expose ports in dockerfiles (#392)
+- Enhancement: Added webmail-imap dependency in docker-compose (#403)
+- Enhancement: Add environment variables to allow running outside of docker-compose (#429)
+- Enhancement: Add original Delivered-To header to received messages (#433)
+- Enhancement: Use HOST_ADMIN in "Forwarding authentication server" (#436, #437)
+- Enhancement: Use POD_ADDRESS_RANGE for Dovecot (#448)
+- Enhancement: Using configurable filenames for TLS certs (#468)
+- Enhancement: Don't require BootstrapCDN (GDPR-compliance) (#477)
+- Enhancement: Use dynamic client_max_body_size for webmail (#502)
+- Enhancement: New logo design (#509)
+- Enhancement: New manifests for Kubernetes (#544)
+- Enhancement: Pin Alpine image (#548, #557)
+- Enhancement: Use safer cipher in roundcube (#597)
+- Enhancement: Improve sender checks (#633)
+- Enhancement: Use PHP 7.2 for rainloop and roundcube (#606, #642)
+- Enhancement: Multi-version documentation (#664)
+- Enhancement: Contribution documentation (#700)
+- Enhancement: Move Mailu Docker network to a fixed subnet (#727)
+- Enhancement: Added regex validation for alias username (#764)
+- 
Enhancement: Update documentation
+- Upstream: Update Roundcube
+- Upstream: Update Rainloop
+- Bug: Rainloop fails with "domain not allowed" (#93)
+- Bug: Announces fail (#309)
+- Bug: Authentication issues with rspamd admin ui (#315)
+- Bug: front hangup on restart (#341)
+- Bug: Display the proper user quota when set to 0/infinity (#345)
+- Bug: Domain details button "Regenerate keys" when no keys are generated yet (#346)
+- Bug: Relayed Domains: access denied error (#351)
+- Bug: Do not deny HTTP access upon TLS error when the flavor is mail (#352)
+- Bug: php_zip extension missing in Roundcube webmail (#364)
+- Bug: RoundCube webmail .htaccess assumes PHP 5 (#366)
+- Bug: No quota shows "0 Bytes" in user list (#368)
+- Bug: RELAYNETS not honored when login is different from sender (#369)
+- Bug: Request Entity Too Large (#371)
+- Bug: Pass the full host to the backend (#372)
+- Bug: Can't send from an email account that has forwarding (#390)
+- Bug: SSL protocol error roundcube/imap (#411, #414)
+- Bug: Unable to send from alternative domains (#415)
+- Bug: Webadmin redirect ignores host port (#419)
+- Bug: Disable esld when signing with dkim (#435)
+- Bug: DKIM missing when using identities (#462)
+- Bug: Moving mails from Junk to Trash flags them as ham (#474)
+- Bug: Cannot set the "keep emails" for fetched accounts (#479)
+- Bug: CVE-2018-8740 (#482)
+- Bug: Hide administration header in sidebar for normal users (#505)
+- Bug: Return correct status codes from auth rate limiter failure (#513)
+- Bug: Domain edit page shows "Create" button (#523)
+- Bug: Hostname resolving in start.py should retry on failure [docker swarm] (#555)
+- Bug: Error when trying to log in with an account without domain (#585)
+- Bug: Fix rainloop permissions (#637)
+
 v1.5.1 - 2017-11-21
 -------------------
From a7853ff52811464e71b7cc72bafbfc91004ba88d Mon Sep 17 00:00:00 2001
From: hoellen
Date: Sun, 30 Dec 2018 18:21:51 +0100
Subject: [PATCH 15/19] link issue to url
---
 CHANGELOG.md | 190 +++++++++++++++++++++++++--------------------------
 1 file changed, 95 insertions(+), 95 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9ced5a79..f3bcce93 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,105 +8,105 @@ upgrading Freposte.io as some changes will include useful notes.
 v1.6.0 - unreleased
 -------------------
-- Global: Architecture of the central container (#56, #108)
-- Global: Serve documentation with docker (#601, #608)
-- Global: Travis-CI automated test build (#602)
-- Global: Abstract db access from Postfix and Dovecot (#612)
-- Global: Refactor the admin architecture and configuration management (#670)
-- Feature: Used quota in admin interface (#216)
-- Feature: User Signup (#281, #340)
-- Feature: Client setup page (#342)
-- Feature: Administration setup page (#343)
-- Feature: Visual notice whether the mx record points to mailu server (#356)
-- Feature: Option for vacation start (#362)
-- Feature: Enable enigma in Roundcube (#391)
-- Feature: Allow more charcaters as a valid email address (#443)
-- Feature: IDNA support (#446)
-- Feature: Disable user account (#449)
-- Feature: Use fuzzy hashes in rpamd (#456, #527)
-- Feature: Enable “doveadm -A” command (#458)
-- Feature: Remove the Service Status page (#463)
-- Feature: Automated Releases (#487)
-- Feature: Support for ARC (#495)
-- Feature: Add posibilty to run webmail on root (#501)
-- Feature: Upgrade docker-compose.yml to version 3 (#539)
-- Feature: Documentation to deploy mailu on a docker swarm (#551)
-- Feature: Add full-text search support (#552)
-- Feature: Add optional Maildir-Compression (#553)
-- Feature: Preserve rspamd history on container restart (#561)
-- Feature: FAQ (#564, #677)
-- Feature: Kubernetes support (#576)
-- Feature: Option to bounce or reject email when recipient is unknown (#583, #626)
-- Feature: implement healthchecks for all containers (#631)
-- Feature: Option to send front logs to journald or syslog (#584, #661)
-- Feature: Support bcrypt and PBKDF2 (#647, #667)
-- Feature: enable http2 (#674)
-- Feature: Unbound DNS as optional service (#681)
-- Feature: Re-write test suite (#682)
-- Feature: Docker image prefixes (#702)
-- Feature: Add 
authentication method “login” for Outlook (#704)
-- Feature: Allow extending nginx config with overrides (#713)
-- Feature: Dynamic attachment size limit (#731)
-- Feature: Certificate watcher for external certs to reload nginx (#732)
+- Global: Architecture of the central container ([#56](https://github.com/Mailu/Mailu/issues/56), [#108](https://github.com/Mailu/Mailu/issues/108))
+- Global: Serve documentation with docker ([#601](https://github.com/Mailu/Mailu/issues/601), [#608](https://github.com/Mailu/Mailu/issues/608))
+- Global: Travis-CI automated test build ([#602](https://github.com/Mailu/Mailu/issues/602))
+- Global: Abstract db access from Postfix and Dovecot ([#612](https://github.com/Mailu/Mailu/issues/612))
+- Global: Refactor the admin architecture and configuration management ([#670](https://github.com/Mailu/Mailu/issues/670))
+- Feature: Used quota in admin interface ([#216](https://github.com/Mailu/Mailu/issues/216))
+- Feature: User Signup ([#281](https://github.com/Mailu/Mailu/issues/281), [#340](https://github.com/Mailu/Mailu/issues/340))
+- Feature: Client setup page ([#342](https://github.com/Mailu/Mailu/issues/342))
+- Feature: Administration setup page ([#343](https://github.com/Mailu/Mailu/issues/343))
+- Feature: Visual notice whether the mx record points to mailu server ([#356](https://github.com/Mailu/Mailu/issues/356))
+- Feature: Option for vacation start ([#362](https://github.com/Mailu/Mailu/issues/362))
+- Feature: Enable enigma in Roundcube ([#391](https://github.com/Mailu/Mailu/issues/391))
+- Feature: Allow more charcaters as a valid email address ([#443](https://github.com/Mailu/Mailu/issues/443))
+- Feature: IDNA support ([#446](https://github.com/Mailu/Mailu/issues/446))
+- Feature: Disable user account ([#449](https://github.com/Mailu/Mailu/issues/449))
+- Feature: Use fuzzy hashes in rpamd ([#456](https://github.com/Mailu/Mailu/issues/456), [#527](https://github.com/Mailu/Mailu/issues/527))
+- Feature: Enable “doveadm -A” 
command ([#458](https://github.com/Mailu/Mailu/issues/458))
+- Feature: Remove the Service Status page ([#463](https://github.com/Mailu/Mailu/issues/463))
+- Feature: Automated Releases ([#487](https://github.com/Mailu/Mailu/issues/487))
+- Feature: Support for ARC ([#495](https://github.com/Mailu/Mailu/issues/495))
+- Feature: Add posibilty to run webmail on root ([#501](https://github.com/Mailu/Mailu/issues/501))
+- Feature: Upgrade docker-compose.yml to version 3 ([#539](https://github.com/Mailu/Mailu/issues/539))
+- Feature: Documentation to deploy mailu on a docker swarm ([#551](https://github.com/Mailu/Mailu/issues/551))
+- Feature: Add full-text search support ([#552](https://github.com/Mailu/Mailu/issues/552))
+- Feature: Add optional Maildir-Compression ([#553](https://github.com/Mailu/Mailu/issues/553))
+- Feature: Preserve rspamd history on container restart ([#561](https://github.com/Mailu/Mailu/issues/561))
+- Feature: FAQ ([#564](https://github.com/Mailu/Mailu/issues/564), [#677](https://github.com/Mailu/Mailu/issues/677))
+- Feature: Kubernetes support ([#576](https://github.com/Mailu/Mailu/issues/576))
+- Feature: Option to bounce or reject email when recipient is unknown ([#583](https://github.com/Mailu/Mailu/issues/583), [#626](https://github.com/Mailu/Mailu/issues/626))
+- Feature: implement healthchecks for all containers ([#631](https://github.com/Mailu/Mailu/issues/631))
+- Feature: Option to send front logs to journald or syslog ([#584](https://github.com/Mailu/Mailu/issues/584), [#661](https://github.com/Mailu/Mailu/issues/661))
+- Feature: Support bcrypt and PBKDF2 ([#647](https://github.com/Mailu/Mailu/issues/647), [#667](https://github.com/Mailu/Mailu/issues/667))
+- Feature: enable http2 ([#674](https://github.com/Mailu/Mailu/issues/674))
+- Feature: Unbound DNS as optional service ([#681](https://github.com/Mailu/Mailu/issues/681))
+- Feature: Re-write test suite ([#682](https://github.com/Mailu/Mailu/issues/682))
+- Feature: Docker 
image prefixes ([#702](https://github.com/Mailu/Mailu/issues/702))
+- Feature: Add authentication method “login” for Outlook ([#704](https://github.com/Mailu/Mailu/issues/704))
+- Feature: Allow extending nginx config with overrides ([#713](https://github.com/Mailu/Mailu/issues/713))
+- Feature: Dynamic attachment size limit ([#731](https://github.com/Mailu/Mailu/issues/731))
+- Feature: Certificate watcher for external certs to reload nginx ([#732](https://github.com/Mailu/Mailu/issues/732))
 - Feature: Kubernetes
-- Enhancement: Use pre-defined dhparam (#322)
-- Enhancement: Disable ssl_session_tickets (#329)
-- Enhancement: max attachment size in roundcube (#338)
-- Enhancement: Use x-forwarded-proto with redirects (#347)
-- Enhancement: Added adress verification before accepting mails for delivery (#353)
-- Enhancement: Reverse proxy - Real ip header and mail-letsencrypt (#358)
-- Enhancement: Parametrize hosts (#373)
-- Enhancement: Expose ports in dockerfiles (#392)
-- Enhancement: Added webmail-imap dependency in docker-compose (#403)
-- Enhancement: Add environment variables to allow running outside of docker-compose (#429)
-- Enhancement: Add original Delivered-To header to received messages (#433)
-- Enhancement: Use HOST_ADMIN in "Forwarding authentication server" (#436, #437)
-- Enhancement: Use POD_ADDRESS_RANGE for Dovecot (#448)
-- Enhancement: Using configurable filenames for TLS certs (#468)
-- Enhancement: Don't require BootstrapCDN (GDPR-compliance) (#477)
-- Enhancement: Use dynamic client_max_body_size for webmail (#502)
-- Enhancement: New logo design (#509)
-- Enhancement: New manifests for Kubernetes (#544)
-- Enhancement: Pin Alpine image (#548, #557)
-- Enhancement: Use safer cipher in roundcube (#597)
-- Enhancement: Improve sender checks (#633)
-- Enhancement: Use PHP 7.2 for rainloop and roundcube (#606, #642)
-- Enhancement: Multi-version documentation (#664)
-- Enhancement: Contribution documentation (#700)
-- Enhancement: Move Mailu 
Docker network to a fixed subnet (#727)
-- Enhancement: Added regex validation for alias username (#764)
+- Enhancement: Use pre-defined dhparam ([#322](https://github.com/Mailu/Mailu/issues/322))
+- Enhancement: Disable ssl_session_tickets ([#329](https://github.com/Mailu/Mailu/issues/329))
+- Enhancement: max attachment size in roundcube ([#338](https://github.com/Mailu/Mailu/issues/338))
+- Enhancement: Use x-forwarded-proto with redirects ([#347](https://github.com/Mailu/Mailu/issues/347))
+- Enhancement: Added adress verification before accepting mails for delivery ([#353](https://github.com/Mailu/Mailu/issues/353))
+- Enhancement: Reverse proxy - Real ip header and mail-letsencrypt ([#358](https://github.com/Mailu/Mailu/issues/358))
+- Enhancement: Parametrize hosts ([#373](https://github.com/Mailu/Mailu/issues/373))
+- Enhancement: Expose ports in dockerfiles ([#392](https://github.com/Mailu/Mailu/issues/392))
+- Enhancement: Added webmail-imap dependency in docker-compose ([#403](https://github.com/Mailu/Mailu/issues/403))
+- Enhancement: Add environment variables to allow running outside of docker-compose ([#429](https://github.com/Mailu/Mailu/issues/429))
+- Enhancement: Add original Delivered-To header to received messages ([#433](https://github.com/Mailu/Mailu/issues/433))
+- Enhancement: Use HOST_ADMIN in "Forwarding authentication server" ([#436](https://github.com/Mailu/Mailu/issues/436), [#437](https://github.com/Mailu/Mailu/issues/437))
+- Enhancement: Use POD_ADDRESS_RANGE for Dovecot ([#448](https://github.com/Mailu/Mailu/issues/448))
+- Enhancement: Using configurable filenames for TLS certs ([#468](https://github.com/Mailu/Mailu/issues/468))
+- Enhancement: Don't require BootstrapCDN (GDPR-compliance) ([#477](https://github.com/Mailu/Mailu/issues/477))
+- Enhancement: Use dynamic client_max_body_size for webmail ([#502](https://github.com/Mailu/Mailu/issues/502))
+- Enhancement: New logo design 
([#509](https://github.com/Mailu/Mailu/issues/509))
+- Enhancement: New manifests for Kubernetes ([#544](https://github.com/Mailu/Mailu/issues/544))
+- Enhancement: Pin Alpine image ([#548](https://github.com/Mailu/Mailu/issues/548), [#557](https://github.com/Mailu/Mailu/issues/557))
+- Enhancement: Use safer cipher in roundcube ([#597](https://github.com/Mailu/Mailu/issues/597))
+- Enhancement: Improve sender checks ([#633](https://github.com/Mailu/Mailu/issues/633))
+- Enhancement: Use PHP 7.2 for rainloop and roundcube ([#606](https://github.com/Mailu/Mailu/issues/606), [#642](https://github.com/Mailu/Mailu/issues/642))
+- Enhancement: Multi-version documentation ([#664](https://github.com/Mailu/Mailu/issues/664))
+- Enhancement: Contribution documentation ([#700](https://github.com/Mailu/Mailu/issues/700))
+- Enhancement: Move Mailu Docker network to a fixed subnet ([#727](https://github.com/Mailu/Mailu/issues/727))
+- Enhancement: Added regex validation for alias username ([#764](https://github.com/Mailu/Mailu/issues/764))
 - Enhancement: Update documentation
 - Upstream: Update Roundcube
 - Upstream: Update Rainloop
-- Bug: Rainloop fails with "domain not allowed" (#93)
-- Bug: Announces fail (#309)
-- Bug: Authentication issues with rspamd admin ui (#315)
-- Bug: front hangup on restart (#341)
-- Bug: Display the proper user quota when set to 0/infinity (#345)
-- Bug: Domain details button "Regenerate keys" when no keys are generated yet (#346)
-- Bug: Relayed Domains: access denied error (#351)
-- Bug: Do not deny HTTP access upon TLS error when the flavor is mail (#352)
-- Bug: php_zip extension missing in Roundcube webmail (#364)
-- Bug: RoundCube webmail .htaccess assumes PHP 5 (#366)
-- Bug: No quota shows "0 Bytes" in user list (#368)
-- Bug: RELAYNETS not honored when login is different from sender (#369)
-- Bug: Request Entity Too Large (#371)
-- Bug: Pass the full host to the backend (#372)
-- Bug: Can't send from an email account that has forwarding 
(#390)
-- Bug: SSL protocol error roundcube/imap (#411, #414)
-- Bug: Unable to send from alternative domains (#415)
-- Bug: Webadmin redirect ignores host port (#419)
-- Bug: Disable esld when signing with dkim (#435)
-- Bug: DKIM missing when using identities (#462)
-- Bug: Moving mails from Junk to Trash flags them as ham (#474)
-- Bug: Cannot set the "keep emails" for fetched accounts (#479)
-- Bug: CVE-2018-8740 (#482)
-- Bug: Hide administration header in sidebar for normal users (#505)
-- Bug: Return correct status codes from auth rate limiter failure (#513)
-- Bug: Domain edit page shows "Create" button (#523)
-- Bug: Hostname resolving in start.py should retry on failure [docker swarm] (#555)
-- Bug: Error when trying to log in with an account without domain (#585)
-- Bug: Fix rainloop permissions (#637)
+- Bug: Rainloop fails with "domain not allowed" ([#93](https://github.com/Mailu/Mailu/issues/93))
+- Bug: Announces fail ([#309](https://github.com/Mailu/Mailu/issues/309))
+- Bug: Authentication issues with rspamd admin ui ([#315](https://github.com/Mailu/Mailu/issues/315))
+- Bug: front hangup on restart ([#341](https://github.com/Mailu/Mailu/issues/341))
+- Bug: Display the proper user quota when set to 0/infinity ([#345](https://github.com/Mailu/Mailu/issues/345))
+- Bug: Domain details button "Regenerate keys" when no keys are generated yet ([#346](https://github.com/Mailu/Mailu/issues/346))
+- Bug: Relayed Domains: access denied error ([#351](https://github.com/Mailu/Mailu/issues/351))
+- Bug: Do not deny HTTP access upon TLS error when the flavor is mail ([#352](https://github.com/Mailu/Mailu/issues/352))
+- Bug: php_zip extension missing in Roundcube webmail ([#364](https://github.com/Mailu/Mailu/issues/364))
+- Bug: RoundCube webmail .htaccess assumes PHP 5 ([#366](https://github.com/Mailu/Mailu/issues/366))
+- Bug: No quota shows "0 Bytes" in user list ([#368](https://github.com/Mailu/Mailu/issues/368))
+- Bug: RELAYNETS not honored when login 
is different from sender ([#369](https://github.com/Mailu/Mailu/issues/369))
+- Bug: Request Entity Too Large ([#371](https://github.com/Mailu/Mailu/issues/371))
+- Bug: Pass the full host to the backend ([#372](https://github.com/Mailu/Mailu/issues/372))
+- Bug: Can't send from an email account that has forwarding ([#390](https://github.com/Mailu/Mailu/issues/390))
+- Bug: SSL protocol error roundcube/imap ([#411](https://github.com/Mailu/Mailu/issues/411), [#414](https://github.com/Mailu/Mailu/issues/414))
+- Bug: Unable to send from alternative domains ([#415](https://github.com/Mailu/Mailu/issues/415))
+- Bug: Webadmin redirect ignores host port ([#419](https://github.com/Mailu/Mailu/issues/419))
+- Bug: Disable esld when signing with dkim ([#435](https://github.com/Mailu/Mailu/issues/435))
+- Bug: DKIM missing when using identities ([#462](https://github.com/Mailu/Mailu/issues/462))
+- Bug: Moving mails from Junk to Trash flags them as ham ([#474](https://github.com/Mailu/Mailu/issues/474))
+- Bug: Cannot set the "keep emails" for fetched accounts ([#479](https://github.com/Mailu/Mailu/issues/479))
+- Bug: CVE-2018-8740 ([#482](https://github.com/Mailu/Mailu/issues/482))
+- Bug: Hide administration header in sidebar for normal users ([#505](https://github.com/Mailu/Mailu/issues/505))
+- Bug: Return correct status codes from auth rate limiter failure ([#513](https://github.com/Mailu/Mailu/issues/513))
+- Bug: Domain edit page shows "Create" button ([#523](https://github.com/Mailu/Mailu/issues/523))
+- Bug: Hostname resolving in start.py should retry on failure [docker swarm] ([#555](https://github.com/Mailu/Mailu/issues/555))
+- Bug: Error when trying to log in with an account without domain ([#585](https://github.com/Mailu/Mailu/issues/585))
+- Bug: Fix rainloop permissions ([#637](https://github.com/Mailu/Mailu/issues/637))
 v1.5.1 - 2017-11-21
 -------------------
From aefb638eca56b8ba4bb8f2e4b16fb68a454a73eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Sun, 30 Dec 2018 21:08:29 +0200
Subject: [PATCH 16/19] Fix links to documentation
---
 CONTRIBUTING.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 4a7611f0..ff7939e5 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,7 +1,7 @@
 This project is open source, and your contributions are all welcome. There are mostly three different ways one can contribute to the project:
 1. use Mailu, either on test or on production instances, and report meaningful bugs when you find some;
-2. contribute code and/or configuration to the repository (see [the development guidelines](https://mailu.io/contributors/guide.html) for details);
-3. contribute localization to your native language (see [the localization docs](https://mailu.io/contributors/localization.html) for details);
+2. contribute code and/or configuration to the repository (see [the development guidelines](https://mailu.io/master/contributors/guide.html) for details);
+3. contribute localization to your native language (see [the localization docs](https://mailu.io/master/contributors/localization.html) for details);
 Either way, keep in mind that the code you write or the translation you produce muts be licensed under the same conditions as the project itself. Additionally, all contributors are considered equal co-authors of the project.
From 2dfed9dc908a2765c779cac495f7461b1fb12110 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Sun, 30 Dec 2018 21:15:41 +0200
Subject: [PATCH 17/19] Add usrpro team to authors
---
 AUTHORS.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/AUTHORS.md b/AUTHORS.md
index f62c2e14..11aca2a4 100644
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -22,3 +22,5 @@ Other contributors:
 - "SunMar" - Dutch translation
 - "Marty Hou" - Chinese Simple translation
 - [Thomas Sänger](https://github.com/HorayNarea) - German translation
+ - [Tim Mohlmann](https://github.com/muhlemmer) - [Contributions](https://github.com/Mailu/Mailu/commits?author=muhlemmer)
+ - [Ionut Filip](https://github.com/ionutfilip) - [Contributions](https://github.com/Mailu/Mailu/commits?author=ionutfilip)
From 03ee3aa918a77d9f4136c14c8a61eb97ebc48910 Mon Sep 17 00:00:00 2001
From: Dario Ernst
Date: Sun, 30 Dec 2018 21:46:02 +0100
Subject: [PATCH 18/19] Fix typo in contributor docs
---
 docs/contributors/environment.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/contributors/environment.rst b/docs/contributors/environment.rst
index b539293b..263ef747 100644
--- a/docs/contributors/environment.rst
+++ b/docs/contributors/environment.rst
@@ -184,7 +184,7 @@ directory structure.
 If you do no posses the resources, but want to become an involved tester/reviewer. Please contact `muhlemmer on Matrix`_.
-He can provide access to a testing server, if a thrust relation can be established.
+He can provide access to a testing server, if a trust relation can be established.
 .. _`muhlemmer on Matrix`: https://matrix.to/#/@muhlemmer:matrix.org
From aaa7ef5de3da26b8ee86f29e1f74025715e56be3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Mon, 31 Dec 2018 03:13:47 +0200
Subject: [PATCH 19/19] Update demo server docs
---
 docs/demo.rst | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)
diff --git a/docs/demo.rst b/docs/demo.rst
index e2f6c4b0..9415e670 100644
--- a/docs/demo.rst
+++ b/docs/demo.rst
@@ -5,21 +5,32 @@ The demo server is for demonstration and test purposes only. Please be
 respectful and keep the demo server functional for others to be able to try it out.
-The server is reset every day at 3am, french time. If you find the server is
-unusable, you can still ask for someone to reset it manually on our Matrix
-chat channel. Please do not open tickets everytime the server is down. Please
-do not open tickets if the server is quite slow: it *is* slow because the
-machine is a cheap leased server.
+If you find the server is unusable, you can ask for someone to reset it manually on our Matrix
+chat channel. Please do not open tickets every time the server is down.
+Please do not open tickets if the server is quite slow: it *is* slow because the
+services have only limited resources available.
-Keep in mind that the demo server is also used for some automated tests and runs
-the latest unstable version. If you find actual bugs when using the demo
-server, please report these!
+Keep in mind that the demo server runs the latest unstable (master) version.
+If you find actual bugs when using the demo server, please report these!
+
+Functionality
+-------------
+
+- The server is reset every day at 3am, UTC.
+- You can send mail from any client to the server.
+ However, the stmp server is made incapable of relaying the e-mail to the destination server.
+ As such, the mail will never arrive. This is to prevent abuse of the server.
+- The server is capable of receiving mail for any configured domains.
+- The server exposes IMAP, POP3 and SMTP as usual for connection with mail clients such as Thunderbird.
+- The containers have limited (throttled) CPU, this means it can respond slow during heavy operations.
+- The containers have limited memory available and will be killed when exceeded.
+ This is to prevent people from doing nasty things to the server as a whole.
Connecting to the server
 ------------------------
 * Server name : ``test.mailu.io``
- * IP address : ``51.15.169.20``
+ * IP address : ``173.249.45.89``
 * Webmail : https://test.mailu.io/webmail/
 * Admin UI : https://test.mailu.io/admin/
 * Admin login : ``admin@test.mailu.io``