From 4f96e991449b52400b5a1fe8d968f07ff9346842 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 29 Aug 2021 17:40:37 +0200
Subject: [PATCH 01/53] MTA-STS (use rather than publish policies)

---
 core/postfix/Dockerfile         |  5 +++++
 core/postfix/conf/main.cf       |  2 +-
 core/postfix/mta-sts-daemon.yml | 10 ++++++++++
 core/postfix/start.py           | 10 ++++++++++
 4 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 core/postfix/mta-sts-daemon.yml

diff --git a/core/postfix/Dockerfile b/core/postfix/Dockerfile
index 062155c1..8efe5da4 100644
--- a/core/postfix/Dockerfile
+++ b/core/postfix/Dockerfile
@@ -12,10 +12,15 @@ RUN pip3 install socrate==0.2.0
 RUN pip3 install "podop>0.2.5"
 
 # Image specific layers under this line
+RUN apk add --no-cache --virtual .build-deps gcc musl-dev python3-dev
+RUN pip3 install --no-binary :all: postfix-mta-sts-resolver==1.0.1
+RUN apk del .build-deps gcc musl-dev python3-dev
+
 RUN apk add --no-cache postfix postfix-pcre cyrus-sasl-login
 
 COPY conf /conf
 COPY start.py /start.py
+COPY mta-sts-daemon.yml /etc/
 
 EXPOSE 25/tcp 10025/tcp
 VOLUME ["/queue"]
diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 7f84ade7..0194324f 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -59,7 +59,7 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
 smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
-smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map
+smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, socketmap:unix:/tmp/mta-sts.socket:postfix
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
 smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
diff --git a/core/postfix/mta-sts-daemon.yml b/core/postfix/mta-sts-daemon.yml
new file mode 100644
index 00000000..39f60e48
--- /dev/null
+++ b/core/postfix/mta-sts-daemon.yml
@@ -0,0 +1,10 @@
+path: "/tmp/mta-sts.socket"
+mode: 0600
+shutdown_timeout: 20
+cache:
+  type: internal
+  options:
+    cache_size: 10000
+default_zone:
+  strict_testing: false
+  timeout: 4
diff --git a/core/postfix/start.py b/core/postfix/start.py
index 799d42f5..50565e3d 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -30,6 +30,12 @@ def start_podop():
         ("senderrate", "url", url + "sender/rate/§")
     ])
 
+def start_mta_sts_daemon():
+    os.chmod("/root/", 0o755) # read access to /root/.netrc required
+    os.setuid(getpwnam('postfix').pw_uid)
+    from postfix_mta_sts_resolver import daemon
+    daemon.main()
+
 def is_valid_postconf_line(line):
     return not line.startswith("#") \
             and not line == ''
@@ -68,6 +74,9 @@ for map_file in glob.glob("/overrides/*.map"):
     os.system("postmap {}".format(destination))
     os.remove(destination)
 
+if os.path.exists("/overrides/mta-sts-daemon.yml"):
+    shutil.copyfile("/overrides/mta-sts-daemon.yml", "/etc/mta-sts-daemon.yml")
+
 if not os.path.exists("/etc/postfix/tls_policy.map.db"):
     with open("/etc/postfix/tls_policy.map", "w") as f:
         for domain in ['gmail.com', 'yahoo.com', 'hotmail.com', 'aol.com', 'outlook.com', 'comcast.net', 'icloud.com', 'msn.com', 'hotmail.co.uk', 'live.com', 'yahoo.co.in', 'me.com', 'mail.ru', 'cox.net', 'yahoo.co.uk', 'verizon.net', 'ymail.com', 'hotmail.it', 'kw.com', 'yahoo.com.tw', 'mac.com', 'live.se', 'live.nl', 'yahoo.com.br', 'googlemail.com', 'libero.it', 'web.de', 'allstate.com', 'btinternet.com', 'online.no', 'yahoo.com.au', 'live.dk', 'earthlink.net', 'yahoo.fr', 'yahoo.it', 'gmx.de', 'hotmail.fr', 'shawinc.com', 'yahoo.de', 'moe.edu.sg', 'naver.com', 'bigpond.com', 'statefarm.com', 'remax.net', 'rocketmail.com', 'live.no', 'yahoo.ca', 'bigpond.net.au', 'hotmail.se', 'gmx.at', 'live.co.uk', 'mail.com', 'yahoo.in', 'yandex.ru', 'qq.com', 'charter.net', 'indeedemail.com', 'alice.it', 'hotmail.de', 'bluewin.ch', 'optonline.net', 'wp.pl', 'yahoo.es', 'hotmail.no', 'pindotmedia.com', 'orange.fr', 'live.it', 'yahoo.co.id', 'yahoo.no', 'hotmail.es', 'morganstanley.com', 'wellsfargo.com', 'wanadoo.fr', 'facebook.com', 'yahoo.se', 'fema.dhs.gov', 'rogers.com', 'yahoo.com.hk', 'live.com.au', 'nic.in', 'nab.com.au', 'ubs.com', 'shaw.ca', 'umich.edu', 'westpac.com.au', 'yahoo.com.mx', 'yahoo.com.sg', 'farmersagent.com', 'yahoo.dk', 'dhs.gov']:
@@ -81,6 +90,7 @@ if "RELAYUSER" in os.environ:
 
 # Run Podop and Postfix
 multiprocessing.Process(target=start_podop).start()
+multiprocessing.Process(target=start_mta_sts_daemon).start()
 os.system("/usr/libexec/postfix/post-install meta_directory=/etc/postfix create-missing")
 # Before starting postfix, we need to check permissions on /queue
 # in the event that postfix,postdrop id have changed

From 52d3a338751c6f7dd14c63de6c2164d3a9d9f8da Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 29 Aug 2021 17:41:55 +0200
Subject: [PATCH 02/53] Remove the domains that have a valid MTA-STS policy

gmail.com
comcast.net
mail.ru
googlemail.com
wp.pl
---
 core/postfix/start.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/postfix/start.py b/core/postfix/start.py
index 50565e3d..de559b27 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -79,7 +79,7 @@ if os.path.exists("/overrides/mta-sts-daemon.yml"):
 
 if not os.path.exists("/etc/postfix/tls_policy.map.db"):
     with open("/etc/postfix/tls_policy.map", "w") as f:
-        for domain in ['gmail.com', 'yahoo.com', 'hotmail.com', 'aol.com', 'outlook.com', 'comcast.net', 'icloud.com', 'msn.com', 'hotmail.co.uk', 'live.com', 'yahoo.co.in', 'me.com', 'mail.ru', 'cox.net', 'yahoo.co.uk', 'verizon.net', 'ymail.com', 'hotmail.it', 'kw.com', 'yahoo.com.tw', 'mac.com', 'live.se', 'live.nl', 'yahoo.com.br', 'googlemail.com', 'libero.it', 'web.de', 'allstate.com', 'btinternet.com', 'online.no', 'yahoo.com.au', 'live.dk', 'earthlink.net', 'yahoo.fr', 'yahoo.it', 'gmx.de', 'hotmail.fr', 'shawinc.com', 'yahoo.de', 'moe.edu.sg', 'naver.com', 'bigpond.com', 'statefarm.com', 'remax.net', 'rocketmail.com', 'live.no', 'yahoo.ca', 'bigpond.net.au', 'hotmail.se', 'gmx.at', 'live.co.uk', 'mail.com', 'yahoo.in', 'yandex.ru', 'qq.com', 'charter.net', 'indeedemail.com', 'alice.it', 'hotmail.de', 'bluewin.ch', 'optonline.net', 'wp.pl', 'yahoo.es', 'hotmail.no', 'pindotmedia.com', 'orange.fr', 'live.it', 'yahoo.co.id', 'yahoo.no', 'hotmail.es', 'morganstanley.com', 'wellsfargo.com', 'wanadoo.fr', 'facebook.com', 'yahoo.se', 'fema.dhs.gov', 'rogers.com', 'yahoo.com.hk', 'live.com.au', 'nic.in', 'nab.com.au', 'ubs.com', 'shaw.ca', 'umich.edu', 'westpac.com.au', 'yahoo.com.mx', 'yahoo.com.sg', 'farmersagent.com', 'yahoo.dk', 'dhs.gov']:
+        for domain in ['yahoo.com', 'hotmail.com', 'aol.com', 'outlook.com', 'icloud.com', 'msn.com', 'hotmail.co.uk', 'live.com', 'yahoo.co.in', 'me.com', 'cox.net', 'yahoo.co.uk', 'verizon.net', 'ymail.com', 'hotmail.it', 'kw.com', 'yahoo.com.tw', 'mac.com', 'live.se', 'live.nl', 'yahoo.com.br', 'libero.it', 'web.de', 'allstate.com', 'btinternet.com', 'online.no', 'yahoo.com.au', 'live.dk', 'earthlink.net', 'yahoo.fr', 'yahoo.it', 'gmx.de', 'hotmail.fr', 'shawinc.com', 'yahoo.de', 'moe.edu.sg', 'naver.com', 'bigpond.com', 'statefarm.com', 'remax.net', 'rocketmail.com', 'live.no', 'yahoo.ca', 'bigpond.net.au', 'hotmail.se', 'gmx.at', 'live.co.uk', 'mail.com', 'yahoo.in', 'yandex.ru', 'qq.com', 'charter.net', 'indeedemail.com', 'alice.it', 'hotmail.de', 'bluewin.ch', 'optonline.net', 'yahoo.es', 'hotmail.no', 'pindotmedia.com', 'orange.fr', 'live.it', 'yahoo.co.id', 'yahoo.no', 'hotmail.es', 'morganstanley.com', 'wellsfargo.com', 'wanadoo.fr', 'facebook.com', 'yahoo.se', 'fema.dhs.gov', 'rogers.com', 'yahoo.com.hk', 'live.com.au', 'nic.in', 'nab.com.au', 'ubs.com', 'shaw.ca', 'umich.edu', 'westpac.com.au', 'yahoo.com.mx', 'yahoo.com.sg', 'farmersagent.com', 'yahoo.dk', 'dhs.gov']:
             f.write(f'{domain}\tsecure\n')
     os.system("postmap /etc/postfix/tls_policy.map")
 

From a01960787362ed3fc5e7774c3bc573b3c52a86d9 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 29 Aug 2021 17:46:28 +0200
Subject: [PATCH 03/53] towncrier

---
 towncrier/newsfragments/1798.feature | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 towncrier/newsfragments/1798.feature

diff --git a/towncrier/newsfragments/1798.feature b/towncrier/newsfragments/1798.feature
new file mode 100644
index 00000000..1b63a85c
--- /dev/null
+++ b/towncrier/newsfragments/1798.feature
@@ -0,0 +1 @@
+Implement MTA-STS (use published policies)

From 5634354911bf645ea6b8204af4964d51e06178db Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 29 Aug 2021 18:28:56 +0200
Subject: [PATCH 04/53] document how to publish an MTA-STS policy

---
 docs/faq.rst | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/docs/faq.rst b/docs/faq.rst
index a2c6bd33..98026ab1 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -369,6 +369,31 @@ How do I use webdav (radicale)?
 .. _`575`: https://github.com/Mailu/Mailu/issues/575
 .. _`1591`: https://github.com/Mailu/Mailu/issues/1591
 
+How do I setup a MTA-STS policy?
+````````````````````````````````
+
+Mailu can serve an `MTA-STS policy`_; To configure it you will need to:
+
+1. setup the appropriate DNS/CNAME record (``mta-sts.example.com`` -> ``mailu.example.com``) and DNS/TXT record (``_mta-sts.example.com`` -> ``v=STSv1; id=1``) paying attention to the ``TTL`` as this is used by MTA-STS.
+
+2. configure an override with the policy itself; for example, your ``overrides/mta-sts.conf`` could read:
+
+.. code-block:: bash
+
+   location ^~ /.well-known/mta-sts.txt {
+   return 200 "version: STSv1
+   mode: enforce
+   max_age: 86401
+   mx: mailu.example.com\r\n";
+   }
+
+3. add ``mta-sts.example.com`` to the ``HOSTNAMES`` configuration variable (and ensure that a valid SSL certificate is available for it)
+
+*issue reference:* `1798`_.
+
+.. _`1798`: https://github.com/Mailu/Mailu/issues/1798
+.. _`MTA-STS policy`: https://datatracker.ietf.org/doc/html/rfc8461
+
 Technical issues
 ----------------
 

From 5efe35329be9862cf4dcb34292b7b5a9b1976b5f Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 29 Aug 2021 18:29:44 +0200
Subject: [PATCH 05/53] doh

---
 docs/faq.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/faq.rst b/docs/faq.rst
index 98026ab1..92b208de 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -376,7 +376,7 @@ Mailu can serve an `MTA-STS policy`_; To configure it you will need to:
 
 1. setup the appropriate DNS/CNAME record (``mta-sts.example.com`` -> ``mailu.example.com``) and DNS/TXT record (``_mta-sts.example.com`` -> ``v=STSv1; id=1``) paying attention to the ``TTL`` as this is used by MTA-STS.
 
-2. configure an override with the policy itself; for example, your ``overrides/mta-sts.conf`` could read:
+2. configure an override with the policy itself; for example, your ``overrides/nginx/mta-sts.conf`` could read:
 
 .. code-block:: bash
 

From 7c5dcfa025e8b7e1f7e5bb6b3ac56331bc928287 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 29 Aug 2021 18:32:17 +0200
Subject: [PATCH 06/53] MTA-STS is a major feature

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index c4354b28..8c7d1640 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ Main features include:
 - **Web access**, multiple Webmails and administration interface
 - **User features**, aliases, auto-reply, auto-forward, fetched accounts
 - **Admin features**, global admins, announcements, per-domain delegation, quotas
-- **Security**, enforced TLS, Letsencrypt!, outgoing DKIM, anti-virus scanner
+- **Security**, enforced TLS, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner
 - **Antispam**, auto-learn, greylisting, DMARC and SPF
 - **Freedom**, all FOSS components, no tracker included
 

From a8142dabbe4df86a2aa87d3f323de20c045d7db3 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 30 Aug 2021 14:21:28 +0200
Subject: [PATCH 07/53] Introduce DEFER_ON_TLS_ERROR

This will default to True and defer emails that fail even "loose"
validation of DANE or MTA-STS

It should work most of the time but if it doesn't and you would rather
see your emails delivered, you can turn it off.
---
 core/postfix/conf/main.cf       | 6 +++++-
 core/postfix/mta-sts-daemon.yml | 2 +-
 core/postfix/start.py           | 1 +
 docs/configuration.rst          | 2 +-
 4 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 0194324f..78ffcee1 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -58,13 +58,17 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET
 # 2. not all will have and up-to-date TLS stack.
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
-smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
+smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
+smtp_tls_dane_insecure_mx_policy = dane
 smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, socketmap:unix:/tmp/mta-sts.socket:postfix
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
 smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
 smtp_host_lookup = dns
 smtp_dns_support_level = dnssec
+delay_warning_time = 5m
+smtp_tls_loglevel = 1
+notify_classes = resource, software, delay
 
 ###############
 # Virtual
diff --git a/core/postfix/mta-sts-daemon.yml b/core/postfix/mta-sts-daemon.yml
index 39f60e48..361bcbf9 100644
--- a/core/postfix/mta-sts-daemon.yml
+++ b/core/postfix/mta-sts-daemon.yml
@@ -6,5 +6,5 @@ cache:
   options:
     cache_size: 10000
 default_zone:
-  strict_testing: false
+  strict_testing: {{ DEFER_ON_TLS_ERROR |default('true') }}
   timeout: 4
diff --git a/core/postfix/start.py b/core/postfix/start.py
index de559b27..5e439bdb 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -76,6 +76,7 @@ for map_file in glob.glob("/overrides/*.map"):
 
 if os.path.exists("/overrides/mta-sts-daemon.yml"):
     shutil.copyfile("/overrides/mta-sts-daemon.yml", "/etc/mta-sts-daemon.yml")
+conf.jinja("/etc/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
 
 if not os.path.exists("/etc/postfix/tls_policy.map.db"):
     with open("/etc/postfix/tls_policy.map", "w") as f:
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 27f8db7d..4fd84c07 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -73,7 +73,7 @@ mail in following format: ``[HOST]:PORT``.
 
 By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
 by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is highly recommended
-if you are using a relayhost that supports TLS.
+if you are using a relayhost that supports TLS but discouraged otherwise. ``DEFER_ON_TLS_ERROR`` (default: True) controls whether incomplete policies (DANE without DNSSEC or "testing" MTA-STS policies) will be taken into account and whether emails will be defered if the additional checks enforced by those policies fail.
 
 Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed
 by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for

From 05b57c972ec3a6fbe6a8f9cc048246e24747390c Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 30 Aug 2021 14:44:13 +0200
Subject: [PATCH 08/53] remove the static policy as it will override MTA-STS
 and DANE

---
 core/postfix/start.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/postfix/start.py b/core/postfix/start.py
index 5e439bdb..69855e29 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -80,7 +80,7 @@ conf.jinja("/etc/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
 
 if not os.path.exists("/etc/postfix/tls_policy.map.db"):
     with open("/etc/postfix/tls_policy.map", "w") as f:
-        for domain in ['yahoo.com', 'hotmail.com', 'aol.com', 'outlook.com', 'icloud.com', 'msn.com', 'hotmail.co.uk', 'live.com', 'yahoo.co.in', 'me.com', 'cox.net', 'yahoo.co.uk', 'verizon.net', 'ymail.com', 'hotmail.it', 'kw.com', 'yahoo.com.tw', 'mac.com', 'live.se', 'live.nl', 'yahoo.com.br', 'libero.it', 'web.de', 'allstate.com', 'btinternet.com', 'online.no', 'yahoo.com.au', 'live.dk', 'earthlink.net', 'yahoo.fr', 'yahoo.it', 'gmx.de', 'hotmail.fr', 'shawinc.com', 'yahoo.de', 'moe.edu.sg', 'naver.com', 'bigpond.com', 'statefarm.com', 'remax.net', 'rocketmail.com', 'live.no', 'yahoo.ca', 'bigpond.net.au', 'hotmail.se', 'gmx.at', 'live.co.uk', 'mail.com', 'yahoo.in', 'yandex.ru', 'qq.com', 'charter.net', 'indeedemail.com', 'alice.it', 'hotmail.de', 'bluewin.ch', 'optonline.net', 'yahoo.es', 'hotmail.no', 'pindotmedia.com', 'orange.fr', 'live.it', 'yahoo.co.id', 'yahoo.no', 'hotmail.es', 'morganstanley.com', 'wellsfargo.com', 'wanadoo.fr', 'facebook.com', 'yahoo.se', 'fema.dhs.gov', 'rogers.com', 'yahoo.com.hk', 'live.com.au', 'nic.in', 'nab.com.au', 'ubs.com', 'shaw.ca', 'umich.edu', 'westpac.com.au', 'yahoo.com.mx', 'yahoo.com.sg', 'farmersagent.com', 'yahoo.dk', 'dhs.gov']:
+        for domain in ['example.com']:
             f.write(f'{domain}\tsecure\n')
     os.system("postmap /etc/postfix/tls_policy.map")
 

From 67db72d7743a5f2850e6c6a7d19b2ff99e8ea6d5 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 30 Aug 2021 17:00:12 +0200
Subject: [PATCH 09/53] Behave like documented

---
 core/postfix/conf/main.cf            | 2 +-
 docs/configuration.rst               | 8 ++++++--
 towncrier/newsfragments/1798.feature | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 78ffcee1..ae54326d 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -59,7 +59,7 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
 smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
-smtp_tls_dane_insecure_mx_policy = dane
+smtp_tls_dane_insecure_mx_policy = {% if DEFER_ON_TLS_ERROR == 'false' %}may{% else %}dane{% endif %}
 smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, socketmap:unix:/tmp/mta-sts.socket:postfix
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 4fd84c07..7cf3c926 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -72,8 +72,12 @@ mail in following format: ``[HOST]:PORT``.
 ``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed.
 
 By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
-by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is highly recommended
-if you are using a relayhost that supports TLS but discouraged otherwise. ``DEFER_ON_TLS_ERROR`` (default: True) controls whether incomplete policies (DANE without DNSSEC or "testing" MTA-STS policies) will be taken into account and whether emails will be defered if the additional checks enforced by those policies fail.
+by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is
+highly recommended if you are using a relayhost that supports TLS but discouraged
+otherwise. ``DEFER_ON_TLS_ERROR`` (default: True) controls whether incomplete
+policies (DANE without DNSSEC or "testing" MTA-STS policies) will be taken into
+account and whether emails will be defered if the additional checks enforced by
+those policies fail.
 
 Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed
 by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for
diff --git a/towncrier/newsfragments/1798.feature b/towncrier/newsfragments/1798.feature
index 1b63a85c..125b1767 100644
--- a/towncrier/newsfragments/1798.feature
+++ b/towncrier/newsfragments/1798.feature
@@ -1 +1 @@
-Implement MTA-STS (use published policies)
+Implement MTA-STS and DANE validation. Introduce DEFER_ON_TLS_ERROR (default: True) to harden or loosen the policy enforcement.

From fccb0cc57f82f88235d3d10d58be4aff7762a483 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 30 Aug 2021 17:16:41 +0200
Subject: [PATCH 10/53] Add a longer max_age (15days)

---
 docs/faq.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/faq.rst b/docs/faq.rst
index 92b208de..b5627743 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -383,7 +383,7 @@ Mailu can serve an `MTA-STS policy`_; To configure it you will need to:
    location ^~ /.well-known/mta-sts.txt {
    return 200 "version: STSv1
    mode: enforce
-   max_age: 86401
+   max_age: 1296000
    mx: mailu.example.com\r\n";
    }
 

From fb34f5349348ebc22af08737a6ef641bd6a156a7 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 30 Aug 2021 17:18:19 +0200
Subject: [PATCH 11/53] Do operations in the right (safe) order

---
 docs/faq.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/faq.rst b/docs/faq.rst
index b5627743..fb6f66df 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -374,7 +374,7 @@ How do I setup a MTA-STS policy?
 
 Mailu can serve an `MTA-STS policy`_; To configure it you will need to:
 
-1. setup the appropriate DNS/CNAME record (``mta-sts.example.com`` -> ``mailu.example.com``) and DNS/TXT record (``_mta-sts.example.com`` -> ``v=STSv1; id=1``) paying attention to the ``TTL`` as this is used by MTA-STS.
+1. add ``mta-sts.example.com`` to the ``HOSTNAMES`` configuration variable (and ensure that a valid SSL certificate is available for it)
 
 2. configure an override with the policy itself; for example, your ``overrides/nginx/mta-sts.conf`` could read:
 
@@ -387,7 +387,7 @@ Mailu can serve an `MTA-STS policy`_; To configure it you will need to:
    mx: mailu.example.com\r\n";
    }
 
-3. add ``mta-sts.example.com`` to the ``HOSTNAMES`` configuration variable (and ensure that a valid SSL certificate is available for it)
+3. setup the appropriate DNS/CNAME record (``mta-sts.example.com`` -> ``mailu.example.com``) and DNS/TXT record (``_mta-sts.example.com`` -> ``v=STSv1; id=1``) paying attention to the ``TTL`` as this is used by MTA-STS.
 
 *issue reference:* `1798`_.
 

From d607ba0ef2b345a44f9f95cd227a73f0a63f9489 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Mon, 30 Aug 2021 17:52:31 +0200
Subject: [PATCH 12/53] Clarify that a restart may be required

---
 docs/faq.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/faq.rst b/docs/faq.rst
index fb6f66df..43fb8606 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -374,7 +374,7 @@ How do I setup a MTA-STS policy?
 
 Mailu can serve an `MTA-STS policy`_; To configure it you will need to:
 
-1. add ``mta-sts.example.com`` to the ``HOSTNAMES`` configuration variable (and ensure that a valid SSL certificate is available for it)
+1. add ``mta-sts.example.com`` to the ``HOSTNAMES`` configuration variable (and ensure that a valid SSL certificate is available for it; this may mean restarting your smtp container)
 
 2. configure an override with the policy itself; for example, your ``overrides/nginx/mta-sts.conf`` could read:
 

From a1da4daa4c30668d98325cebd640ae3cf2f5fc97 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Tue, 31 Aug 2021 20:24:06 +0200
Subject: [PATCH 13/53] Implement the DANE-only lookup policyd

https://github.com/Snawoot/postfix-mta-sts-resolver/issues/67 for
context
---
 core/admin/mailu/internal/views/postfix.py |  3 +++
 core/admin/mailu/utils.py                  | 24 +++++++++++++++++++++-
 core/postfix/conf/main.cf                  |  2 +-
 core/postfix/start.py                      |  1 +
 4 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/internal/views/postfix.py b/core/admin/mailu/internal/views/postfix.py
index 2e7d0b9b..330fed5b 100644
--- a/core/admin/mailu/internal/views/postfix.py
+++ b/core/admin/mailu/internal/views/postfix.py
@@ -7,6 +7,9 @@ import idna
 import re
 import srslib
 
+@internal.route("/postfix/dane/<domain_name>")
+def postfix_dane_map(domain_name):
+    return flask.jsonify('dane-only') if utils.has_dane_record(domain_name) else flask.abort(404)
 
 @internal.route("/postfix/domain/<domain_name>")
 def postfix_mailbox_domain(domain_name):
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 02150754..914638fa 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -6,6 +6,9 @@ try:
 except ImportError:
     import pickle
 
+import dns
+import dns.resolver
+
 import hmac
 import secrets
 import time
@@ -25,7 +28,6 @@ from itsdangerous.encoding import want_bytes
 from werkzeug.datastructures import CallbackDict
 from werkzeug.contrib import fixers
 
-
 # Login configuration
 login = flask_login.LoginManager()
 login.login_view = "ui.login"
@@ -37,6 +39,26 @@ def handle_needs_login():
         flask.url_for('ui.login', next=flask.request.endpoint)
     )
 
+# DNS stub configured to do DNSSEC enabled queries
+resolver = dns.resolver.Resolver()
+resolver.use_edns(0, 0, 1500)
+resolver.flags = dns.flags.AD | dns.flags.RD
+
+def has_dane_record(domain, timeout=5):
+    try:
+        result = resolver.query(f'_25._tcp.{domain}', dns.rdatatype.TLSA,dns.rdataclass.IN, lifetime=timeout)
+        if (result.response.flags & dns.flags.AD) == dns.flags.AD:
+            for record in result:
+                if isinstance(record, dns.rdtypes.ANY.TLSA.TLSA):
+                    record.validate()
+                    if record.usage in [2,3]: # postfix wants DANE-only
+                        return True
+    except dns.resolver.NoNameservers:
+        # this could be an attack / a failed DNSSEC lookup
+        return True
+    except:
+        pass
+
 # Rate limiter
 limiter = limiter.LimitWraperFactory()
 
diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index ae54326d..16fdfa6e 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -60,7 +60,7 @@ smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
 smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
 smtp_tls_dane_insecure_mx_policy = {% if DEFER_ON_TLS_ERROR == 'false' %}may{% else %}dane{% endif %}
-smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, socketmap:unix:/tmp/mta-sts.socket:postfix
+smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, ${podop}dane, socketmap:unix:/tmp/mta-sts.socket:postfix
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
 smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
diff --git a/core/postfix/start.py b/core/postfix/start.py
index 69855e29..03dca93c 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -21,6 +21,7 @@ def start_podop():
     run_server(0, "postfix", "/tmp/podop.socket", [
 		("transport", "url", url + "transport/§"),
 		("alias", "url", url + "alias/§"),
+                ("dane", "url", url + "dane/§"),
 		("domain", "url", url + "domain/§"),
         ("mailbox", "url", url + "mailbox/§"),
         ("recipientmap", "url", url + "recipient/map/§"),

From 9f66e2672b3c646570fba1f644f1b35e44ebaeec Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Tue, 31 Aug 2021 20:44:57 +0200
Subject: [PATCH 14/53] Use DEFER_ON_TLS_ERROR here too

We just don't know whether the lookup failed because we are under attack
or whether it's a glitch; the safe behaviour is to defer
---
 core/admin/mailu/configuration.py | 1 +
 core/admin/mailu/utils.py         | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 7cd3a56b..4c48fcc4 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -35,6 +35,7 @@ DEFAULT_CONFIG = {
     'WILDCARD_SENDERS': '',
     'TLS_FLAVOR': 'cert',
     'INBOUND_TLS_ENFORCE': False,
+    'DEFER_ON_TLS_ERROR': True,
     'AUTH_RATELIMIT': '1000/minute;10000/hour',
     'AUTH_RATELIMIT_SUBNET': False,
     'DISABLE_STATISTICS': False,
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 914638fa..2313a1e6 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -54,8 +54,10 @@ def has_dane_record(domain, timeout=5):
                     if record.usage in [2,3]: # postfix wants DANE-only
                         return True
     except dns.resolver.NoNameservers:
-        # this could be an attack / a failed DNSSEC lookup
-        return True
+        # If the DNSSEC data is invalid and the DNS resolver is DNSSEC enabled
+        # we will receive this non-specific exception. The safe behaviour is to
+        # accept to defer the email.
+        return app.config['DEFER_ON_TLS_ERROR']
     except:
         pass
 

From 489520f0673a25482294cb5b1b7d6bb28a3b8dd1 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 1 Sep 2021 08:41:39 +0200
Subject: [PATCH 15/53] forgot about alpine/lmdb

---
 core/postfix/conf/main.cf | 2 +-
 core/postfix/start.py     | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 16fdfa6e..6152388c 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -60,7 +60,7 @@ smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
 smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
 smtp_tls_dane_insecure_mx_policy = {% if DEFER_ON_TLS_ERROR == 'false' %}may{% else %}dane{% endif %}
-smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, ${podop}dane, socketmap:unix:/tmp/mta-sts.socket:postfix
+smtp_tls_policy_maps=lmdb:/etc/postfix/tls_policy.map, ${podop}dane, socketmap:unix:/tmp/mta-sts.socket:postfix
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
 smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
diff --git a/core/postfix/start.py b/core/postfix/start.py
index 03dca93c..8aa279ef 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -20,7 +20,7 @@ def start_podop():
     # TODO: Remove verbosity setting from Podop?
     run_server(0, "postfix", "/tmp/podop.socket", [
 		("transport", "url", url + "transport/§"),
-		("alias", "url", url + "alias/§"),
+                ("alias", "url", url + "alias/§"),
                 ("dane", "url", url + "dane/§"),
 		("domain", "url", url + "domain/§"),
         ("mailbox", "url", url + "mailbox/§"),
@@ -79,7 +79,7 @@ if os.path.exists("/overrides/mta-sts-daemon.yml"):
     shutil.copyfile("/overrides/mta-sts-daemon.yml", "/etc/mta-sts-daemon.yml")
 conf.jinja("/etc/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
 
-if not os.path.exists("/etc/postfix/tls_policy.map.db"):
+if not os.path.exists("/etc/postfix/tls_policy.map.lmdb"):
     with open("/etc/postfix/tls_policy.map", "w") as f:
         for domain in ['example.com']:
             f.write(f'{domain}\tsecure\n')

From 92cc664e82f3f40f9a247093d440c3b75ff768d8 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 1 Sep 2021 08:41:59 +0200
Subject: [PATCH 16/53] Cosmetic change

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8c7d1640..4c19ad78 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ Main features include:
 - **Web access**, multiple Webmails and administration interface
 - **User features**, aliases, auto-reply, auto-forward, fetched accounts
 - **Admin features**, global admins, announcements, per-domain delegation, quotas
-- **Security**, enforced TLS, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner
+- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner
 - **Antispam**, auto-learn, greylisting, DMARC and SPF
 - **Freedom**, all FOSS components, no tracker included
 

From c1d94bb72563430d151916de0e3d9e31708348fe Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 1 Sep 2021 09:01:04 +0200
Subject: [PATCH 17/53] Ensure that postfix will be able to use the TLSA
 records

see https://www.huque.com/dane/testsite/ for the testcases
---
 core/admin/mailu/utils.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 2313a1e6..66cf0476 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -44,14 +44,14 @@ resolver = dns.resolver.Resolver()
 resolver.use_edns(0, 0, 1500)
 resolver.flags = dns.flags.AD | dns.flags.RD
 
-def has_dane_record(domain, timeout=5):
+def has_dane_record(domain, timeout=10):
     try:
         result = resolver.query(f'_25._tcp.{domain}', dns.rdatatype.TLSA,dns.rdataclass.IN, lifetime=timeout)
         if (result.response.flags & dns.flags.AD) == dns.flags.AD:
             for record in result:
                 if isinstance(record, dns.rdtypes.ANY.TLSA.TLSA):
                     record.validate()
-                    if record.usage in [2,3]: # postfix wants DANE-only
+                    if record.usage in [2,3] and record.selector in [0,1] and record.mtype in [0,1,2]:
                         return True
     except dns.resolver.NoNameservers:
         # If the DNSSEC data is invalid and the DNS resolver is DNSSEC enabled

From 4abf49edf429e2ebb594a002c9f5e922a6e824e7 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 1 Sep 2021 09:15:13 +0200
Subject: [PATCH 18/53] indent

---
 core/postfix/start.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/core/postfix/start.py b/core/postfix/start.py
index 8aa279ef..19c23c19 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -19,10 +19,10 @@ def start_podop():
     url = "http://" + os.environ["ADMIN_ADDRESS"] + "/internal/postfix/"
     # TODO: Remove verbosity setting from Podop?
     run_server(0, "postfix", "/tmp/podop.socket", [
-		("transport", "url", url + "transport/§"),
-                ("alias", "url", url + "alias/§"),
-                ("dane", "url", url + "dane/§"),
-		("domain", "url", url + "domain/§"),
+        ("transport", "url", url + "transport/§"),
+        ("alias", "url", url + "alias/§"),
+        ("dane", "url", url + "dane/§"),
+        ("domain", "url", url + "domain/§"),
         ("mailbox", "url", url + "mailbox/§"),
         ("recipientmap", "url", url + "recipient/map/§"),
         ("sendermap", "url", url + "sender/map/§"),

From fe186afb6f319fb6cc9dc5f903db7fa4a7414532 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 1 Sep 2021 18:52:35 +0200
Subject: [PATCH 19/53] Revert "Switch to openssl to workaround alpine #12763"

This reverts commit f8362d04e4d46c44ab07beffb77cdd041af193c0.
---
 core/admin/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index 97cf1736..f10d3251 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -24,9 +24,9 @@ RUN mkdir -p /app
 WORKDIR /app
 
 COPY requirements-prod.txt requirements.txt
-RUN apk add --no-cache openssl curl postgresql-libs mariadb-connector-c \
+RUN apk add --no-cache libressl curl postgresql-libs mariadb-connector-c \
   && apk add --no-cache --virtual build-dep \
-  openssl-dev libffi-dev python3-dev build-base postgresql-dev mariadb-connector-c-dev cargo \
+  libressl-dev libffi-dev python3-dev build-base postgresql-dev mariadb-connector-c-dev cargo \
   && pip3 install -r requirements.txt \
   && apk del --no-cache build-dep
 

From 0c4455ccf5e453f5dc2e1810601696d7b4707f01 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 1 Sep 2021 18:53:20 +0200
Subject: [PATCH 20/53] Revert "Rollback to alpine 1.12"

This reverts commit e1ddbb6eec85cde7a6efed13f66e887c56334a80.
---
 optional/unbound/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/optional/unbound/Dockerfile b/optional/unbound/Dockerfile
index abb45420..2b472d44 100644
--- a/optional/unbound/Dockerfile
+++ b/optional/unbound/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.12
+ARG DISTRO=alpine:3.14
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \

From d7c2b510c7321cfa79989f6817f16e63e88946de Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Wed, 1 Sep 2021 18:56:44 +0200
Subject: [PATCH 21/53] Give alpine 3.14.2 a shot

---
 core/admin/Dockerfile          | 2 +-
 core/dovecot/Dockerfile        | 2 +-
 core/nginx/Dockerfile          | 2 +-
 core/none/Dockerfile           | 2 +-
 core/postfix/Dockerfile        | 2 +-
 core/rspamd/Dockerfile         | 2 +-
 optional/clamav/Dockerfile     | 2 +-
 optional/fetchmail/Dockerfile  | 2 +-
 optional/postgresql/Dockerfile | 2 +-
 optional/radicale/Dockerfile   | 2 +-
 optional/unbound/Dockerfile    | 2 +-
 setup/Dockerfile               | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index f10d3251..4b991269 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -1,5 +1,5 @@
 # First stage to build assets
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 ARG ARCH=""
 FROM ${ARCH}node:8 as assets
 COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
diff --git a/core/dovecot/Dockerfile b/core/dovecot/Dockerfile
index 22145bde..49fcb866 100644
--- a/core/dovecot/Dockerfile
+++ b/core/dovecot/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO as builder
 WORKDIR /tmp
 RUN apk add git build-base automake autoconf libtool dovecot-dev xapian-core-dev icu-dev
diff --git a/core/nginx/Dockerfile b/core/nginx/Dockerfile
index 1906ed31..3837e64b 100644
--- a/core/nginx/Dockerfile
+++ b/core/nginx/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \
diff --git a/core/none/Dockerfile b/core/none/Dockerfile
index 51b8d1c5..bae5e8a3 100644
--- a/core/none/Dockerfile
+++ b/core/none/Dockerfile
@@ -1,6 +1,6 @@
 # This is an idle image to dynamically replace any component if disabled.
 
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 
 CMD sleep 1000000d
diff --git a/core/postfix/Dockerfile b/core/postfix/Dockerfile
index 062155c1..652404e8 100644
--- a/core/postfix/Dockerfile
+++ b/core/postfix/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \
diff --git a/core/rspamd/Dockerfile b/core/rspamd/Dockerfile
index 6706ef14..0b3b94f7 100644
--- a/core/rspamd/Dockerfile
+++ b/core/rspamd/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \
diff --git a/optional/clamav/Dockerfile b/optional/clamav/Dockerfile
index 20cebcdc..efad01ad 100644
--- a/optional/clamav/Dockerfile
+++ b/optional/clamav/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \
diff --git a/optional/fetchmail/Dockerfile b/optional/fetchmail/Dockerfile
index 506e409a..d3397a22 100644
--- a/optional/fetchmail/Dockerfile
+++ b/optional/fetchmail/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 
 # python3 shared with most images
diff --git a/optional/postgresql/Dockerfile b/optional/postgresql/Dockerfile
index 0f5034da..ab197b62 100644
--- a/optional/postgresql/Dockerfile
+++ b/optional/postgresql/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \
diff --git a/optional/radicale/Dockerfile b/optional/radicale/Dockerfile
index 13761164..21c1d437 100644
--- a/optional/radicale/Dockerfile
+++ b/optional/radicale/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 
 # python3 shared with most images
diff --git a/optional/unbound/Dockerfile b/optional/unbound/Dockerfile
index 2b472d44..da979496 100644
--- a/optional/unbound/Dockerfile
+++ b/optional/unbound/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 # python3 shared with most images
 RUN apk add --no-cache \
diff --git a/setup/Dockerfile b/setup/Dockerfile
index 5775ab6b..e0f685ee 100644
--- a/setup/Dockerfile
+++ b/setup/Dockerfile
@@ -1,4 +1,4 @@
-ARG DISTRO=alpine:3.14
+ARG DISTRO=alpine:3.14.2
 FROM $DISTRO
 
 RUN mkdir -p /app

From 39d7a5c504e93f1f6940f7fb2e42256681970ee6 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 2 Sep 2021 20:46:08 +0200
Subject: [PATCH 22/53] pngcrushed images

---
 core/nginx/static/android-chrome-192x192.png | Bin 6274 -> 4993 bytes
 core/nginx/static/android-chrome-512x512.png | Bin 18169 -> 15628 bytes
 core/nginx/static/apple-touch-icon.png       | Bin 5802 -> 4662 bytes
 core/nginx/static/favicon-16x16.png          | Bin 978 -> 924 bytes
 core/nginx/static/favicon-32x32.png          | Bin 1523 -> 1483 bytes
 core/nginx/static/mstile-150x150.png         | Bin 4788 -> 3897 bytes
 6 files changed, 0 insertions(+), 0 deletions(-)

diff --git a/core/nginx/static/android-chrome-192x192.png b/core/nginx/static/android-chrome-192x192.png
index 86231db9042b8cf7191d469d5c1c39c164ba9514..75665d8c2e5be997b14c00a099033bee75f9a94b 100644
GIT binary patch
delta 4723
zcmV-(5{&JFF@YzLgntquNkl<Zc-rlq2apw27KU4b2q-~BL`)<>Q52N|#K>xy*M#fp
z3c6UkYd{HGt1H%;%Uv<+mH~A^L`4}SN>D)%RFoM6QD8uV7#PyL$$4JyIj_%5&-2Zj
zmpa_;{%_TXRw?iGyZ!&&=iYnnxtfNSd7GKfG$#%wx)3K2XMYn{5F?4P#KXjs#B0R=
z;=upy3F0B*ZeoOd#!#XUakzX(^T>Cip*bvarkRMahlqTnh<h^e5wVWgLF^?;h-#vi
z2orjegyrv4%V+E%w##QPCf*<(6oZ^abSK)%wP`R1nw5fYNgOF+A5FYWd`4^|ibbfp
zOVr3UY$cWxFMkoYiz$vETEGx!sfwPTqMaq|_&f1Fv4JRZS?tMDE7!W7c!wB6oJkx;
z8~`(*H70s~QXWeTm#63&q9DbvMOFAWgote7dEy%4XpAEudVbO$Mf{O?lh{I3`atlB
zs30~Hlf>}d>c<Xffr#nb6BiIKNN5uT(Z_>-`**~%#D6fN9mWj)ecJaV?jn}Sz)=TL
z@VH?Kafi$*;jQ2U;qwg6K;mf$acUs+q-K_KWj$hm^da=*G2tIXoJUL{c0<%@vx|70
zI9K`<`cgc;ZzaN?M&v`lmXR-gdY<$##t90BI=uMv7KCrR5qQOWQ2insnybR+g`IxH
zi;^w?k$*Zvp3EHe!Qz^G;SMK;-6LrL5T!c{Y&=*VFDvH=iyRU^$DmgdD<oMAVssb2
z2cHs`5(mNr_CED{Nvc92gr^)KNww&Xw}Cy=nm0*;R~TYbIxJdCTwgz1gqHDB|2RoO
z#_FwiD3nx_WAHXeU;Lb{cro!cp8B4B8+;*oSAR&WNb#xPPG)#8wds%5WS%KH1aE`n
z#NSg^9V;OoU!`DAmOU3RK@;NV)!bDOjBi6Cp1K|k6U2(2m(_2Sjo%Q9zu6)iaj+vz
z#NV3u2Xc4<#Xc$f65tF|L;M}2R!%uY5jaYT$Lj~j0Tln?Qr`yY48h)#`HEDm2$cAF
zBY*Y`kCYh!_U}M@OKL9#Vy1_u!e(M|3;bq=D68HCzB7U;eomBHgc}ZmV**qB{KIDB
zMuP<S%ml^{=_)@AVGl^=P4JFC2F8Z?50&Z+5I;zzzUid;LR}sfe_Pokf!Q9A&Q7z5
zvQX+t@pGky`y~+yHx#5pnN;ZZPz4IJT7Sczv2_txREp(BZw!jf8J`P@pK<emMR1bj
zIqI9hxWK+d4sIH-m{n2~L22=KB4*)c0h^dE<?WTt>3<Xzn1RhRLle~6OJK(R!;#Yu
z9NJ58xf<gEQ~W1L%^ut!-~>5pj0X(y^O?DC<E8+IdEMPbGV|$w8+LR7mlnxJxqlZ5
z8DD&=Y;wj80dBB~ILUbfn4!;f+yvk<Q=AQj%+Ti+gg!t4N;KoFXNN)|<BNI_>(Kc?
z5msw;g?Jqhe{(5if{q6&ZK8QZv-P;9=<<bm=yaeMoP2qPeW8%?!EG?`1q$<~J=NyS
zr~g$N4ypj^QlJ@UN?80BFg~y&@qZCI87R&?&C+s<=F|TMOnU;4Op9J^wE_6){|P!5
zc!c@Zyal44{@C0Oyh3UHTOcD7nCEpN_6J^Lu9W4;`00Oz#8v22;3c>s$wleE1<V7g
z-$!Qxk1|y=>Qkj{fFT-=Dh1x<SK_qP4PX|xdJ3HgJkF!3he75+78}ulz<=X#)^fMx
z4PXv_N1?<C@Bw@dSqh~U&7(`_p!0xF;E9}8sTkl441R&n2E+Xm8^8>I?n9>mpD`|R
z7-akpoI|k`9R_^HqQoo1h5-f<`(3@*ET9DbG60A4r^h#dLgCMVC58HJYfAOM0oNF@
zx<qd`H{>@HjEx@#nOhzgxqtoipYUCoj^=L5E3egiE-LWbn_zbQEt7@;PLdHb3;+Z8
z(EvM$-mwOVE_PJ|1EBfT09C~Gv0;#z`!mV)i-ZAS0DE~Mo&h>Zg)JBW&Cdq-oaoS)
z0S3B0{RsoW0M1N@p3;~BZq-yc(H#bW0qlj(8T*rI05ksouM!ss1Ao8(_Vc7U4lw?O
zmx!0a0B8X*z+$cbOaa3HJvHMrZWsV92nN`!)t6H@3@}V;slWheK`=lOF|?rp{;C-@
z)?om&AQ*rrdqy@iz(i#(4hDb$oZ+!L1MpU{8884^zzi^rXu$?Jl=vD3Kns`wmJ{tY
z$&T9^Gy~Lzb-lDE9Dkuq{;4tzuQ3b*Siz>qOc4EXHnBHo24EpQvawtr@@bKN<}z<E
zlz4Vag<eq$16aVWNcs=`ajmA(!50pOK-)`e^{c-u)(=p9YvPQ2y#@8nE!idduJT%h
zK-R!VeO<-|xKpVDSPqW?_Ed!RQ8^`gix1SjSqII^*T=3a)qe}B!WaWsn-g>k8{iRT
z)&N`@1cyji<JOhwt!629lc+Bao*mL3+)y3~*)RyUd@W!C8{k#dZn_(@Kqb{-{UH)s
z+u0#y`k~|8kp9e;az|qR02+XKmJN^v0~n2k_RQvTz5Se!yEmS``|$Z8{k82CdUe>9
zt_X?&-qa*B4u1xaRz)UY;dP$xk_qTLk6uuqzxPvRWU3bH0Jbuh4e$jF5W7ae0z7Jg
z!vdi1I(~71z96p(3t`T%lnsy#1H?9d_%0+N_Hs%D^d0>_DbzpPSB;fm=lD{S+-Mje
zPWx<cwSMx)h4u=8KARWhazZsog>aTtFhCNGg*li6YJZCu=rb=|QLJw)s!{4U2gCs1
z!vIOP4J6PDNT^l{;sAnIqIZ<mD))N>Vt~ysKsu=t7W~fUALQ#JS38&500RWb05y{7
zX-8whvT&Pc@EZ@Dm9LLpTdL>Vl-j^X{kE`19RsLarajk}2H0O2j(o-sCH6dB_tEFG
zfLnf$`hRb0GdmQywql!BxQtM(NPl@-g%Sqf9IGQgEQm}grvtBvw70KJdk!05y&nzG
z@1sI}*k?r%LD<oXNWk~gb+(=rO8R%Tn-kKX$Sv2)ZF)Op(_noN4c0kCQ^ElBcaK?E
zps(0ht#2x-jSTctWpi<@K4x91t<#{Z{Ahp^d4KA1hB3XEoo|l`c#{eX`jAAa6ZGE>
zn-_|RvdX5Ae|dxHS~kEdiWq=DBQL{o&SRU(?FxlfYRVMEvcmvb<^t2Qz4k0HRnonE
zd25B<X<i%?WEmmA+dJ(^ZQzgma9357Sbb-JjkXzJ0UKbRuMHrd*?Vz8L@0Iy9~{w4
zBY%Oj(4%e?{d*4*z}#Q$`Cc~E^hQ!PV1T4~pA9h8_Xd#9WuZ*}$-XBs3%&cog8Da4
zKe~ob_t^91;W6~9B=XLUym?@Nq<Mu6@N^&yAfL^GnY7KmG~*>C_!DUWe)^I^eYH(v
z4^G>Ds)@917$7Oak=j7?$304vMR&pg@_+d(oTo`ZcCA729DHuEJ>ut$I}dzcW^CNa
zioe1P10<v-vK^TI7$IjT1;YRh=HnmOVBdVa9gVkc@|0krt(!1FQdAJb*#H+4g@H1F
zz(N{Ff(lisZ-U(w;Yd}8WH#@^07<crIFAi*D)Dm=4N$jId23Foo>!r+33is%>VLym
zmFUe<NV0<g62iv;^koBdCB6%)0qO*E9SQ751+y}9i);0ZR;HGK2LmL<8lp2B;1J^D
zARD0WdoLlO*)@1gr+rgU6R8H5>dl7%lH3nGGrx^G=L5TK0Qv5-NpLJYx7*5n)%t)X
z>Fq>=0g~dyhUWwP69zE9pM|&5#ecoIi}I@UK8w@eh6w{C#n^@hxJH?&P`3>r*T4e&
zXt%S~8F&~z^Oq|9*oB!14+cnT3iQ&31~^p?5QYI7Tn7u01?fb69?mD4yrWV-Vt(d1
z_%J|1ekJ-fG{9lRS{NYqTDr^+MTBYRdKqVwKDVVJQVP+E8w~>_gb#%2(0|YXEs6JF
zfX1(<0}1n`t@h*(l_$HWzzqX%C^jRrvhMsD3L0Pv(Y&DnnEPOW_}9ewLlbkYEmX_9
z$|gj1m08<|Rv3V{eR2T+PU;)Dv?wk3@A7BxXDMcY@#abKTD=J_A<AHYrt^pHw`f1_
z{&e>hJ7fU<g<M#Ge`_XKaet(f#Re!L&Nszx8sIqM2N)nh{tyZFuC<xv4_Q%J!fpeo
z)GRhYu6as)v;kVl>KF`=ME=mt*(G{j8u3tFZJ}m1_8|<=Br{~p8)E?Gei$G*Sisk$
zSk<krWQpCyreJ_385bS@N1Nbxa(EaFkfhMKuIHvCO0U>jUlayNmVW|bXsq~619WkH
zJ-|Z-sJmW1!gNg&m7Tf5G*_l@s>~n^(B%Aor=|?RiE%H%0I6T|DJ1X}zbU;^SF)s+
z!!<TxfVe!<c=!`N4!BlwC18LQue*1H(_QLLnd!E``2w>rK%?*!{}u5KV4C1q%{WFL
z21utAAPN4Rot65e?SGAzEP(-BGr&68{H4Wjh5?$nx<A0n253+N^k5fHnuG!3=Kmki
zv;nlJ^yqRJz?;ATF_aRQB^JMFfUd612EhO@fb|CWDzg7K1p_eufdOCupBUi5rU$=`
zo8U~TodN^E0PY$fv-0S>i8GQHziEIr#2hyaaQC{>NFgXr8h=Zbyz+1)<>2_m!8QQz
zG1!x4AF2fZhI`kSWmW;&$a72C0L)E9rPDXC^Zby0@+XCn10T|Xi_^B66$+&I>)`c=
z{u%V4GSF}6!rMgC>j$35xh}QvCpI-A+pV#Hq6e#agDfABem{H>KlLH`x4^xD7ZdOz
zT=9HNdQbmo6Mytp?j%V760<=zd1>i4GePcgbSUr`|H|y?9~}mrNNhu=0*}DCY`roQ
zf9zY}-{@H25gy3==^twXehX|x=Yrro{bSz(52J&D!i1&1m1eC0OcV4V)}y0=qVS;?
zM_Vuc=mGI)q8gnI6oWGs{$kJ5KiULbNOuW394N*Dvwz^NW~%|1%ZU&=9Vo(n;zE0$
z{?R5lka!s#4;10~*lKU~o1ibT5uFcQhBv$SbWZ%yq0p_a?HvZdsPuf3Goer8Cg3Ah
z-^GmpF7Z0i+IjIuo1h;;A>abv5`Ekge{?7`LUX&QE(j8Z#2?%VeHu3b@40+ImZEWk
zfZgd1Pk%Z)>yzADpc}CqHwf6w$HWn8h(Fc@XAwJalYmWZAqJ`?{#X;-g7E;b0Y2Q~
z1~uaT#H+-QBVi6$oapwTI&ptu6Lch|;l=@rm`t=&U;NRb&@spw1s1SSCRjA@G}8p9
zXl|c52E5E_*@~-q%K*_PI9F5Q0B+#Ly}d)cDS!T06Y$wgKjWr?B-!Cye!nv&;0^VB
z>dY?OT#$gDh^zb|{#X-?B=+JagC@j(wU*RbUfwhTAHa7ru?IIB1V{X_CK!$}0cgNZ
z5x?eN@yCWkS8Av?3XIC*7y0|iAAfe}d=%OWG~Y-9r4}6V$C}_YVg<wyIF=G82UGm9
zCV${v{aHi}gyDNQN%Cz;l?kx;V~xNS=bqM#Q@tS+e^M-&!W|*}#!bLG{BI+EfmnPw
z(=$ra<)QZkGepBQ<9K`QG4{tE-j&4J!J6sGd|c3-c!MZ|h&&62v#%iDPu~b_iQ9?o
z5R>QFDwP9UL-?78M7$AtE>Q(xd1CwGOn+hkLLO^FBAz)IPy7gxDgD$RUB7)1;<x2(
zaJtkZ#dN7!)0<O?{&?y;H#Xp^z}ZAC1n3&PaQP*19nl8DcRnmSN;A%cMKLbtr#3m<
z;S(9VBHVG;2+bs?<RxM^#A!RctM56@s0!W;!dJ%#Tr_DgF-0@ZjDlFLg&!`j5`Tk;
z77)I=VG&oVK1VYSPsoFCEqUVC3BM(T@2xiiuOB=s3uzcEr#86dLbOjwx;ljKVIwpr
zjwkLRRw1<_Vd}!?#5kfCVtoItAsi+pH>OH<BHju{AN(lwH~IYMLouu4|8WAR<eng_
zmJ4No7Y^7oCjaL7#GRUP)>cahKYy5JXe)Uu<3$j^__VZpwN&EZoT{<%n_ENlXbsJ9
zkQ8I(0$#5XYlx6XL#0}|_8dt`=7S9T%5Q||(Gr@02Y{VrZQ%~toA8xP3#yovS}AWY
z9_UY!H1feR?!jOdEn`FQY*Gi}B;xnPy|UK8XCUNCOkHl{+afHVT_)=rn^2^(!fP_a
zb-BE~I>@!+-k~`%#d?VBcp4%FfXB$@{&&S3IZ_^;%Rv?;7;J~-|Jg0`@SN=Tv7ELu
zk+@sFV~~7jJBU5A_J7Q!bkAkbyO@))7l8r@nUgdaJ`h%*GN}Ln002ovPDHLkV1ga5
ByypM_

delta 6014
zcmV-^7lG)3CxS7Mgnt(!Nkl<Zc-rlqd7NBTmB+uYx_YZh(&>aGkc6xdmOxhcL>>4j
zh$D;x3Q<Q9RD#IPprXhqiprp}34#cMD2vFbLC_IY6o(zfPB#e>vb6-VbcZb6>2!5h
zbydCj<5cBUI$hnhyjO3j^Zk74ldej4)qStd@7{CIJ@;G#rGI>u?*ym;8i6P<4mbc9
z3p8h*Hv^H(Yc+Y^DFy5V`ZE9S0=hCkZ_hlBW&S_K(s6EIx$iODZh&tPBL@f}hCC6N
z0?Y(v1Jg3kCjm`}5E_B{%-<Lke!tDkBMrn6qwfWF10BF7;7y<%_$RO#*oFur4WQyE
z3>82=EQ7BFCVwDCJ|CEyc}&f`9zhJ;4N{2FZ$m`!4`5a1u^t&Ul7I>#4=R9M#OOo7
zcwi3j4qypz6k_mE+%xt<Nh71hMnnjI1zrZ$0y_Xx#bBWV5Tg$x?#r>jiHPCP0><F~
zdt?ILzy{!X;Aun<ThMug@4wvAuzLE*z;VDSz`GDXzJJc`<~d9pnKwKO{1JE&*b1bp
zQ4G~10L!OuLVEhsfRhm4KIlfDj|8v|coO(6@ONaQT{Uxt;0wU&?Pmi21}p^@1Ebt-
zn#brtT%+Z{6UZDQ@S{R-1t5lB3oHOWhV=L|$sdDPgcLGgcocXTcoi53st|%F05SXq
zWFq@%#DBk^=ytPwN(b;e-~l9>)E_h<1VaFpe_s#06Zj0`?limIw1BV+cpSI~nKZ|N
zK+F^TF96HcSpu97d;m3kr`QEN2HXj>07<`#z`p_z!#98<feV2DKvrfI=jjA~jtF5b
zK3-h&p8za(XCmU`pN}kBDV4=ULa28kbA-16-+#G9{t|!~e?4$Aa0N2a4ZGc}Dklj%
z2iySs2}t-!1pW|!)$1Pud>;4&lBS?|hc4iL;1*=1*%zaM_XS{uH9rhoiDY7Wzunb|
z39JOZjjSWYy)FXp8j{uP&p-_SEOhnOFYE^H18zk2EqHb`@TLH)9airHz6l)T*|sYA
zFn@uUfUf~h;nB1TZyA-<>yJS~n^&NrO~2EDOpxzJ@{K$-8hA$lmhsO9z5#rM>dn#&
z8gXRZ;2I>!&NCwLh5#(%KMwI5m$=;|#db_&L(Ufw*T@qhaDRKBwIl0HWI;uZKbROu
z2loIH(W}Yn_*`w2d&muF1TF!tLUVYkg?}ALaN|d~oMGyo0L1vm0$)J{(BN8I6gP+g
zw<2o>J#LA>9RY~(Pt08WC((3<Y9#^u1o$ej-3<{`UI1eJQ;;R|Gw{MZL~)Z85+S-0
z*ivZ`R89cagl9T%GjMuEKVR`OCh!Pw8B(sLViBUs7@%eRGl3rh@2|+`Dt^Kh5q~%@
z0L%C%19t!)bo?_FKeL<)il9>d_d&q-k;)8;G8|_hi=hWp;=`O3fb{<3kZ8{tsL!vA
zjDc)#y$%@T^kSKF0+5DBfv*E+qsFfkP6#*$36C~9DFSB%U{z|k9NDw0p-!b(!pH*Y
zML^go5!i2-R<(w+fG;6?con4-8h?>YfsX<>Ap(2d603plLss~vICyiE>fsIGQ@}HT
zt&t%oT$96r@1Vx7*vAaudZZ|Vt=K03>HWte5uZhsxi3l;u>`mlXtL84vPS?`PXFb=
zsTIF9O0}>QxELGv5|l3ht05oS+c-sWhA>hW>J-41NpX1suo`d#67SayEq{vBj7Rp2
z+cF=p!vz|JELa@n;!RPii$%bfv0;&{bOBf&d=`@CpeU8(OyJ`{S*}pIBftXS3+Q%6
zrSdc)3$0~&9;FFD6gLVPhHQ_`DoTMIh7?aL*%c~Y0M-Y67|rch+{d!R5=2m{3p5M(
z9P0Wg?h{4a@M)#|ad85$ihtH#2+VW)$`vKUV&q^%qu5cPZ~<6v{7xjlUs1e*0W3p=
zP?RfFtP2!Da<nJ8eZ`70h$+CO6zP^1CICxO|B4(#swiIMgTQ-$f=7X3Mu28ycaEOY
zqIi`iBp+>bp?@&404yb)3>@$F6)MUIoB*6u=r0#K0yG2XqG3<P`+r0cTOD198#KHC
z_U-+TbNk8^r9iAvU<45qG6IZ2N>u3PcEvA55SxvT^o#igU@7O_z`NYOB1I{Zca!y6
zh8YD$8UY%RMXwQ+q$nO^4Dbo0K2=^u62L;TaaBd}A147v5BCd03&1LFwG=(4SMe_g
zA?Hx!b%TZ*0j8m=zJH4UIgMdzRP8SSODXRK4t2Zric%(rBNO5wM}d4JKqHb@p(Rcf
zzf*^l>=`nQpHBdDk+f$;2?EC<+b8#9Ujgh}+*T*QN>Dfmaq0JSgN7ObMk4}Hlpyhb
zhFH%U>VWDaf%&dB)pYgKl`O$J(`OMfA#TZi(Gq|)G@OW>>wo1M3!7_L(i~PDxJWEz
z^4Qh^b`J#RTbO{P^S7{k=iW0029E#{vLPe4FyWL*wfy(oMpv6r?R561d0|JA-3c>D
zBf)!sJAwY}3xnqXv(Rb}N^n^K9Gv@t2*7fGjsYgR-AYAqh{<FRZ^_tv?g(HYY0tX&
zr395);9qiI$bS{UI3)X1QG(23U~KkDt^j6b9*PoV4h5!XpX3T)9y!WTlz`GqPD%Ap
zPVWCg^h9?h_=J&Y5G>!h*We@Q5l2e(Fb~Oi-Yb9u$?=O6CE&~?lkAxlz;rbJuT&2Q
zl35VT3g8ejLxQ4I0a0K!>??raWPB*f@PvRl*&pf=pMOYEs)-puID`xbIssOyje~(`
z7&&@=yxXm*G-(t1(~|3M;Qc)~xovE$G1OlzpGiPd7?}}|al18@rax_R)4DiMbPQnl
z#F`A?!&B<Ga8^C_x@1`{O~9lu68@~ZQ(q!A24_#JqqQr^qnii3Jp!2Gte!Q!j*m^P
zRpYmZQGdY1><Ca>=9~GF8IcfoEsWA!7vuho36dUFK|>8(Fsq(xj%cK*)+fW2_h|qo
zgb`n;YWtK4^#(T`9ib^4;*R!y;%T>Al!FPQ!UkWM)4-SJ)Dx*u<F}CzFgYuLs=l*h
zYYo12WCKmL1~;tjr#Iz+p}>UZI)kf^XyBq*4S(wP*iQ(U5TXhrKtmA?8+`e&1`$Ho
za5pSu!o&uH>yK{a(%EYK4l*u85l2b}o%#@5GP{8r=QT2+!6gxxaBw8VZSx~6n_f@2
zs>f!>X;uLYqBaD}rq^@({0LJcp~{NDggK)_+_fmeN2k^iQsZ};Q6Z#yu98E@fR9YA
z<A3f&5e^wuArY7`Z)^?sERJ%@q^b<cxj|!yDqI9B1OqsEQZ4r`j&gKUjk6*!;hp2d
z{A6*I<Hv`~e?O&A44qz$!0`u!`ROrH-Z4Jxj0jA4-=tdZT^wQ2SglA?VMeO}3SiOL
z8tz>j;iO5mwu-<2PM=cC-HRd|K3a|61%GN)00nZy=o;=`6yfwKwYDsp)EIE~v^wrs
z5Mg>mzXrDm<eg8MQr*~YW<)~Vu^__P)9T79pH~-x3uo1H%lrrjHrW3ayb(*YYIn-^
z_bnN-%!h+53*?Ned%)zTb^R=xQP1qCy#{t*Lx`K_MHo|Sa94YrqN<0R5D6Pxet$?k
zR~^>CC<lW4t9w#h_DYPUQ|dT+jQeg?*no)*p^`(o2CzG6((O!{_B~-B?%wTjj>onP
z@Y2pCw=alrgw6i-_&S5@<~Gt4Hn@3RoW67cUycc5Y7M?}cmtQsuBX9)yq=b>6c@L}
z_}k7TOQ(1sx^2SbNQj>u8)ZUW2!FGL?!3k@_(6L=x2|`@OcP<C*X{e{1f~H`btXBt
zCB|*@BP?#VR|KQOV$5S|4X%B?pPqqX>gbzrK)u1Y<~DNf^m<2TUe9b#a!Ff^Roy8J
z!#l}cwFVp-4Kb+<S8qanW-Z44i%NyaIV>P>81UkbB+FLx^7Qtk?Qh>$V}Ee@Aq`xA
zR3qc-^Q2CgFu5_rt@9&%c82}NZvu~Z46v-FmsQ;<?^wRw7wHVULqLz)*XJk(tn5m0
z-ilrx@34R4OI--gn_17T^CL`d9JFd|!mLpt?pzq*;|JTH+K@Kk7n>5C-x_1Xo^&vc
z-&yvAfL(64!f^~(*OTV_)_)kk*p#3Um%SKj3^?=PI__K;VP-V6H+nI*sfHgfigM~f
z_JmGzNt$ra8*wgei?J!D#$O^k!@%2ax1u5#uql@2(zY182TabHVQ;3T0i1eJEzxk4
zOWR^J*1(+$qa0)N+yfw<hTAvv^R3nW5*<<FF9j3W9tJvrGyz=`*nbBD-j17maaA8Z
zNt26aH(+-d{=^Ak9$pfqJ_K_{*>C*4Nt5f>_H)y^IK4?V{xV1dTf@LsAVoC@0KkxS
zf~#Nar#or##Y63n$2%2&?;0?<W_2HTw#Q}brW$`aB!SKl;sW)#-I|JG$V%~d*YxwX
z*ZS!4!CAQ5;wGP48Gqvk8{*#Dx9nf`0NX=A2SJYn<sqJi+cw0xVpSiVaqo)Yt-drD
zw|TpAg%9ZgIzq@Cpv&#nxJA;0do$6LH)G!GTG#GLbKZ&=%Qq+RUh90#E?`Fp849+#
z-5NJBfnRP)a6xN~wR^miMAp`wVp&Tse{f*^LSYlon-#!6-G6S4>lpAv#{i#ciP6^W
zz6hS*kz`p*FVAmJ>SWg$HUhB_(gC)+-5O6|z_Z&khPT81)QLj*L+1eJw!~=N70}cM
zZ?FNZ(C1oU!0i@!0s~rir8u`G#*^DBdrM5<ku3w9-x_00j~c&&#1Wg{D}Z*Ycp|(X
z2CV5xao&m;kAG|#uswBRC{iZew=u!RtuZ$CYHEYS>_l9ky#m+-Y;n6)p2C2Qy=g9L
z?dASAoee)G(s28RIG<k`qoZGqzXEImHiIRAZeWeut@0cOboR>v)ZPD#J0gPql*ujY
z`?>nHK6WKMmfBG6Rz~NyG?vP1WY)g2TOtR5HsGUfw|~rY7|@k4x$4zE_9RU%JH)<P
zojpmD@2u(Pd+Yk?^H^#_IAkzyYz<@U3_>NIAd)ssrbR-8y;tIHC6fL_n5E-j`A!f4
z^r6S4?oTFv=$cIS<(F;P&$}~W^7Yky#qTSw5aa3$9y~T$_WUPg$i^WL(F?Q!uyh=`
zo8ng^^M8QZZnw~rWb%h@T-(p?q{%mrY-DVShgEd+r@8XgK7RIQ0{2%O@?LIG&m-7O
zCIkxmW`J%*d?RHT;wJpCJ<jDTV|12~mG(v~%|&f79`vyB2b`7UWIp5yAP)T1?bi8$
zqzMmfOmI<ajEzO)53TNzt(m{xJfL|!?(qUSYkyuMfTiQI&tF1PBa{(H1Haxfz<Db&
zi&i7BqASI+mKcBP)YJwS=?4A=?6vv9@r+l=@sE_@F@YyL2UxZuMr&7o5j?v+$vG{(
zytG4&-(}VUujjrnSOD9QAwnq>1764&_;Z6wujH02S=ptj4Ibb*U`Or?g9Ts$e<q;S
z;(r{&fLFRwEL+jb6P@B-rcFt){%mWE^;)vT3-keh8T_Ip0Baubci;`TTkAVArB^Ok
z5##4?CHV2iIG41=*sLW>yuv!fwsUQrp^D?a1v~>B=5~vHhXHTK(p=CQBMt1)k|kc^
z8D#tKKJ4oPi89i_?+J3rL?<z%n(-bjS%2asVu($fxxGK+FNN|VnjEJDhgZplKL?Rd
z09z5oC`u4`oIDi}_ZNUQMEr(9AtOa`h4Ng<ZNTpU2D?8n^dvY-8}K}ETBWadPs(Il
z+$3!lpNeQ;uyY_yvdVJ}x(7_&j+>-PxQAY%#xRCIdtqdr23F<!&!OK|(xU;+0)Ku?
zg%8u7P;bcDStWjVDHAsIrioW#FQZ49(imcVoq^Bo9}L*mZ<dsJhy-#z3H%Zmas<e)
zD-ppYWcXNI@e42ai>vksjNc7Em(st>7lBiO9YYyE4DSMgRE_&3ZU~^-4Y*wN{-uHc
zVT5^X{>^=sVje+O(G<l`tN|Va$bZ-SLt!P+*8{(D`)U-WNPbQMDLsV<zyuyd%O@)S
zVGSaHVS9fVNdVR#uSWbSMezd<A)d>Kj64E}2u$Dsw1%kSebyiX7_s+<;*LdHjkrRJ
z;#ExGJ__vpp-=%>qriPgVv(YFkv6iObOF6T6n`*YJ8&0rz?h<Vi3IRNWPd+P!4xh4
zOHmIan+p`hOZ=H(QXcYAN|np)!1vH{>WX*RNr^UDoB%9k{Sg@n6vYcX2>c&VRPPU^
zi~#Zh3E)-+)mTv!7gz~=9~das_@TVh;a>-CME4FW?$Ha}KpDl{N)v#kv|j*^x_uXv
zs^wu|IZ(9glcl_*S=lo%7k^2XJKXKNp;Q&CfR6xcN;Q5c&jrfz58yhqsIF2ub_3U9
zL*<h41hB6w^b>-$4@vPRCh#NR*FedxPZpa_yCM#J7kJji8>3VQe+F)%#Hi0;?AbVH
zZK6L8iOEiP=iVp*XFYHx@Uk7o4|a_JR%4z6u0iJmiv4s0UjtsY^M6h4a)EM1@DOkt
znlPu>M*>N8kgd5k_5NU|0IY^3ki`kzL8jQnLx=!u@%wYJR{$2ffd2xXa`wI`Rlx6o
zuL8U6HhyqI09GU41U?VE;@rJa0?yxoFCb_8I)XDJfF*)gfd51f-cyQa4R9IRv#TBG
z{lPgGD7V2+1E0e|6@M#%V<T`WQrgfl;|C`Nuy4cv7g2LZ>2Ib~37de+fhPe+jUSvA
zfOP>TvUGhVvZG8<hGG-aQI1&B&@P-8fOR3+3UgPG=d=!`s>vGvqYQDDms3=>hOnee
zgn%=ETYxDQ{d~o%yoCfyY)Nn{hRPSw77-Z8$ur*rW>&lnihq|_hfH|?NCkWTEbdg1
zx02^hK=yMU<w`pgw`oI+|2d$dJ%5(U%mD^tUFctcPwl+{N;UBp<oF`jj33+*z`hr}
z0{Aqtw=?Bhdz4C%L~?sRP4@6Qmy930a*&R=L<ay@0T%!fx0|Fm!X6}3_y%B?n}(mo
z8v=l=2pSQW=znTpvfE8kY~?LvugHTy!VAU^UJ?N0Mu<)Tz6~7fxi%`rVgfH9qx*BX
z5a}5X?-`dBA)1M#!G0VW85I8!Lk?EC4#^I7)!!cq?+GA_2qB6@3cdu)aJxxLQM4n5
z{}9mUHN(&1T>(I@OLPn}FE|;fb-P*0uq2S=$7_)|zkjD(p22uq0FdhvH3R1$OXkzu
zZk946?a1o>{YddD&$&E<@xB1ESfjxrB%$s!G+gQx_8@sYHzKipPxtz{_(uR)thvGI
zNZ$BD++5JBZc<2@lAD3w0WrTAeir`;0CL@;slc+#LyK`$4ih;z{T|?_z*fNX?#@v7
zQvg}4^ndEPz=gn4V4~a23OF4|$(y^8qjS@KH2f_77C;seLM^ZuNu@Xy@b9<cO|~JM
zRqh2^fTW)dKT9wK0J&~aJ+K5>KlpcGlG{!5IUT@n5W`=A1I4M_Bsc=d#TpS7AjMQa
zgoI9YvRoJ`#K(UOS;$&Nzzjc2Fa?lBgir&_Mt?+b1~3mzt;k0VS-koc@LMFV?`t1_
zB!Vq~EY=#rc%+2;8NhpxJ;~KRDx{GO=}#ehGG0K=-SuTur&y{(09mYgLLD+HychTY
zvbZ*(itdMrROWaYcmntn(%TOJRblv9s^tscA4?2TU=EUkeIl~3HW3KB-9(#70-eZ2
z_J1j)V&CgPA5c|BpG)-$AQwvv4ZtiU`R;fmtU41Iga2HmG?I_gj`Z};Xa0SI?Agv$
zYV^6N00v`;A%x5sW+N`rVx)S-w9M;X%SufkRrlUPPET*mJk}#VeV`|^rJ@2D2}=+)
zz-T1>Vis@&a40fDOa;awBSjs~j233*5nD%k_AX!xQh9qFQboBv^I8v(QiC5E6+o$2
zA=U_zsyzib2sjuSB_<<tiLpQvB8~=N6#4JFiDXvxAx7Sf95&L481|;jV>6O}(*^XR
s#$Gc254p}<e4r*{J(I8!fdY7(lQR=O5b{Dbl>h($07*qoM6N<$f+aoj&j0`b

diff --git a/core/nginx/static/android-chrome-512x512.png b/core/nginx/static/android-chrome-512x512.png
index f029c9fd484a7603a43cb63159b8d95fca06f95a..32a69b21675b748d731d9cd624c8624a412f35f3 100644
GIT binary patch
literal 15628
zcmZ{LXH=6-(CDTBK@d<7R8WJBUPOv0kkAxFdIxC&0#XgVCMY%p0clbM6lo$wkX{lS
zRf>T0rZlAsQUW2lPkjBpd+v{WJjduhv(t8Fc4v0>k)F<#{risY0|4yT)KD`301o{V
z4p5BH&!2$49q0$?q^zwBz}pxWiX8*=f3&@Zfi?g^X8|BY06+&J`~<*P5`cMI04_cQ
zfX6GnR$l@7z<5LJiW;EN|711f#X}=ZKAPI<Oj9sMHZGp2#kK$dE){92DH{b0FO4y!
zAKGZx`dzNIf<EadDp+Zze=0X+FuKY5#*G{8(O*9$4L%jPZ0~VH^wH($x5<Y~^p&w{
zdhg+pH`E!pTnt_<4>bl?cC7DZu3xgW4HwJ1My6Po_%FvRY+ZhK{ycHz3q?!xvc8ez
z{LslfY;DSNkKs<L(k6zf?dB2LtRXz!BIYJOsd#g4%KxQc<jZ_N=}qze?qE&KF9}r#
zmh$IA>N-h=(>^t7RAITak(ncb#<@3JT-PEfHA9#=Zuyd-%o)KU^U5lW(@vM-AXR)%
z^o>tB$Hx^NeJ*wN+14?|Gh3AcJ_DmwamO60L$o?$Z7fu2b@igXGhzj?5d|)}CiDIJ
znRfd(F#~&ZeZ}ienl!TTVi)CpR0Xk}*2chnn5~Ss&gRE@e~_1vCv0C}JQl*tQ1LY{
z^Tz{=cwT;{wnw-W#T<;weq6XrhcEAPZ9TzdX{DR8@~o7&%j+jf9T>k^Eyuh&lJ?}-
z;^EEms#8cr<V(Reo{q-u#(SPFy6<e_RcGebECY?k6VAZgCdr#A_YnT9CGp-43CE_s
zbF&5=MA21qU16wB*~_vuqd#i2YNc>SIdCk)dBJ(y+;CvA==~n<EuYg1SKVFrpac8p
z;GNQxV%dl8?Bv|gOycm-nB7JzzHZZXyIx!3y<P3&u_Dt*7KY{C_Sxw3ToAnA>%{vL
zpBY~rvz>T>KkMHrQWkZYSI{Hm{mB$(1P84-thd3PWXB&)cqu4ct3A=sGckPmRh=oB
znDk&t6UU$}?PD^S&{Q|WvlcoukSoOPrL4!Les5QZ7^BEg`*nMu<y8ObKo9!V){t$%
zwYXrnn@#Kva+j`DTSK(r<EwSUFQu;xQFi`}?noSY^T3ypr&gDdbDE9!dcd;={vQ^Q
zaqQFR^>6Q87RS6hv~amS&p<m{mDjk9sq*EI6Vs<H<Fi=kytUbAPiXHAcQG!H*(0`+
z2Cw=`OZ(hsd1BMTg3EhuA3XT9={lZET|dxy$K${=)oEPdXyZ(Y!>!|G3VyaZMXFwz
z9pZ=IORGW(T$Bsl>hmq_*a&O0?k#?Cj-P!L*JLwfy`Oz3E&O@P4Gn#+#G0m++=cz|
zEHmfG8YaDj$#Ufgan^cwEgl=&h5eEZv5;C3y1QvZQYFjxcQVFo$+_&r!U}KS`_WhA
z?<=xEvdfMx+D8X}%Hy7`X&gFxkvVlA{GxSMPi}gnU7BiW(Ga<_^FCzCjlXz?J%V@!
z6&CLq+?X(PIgM%$2tPQ|;`}CE9I-Sifkx?Z9m;81@d#;fd^LJ9QzQLzAV-`oQhn2W
z;cT!-cg5{hv>oAPK8I}B)~nvJersBzSoc)FQ^}3_<0p4avU-|W6!@<US0{VaAIcIG
zzNWkD@gn1x`^V@0Iq9%aZ1&N*v*V?|B1T3?%6EXeez+UOW2jGgGnFQ5?uOXeu4H%H
zF2Yt=iO97T_hfb<AQ#CY*EL~`o|GQi=^yS@Dj|ngcA@ht)QhPuk8RxFTO+yD$rZo1
z-Z2C}Npf1!yr0YNLoLF_xnG+uE-D&)04*g(hWdOuZ*zaV=Pq_r_AE|$Qo3%|%=Y2S
z{CerIs-<Nwc~fi0_s7vr2mLypyAIg0(;2I|Me*?JAy+PW9FlWDOT1n@sxVQkN&jN*
zLh)duc~lB@X~{lFNt2AlC;DkyI}bSf)4!&;Q83AxvNkDc;**#ezvx<5U!I%$^|-!$
zZJPMpC}AxsarKCt8Jc6X;-YouTXV!4eyqMx+EILX#}w^RRJ?&lJ{Fyme1!T|?EDwS
zCol6&c!|ANbe;-09+A^SbB$Jn5cwoR15ZJd)@LWiWKY%T&f-2IRa&h^{M+Qru04F|
zOt~jZS}{ray#L_CPfe=lXD%N3THOV47I%xfoHi-5cJ%Q!h~rEysN6+QAq0g_Mo)-w
zuOU)wU8BmaF&tys50Zx0J~Rt30Yk1s!?QG*8q>zuiyj29Xf4^*#I*Qj1VrxB?e%AD
zF<ygdZNUdydOmozt49|yA7m61E{&d$A2neT`R<D$$hu+bEvO<7Dyx$rn|j!^!o5DE
zOg+6m^pXdAsV2CIug0SCG*T~tmPT}?G`L~ATr2Sxboao;9a)mQw6uAnd;47;4y0fk
zUUzT#$EdzXQlj5)948|7k@B6#(~QC8W-Yw1$h9s*JVt(uk^H;%1XebewKlk&OTIse
zYt|j8&yWiyie@+bNA@KQ?18dl$WiorUPpmSzTA9@!p2sW=U#8M5Uk~H@^qT)^1~_^
zSK{5-m4jR2Yr*CpwNcpPp+d=3hj}4gn^=?UmV$_9B)q0zlczl7zpJ_x+-5`>7%?IU
z!40z4!W^@2ll$38p7w~F?SW+syZiKvZl)50i~M30L=TNRgY9R$Q6Y~PwNP34oei7*
zB^2GnBW~jeG`0|>6P@FCZ0X}1h`fbg_kX-|U8Fs5h8;~PMAbUBl*GEDU|ioSn^vNp
zURm-zD#r<wXJq-kEn{OGywK|I_2fG8JEvAlgO42uEXrtP-<`Zc#V5Op>P5Yjs-%gb
zdJB)E;KQcoq<4*htN>Eas8<BP6||@<^y4xN{b^L{gMX`a1Q4F@m?)a}zf&)4Jjw^u
z2x*-P{7J(%p52BSole8ETS`xrAGX|rKO8rDzcurqC!PbVUO@J=b0wEdUIyq7+(Sn1
zl_4zqIwssFc0C_?|3+ZHTGSX;LImxO{haGx$Cz1Hx}3Yd4Z5YpCut6uW<joYAHbof
zvlG3HyB!XiHehfv2(~h);(QOn!`eZtN*C8Uvd9F|u1nZHN$;z6=HMsnb6%ggR{VBG
zvZfkl+dDcg;K81dc@?7q4!xUQX|&s)n0CYMI}13*40GHBGS#=Q19gThvZn~m?)C}r
zGvO*ZO)OCdl@&5ZVR7dw<n2hE{J}toVrBDTHySwr7sO!5D-xdPdrknUHbp(fGrQ0j
zQHHjR%leW<Mqo|)h7|oyBM?Fu8Cv{|Vk!nWC?f06FdYE-A#yYi+-uRv4@g3KBlC8#
zBH?Qc6kBM$4oW<y!SpD+j>-QNQm@8?>eQkjt^!)p0{tY;BK725sCzTbYw|oN!1VJv
zo=i<tR@oS3tf$em?V$KYuo~Tkf*Dn&5iOI}M8stQ8mT9Z2LMup-MYV}f%Qp|nrc9R
z*23u>&HUO1f<W5O>fi^yeTM?W>@%rv?BI^P`l>WH%gc*B6y2HD69DesIM&V#>pRPf
zU$59RALjvgx|VuzUgg0Gdrxjvkp1IMIUeBI4<b}TMJvK%N7PFp^cDRSmKl)J%76eb
zSYRHA7kj*_KwZX_y4yN(uJR89K@zvMDO7gK6P7=#OIwZzcreQjUYLmJwpG?MXOVdZ
zAFaN6e)u{XaCk72W8B`S5uBL_{C+1-R|^8P)az-BBWmE`&Gm^dI)tm@jNoDVzM88+
zobZ?5D8WPQHl6AK#PxA#xv$Qeuq<k#9$sEw5zcFu5(nU6eGU$O7oL6Y2MuNZMUx$r
z%D`{R7ISOdlLb-lKBMR5f5AXUE>olEDHQCx8};Li{ACIP$V#4{oRGZ~)p+FP?8<EL
zxKp;0{8tz#5_*c!uu;KYNX4_)TsHB>L6CMe6on*<lNm}!SC#Qjp9hC|K(}A!&=+8`
zkJSrYxHdlHzzE)XM-xnEuyCwo8tu5$lLItBV9QUs;&_-JZPtMoA?HQUPpdHkAGH*U
z=FS25ov)O!r%#AUGU@ezpku*5ckVd)@Lj4-8H_I-TFz_R*hW>b>c2iQVdDKGf&n=6
z;2n9!k=x~DPci@VKiNSngUs5MBUsd`>H5m4<g3gALIADx1Lqg@91+S1MsI01w}$BG
z0BlmnQ`JD0$(TIa*i4|#Re)t{Ml4=KwRo;iT&I3$MS+&LBKE(u@1kJx?7$;FGgCue
z;3Pmdo3#G!Nd&PYvn!0YeCTp{W*7)uvk<LVRPco1w&(G@fl=`g7fw|zXcepn9P633
zHb8pB1X{|k%3IZPf-=m^%0k(*cs4M}>1|(-=*+?l8?svRbc^~%1%UcJsAo#{e6%ji
z{OHC?u2r8`84QFpb!gNPbYUs%V7a1AFnFV@3J(Yq(t~+~xYi7H$5-S!A-w7gL&4N(
z1lTqzQV>D}vc#r<NpACM9pMW#04UAL=G2+hc9SmA{?OdbNriZT#VRp`2%mbY7&X62
zB2uNkS{HiVfPp(%7RTScU-+}m#z<(-c^1zMI3x>a+~C;eRHCJk9d`*824GgaliEY!
z9Nmqx6CK>f8eRus0N%FWnsy166$+b_HviCy0H|s*j+H;ly#p_h(nhDJ(a#u=Q~?{V
z9H(WzN{D9!90y&e=MV29-QJP$1B}$$9{~8^kh-V>oE5>Jgex}||1bemrf|*kDo}*k
z%RHi0wB7s&O5d{OaSHrdj$lwHV{RINh|!Nd4?y>yKlq$a^5>ucP-WCPBZi#^i$W6K
zP||nuMu=#S2r@Sn|6)|oH=P3z9(q|a+HiMN0qqhhQE0_W3Ib|sAdg>q4I{a4?E34#
z0Tx;F&7&l__$xC^TbFjF^*Vh_twHR;<vBy_yhQE2(T_3g;Ni9<A<aH+P$28qFPf40
zXZlceAWm(20{)76XQV}y0_BdU$Ar`F$pLA_y-Yz@@_QK2z_m}}<?20Q0Xs~<R@Ec!
zJrtH9Dju8>H^Q6&urL#yV4JWc<mS<?Y{$XC!w;4OqjiZ``&S7k4g-RT*#3c9P(W-k
zSv!n@{5&oF0LL9j7G5f!&>>1G0B(JzYa6yi2Ir&Oaz+`GR~SH+wuk3+9&{`}dV^`@
z<O8iU7(oEs%M94w{q_zI-SM9|cYL}T39>pykHh3X8`RA*`c2a`%sXP30k*FC8|(qo
z%6aTO`>5`6Y*3g60K+*t#qs0snIQ$z{GZ;VJOsdJTa2{%9x}U~yPHpG0x}c=G^U}_
z8NW<rrwcb?fpeK;f@r9Y3jC>Z^rjIRH1=S1<~Is{G$TNk;i&YEy}L!j3W9_V{KhD`
zIt2sWHSY;iuSzBm1k25>pNG>R_lOlLbh8M3k(o&y^SMWp+GYoYsDdQ?X(q&uG^oCZ
z-;AH3m;vAr#jA(0sa&6PBJ_cKm}axB6Hw^z&g_@ioPdTFXkrfBhBN?L+7d`EQY0Hs
zm_Z2*FRV_1WOHzroP0}V1_gPv<7@SOYX}&Kt$0s}Ienrwlnby$zFo!uFeGcbx!MdZ
z3#hhgBilikgtrRzOv&t^U>2h{{{0FJpal%!Hg9!T0@;Dnc{=@c^V3(RC4lr2Wy>ro
zkxu<k)p#f7M&Jm)<OchA*DQ7YE+pZl<=)`qCX8-DJH%@y>#ER*;d1Y8AbB59bUcWG
z10Zke>I$FUh8E<+wtGrP3;<Z`dXeB+aUk75r4@Z5!ywcwRnn_DHEbZ%0nP-`t`Cw*
z8jcZgf=$+~ontyqAFyHT3<J*O9byE69l}u5+2I6P*@{Hh?QR%Yz1N&$>8FYn1|bqn
zKOlj(KVOqS9SqC*wL$Ye=SOWXb^?T8{$V$F(ZWlRYte45Ni$u#R2wC}#`xrMuxdt3
za2n#Fg1_$M_(RzsbZ{oj05<7Geu#K}Ox5?j&8}w7*5u1uD~<QS%f)eqZ><kt%hAr+
z1NH@bfo0r4d};%~X}ufs?D}GZmC*uJ2>2!&Fy1M_?d_>%Srp~y=t;=^N@MqmE$0D#
zDQX}~FcR8ScGG-1+)x?}gu4z$nVtctegFfFf9hGgE`x2&s3JTw;8H&TCQa9;Bfc=u
zMdh#Z^7=REI`CPlQr&Bw=*)AZJ^T!Sa%w;*Q502`Is%@=OI#>Lg2<OBu)6n}F!3`4
zI9u$kB=Z@;p|k-BwlhZZSJFH2j2e49Zv0!f_5Q=jfx^d)r=Y;86zY}#I3#)5Z~83-
z0Oz1R{L?o-2nT^+B($S&%no-pJZA&R-je@j9^P2%eG-Gv*gN5IX6t`Pt8at7OPpXc
z`4^wYf0U7JT4koY2yE{HZAI$<)6@TC4lgr$^3xgo{6N9~1M80&#;~C`@TD>nw0|Vb
z@K0gKm_aa9Q2IAZW_)wa#UEUVTKcCc4zqPfqY(u5HJPVH_d>vb8bG}{YWbxkdI}iO
z9^akeW;+gpGDtXpFAek*D#C1?Qb^&a{%Q}KrRZ>XXQTqwt-{9l56J!gV$Cnm{SI`;
z88rVdTw<%-@KI3PeveQ3KYk-Vm>X38=7`+~RHwz+4*xe<<vV+tHAlV+nB@AuLzpsc
zOE^iXECO-)KNage6FMc!2T~b9nCa0Aw*PqUxPxVK4^YnPqg~M@A7Og@pTsZL?(Szt
zUSlA1Ov|!y{i9NK(sm-6flxFp^uI$hVM90UVWbYQO+cvsBNJ$Kzv#qYGTLqOdjH5I
zGL$XchZ9EN+n4xG{}ZLBWy1;D3lLRSlj?lv{~0{eQ&a&Y^*p|V1OM4TLYPp4B@0Mv
zpZdQ*M7LU65X?3><umN$e<~G>PI^(q0OT0F#F!rb6XMTX#l;dihHiJbQP=;%9UA%=
z_84><KRE?B{v+`2dJJYTcdzOhd|Lz#{t0^w=(wlud$tekP2a49odw$kCPs1ra(I&&
zt6j}ADnBpQTrS?J?g@5rEK1IwOBVoWCfKA@@J~-xaCaJm1aLy;E#H^#>+Jjz2mGU+
zbm0e1M%4bS$M^-MY&E40JABNBPEo=GQ?y&`d(kl4hxJzh8f+I`_2sD#4y%xJyYbeP
z6nId0?9gIoXw_(%X;U@^2IN@*ZQva@wpW%^E`I?DFeZsRAJ1!Xjz5VYbf+(jUEvAD
z7_Zxy>8wNiG{Yuk{_-=TDa7;uOb)!(&ph1lrfDRcgJXL=q-8q*$4ctCnhN0!lx#k}
z!;2uHG`(z5AdJYbV{W_<x=>-znM}x-N-HGWVCs5AUVpz!hc&p#zV~+474-duEx9<x
zHFoYK64_<zO8qPixz(D`*LO#4Zz)X{Kw1F&VCZ6%ztO4SklS}=bpe)IV~uxP`))()
zF%*xpU}J@$HTZ4)T%K>0ZwX)U59y2^*(RQ0o+WdF$xPs7@fY$6Rn(X7FdW-`OF6K?
zKU@VM5PNy;KTmp=Bwux=LQ&>%@F30cFQ}=<8E9GWSgap{hy7N*H{j`(zTR@B15Y!(
zTA!lsOXrW0(|LSnw;HmsrZRQ_L$_4Oew`eX&Wq%jM2t1PN~P8PuAR<18VSGz1Hm$$
zomP3Wn+viF^v@Z_XJc6$l3v%-b>V?Mh8?u+UykF!e{t5IAjM0ekAZR9BerntVc}v9
zujcys>DS@urZwMGJ7}Ne+Up$?H;y-C0${^LC}<t`)PjqjhIsv8P)t^+j^&8e3T<v`
zh@TMFDqg-qU%v}5TP>lvEC|AcT@V@7ea;urbD_D+f4o*#JUPVdyI9GMcPF3&=j8EC
zrxsf}gMFUx%Mw}vOgcipYY)Q9aGh)h>%<-Vq|Gw`ZQI|X2ki(@Dg{1Vk2mQHcyLW@
zqZXIp_$OqHdhf=Hf2K*0>p{9K@LUD*Y6+hF#0ZB)0Xufs6<v|_ptZAE>lxx#Wpjgh
zjDmA2=zw?lfKHq+8w!SA+|a-M+<zwur-Btoqj|~XJm5J~kE2_bvN8XqI^ZP*BLI%X
zR7;DM=No=C19!cPRp)-T2o>anw$m37nG(D}Q>2T4+b}n8@E^L8XuUFLCR3_7m&beM
zoTG7(sqPA-lAo`ideSx|1P%fe&@X(criuf+&@p;$cHkSu<^^Ok9J#=&j0F(mZqeDg
zI<xa^1T(o+E)w59fMfHpwW57hAOG!{6nMVBzwDg^4Dhpps%C>-gts0F#6cM<b!Tk7
zu%YOzSGIc*Idjb<MK15%llXgp5X(rgWClorps8`_-L0QLko;LG*7lM0<>Nwm5M3;Q
zc%SCaDt^DamCWoZ;Qul7?C{(V!tL8DJu$-dXA(u1v;g)Yf}~0J3CBb|V(@KsZQQTP
z{QCr|{nYr(Eo!0pSPURYYPD?8K`J`6w-SwITFJ}$mzbDhVuJChmY;hXksu;-fn0R}
zlE3fb%;h>_Wo`d%ziUpMJng=c&EgnQ@;x0$O#qD2<B48TLfVQ_VRh%F^`$kvOn-)c
z$_b<O5{C@PZjg{A<QsK}7p&`;q6AUj<xMYK^zBrvNPxT)&_Ca5NHw)yvDyw(&o|lc
z(}AyQJu|*g=o)|bgb<Wy{KeikKhL-lY5v{p;-J`Sd9zl*tj$Myj6ecN{e<Cwny<gb
zk*s_??27`h0ZL3jcHeGkwKz^|SC)f**#slZJ0~s_hpampkIPCRSDHqRJ7_I(ZS{eU
z8`i2we3km44QpRT=)4H=DrIm+X1{gc%_lWS;8pnJSsYp3g%g7TIK#}Y_Lo)fO45b{
zR_@%Q+i{@C>!T<D7U+}o{X_Ma8hB#H7aVxt9)>6{qIoiqrai{IS#5kBIqpn66f{jV
zCdQ}D2Q1ee8gIJ=2eu-xaV$jA=XK+`ioQ!8LFTyc>8TGlczA*`%u`o4Lu)=|@{>|&
zXKqp3PYzQ`(v83G?>pz!{DZQE0^|!!h%*+!uyk!Y260etG5<M3e2pz2=TlmJ+1aPr
zZC51L?NHt1cVjG{$Bj>zUWNpiG47`{f9CaEMiNHnm2z7~LUEetMgEUAqQ8TlJR0{P
z{9W+p`#{$#lLT*m+n&gy5|M?iPxMh2Zds%Zbg<7og%A00MmFF>^q=!(AE?-Q_e#9R
z<71Z3Iz9=+vU>zC%@JS!K3lv><T33FVi&ur_A6e?9#r=?GId8VgJW!<^|PY`<{p8G
z+vLi!H^Eip#G!#ef%=p=j;x6ryN^DPKR@73E!SG8H*`u6a8h^|kfQ}!<hPvIdp?pV
zYeAk+cs<DjI^W?{InM$gVQ_jNX@C~&dIm2ye=)KgaUHcC&H~F`_hzfnJwT&MegAx_
zpE4E@<v-;+?(%DPqU|j|v{<r-z~*CHaN!Z;PAx`2!&7o9x249kTm68mnm97Vz+ld5
zNB`b{`!$cQ%!Y52X0eh-(@{}Eg|`|!i6*t*C)NMjiN$^(zzNxB3M<gA`|`PABINp!
z8jeY7rAOOyOPNwvwsB-NzA3*TC(ez!ymAS$xCKKkIi<)nh$<RLn+i44y~~^#bmYC*
z3o?;bCGb94hU;aDE}w|C9_xB8r@uS>!(=P?mga{`0frr!f2X}ERJmLYyrObosgf{s
zIgIq@1kV<<0jc8%CVeV|5w)M5>#ytIPfeM-P(7?@>_5I*j+LmyP-Dce23*n+^;qBd
zkNKmC?MdQ*wMrTb>Cxc~xS-hlDL%V=F5$ALPEgA79gokS98fLYH%>J)aRufzSS5}2
z3EVRNl}h^&A@@aw<`jv7d=HKlfRmCoJ)J)w32zv{7O_`V_f4Mq1!VQFxQ_yd{4XM_
z#U6FxOGbC4?yyj*efMY=@}z27^y{9Sg2FUi3mjmL3tWpiw_M?yvNb>db1CRqzOLBe
zcLQ2yj<LZS`X~~5>o(ShI%Zc)WEZ>B=({5U#P*{zTcAvfH8D}z4vrOv6M7we;{03s
zdZv5c>x=lShIj;O3nSmH^ZmleE<+oxa7|MvR~nI5FXj4h)!hM}zr>wcK}qY)x6?!g
zOX&`(>d|vB^a2d6sJ%K_aAsWVz<yXsN%2PGR*-pG%m9#SyfkYZ{P{q-_IFvSi@%D>
zrlX#AUbmqKP#C(vI#-q*7%pL69pD7GgW#za6Qu4ZKm4+5va5Yo>(qV6&-J#+9!X$~
zjuA-S6f24ze|fcCcp+Xy#4jkG`>#yh3Lq*m9Fpm2GNf6;btZzeT-L(x&yS|%*7Cmv
z|29Gi@{I+p`=1)KG1HGv-{j80;m722e8+$Hwo8?(^8OV`qp;kHu-o*M_H;+iSNaAV
zs|3ehL{eOprR7S=DsmYox<t2vipy=g+4?Ej+)<<Pv@b6&dQK-i{ZjNw<L_#uG7*Rx
znLc1!gs$f<5SuZ+IagymKCJdfg<yGcyWU^qDL<)U|DdmdG;||!c=_lBud6PFp6dUZ
zL*BQxZ$0e{gz+^dx?(0^=o;Ht7FecnV4+X8$3t6`mv&px@>W>AI1Z1OtFc>a8=g*j
z!(d+B_}_ek==8H=H(K$5l|PMk*<C&%3H6MGzSrUE<DQtJKisB$0ya!n3SQ42efpSD
z-QDoS040+m^?m8jjoVFK0)O>bY7H*v)aD{czoE4u*ub$n0oSv5D|eNwPc%rt<Amkv
z-tUKxow5AqPSVL59>_m#`cN(k9~$^;1*8)&k~U|EtZy&%)vG5Q96c8C&Z{1orc3TL
z749_5Uqzewi%c%{z|c2o_m9DtLE}E~i(_&&oLEySi!1q@-A(a)X83D=>*U$LyD-c)
zp1ZBT13}o8TZd!<L<Rz6s6VLko^J|fw6PkHO8mzJ<ZnUe6G(<EvJ|P;@$oFomSvaS
zob4HytOK!Zum|&*Gf8Y7Xe6?h`{(80@4JVrGv{!96zHq~`QbW{v|yBjN~H3WdGrw?
zBf$qXXv*`GNW2!{K(Ouq5E-;G>fhe5Y#)gm_}@vZ{=X&^z@I8wEaZ)=?m$B#X2C-=
zMogz$8)3BE+i~Ty@A%M4f<RS7XY;?n@l=sIP)XIb2VS(<eGt2(6&U&$d^F^D-P{$=
zyXjf7H2=u?`i~QWT5R)Q2L5MKFg0ClER6|Nag$ozP-+0B0yKDcLPqQCbc}J|`Pzsb
zw6TEa{(}qTOS=D=!eb!WmP?ak1ap6VOan&R^Ja<>KyFuz&WCl075-*RwU~dr0Hu+T
z;hqkr6c@~978`-X;)kT|;aFQZ;aFAp)Q|BqCrnOXNj9VkRz3P!uH{;PApYuFa2N*^
zc#(uzrFgp{2Ex(|XDa0UdN9%xtCe%=tz&<<55hyfQsT9Cp{!eBD)S!^u7=@vD7|)2
znsY7d2q%E^fW_?^?TAtBac!CGwXI=VlYHX%Cg<bx#OxD)t>ovM2dVwQ`3M-b09#+9
zm_axz@M8^*eiVE~TTATNwV6ipgk)V0?^?*H%|Cm5WpyUhf(0~8pQN)?3PU&GNk3ms
z=dT}$Af$gAR=expVDrxgH7?l%RdR#cmbY|)yAjxR4oP3*qGn|HV$w)ov)Jl++jQOk
zf#n^#u<rRBaFn};r|i=Js1TqbeoWz_@3m&}5`Lt^i%~w>w_EubgY}iA{*5j2-(^!%
z0B>T)EM;j){I)#g^!wKUN)<SVojO{=q1Q1;ib||2!CyC+d#;qNP*I=@iY4eS{{v>5
zyZG)cC@oUZRXqzLgupA$%j}|WHX~gF4#hs2#b|ZV>PnK&PLv^Mc1}X^|KxFS+<BO>
zdIOZ!jH=S7h=B`xO-=E;ObHzDi{BEI1a*oQY&c5)uEN6rP~GUlL+VEmc#mykq#d9X
zh%R~Q#jm8K4@+-SgSyh*mG$%HOw^+Ze*-<oZ{T&`XUq(E@gn)I(DBQF3!zZbw&jvj
z^{y;~qq_-LxEpP0J+-us)0_<R{2NB}j6|3!#wnKf341vYb0NuHfmdy`_?q}$X^*7}
zYS5uZEIHHS>FTC;2kqCSHGLz%Mj%LTL)l_bkplVbvLQrB9@<s8;9+FDds~{C$M|g#
zGmP5fGQ{B#yBoJ{@lO8{`jfu2Ro)6p84yq)(MN$+IoR4=D2LnnQ4v8fNu@18+j)@y
zvK~77(`}YGjH9Kof`%EXR4EvG9}K-GKiT4vGydgd5}VFI<b2Qyd$~x1`-krTe4HfD
zdmL0#BMAcC2@rZ_pyPiJ$d!cth)ivfqm{g#Z?Fk9iyO5%$Mx3$ANqm(1W)L~wu%+@
zphfuTc^Fz4M!Ib{vKdnFiML#|mf!YXDv_7x>q5<{)nB325G2u|JgDdtaV_T@CwR#P
zdiZT6?h(GWAB=OQ7WVN;kV!JM0Kt;K*6|WH*{aPBuH)57BQ9T%gnR}lOl_yCkjk~P
z55PxrmAtPm)R*5WEnxraK+Yu-TEtBxsFGQ|Cw&u+<w8K)*`iX-r(iF;3RC?7j`>-P
zWe08Wm*aa&D5s%Ef_J_QB(q>R!TVK0cRD07D{vX9*IV3kx2`Zf@_}PAmA3o);>u4K
zN9*rDS8Z${kM!7MsM<CFHJD2<^h#2D)kr^m*%8yBsgU$-P}mu(OxIf+J5UB4?S!Fx
zHi$`EXg_|P-5Ge{dw#jzYDhNe50EH%v!83r$q&DYwmQeZA4qrxG5j@B=~YiUo*oz}
zEUlxdxuH<0_)n7Yw+BC3X`c_twBBaBcc8ZM4mS{lV;QU8hTOe$5R7&bOus_B$FYOW
z-D(&v8E^DUjNJ?6)j^}52e$8jcu3d1@EzFXXeFLzgXbf)8YtgA3)GarpyzaM%ifQ>
z`#km4S5*kXOZbsF<MGl*pT8epg$kf3&}kuG8QMW~L|u4xo4#|9E~cTNfYeMhPa0Jd
z)IhX(q?so2^_g*erTd$@D5%!n+g!K?yr#hMJY~8KiuoR~nm#7i@MZU1AB~^nK0npJ
zF@aN2=%Kq?q#4*wb{k3o-P*-Df5Ca#V4fvK8%sWU0ou2GiLj|3aYSghH~Iu8<t)*t
zMCt`l^$;thoeC|Vvm$cw9JIRb6+{)nZuT1;>C*!nD{``(P&~?dc?fW~o;wEJWANK1
ze0ilw=Y`i=M)DZ^_59vf+u5XVftZjyg^KJGe;Kg=&rS#X)|2HJ2=3G8JWkSO%}r(t
z`_Ud@nlZ<4cQ&a%Fz<_C%&aX2DhL8EsyIUG07$p-=KPx>xUX(kL)o{Q^(K3Mfv(un
zLMn#H0LkYDG+G#*yHdqeNkWyml5z(jFSg~BHAMwD>z}M?@F;GJ#&~I!9=}*2UBP{c
zh=8Wt0^4eAT@Jv@n>o+x6dn8U&F<=IXv<HOce$|KIw3=w_Ed%nF?#y!psVc(lutCw
zuz8%O$CQzcVDV+ELXOgtkG1oz#ZYx6v;!tyL9qa`m$nl*=<~2FA>{Q>Wh6TAE~_4@
z8fW5&GYXSUrR}j4HXQ4*Y{Jzu1EW3!=_>j5Y%1Omx)D~Iys1KW6>rWL=hVl|R}zBD
zrK)|r0@r7|enVU!2?+&dp0aS#tQ-3^2+n7*%6I*@ZifDBsL?2yLodO3wK&sClg==b
z;5&9ou?*7Nf?Fg^j($APYPiHKjO06C^d+tA^%U`~<p3=;M#Qji_x31M^@e3>#)ZC)
zacnezO<qX(xc?rs>OZ&dC__H=`)pCZ%fM|vch}qM4gQI#cs#wF1d-Ti5SeJZ2?i}P
zrtZ`E_K`&<1aUUL{ykiVE8Vp*&!5FNjm*4R(52fq?^*)umz&UXidKvo(F5iak%Y0c
z$pJB<R|CFnq<K(1e2K-`@*YsN7<3C)*-d<VK0?WJ=buETv}^z6hT^FN)kL>e8C3|b
z#w$$=^(X4hXMODrPteU|u$0|B*IG0<aUU3IckmFVtNmu!){>3j=CYOE^Ynp<dTSf2
zh3KB&Gp(5bdjPtgkNVRAnb-2uAP-SG^sMZG+S`7KRcF6;4^qZ1gp2d>{zY7UqvmW~
z2@MK8y^b(BdQyP)CK7ok=aSf{BlW_bnaNu80v5zIclq?lkSA3eW{b*%(M9~SP{<)^
zdwq1_gDakn%Q<Z>$5b3a@GdmMdDHC;OV>=GB}L%MUjp{i-X7u*FOUOq!O#*)ah|iq
zbU#sE+b72Z5e9TJvEKXF+-3);p1V#2-kb<tRv2M|<L?K<!s(}@ja1Jg@XK!nIiNrd
zVNwSzH8Bn=qjI!d$n~wK8CAig91=!238te)61Ton6!xGkg{S?NhZGVJ=!(JJNJ)<)
z&Q5RvzvP&jR*rvI9v$hy5a~v(fHod=hKeh691g}Q6d76vQ3&w4mz=Kt`ai(Ot5|8U
zFsO3wAk2$A@DD?(#SxLQy#v62KMN~fZuO{o=zqZLD{z(gRD7=`;n>W157~c=l$EVb
zJSeLn!m+|gpE$gxj9mJYu`Ivm*8nK<4YkS#rI7&Zei|&UtN=ZJ{IyMs3FG<mB)iSX
zJG?qfZi+7k>q4z7<Zi1MZBa~R8n<3j(}Nq0Q~(yuCtvg>7>YM?{9u3^x4;l+YxiM<
z{P_m4Yj5JxkZb5+a6?w&cOY**NjvX(ZH&;`eQnWAzqIQI4>x2yULWD-V2pYk{81ng
zIlrT_y!dK%!aK^dYvL$5=Fi&10xc;MHVW?HJT4r=8y^v*+??D|G27l66-)e>BRM;A
zHI#9%M^?!8DjI<2h5{1pSenwFTqvVgFsDtsEf#8`?kFnToie+%t~kL2wzzGX$dM=5
zpk@#4y<L^cCo{ft#LasICESCC+Q}<OkY#_DRvec>rJG%r-ln}Ig!Wh^)KvADK?q#9
zJFOXf?>#$oPd!o-{s*da1}}ZOV^{ztbCF@qCK5lIAp}b%Lur5Rpc#SF!v==Qzaz(E
zat8L;jezq$m`D4E^C<^W0Gn3x+xx*#K&{#8>tAA|N~x3+T!0`OXjF-s?WOH_!a9G5
z0qC|p!Fsa_T}|J|4xi;D+rhwK{(~C@XEyBLmly#rt;1BwB#WL{`bGW5p?3ZEVH*=c
zs6nBmVc};djzD8$5|;P!=q6vhcB)|d3M0t6SAlb@&Y(i>_g(7AiKBqPz05KJQ7lAc
zaN0w+yP#+EHC`ZM{TD=XP(5Rci3y+=b!iJLTmcygzq1kG<g$po(5Nm=OqDP)zA6+3
zwVj`$J-&aRNUpkma+}q>joy}!U-SJKnfRMy(r;f#EGGaQ`c;|}Kc#6&o-myRi3`jC
z99VzEccdr}I&){mjJ7_48i-;oYQE++HNP~~_JobrHkV)EhoH_`u|?iox4|GsPc!T6
z1K5_DGkA%Z*+N>sD#=<ZkrM$paGZ`#srdFPAbz0eJH11r?<Dyg#PI`yn7tbp5}@)f
z25QvyQY`T-UQ)eqs6;J2!q~9>hX}Ql7$3LAq5)cMl&u<{L-vFYT>|Ij?VzrX->IzG
z<SH@b_4foUz@py7W`3oNROyn|D=iKRZ~*kf*E5gIru%nSLQog3b9+Hp;R>rOwyAjN
zf>e(DIN>(ENhMdUIEU=7fOHc%|0;vt+rl9uWi2ZJd=!veEl1w=4Y#Hn0Rr0W<byN8
zhrbn60grF5h$FW9bVLCm)40jNa&L3;7v{Vt%r7#hl6BS)08+^)ju`L2n?XI#10UTN
zJ~x=PPe+R0ozr3}d$))s`cio&oU!fhoBaT+{vr`4u1Z+%IVl0IHtV&wXT)?a0D?^h
zRiMRhb11d(c}@jP$JQMHLd=_lm9sW`y_9lpkRFEP^n^i8Jb^pJi%HhY$sl%vqqMNT
z^>0_v+qZvo@Y1yO2p}giDad=fl^MEpdmu55Zrq)lGbDMM@j@*GOdg`cU57U^i5!#G
zb(A#D10Z&4g}T+&U%%7kiMpURi&KFE-1PpT2eT_N1>u;alk|?LB(cOP^72Y%6-aB%
zyiwr$OkNoVhGJtE+*pt5(v%?INhCc=&jJL|&@KFRzgOhl^GLo^nYfp5Ahmexi2Br)
zC(3JA!sZk7jDo;wanfmZdWFUzso{}yRmTEg1!~-Xju{ZgT&V9+Fpq*sr^8$*@H0ZV
zMz`_>nMnl6CwyK$90rc@{gKn$%po&*>rJMV5jc;4Zk=-XM$E(>qFy6*M8Z}^;5^8R
zPHO!evc(>TI_x&#MMpHqRrPxDgd^y{@IguB5eb>}Q9#)5#U9Dts+WqdRw1>R-9j+k
zgx-Sm&jfvRecSiC>`w;=+ddx=hR!)PCh%tJy!<m|{P+DZ4{Y;LS!Db%V9VY5NSe0#
zfH02BDO&#Yh#h?8PG+$$$eI2Xe*gtT%!otiu&)w_5O$bU{5ur_?+n>lw1Nm(22gu!
zIlC2Sc8hj+=f)=$tg>i@6UnDw<^~|Nc(I4Yv?jG$W7XHhurC&cJg+M9Fn|c_BE{|K
zQYPgcyNEnSzc~Fe$)sUQI13VdD0rVr%h&`h`FIs9E@<-W+rB2{2mnw5{xK6Vv$_@B
z@F($Su0t1Z7d;MC+uIjt|8S=E1@UK<P=uS7!vV+H^+gy2=PnKPXk{h0T@^nHPzqIR
z3kA^~nJ;Azz<1gm%kDg80&v%RW9_@Wl!DC&0<2PnYZsDkRW!MM$y&!Id-xcfvHe6&
z`eSAQw@;Cwg-hdKpXY~yd0qleA4XUaOB8XY8l6=oDMGAekqx2033$;LWWx|P05T{-
z!c+XVhoOKHA~zZHm1@+fLaOllaT^8)hI{#_dw`n-4!FrLPV&LU9p9os3z<OFa-kYE
zLNV?V$sPUf{^Nt7Y?(zqV^)_egiIHD{3@J<3rKa2S@L{J_57u!ufz;foH=YRxN-dr
zh&|`K_Lff!vb2N~s)S4DV%~99JbBCwE*6>OwhsiX<x!5qN11DrpO?y9uLs?B-=wrR
z6I4<$Gh0yIg45SO@T-okxC3y`yb5gxad(<_MbsJ4$ZAeM*TB<Fejh;h@iVw&)|}sl
z%4~4e>6?$d^%11AHA3G^n|c;@ApH>@fU0XbBl$l>#66%^UJV)<SNSKGY-pFp?^X82
z@jd`=<a%iP)2@!)ZPLAW4mu2coHk};f@7y_iNA3`ch87RiFxsquEseY3<2f6n?EXW
z%9&!6aEG+H#?!<AMfcBZyu5<iHd!a3AS5{Oc-k<Dosr|fvh`MY`unm*qdus@zluw*
z|56P_Qd54;Y0Hq6y!_nTFc0u$&)}0b9E&PSy5z2nU*6-Y(BT*~DULrhDheWgCK7kQ
z1ZqyTg>k7@9EI<+{#vW-h@N4Dqw^0+eVg6ddPO!g8o5JKt~_v=LGA$58Q4X$9*SAn
z<N8MBD9yfpMk^<rcOQXJzec+j=8-8=lWAxqpv25)-|kQrAqj{QzZNQ$G1r5>QiNWw
zD?{7+)8JQ8P?6z;a3ZgpF%en<b;o6GY`EK*xptnAgHX%lvh|-hvBmO~vBGLkL!<ku
z*e{oRYL#VZb{kj_=s{UN{)f=9w9;gYiEInw@G2Rod<(l{a{vjZ?Xo69cz?<z<b_4H
z?FodBuN||rC{OBw!rp41%_-fHG>wcMA>o)zWRE8zOrZT4)HeF~6lH8X+op|MVZ$(i
z*u)spl{;Blz(Kgyxa`mJR8ip6(u=#Zy822iu+DzjLryOmUQaPHW@X=Uiy&Gy<Gro7
z42>l3kocu^B9EL#Wj!Cw`;@p=y*Tk>Tt(jqeTQUQV{~)P9AJ5C2KIVq6n<$<<>lKx
z2yd7PGyj5C2E2h|7*mgAE0-OvLr|^AxHF-(Qj5os5%wx?vna`FMx)NuYvNTt2V=OM
ztmCR!TK~uW91n}H26iYN+RXcHXtaG78?HT9(_Fda5R2w$C<rZ|HW@k}s0%$iG4Mpx
zwrj3My!oDsQv0A{Nu)W~F?nHL<v+Yn_~RCC)3SYdWIw{L!lbEfNb2F|5W&c+4+!E?
z*NbE2%+ye*ZwDJC+SSX-trkYN1S2gZP=8_(GndH;X#yNSn=sm8oUV;l66*SWXYXKb
zMqE~Pr5>aSaR_?5X|Bdq>Y}z}B3}+eZw>mgJli_f&d8aN29%O9!!qsflp<eB9Yl_1
zy*M>(ZT>l$do_{VzkQ_@9K}EnN7!HtmF(N!ahY7Vrx@05#f_e3YRA&Q)a-*lXvH|l
zYq21p23!9}(OvR{CS83ar90RcZfAE}GaZkl?T49<z4TA9a@}2foe4d8L5Baaec#|-
zn#KDtVX_Fs#+?b~tkjyADKng!RDz67Uujo*GMC*$z;sv%k+>)We4N?vIbv<TDOQFJ
z&O6Yv8-7%EO|xZN%;H&-w)s1xvu749Zd<Nr*x9=WmAXN~D^sMqzcm_%>1M>`7<`_C
zWqo#~?&BTY(k0(-m|bZr42yjEfdjd3>CmiFCBrYbw974)Fg4?7_wMyZinZUnTpNw4
zJVD_o<t!3p`z^>|5j{;+tXl4B;?M`h>?Il6&5mN0<wMYmrIW0m-0nWT>#i8i?vS&e
z@X{RZc6VpAX0MV`qCK_H|HA_6j*IjX9JCfMeG6aaR6b|Vz_IGN>*{XWkvE+u6>(En
zpR3|KdNL!5?dihInKYeeSufCN;l=dlZkE4~YxL#`LJuzvd$p$@7xHg4GXEj~-~Mxm
zxLb_Tq~4kn)%s(=rS6DEaSh)P^soxQwA4XL7FCQ=km%UWdH#4gT|u4k{IeM7EnBc%
z*5gH6yGg&`d5gBlyDeW;6rs0be#?6;ou9>}L!ozIqxWHQo<Y^=?%9Qzl?^B}8<1k)
za@SyNvX6Iq`lk104VzHp%McF6QKvgaGrPEGg_Gyq#$}>em%ewV{K63_7Eda@3uAL3
zab{@P$$ovzCvHAma9+%uAxu{4p=U;eGH$L-*X?W@`lyn+zESB%g5~{yh=ya;YRgHc
z?zg%7k3O7@3=vu4^E!X6Gx?NTot58MHuN0M1ua<0U_RQ2Y;Nfi<ER&Rb$;@qqA6^u
zZb=T))EUm->U{@#H5WNL0^73k&kxaNOJ;Gm7;p%_`YMpo`%vS|CU0#Z8I$mFQSNwK
zRS5kBU<J1OTgE>BxRMddvg-^pS)<LRv~emaI^!(+h^Oz%(2o<}WJl~$kE`o*eOty(
zre3iby6l%6x2Z;^P3xz*=xK9y4pr?|AM^HKEGc&hWHPh$uDiCG{oN3Ha5uD%VJwH(
zpyTKLVJj)yO)_P-Nx?+v-M1g}+N$TJ*Ee{BEp`IF4V~k2ZT=HtdBb1#(yVIH(D@UP
zS46hC3VKZ>1`qeWeNpN2+XI&$E#k#;Nb%-+``l1p`BB4>t7fR)t!*FG64#lPr6-@;
z*RmRn<p-V&dHAtD7(TbuS``e5CoK2^t+<etr&z>Rw!u7FIPdP5kbbMKspkDH+S{Ak
zPu$N~depTWr_A5%D9<%FEOO;WmkqTn$ac55E_NkRy-l8dll|5yHb5bCyd{33c4jXg
zc5}2BADxvCeRah?J8y_CCjWkvmD}!=wQQ#?;a<f1&FQ+t&<UlljHhbln5&)zi;C8}
z<POQc8!}_8X`<HU4Ph3<f@Sbd<(RH}n@$Sv`>zl7P}$OkCJKl$+ZmhwvzHXrXWmjV
z-SNkhVlVn^Ls{1uA9XVy2Rk3fi}pB2=m$tio|6}oJSQe8YjjTfqLk!Csq-R|=PpW0
zX0+Aw{67=iJsn(b2LAsitRy1~p$VozMrJ++cK&EDoaap!H%GKjpqC@s#mmPYI?JU@
zt+AqRn+OWF>9&8-oG}21Q!L{4ES#q}wc@!DoM<(I^hXE8sd6K9`(R(or!SxQJ~6cu
dG_tOWgL$3<J|<aG1rQ0Ksjj0|tYUlT{{Z(j?6m*@

literal 18169
zcmX6_c|4Tg_kU)y%a(*}8HB7Mvdk34SR-2{MA@=ND9b$4V);m9-^rSUBwLnwDkV!1
zDOtx(!l0~U=J)viUjAU_x%WQzo_o%@?{m-lh`nfT$jK(e1^@sj!N|Z00FdyXNPvY2
z{`EKX`!4(o?S9tmECAFbu+y$%;LqZ&MpkA3a8DWlz=r^E&;(onfIG?n@Y@*x&SU_9
zfPc<gOC9(DlZ%O=0l+x;DQGQAhQDDBBAA_Lo<=YoIxH~#rz;cy&Swz}&RT~KFOP-f
zIN04~to8N;t9K`Pcb~7nQPJo+z}lX8A-X*y@#01innlFL+Z9q1zHi3)Fbg2{S%Me&
z&T+Ojbtavx81b^L`Th0J%Ae5*v0la6-&fr>zvk}UB|F~gl&h%y7rq+!^{zRB@at8O
z03P8XwwsE)cx;W)88e~uW5-DhEvH{i90D$itohjijV`vstFnZmiy7M$iE0umH4X8h
zo-%D3&Ces^gE{wyI33jfF8M&6P-Z)tqfg~8Bk%%k*npoD2F8ECf1bx4@kdmsJJMO5
zhmE(uZ=sj-$#xyW>+Err6Gn@wfKj|{*lj=5nP|r|7idF=a+q?AO&2zzB3I89L}z#_
z%~52C7ihG;>gjvLYXUK>v_5>mLNzC&1v#qmcUsX|q>ufj$Sxx+D)J@wvjSqfiP#4l
z4C?;(i%dYdqZePqX_d<s64F#fXD0tM%K4$^aQvFC3qQ@vG@7``PxNmt-%{85T5SWG
z=__q<OI$zYFYroa$nfC<ULMii7|>Zc@i+F?gmv*8cXGtjjF~dd*1z0*`{yBVXO&km
zp@lffWeN8lIf`SUm%j`TuPxuZ0=2)>q6OaKiJv+EaS@B<&PX<ucfCk+@w_PktL%kd
z@w}Che$m@;LfB0SZ=@}<0a%KSU}=uM`DhH^c~M*>AAvt(ZMwbOZh(sp&BDc>m{7w0
znCq2%4?5{D8iTFvQSI8`tU-yh%q!Q0jxqd4xKEFtqm_>Uee_wn7IeA&Q}YHG7z-45
zFEH10KcjqoCiatSfB4Ap!`7VWE^QRJ?zvcntcwrb05K4z{RSD(lv<W}QB}`#)>+F^
zcF5?De53HtNB-L1cWzj9alq{*^480c^ME@a-+mLs>%uwF@s4H`!^d0^(~7Q$xx^B}
zOQL{-h*=T>Us+!Nged2)r_!0P|8hb}+IZLZ2VeW#`>>cU$m=-wNg3ojw-4ZzRJf(2
z^uFR0E5nKs*}g)PYM+@<U-?<7Bg>P_5ONmum-jzqDRNYe`?<|gAjL;zaf^GF#*9e6
zD8JM@OJUOPxBtg8NU|}w<19$MRCxUxcpZP)4Y;`3UOZu@GmAUihzrnJ^`>BHEw-*$
zgY@?{?NRS15V+%V7|~PKbKCJ&zqpelnN@z_j)k(UrQi}Y%aqJY<(Na{Xj0S&ms8IS
zIZ|1f0QCmVst{?a2PGl)&i+75?XK0SqgXkVaO@=vgE?GeXmahG`Y9BcWudd&ixg$j
zi63gh=`1#vR=e3soZ<EbBDum*+Y;lK3#4xV7vH+Pjvh{}<zf<L)`>c?ns4e5FMpGO
zOeudvT17H2qmh02s)tXUX9CRH9?0w?RXTAzjX9dNxVXk^)ft-?OU^t;?!_KyZ$RZ^
z=+TWI#1Xs?z<y_-Z>HRgcHTvRu>(zTThPi-12tL+SFS#4><Sg3icsR(WAFd&i?czP
z386rt>fl^oW_V<dP*JL3d)?b>+fC2I%XxK~HUS(!7ui<eIV5M#--o4UR|!p1%Jvlt
zWqbLd30||XxBmM1Xl4AUbLc6mpbHslHNY#gJipEXyr>>-pJ3_{ze3d$36-n+8eX+*
z5?#T2-C5X@XPe7ezJ>_RA_j92_<wxKMBxC3RTqjDG#xA67nSeV?}0V&Bk4lvBnzG}
zrr@b-=ogY?iCa@%m3J)=Ur}_?P-H-OZ?B3c?Zx*^R+@Z(%C|!;(fB)*)9&$3K2tc(
zMvhRuZ`l)d5#{t<(2rM!Ig;7?6O(=xfC4{N1uw7Y6zZ-{@M!P(3`wdx;;8H{`4EHW
z=ix0uw3;mw5bp?&5tp%@fA-kyl6jbi)uB{UJ}O`GKE%X<6hfiECrZ+E^QpIEIO*LD
z+_42hm`BnH1P;|^fF{-9$!GB$u0Y>65uG*Me;$K-{?1;*`pH2VC<E?oxd8RGD>~{0
zuFAlIf8BIAdyL85JOfkOK)+~K@$@hkEk^U)wyra~GZ#YS6Ht(KrF%S?)WMs(Cwl(P
zYHEtY)!69=6PPy4A62vm76o1iUd?9H$+Dj&Kh_+VksZ-MO-NTs(j_b<UL6-l;a3KK
z?1-Izv((CApS1Z3J2;lxuHNp1jC}Ov;q6`^(N1Mefb<b!kC9=-^^2wzM+u3)WsT&w
zXB)*>b0T+c0H2F8XzmClw5VawYHe&nidZx0D%gv1dbf{gf}bW|k<9PlO=f%mGq>-G
z&sv`Q!?i8-&4!xopdwEQyO^aDIo%tVK~q9HveC4Z^EH3V$WAcDjxdo?En@br>f&M?
zK;_H&W(Jya9vUD8*4(Ks{*X!<iCKzf#5V>)14xA)pzl8~K3w|%{Z{N9`r@`qdQgy!
zvp|3Yb>G1Koin$GmN`>pvBsJ}40{+|bo(mBw58Clf58SEG*G8Z#Fn0m0*|-?9{hER
zkz?(b7^#qc%-DWpj#Ru2{{kwKZB+TME58v3vhrQ5#FCfAzE68HJ&wd+?vePqW72QH
zf!yLw1uc-mvEt6>#iu!d%eG;^^DpGg6Gi+b()OeV?arY|4AeM=_OLOc&kG+V2)tgP
zl+hnSIPNi8DW${OY8nffQ$DoQLC(-we>bhmH_VpHiD#%r6tAflj)W{z273$twnD%|
zxc8@{z-z2DLxbWyWy+8Te|d75Sow}|wxl;+72jk!id6joBx0DIe(nJjA(t;sNm=i#
zC}YrSY%<E1y9Wq~b^kzZqR*r9rSI*SSk;EIebc38LY>?GnXHkCS!4az&QnP37szEi
z!u!~AK@o8cmdGQGgWZp^vJnNB&;KIIS^g#`u^=4BCCh)=#FU<0mDFGp_17xU5(Kg=
zP3i108f{9<b5kA0R>9V!e-IgPLTd;jvl5bxPnG*@?nzE<w#moHf!Leh94Q+RnYRNo
zc5KLi1Nd@WnjuQ5j+u_&0?xo%hBdn=Mhz?!qWTovVDUJ_1iEo2Gd!UUPyo5nFPelM
zwB)x(g{L%La*mb|k6;4T294<-nrTYR=B8oxN#Dh_V{{Q>h%`ZD|4qQiq_Sdy5B$k(
zw-sEbdy?Sw%8_CS#X|{*ElhDckQkLgYmO-uwBr-l9ZDfsIa-4wvDp{~-w9!)bUwoQ
z^~V{aD%FJ|1<87H5t6K4BevZs$xuWT*m)DkFjd)6LW~=w(A`UQu>|8^iiLrcW-uOp
z2y4`v;R|FW)tSOX;c4duv9g<(a8xL>zc9DLLrxUuO~9jgcxHlACo6QFeE90FasRX3
zm`;Wbq!e59APQts1=Ngv*7K1%JfU3va=x3%#YN@F3h)-}@1-E_K5-`S!gDivZOkXV
zYLr_sys$11J!Je4EP?dk#{d&}FRqh}|MQoqMfGZVZ<qAxxJ1>FHpI4Ojis^*`g=N}
zAkQnAv1pJS*Im<;fQ`3{^$-i^dxg=*UlRm=OGz`1`}0_?laDPNh%_Z2!l1UGf)u8V
z{vMAg5cRU4rz6Freb)oa$k;(c995l?4_<{IK0-Jbx~#9FSD3@W#-WZ*r=;JvxVIIk
zub+vH9o0N5O302Go?#eF1<T7230{viro#R($CP?yiOU1i{K-USYI=JV8FL`%+s=)=
z{tDDf1rx^5_EF$dk;V>#zef5_@UVVTan5B!Zw{J}vNOw3?R4PN3ymEdCRE#;o|F=W
zY2Tuh0V0w@uRK#;0*}v!-~S@sMfXD=DS>yWtEm}Wim4*mB0oWZ@)ebxUSyt$gKfYC
zcu*`NfCyzPqaVj2oYi2_u#@bNfdjC%Es95hDyqP-gk&=I<|7Gbj!|^zNtK-~pjTY+
zU%+~L@m$@}P<DTeFNcmI3i@^|{QK%)`*LJb@m&4UQ2D$=nu_Vblj0wft4gu1((DH#
zdYanueYxNE<jeghp8@~putaW9aznp5CB61i_;zxEtc*VP2~d7%D=oCL%uw`Rl_y-@
z3WHU!nogBxLO=kw7knC0-JuS!_P|;^-@kyWN$DsuiWlMrvjIbM`gsa3g(-(7Rc>=Q
zb_9iEarlp`jpz)poTo%W(J>a>1goVJymqW)_6#n{BG|$V4$DB7Awv=~cQ=q!{G*?V
zrV{XaiK8HKi#u@w;1=6PuEkP=r#dI#9lc_w{Y{K=fr1tPnF`XFK;`IdgHX1$SP6oc
zPcAeIZIJi|L`}2S1p%-9eJ6a-?viPkQBpBsfU^a$9p-H8SOM&?19fz|65xpY8%VHf
z`^)V!o(}}gtDtA(fp+Fbkx<@%+KKOPqG6jlPimwrw?ajolcf+14GuGJT7cOgd=@5Q
zW$%<B{jm2iGsclfe5g28!)2a~B}isN3Z0ku#l;ZfdIjvUW@71cbIWPi_zT)p|3Y4W
zE5~#AC5wk^Bpty<wr%#&H6_9shtt$hN(uBv=OOsx5U_^$gUmC`*~>}VOvDn*mJBG5
zpjyzSA{zX`3Dj|oUW(yb$T^ss*S#{{4pctNo1iiXel%$T646JBbz$MUokTjKbWSXj
z)U0kXfkxi*e6n9h_OS$4OF)#Zg+sH#rUIxG0H#oP<fyk@2Aq~!<CBUnEEU#2)M@3{
z$KNu0vWEE0l*dZ@*VijW5K8cDFF8x(d@~ve{$Pct&@&ywF6veWE40;I?m6oevD8ic
z@5;nY;CG?M&P0CW_*U<Me9BA0GaK<Mia=FH>Sn0)$vu8>c!nrs`C=#ef790@Vsw}_
z5gxI#pf{`m%+7K(7dBq@kj;{c-M*jAVGBL3V5RH#sPnba%P%d+jHjE<Sc1YWX@7O9
zA%3m`_ytQNgvLt|18WbIx_tH;x`kJh`EwA<XE)$^>xX%O$gCr=ECJi{bakvQVgT%k
z0==2QzVoIuC6h4mq~g)0tf8RsyiNQk`7nfdk}aY!aT_o-JJ6O<E!IX}dyX5g*%B)O
zf9g}R9diD_f~|b7G3lf?UeFAb5Wk8LH$~(bAKOXB%9<%jt>iA6hKakT<^tTEFIXH*
z9R`MY=ar=hnLki1srG4#Zslx=@xaBf=&u+@=A5Son=AA>rZG})7v+vc-;e|zDpD5P
zZ{jWsHDJr@_(|QdMWoEjY@fRfuAoKnL3`bQp0X3Hy0gyZur+2p?y3BO`&`n@)*cXd
z8Yr6{CS%KY4#%v343?hH?^W>|%z%fa?@rjv!3KI=Scaxa?n$Jb7fmR<&ORJCAZiAz
zU@>cmgtET!_c(Ox$`@gvFkDrnktrj(gh;U35O!p1WLxl_D*@+V)!KnR_)q6!Wwqae
zGJIxBS+;?&TA6OiTsisGC`>a68~^QOp$UcNR*6(|0%Ag}nZH?IXHBC^5q@2QeQ}H2
zGU?bY@XJCqX!!J56k8Hj#D$HDr38Gj$9Pl$+^Yq(u_7sDWxB@*Nzx0ZQ`nInH+IAq
zKEP`=W1jCC<K(_c((9_+1=o$^1?4NO9#0OWNRzcx%*;EG;)~>8?W6Uuwm<%U3?Uwb
z>P09T!P|=+{DlIEKvpSRVkE2&l61Dlm$IMWEsVIs*YHb^)#E?zzLUwzI+V-M{Wr|V
z304ns*mW=&S(|wAW#FO--a_&o-6ZLI7yW+5hE+9EO&>!+7M@f+wM;Tf`tDrDX9Mnd
za$#HH-7aIHaen)2m{hFO_;_e5&5K_=7oOn*u|qm(9HZGM30Ap1Kpu-j&YXC^12O~Q
zfY3SdB?QD0WVbI-ZWriQ%0V-*{tNFaPc1qn6}QL&3CyC%;@5{0Z84M^6s6b^I(&2#
zF(WLbOU$Ur!hjd+yeg&Kv*le9Ry`IOa9lj?y-X8Z;sp#PsPIpK6&s@-OZaj_f_l{X
z#|_4ZWC6gdbMCCcj#Co$JU@lk*{T9azJ}1uwO`HnTP#ViO1^?uYtPorWGu{}!7GJL
zxTis|l)emr>?A@3($ozec50Ntn!N32oRorb=lw#Gu4L=m2Dk~O_#mD2gE>ovoe6NI
z6k8*tE0D?|3!K?{1V$c~a5?bIHxYlU7eG90tL#L@<6R8+JX^?PJ&6=@#CSLW&pByW
z$|@+!8DRo1v8|~+3er^g2?K})DNti-k+IIi&`!eE{pXIH=iZwaDpf%gq}jXi-eTy+
zhfBg9P(p@>b3^E@U)5875czGC(itC)g1=V5Pz2jQ-sQZ?<Z%PYVA2t8rW2CXY~6Xo
z5JL6DDmsEf`9iet{Y;i1SlzmXas+x1LRJ`$?=z$N-Y%N0XRF~Q*@m2<&g0!B9q&e<
z@Cwg*nDW@)oTiGv@{+&B?1=6Ge#0v;z!acD)%@i+_1=pUtk{Kpi?^Iz2n8$EE#sw#
zUWxngCJT|xDIe7+nh~uiJWnV~z_Q=iz<*eR)&P@EN+b4pRbcSG<K>rTu-XdmS|(x5
zMmY*gBCl-?4xTbQ3`#+guV_jHtJWZ70<(Gf`~~P96L|dF8|S&=wyW?$eK10OSIhLO
zPw;knQ&{ck>Dcn|Qr?gy(`q~Z0!Kn2K1Jp$R78Yr;VO?khfYggwZF^p*dU}u$-C16
zgrpSLQ!yo*Z*@F=Rv`Ux6yzV848f`>h{q7wThXD4Z$-l4v+!Y98K!egN4b=*^RWX@
z@ov0^jM7q?`BQB9;1@KVcOlDzzd)29l;O^1z)fBG!9cKEdiTFiVzAy#t8h%%og^d)
zE#D}Vfgbv@<al5xRutZYH}&6Glvo+dJpI&8wGB47V+q)*{ZuR=d7gu!B)!fiZG~81
z5{;fE!cJj?z_E%tI<E>DAfbodTrh-j7$&jDit0?OZo*xK5}<YX==Ib}X8nsk>W6Wb
zqZ)>8<R5$!yTD<8v{w}hMZtm9415^$*P=tIq4cRCBwpdV4tzxfx5_rOMtt(t;Rgkw
z2T_qJSi)i^N{4&l=n~uy2|a)hn8-LO0xvMnE8%Q<ff(VZa9Ib9!n;a&a^bBmJ@2ku
z?IP92MsGMho>hw110G&B*mLru-vaBArhZC&mTD-Y`+K{5O#5yH)7cmY(~~F;|Bo*%
z_e*M+z&%vlK%~jl!JMzi-t38w?>*0x7fNy}q^X}~rRukKzTk^qXLxV~ZFn%=+oPaI
z?dlI-G@#vrk8D>AoC&4Iy6(R+@={Ml`(ClpfFXYxH~+3BGx*I1`S>40&;WQvn-I4l
zf0ZIk2det>^yv)`0IpgX|CPQtSb6l~z@4J~53a1hJdYF;A?bT~8Ze)*$t8vZ3}m0h
zonVChtA-tkr-X`K!tehm-)w=e?PIV3t2du-mpa>_J`B9dU>((hcUSu3qsO<K=tGDC
z+jE-22@H6wKSxfDR&Hr_14ZQkhnNEFroZ?w)$sUtt<fnSNGS91b-QOUyc)a<33lx1
z8*%}4{qJ-}ffEEP+mjM=E3QIj7-zkrQOgr>(9;kz3HU#b06N%#G8fp56`z#l%?)!u
zw#p?EhrlNl|G5j)M6W)7at!d2dN2_41r1{}?XQxeQwhKA`9Te5gulzM-y_%*lLttb
zz@inDrY)d}Y1CY9z{5vZ_g#q9aPNyN2GnY#!?tF7%~WkeyAb~TE0hku?B$t!*JIN-
z9iaWnS<;a1!as5n_U3@jlNv6H2S0e3V?q{|!0YD^8b4Rh8<Fq60hIZEGNcGyZ#T5M
zJll#eAfF0gl$3I(hy$oozkm7h)NuqXpYMv!9Q>d;<zyibESs(>&vsPAT3<Y9$Ogy&
zTP9)cFrraR0|vPEKT2Xi!T-&y!rs&xdFXaApd8<5Vh_(^;`kF7<=#To#+smE)7u<N
znAApG_=D1XgY4rxi9LfbhJ~{vUd5#6@fD{Am`Z4{!`S9WO-#l#gVG1|VPF_?LW*E@
zO<__K;mkIEApVNW?<GQz2EcP4wv78S0IVnK?%XzX+|kR36WlUDX{oL;A<5c~Jw^{l
z3|$Zt1m2S1pcvjuub99XJ_Pg*QNXULz5I=kR2-$5S%e0IoqdOklCcEN013-w=0k^o
zOH^KQLeiB%!m$!$A4vg(0g6rB(EwiOnSE#g%=An!hjpxd@z^tD-xCo4etJ^|2n3NP
zA^Q?Q5O)Xc;H{Rj40Zl?5Thb>MEnree7}CAQ&)v|hjbH*bq}lK5zmo>X!_L5A;s(g
zbN7J4YMcImoU=VUC`lC5^2Sgq{<|%>E*?&)Qr+W3D3n*)Q&h@=sl}JHPwZ|>s9!;7
z#!FfQ<|bh``i%n5u(#Z^6bO9FHrn{2=hL{{C-BF&%MabZF3k)}>7LA)D<Z2AzTWVV
zq<l65Wu|$-te(G{|Fh&~rQg@-DTVn3mExqYNF7&4nV-2!GfHN!FOf7f8<7-QK)qz;
zxX#XZ^Zy<ptD7p*Ic<@z<w?nJ*;<^>3MlC|#|?z#&`Jo_;-Z@)&ukGH?<IbsjlUEZ
zu~?j`dtjmCEJxHSi<qjun5;z7x`uJQZ7xuKZFG4?sl+vuPyFMv{FCkL<Sd6U1T2KF
zW&;2GGbO|W-9q?77qzan+`E2SCU|@Kf-ylxe<LDbK}Odz!AK~+9;xG8Dj|M}*Iv2q
z^PXbf`wD^J!28MMlu~4X?8UIBLmbKi@<3P2BscY`Ng4J1PL+dt^UkHXmg)PVdBGRT
zlF8qXl_DPn9|wleMw$J#;6`afz?UT77ZAB}HPF>LS&)9Tb#l~K5mz}Njk5|o!OgYr
zv#ie;P^tMTQ{wvW`|;|l{buewdbKtA5&W+BQy%irzPZPAQM&o;6yGo`jyaW4j^{q1
ze3auaffGev^RCSJ%y0SsoANDf*z?S(f8t_F7i(r%E9NfFD5*a?RB#cifi$-WQ|mYA
z`F)c5I`D1d?SRv#wAo63r348~*2siV*Y+%CllX=`Hc%4k*~pqd6B;e?Z&C0n8~M(#
zwM^wGy44GWPW)C~x>w=JC2RNgKkCq>Gu!DVrT$(C*Mv)?HPWBKSmh7$`4N@cBB)y+
zcr7Zh`LgoI;f))aKO8Bnf!f;zumlA^lmX`N*}y9Xh|qDGA}^)X=BBOKbJc}$=#!DN
zn>)!p_g80~$y=?ukv=K)rpa*}M!Wp^O<li8fm&Dxr@yM6UKMReA@8I?vAGz>#)7zt
z^r10}t{CLE{f1VN1@ka9E6KxPx5d&8udAff)h9Nxukp)ya=oy@`p=~t@71bEw)-_~
z*OlcPB?oMjUt`18<rwDk`Y4V!zfBMu)5iZYhT5$sa~97#HaBLw_bmNgC`qwA@2pY9
zsQ9S6n{sIU?sYB;y~<=?+(<_?8+)0+-49K=I^CU4T`!Qzbs~QXUW7MpKhzk%7s=&=
z+3pS7T{H>9UrvTl?hOI6g}!;p4G+rA=~lM<;EpfSy6R-6<IER$>x@I5CR8pJ{hUS=
zB|{(F8UjCHbaif<YoDKwl<j7NdX76c9G>l(@;qOq-H`qB<ZqY%Dt|vwB1M1ooxdkT
zEKkLbqY50deqE*vvNy{fp?uQrPKkeK_}voh$QypQlpeGJ@#WG=Y^~7dA1?u2naF^s
zeH-@XyIUVGc{>N9MKGc3<sze@*SWYd2YsE0<sTc-1*39+Oz>fNm(1yl??v??7Txoq
zzXfw0h-bOx&HYT^ct;2_1G`#RTu5cP<7clTs;)Y^EYrQJ1U{NCoS-tk{+{VNKbG^&
z^+eJY>nXbibWj8T_R@g%PM_4J(7u=TqoPl8;Ty=i?swLs0uOBbhYeb>9x2Ybc=COI
z?&w)Vo+?M%sfI1iQr%*LdUGvw>&TsrLd><Em7V}r1Fr~-a}<x0(6d$`A!p!Svr^Xk
zn}O@e2^NcT>lOm$le6=hJ0@C_ykO9C*qmL0wZ&Q{4%0Uue|-}@a1rCOPTYe99OxKb
z8Bubqvsdzo8q-IlL(n<lpSdGu{M+lg`w9&T1@>TI>5(QnY}INF4@7%+2u&_P;*-f1
zL7!3ovs^MkhqwQHqNjO^IGlv0Jbl9d^vmkpu+`4}fh-wa>vlZz<Pq!>_GzMy;la1w
z99lU6H4V6~6BoQ?h_cl$0iz=2vI+>+b;Nf2uHGgGHq(K3;RIA<?loT;SL#3cxZdH;
zmdWQkVa$ulZbZ)%w~!;DOLxawd<mz^Zc-nIhau=Q#fS8QI;|D;B%G2NB;)t6V~*I=
zO{I&6O?>=ry?F?0{d)U^j`^h#c88|t*+hq-kBgUC5v(v8qc%2)gj175kC@BP{U(Gu
zNloHbR_2|4Zq+v94D(<1*YK;Zi<o}-eM)$*$){Ib;q_@>>;EvJv+sQ!YhT5kANWu0
zP8khd8ge-F>*d^og`dp&@x7?B*(btAuf8hbw1QG?xphfm*^H#fHRPYufXBHu{}9|y
z1*NsxTz;n8){Y{F5UY&^(Q)P;x4v>KtL-qxF6TNl7iTwVHUIIr>Xe#oo7xn4KGSFR
zg`HrTMCXu6q&3OL7x}&YFy(4C^U#&5^(X9Mq2CE2K{GSLKCtp>wkEqE#@`n9EQc|9
zX3f20?a8*9S==~tcSq}5PFigz(WI%Xc~x%1Z)xwBZesQ7pD%^AEc2#5T^`{X$Udh>
zVa5+qHa5gBd3D6sWIadHBDch=ui8#63qbjKqi6Gkx~@fDk-<<Tmv(pF)gzetMK7vL
zGb)aRY~-BM&U~6~pmAeo{Oou`X+rhrsW)>@;(it(X4iw=pJprm?re7(Kw>n~D@I?v
zZqGvP5P)Uq5N*8=Ed_mPW^S5$!mFfUbN6fJwV;`WXB$cuOEZ7UeOhW*CVnNkuozK#
zV5@gX>Fp$bY&$#trm*Ly#@40sscEzSO5eP5HShfT0UAcx=w;Marw2QW)QF0k8SyvH
zww;B|u`~(Vm=C!*7e_2)gC3n44jtLiJq-H!i8%Mm_p&;u*2c>Vgls%)5^2h!G4nOv
z>=j>a3G`Us>LY)W@UwWojCUG-aB<0qt%kl^pL&z&1-0jtww8(vpJffV1SN|7UIwo2
zbM%i*v++-#(TaJ$K3(lyom>mlR<#VSO!q?KepyZ`$Q#qb-KFe0tV&`}xR~4KN<nj0
zsY`Zgp&hw5SGvDRzjQ%-&HwgEJ+2wvsIg=#gr^cD_QiL8_n0~TfqpWhE+l1pZL@2}
z?pm?8F{o#OcrL-~d{t{w^46XaZ{z0Z%BVGx4U!#$MfCmrRfOJ~(gYNzS4y8Fh|?{9
z&~UBq%f5U4yw^JJB4PW-55#!w+XScOm)j>K;~kMNeVL7C{1)|-pK)Is(yMPv7=QOL
zJ$K;a-GSPGlg|(Noe6A?bEtcsJ@A&@f&9AX>zR;eaX;FYTQ=T{DrROTY%RTlJCtNI
zg>L-E3!jVT^!_0%ly}@;08TsijguZ)yj-1sJA2c1rMowB02vV5$37RbmbP&(W9;(t
z5xXlEJc_v12ib~QNzI*PwG3*i8Ooudu>I{ZkzYx_D@BG95O_{oQPb^DbCGP&foMk;
zceErmD|O$l-D!A-tCXv~H_@JFU-pJSbhqWuc#tF4#_QW+XLJ8lU|WcHGU4-N-Z!6C
z!rJ*WgsY?sh+w7tOpA03xTS;}w<LraBzs*6Bf01Q`e-Jw=|9QpGyP;#*9ViQQvIMI
zH@~-&v735xyy0zcr;`vFZO>&r98I4Gl+~9l%m4kenPeVe9&#dtcJGYQK6Z+Da(VU#
z9hr<R3${9OIP`;vRNAu0)oF_0GN$Uv=oj`QLAQ<V=+caa%99&wcOt$G|Lk<iipj;-
zi5wN*MC3elvduz2V5Qx*dvsb+$r7OJ7)lhh0u~t~?_NGZ`dzl1+Z!?bd5ZcF{-9eO
zP1deR=DU463purT1GedI-^E$tYUQh5eR{uv6o)!PIP&pPC<4ebV5Mg7G2NY94cqw}
zMRyp(4mpB`J+WhZ3EHzmlVw28&}9mYny8~YJ6W^}R&QCGyPaQJ!`+v_WU@6bOz;JO
z#kU=~F?jd|>&vCe^{81X*Z~d;<_66bzrF^D`nw4Kbm~Jv#0hP@x)!ZBN2}y>v{LSS
z$@w>@qzt1E?CBOm+-}TqDs1b}%wm*A`8VFe-%hf;7K{cL3|_XW*?M+Z+c?}yUo0%}
zN7pj_)W|jjpNw-Y=5M(&DZN5jG{&FeCk|%xL9Alhy-hzZYOW8A98lKajqSVLN-8D4
zSFBR)CTyqlZ|x1)%tvW`S;;9s@7wY!+C7Iy0zSJw4*VDH;j!LpVuLP7g8V}4LOT^&
zVZT-ov0t)l0`48Xf_#o_g%R&>5!2A_F4e=79rrsbWfh6p*UDkdhmW|^kC5JfL}qdY
zE<DI@Y1!wNF^GI!^j^LDUen#J0x3ed3a_(*eh0t|-ZbF;Y-ggPp1bb+{%TtKfoe?B
z6u&OWTJ?0E)NE+}%)I(jUn+Kku64JTltClEEzkd{q*N13cBhpvEn$)-yTKM-d$S^k
zN5Zx#ziiDL-3X`IOJ`)zLGvD!#Gy9h_dic_QGf8mCWbWv2RUp2IcThr_2QReAm4t%
z5D6oBhvO;f+=(*UdwhDWHThd(Hf}{@`^BBgpZi`js47sdKKX=tyd1UjU&Nn<irfE^
zd_}`u+Nzp;?!Z0hH+?d>s#aXX^5HIo*YVGGB14I5;;*EZEeX*tkQ1Y-kWEAS_Q$HO
z>+Z9uX4%~~<ALePWVKFS=TrKv#3&RVGxT3K;C1c+q!eu1=yo|)%v(%+tyXQ|hsg8w
zIsTjDt8hRv`HBty$OvO~NeCU;RQvu`dg}J5?!NTk<0}(aXMN;NXnRq5hpb^Bbl4kf
z&QJ+wD?oZ1hgtX6a3C92L}$#pO|1DsH#2kLyj+pBne(slv%U^CbMo1{i`7%`@YAAE
zX}|?0Fy1r4_)H$!KCGZC+b(6uj&RV&)GtKZ(`^tP*$|d^YxTt1gD_@qZMhN|iOoHc
zH_Xm}eL@(Jg7_dosgyTv3ArP-w=6L7<^}6$i+f^4`oDGZ2s|z6S5NfQ;FKmO`~smk
zpV@~*$7@U!b@t{AH>ra1zc!Q2SD8ciUZ|4CZEE1KBU%Lip1=0Q?T;@fokme91EQH~
zUYMa@>D2M&u9lT2yi13+!+)LJt)Nyapd4CXwpWMT8)^KGwLMk1vHCge({5}(m?DB1
z8q24~-ibKyzxVX<zv1R3VY>%MX2mAwF8r1R1&&n4vwAeZ184vO#k%J_P1*XiS@N5k
z6V4&V{e4ewl+7$08k6p~dn9a^y8ZLt{^;0MDL7x4)p_NKC4zdQ;B`4Ldv<&DQ>0^f
zpb~lL=C8Z2VF#BRlC}+HwPnx-L=%hkD{r)0F+Q{5SsS(Bkbc@0v{Ijh&AQLYEVKj0
zkvDAj+MTMO+_EFS$5qR2Jgb9s%;X?U3+ijdMcV>8tOY&rUDmV+zhj7Dte8(VMfTmN
z;a~aG|E`AJo$!JIeCJqK3>)+rP&Rsl3KmFJt<Hihf~`X*zc6oa{y^yCQPzAz-_ofs
zu7>UWo<nSMz~I)*Ti73P-u~+pFvH;3pUZk<C_DJU85y!%y`D94Z)fEPV)t?Von)YU
zi*vpIDx3}$3HqI$H9Gcq2w-8h17Oel(l{)|O1Dz$;;c=>zjZO;y`fVS19eN*Z$BBS
z4V$ln0&&dnB2G5)58>7Y4silETlnw_9$!du)oqpS?yD>A)e_F5a;&3o-4lO~+D=7}
z$ZKwyWCom$R@>7Kiu)URT*^qn9fp=!H>ChLE|#g)X5V}+_<$rw^EZ6d@bbi3TrU65
zy%O)stbd=-9_h;i5$!f4E0bY6LgT&5v0K%OwM{dZ|9$&i{XV3D(|>Tel@=Zi$B-)g
zg#&&!+w;gg2=T~(?HABqzi8$66MOQkt1Y!XW)-_bH&`^QB2ph#`>f2vRx^4pA4d5c
zZ{zfTFea&N0Ho)9cep53$Wxq@@KPag`h{xu)*&I}6PI56`?AxUf&X6f!a=6adI$&M
zi!VQXUlj(zbic~)9uchJH_XJU$wlp7niXz|dBN>vH2$t_PMV~JucyEM9fP14MObZ3
zTjFQi0qSxkD&+<1>70oVD2q3Dl%e`IIkC$l9UVXa!ONOax;d)qy!wnBTFi!53UEzK
zVMnpj7RK4^l;qdOd{BJEM}iG?4ztVh-L!$+n;Kd>CYSAyKLS59;WgEO?~#FfeQ_!5
z`>Ztout)NKN^5mrb~q6uT{h#9?wJYIt3?hU;fS<tu)Uvt{Yia^yMVvpa8a7{CFIEo
z?a#vL>D#~O=x?G=E!J;I9at8*YPC#FbM2>0x$NjWOY=<;1>jG61u0dZ)xQG<wQpK_
zh`wEhEYGE1-JTGyZmCSS@Lnjp5r!*IeMvcipm=EKtqAX$Sgmkuy(NBFS8ZnIr3X98
zTpGSod&JR<@^$}#!`-mhRc{e0_Tl$?E7&JnVsjn{XYL{VA0hbaZK0$y4UpgDygl}x
zYM4B=5R?1&jXlfrL;wDfH=pn_0;`jWmyAEJV3s4#sXtJFY(f3g!2732h`-i(Q8DHw
zs1B8Qk}+0SH2&G%oqwTvp0axN1e!ydx*sOr5^y(mVx{WhzwA2$p7Kzcm|7|f*<Oxa
zd77wPQi+cXZ@Tg8_LG`t4EyN32Cn^^FjKMuxN2fE{`z%$>FrcI#XnPTR=gWNz{X47
zIz$~FF&V81QLg36sH_5L-@Ny%JkI%|>P41MC;ZF(<M@Z=#92h}KdEqkGqKexgB@wN
zgUfonkgzYxx0{%oQJRI84b&MiPxzI(+jrhMIvc~+u_-T*e{Fg7URNcwdA+xZYu37D
zTrY=sz<Pk-h>imtpB$CWCS4g-jLN4cyrOd%Rsi4WRB0FHXT``ACO*1P1Wt)um#)3(
zHvcMIinIlLpS(dBC78by*FcC4u8Cf+ch(nQ6pt8u2*ZBL@0(I-tGDRfuiV8aqf({d
z>+;QAS6SQ&MH4{@)i$lC3_|_a;bHy#pgZ%yfegM8Prvsfz3_&PhZ@HAj*j)_A<80U
z4bx7Aqp2sJ*ddOJD>4m77eC;L2IuKj>G`WKFM1a4s3U^^$~ZK%w3GdU*3)mhp^6#@
zw-yiu^;{I+QD$+GZ_d1&59pI~EQncYt&3zY2CP(d=?T?Ku1=?<_z209<}NFGzhPC6
z!~n+$Lr3h-{5M%eQfg~TXN;;rq?EA5i6+0qpA(jI8zEcClYDVWpZqW%5R{`A_yCRT
zIAAd&N*|K<UB0<kinw=)1%a|@ybFhOPL6JirIDxi2s_`oPNFuCEiH;YfwO|dyCNOG
z%ucWdZ_3c7eOklU@(}e~X5)t)2oxD@xfWWQW7>Fb!c`6_k#E<a-EXva--1;yv%fUm
zt4w<B+;NfR;96|U{2a^C=kF65><)qf+=!*%zFl3hZIDbrLT^C)=GBk61}0|-Mg9}`
z_sq6iYi)x!>(!Off2y(J5hgeo;!c%~<kF;Sa^BhiE`kN=&w;<C`)P#BHGayI`W1VP
zo;I1<TR+Ly`{>5+1y&a4>tHm3gSk5a(Y<owTI0L8$IDkg8D9vfx@h$!&-i`x&y>5}
z|EV_othqxaJ?msdrQZA@_WaC_$^Fn>u{(8<Cnq#~JL;kSp~D3s+-)!zgD=VgM)G2#
zK{!9-`?kU%o0k0w^{m+Xr87szX2<Pce-9nM_7|1wNlvwLJ6xaxN2aRyawL4w`XxU{
ztu1VPivxRbF-(5B>^gym!HDNjMEiq#6CPa*<zY7ba_X3I4ojli5zGmjqB~R=Kkno|
z3qxO!M`&!?-rdW+srM%Md2@a;xj3utag8zVN9u>{8iiMCzW<Nlr`J^{#?L?=XP9N6
zsBt+v1^Kl}_=K&igGq>$*B_hheG&pR_?FmH-%MD^R`609wrsXLMohxpTyYVDu8d!t
ztu|FHt?m70`<wsLgRpzx1gg1XJ^cclnCk|}&M9V0Sdq*8_Dvy)rz=ma?KCGGL-JC#
znwjqoR<^<+6TS4U&qb?Cm)U7T&Tp0&%55L?8vx;f$Xg{n@=z4Y26m6_Wg35L7>R=P
zGFV@xemJ((-2o9w|DFZ~ErAn{|0%`G0N&VL#I^zfzFF`-X>)g9L~1<DPE31G5>1<U
z!e%$_IAy0TueW1zCQTQr2KQa}<6O1lf<B(Kf6GphfmsU}Px7pl{Ln7}_dS!rhsn)s
zaNL0F-sG@i&`C*GdM>zlMw-qNkKO{F??}9YX~NcG7#R7%2u5$1?b{q2Z}p$>z7e`l
zeEewyAEX^HT9C4NRk1E<KlPz5iuFO-zLdyB1Y{vN@1O%G66ICG#TsRn8ysPZ*Dwc-
z<7nWHm~`-?&q}1`fygB|r}ONgN6+c1b)4x*VAK$s(CSGRfRi_wBJGhaZEJ1!*D&Cf
z^2uf>?ac&x5_Y!d$dti&BdiK*SKEoGmlk`iaFY1RU%pCW$M-$P#c3|!sU{QX$6dk#
zCxk+^W7ueo`Sj~k`~WBhTpft?gR@3_A*hMW1^G;SAZDiKzK6cO`JOIJRfrq0c)7ot
z`*{HOy$lIZ`JL^$Ru98Dm9bz-+`rKC|JVTB2lo4LPNta6f3L6mp_vX~!0Ljd-f?#N
zZ}lkL@RuXS1kW(&W?Uq*;m@H#pT$-uxcOz)nw?eh(m%E(KHzw)H#)K%{g!w3+Oxz>
zmSXsplEynwqqZ||7^@jfbkfbEU#I;<h!Oa=kyPt~Tm2L2m+ioP6ty<@!JpsJ?}~S-
zAKX$p+~`-Z(;;gKa+b(VG>3qhA{g4sL8J4|fm*&(-Y(4~rAr;H!T&e_R;o5d0CN3J
zdmDJ&keCXCpn-uOGg?6pIa>!y6Ta|5)xkC}v^Q?fuRe31?)84oYGB1x42a|y#r*58
z{<m*s|F(h?rq>oh-wEOKZ=RGMDlnv+zI2oDqpeM?DQj!*mmWnH;)1I|F4+R&#(WdZ
zKL7zMvRTy5x0Za+YIEmb$sa*%6>VSPj-Hp(D(e}EDpoqu@->{Dn?4QDwEYXls~dSN
z7WSd}SaCRi^+^Vy!IS#$EzbJqX`ubv!-pO=+fs!=aEAF)6_O_Zp>lI6h~{Ts^kcyU
zDx=;%=y6Nn+ZI_O(6b1M=eM^|Q}CatggIH4FnY{?fZz1LT=6VG-PskXC#W=`zhB|>
zy3I0LPk*#-fID8N^fb#Tf@X(eaKfASjmX!^5Vk$<X9_&GL2PoTqwnJ2G<H!Su#M&%
zrk#HIE&kpvDIbaRq>^F2LWRAtb)WEXc4NQ+dtwEn7i$9$lAgGW)ohYQJcb5vYHyL;
zs8#03L$p`V7-?9-uPuIO!9=y&>(QM{gXByjwM|SScJcEj_dLD9{1fg6O#NVW17IHY
z*NZTfXQdnR!RwnaK1grWx5dMm;s3REZU(E7SEZN4a&iucBIm3T^pMx%nuH`(7g_&P
z%CZ&=<tA9s@3b>Tzje9==N&KjFt>GL_4Ys9fT=}la6I{nO`OpGsv1E?NG~snNt2Pl
zt0)hy(O2|OaOSh!mZELCK7ca~24ZeplDdZs4|_dfPe{t@IUVb$mAw0xYtb4;`be70
zE7=kvoW*@JM)*UUNc)7-+kvIvABi6ghVzJ`5pk2vx21O$#ri7%{GWR?rWzSIp{&#N
zAe6=22j_4GZX47V9frUXcB~}Q-W6&4vRN<^eKA0x7}NlcToQ$Oc*(Or+vmvd-bfRT
zP66M?7Z}n{Fq>r>N8r48hhm|`c=dp&(OZ7-3d=U~Lx(tQW!K2kqW3Pz?{k@iu{sZ_
zPKmt!e^QaSFxdMIn>{fAXT#Bd@4iGDC0!X151{SG;eT5&`Zy2;Zt_&wEUX}$fHka$
z=_Gq@Hme%~&!wI*kdX#_tq-t-tO8Vf6~iO)CmQZ>5&=X_Nbpmf4q*HfEaA?&wu|qr
ztWL2kSpcGH&$+qaKw+d5;c^4#_Q_YzGNp+g^}xjqK}x#8c~}Z3e@njIk5GiUTZ9b^
zXk;`(+Cqf<kEHd<Q-RtG(cQv!qun?FbsSTh!G8i$MoDVsVX<DD)mZ`S(Qcf;+E*b!
z&uBEm`hZb~jqe8nzN~f(h<>h7a|ggl?pLg#O0Tq+C*f|!Bj6UGo&9f7EK3V`h~Ad7
zyZ~p9lwsvEWZlMo`=vn$Q|{;=g>lqjYOjHSR5}u-6L@iN<0wUV;wjv|el0Tq%DYKH
z7bw>nB`zj?&*7aykC;I}o;6jJs}lhh{z5aV-K*0eOp>#XiC@A=$|1~@<PpG>(Z?`S
zs@l%m|FE)lyp%AgjC6bWfncRK8niboM}{D)WfW}_VKTZm^EjtBQ<9t0o>&@8;yVS<
zxI=Nauv#pd#7Gj!(vl^N>%U-bq(NQ6iCUWK|5%5s!jQnx@#4IvWkm4YFzRS+Ni#4^
z!lCpqJ^$kvI$S~Nptd;$<@UL{%`p^b{=&}pVF#1+TwiAPMf=J;NXFez0gkmCrb<yZ
z4oJx<@~qU$lx%}}vT2ti06vv)Mp2d87h!9b{?H3@@io&=)ve&HG*H0f@My-7Mnt31
z!A!1<OBenn3Mc;R6nhPGB;X^5$MfVRLuD)>v!5%RWt&IA|FG@|tm-YnJYk5o^aE0z
zg6y;URd2Dx#WLdODHTW(CL;m~l8T&XaQ_>z%MY|e;Cgr4aVJOk!RvKgpSWVWkJca1
z(5<=~qdorZZM<Q&vZ&+%oHfyZc|<bx%%T$9jFPfGIZnM>ufWfB(<ST7VKw0DiGaw6
ziBD#vq~bMsloOhcTJS6B6uY7TK>jTD=N&}C1BX96#on|+(jE@|BbN`tTKW;z(o-&9
z+^!9y;3r>=;nkT8qdZf7z!Zz(`jiE(S8!<?>}p(3eY?3yCZ%235-V3n0USh#3AEtO
zK0SK)1mR5HUd-Jhsh|6XUSk08LBd(apN|@GoZBcV2rEUoWw1!Jkhh@s{f2EwAG!uz
z1)U~40Yd*IQ>+_q6;WTeJHvIC1yCnr#?42?PZ0WzZh;lxO;4^HuV*BI?@6Ouq$P0q
zVAH;<X#jS7HdAS1e?y*!qk*GzaFb6MIY9^tfic2}@09V*D$tZkldynag?rU%PzLo<
z;8%6k?nD0!*mv4=%;<>?|C{1zss^Rozy_a`qI9#+u15xpxSLITW>bX{O@OJO&~dmj
z-~nm#fLxn(c;6s_Q4u4;APl37_33heI_oQ;P>F!QMOmBhS;1*1Vg6_g@Rppr@6Z(p
zfEj=7kakGn&NZ3)*jYT1mK92Ej>{qT_O9{*Q2(_LxFs|_rSYGq-d!Tu$m-S=W(UM*
zm;d1D=v#~r>(>y^BPe?$F+hn~qXaGmuo|nxI9^cO?c9fD#0B_!uxzUY_<;?~##T%A
zoGr+0(GMZ-XTsN+O~#nxq)3Z!WyLL0^8c9W=ju^Ph_*u<a7=EGI4Y~BvdLqJnmGH1
zI~C^KXiOc-V7%*OC^LcjA7wr}9!HNp++s4aI^rWS+(zUbTACqhqM)bkGF_sSOE8-p
zbs&B<uk2XnMhhgIXiew={MFW2Ym<jt5%ARsOhs(eK&(njGsev6hV#;JWmi0DBR1`6
z?{N)Q<D{%!X^O4^ktoBMRt6qNN#K*R#&n^ufORqTbl`%d-qRnb)5!dfvjD+MI@^C;
z?36s<%99G#g110-7b$#Ff4yL+fXYtuq#p+d;A+E;=oKF}&P#)hOSY_@yLmsC*6|Kd
z7Ue;@af_g;5#|KgOQxI}0g1<@iM=}s4-n2RUJ{fhXo-}3FxT03U4vf}(l|b6AR}gY
z4AG0JLj8|}?G<nfwBt)}(Au#8;qnK#537OJZ_{wHu~n;7yXVVvmGFxEWX3~H%R&8z
zpfAM&<l>QlB-4_t#U4OxlsbqDjFe%-!bg|MLzs|cX&~IS0oK2XmLdq+AtE_jj@rjs
z(C@ec&&ya4A`tHs?=xo3eKOYb&n`HDR5~sP*vK$;YfP^ZQP6D)#-RL#(lUZz#gqyv
zA&L6o7L}#C1-7o3g7HE&V69D;KUAA){l99n;>SZKqwjY$rdr@L`DZ?&z|!k11xqo8
z>FzxTZ#VOmp&pu&+Z+Rvi4TqfLgh!0=0KjsALra`xKON|l@lo(lPBkdxrdNpz~w5Y
zQNyex8D0}4``SYg%UJ=Cv2D0d<FYdJs8fJx8VkY)x(Q{2(a39X)l!m`EwYWPMQ~e$
za*2Ue0ZdDWlc0UDB4&job5P7;+!+kJfYlW3+-;e3gg7S;`YYNINfTLNPfWoHlem!i
z$a?J^3q2J6%5iiLI?w!Xy`I3Hs*zWO4Mk&WC8gTs>csb>K>uNh0`~2|so)AjN*h3^
ztPt4dp_)@<z@>dzRiL=CUWtM*s9ur>;fjScn6G>YE=%eljpS|*xC0(X;Fkh<s21cw
zi7UZM#5&d_T#qAMaA<C3;uu`CggplZQ34<wa*KKRpnLo!95oQGi-^Ym>LlMi3YSEo
zNz5pim(G)MP)XqVc#~I(k$^mns@gg&h{D(Y$NdV}zU4xosL?_RUXeD=>QqNcHl%A#
z`_jo;k~x@$7DYI)>u_9UG4XQbFRYko2J;b8GK{&Kz~}oV&Hq6=2Ga%ZsQ;Bhh`5NY
zeP?J<6bpXOOpL-+XmC*)@|y~E4O#+g*QRA;BUt^l1D^J7fqP(kCwWJUbmM%b6aKWn
zXh0ox!g&i%STu@q)MIUdEAUPOjlYy6;W7Bm7O>>7=_D_RhpI9m2+3t^FPVLh5ATe}
zS?p)J0-p<qlki+{on0MN6w7%((o{;__?-9Oy)%~UPEl}+*&9!7>ZC}MUQi&3D1L_J
zo)zAz)du7=Xkx^*+qCKZbI(ACFC7{ehU+qfs3%&ijjST9NvbvPR_{@^II0=iJMLMC
z0{-vk0D}(&0z4sXIfsIZb#(}t>cC5JMd}VR;90^f{m6B|LyDQ16wT9tQIgDJZ6aLk
z_uxcolNb_THyLy;^7PDvDqKYP{0Q0&)hl$bi6tF_6>(DXXQ%o>>EJ%dM`Tw8-n?Z&
z380i@%-M3DWTT}-d;xp*aN%v1S6u{hoglC-eh#l4P)peWqq)10ku)hOco8z~Um|dT
zoH@O+msQ;2I7`m?Q5h<lLNZWJOtFxnoQ8<JBKw<X*5;!T;t6RhasZe33j~qrWV_jY
zt2}Fxc8pnMJ~}P%<4f%FS<l<>OXOZ4at)*?<&bNP*@L7jBlo7d#;dt!>5=)n8=XL+
zJ9GY#ZDC4)0iQ&*aN3n#MM_!wSGpgnxhB)1N)S*xh8~8CvXkMuh4}j#JV~#sk+h@s
z#woO)s0ZdWRp7bweY`+`H<bYKLojjPq`%P`bm9@%3QwP0x|h4H-VPLeIM1DNA%}OH
z9S+o*4w^i##2W8Ui2MGL*IrwKYvM(&p-F<Uoys6BnCA{o8pAsR0hcBiK*Lmxp2!0P
zzC++F#h~!GKgN<rQ+D|}VfR5DG!L$FckFFyt}TUf07AJe2#m`V`Dmz6KsdGiO|<mv
z5EBI#W5vjYd}Siz(-3&qK!5H=@HvwMqUU3;jHfCVlBNt8Fq73a*KQr7MOCiFieE&#
z@h(5gXM)RDFiOHnLf5&6E|}7s&_Ax1JHh_Bul;)#>la`S)r;MQx8*MnHPBRuEEkaD
zClX-U`;#OBIYRRH)FmPVZ6m&?F_rS}A@i785;fKP9))lkxmrq8&F_nRgWP3R*3xtS
z+9)vrgLVomK|I|k;-QupP2-{XF-(c;BJ(b|$}_)BWceewduL?xMHL6&^?0}+uWiW>
zS0iyj`mxQ-Z>bv=_fKr3$2#s$p!L{Cnf~&o0w()jEM!DQjn~-%Bh%eDk~=Cv#{7`!
zhZk^pJuqZ=Y<5qGDoF7?&TWm5iBwNP;FF7vprdf}bG$xLj3|5249wqRUDNV+ycED+
z>09|~9ITCPI9gkBn{+JPxcUf_cpiO~ONTua?JvZ`1be4aYeW9RcCzTUUQHX3*%HHI
zPRqIhlLew#Fz(0%CQ*~obMS_=^z~l4X~{pt=`E!=vvY{5;M|<tnnjwhA9Og*5(K0p
z6C__C-QkMwGXpR&iLDjVZ6Bs@fno@9K)+qB3h?~y`J)-EI!8lQzunvRE>xxPlClVx
zA(ofYKQ<Wx+v@cTHhibxi=x5dL-~hvl33952$L9P=cVf<@CKSXyst%WtE{~tv!C9O
zMR5RKX)GuogXnjL+`=qMNAGFzYae=1vm0A<uL4YkR!RAX_J<3S+g`(Z`{zI9KJ!0Z
zp)5SeBRm~!^R7h1pkeG#D>-MVi3tBQ0F_0%oWH3yOh8@Ku<AR9LOFj4n1bDnG58?i
z`DT-EY&(rlihfg{@qgPdy29$^YEcP>E3=dY=J3pM4q=_fATGR|J4WlmLaigg|8!j{
z>qR%Ns~0brFT5{mBJdyr{X@Vaa87~XMw<e;KuHUJ3(oywpVSz)2~YlGv}nnG!3gG@
zgVEooFxOoU{-<*{l;N3xI)@+gIVL@+D$Dsh)_AN<R}Z|jzxG8c^TzIa;|<NgPE;m;
zz$_m&hNscF?+<t$nRHO|0Fx5W9Pb<r8_TzeS!Y%q0B+3qH*Mi`-2;4!`2Uy1oDM%H
z$*^Q%mO8he$}EAiYQOk()Xc=<fJZR^_tFHEPOv?aQZK&s>+iEJ+V^Cg_rEu^&17M2
zDAC!vkJ<JB=aIWC!JQ5Td>ba*NT}c}yt`3KTT$(^wfmkmDyM!{0~am)?kwBm_v4bG
z1jCYzT>%$3ON0+5a2d?Ch%I0%<oU>xlz*`G%D!`Mb$fqqE#L5j!`{DR`7d6V{J-~w
z)8Cs53jg`w&3XQ@ck(lH#g%ed)tpwH0T(R47)_0EvzUJ)x_~Xv(qg7XuYt`?QMWw>
zC(dtPXZ7XriO$+5xA)GQ@x+`5xQK00&wgPGhm!lR)zyC0#q6H`YEkIEgC1wqofwZ?
zj}*T+b3^Tm<J%TaH}0Iw!QIi@kuLBsflW|kSKGh3!XvMxZXSMcp^lAJ>iXjarylyh
zIvH43UvcTZ>aOQs1^wUO?l@Z!-D&!(*Tw%Ymw~|-qd%W3Wc|JcIRibr<;pj4k<Nq*
zW{>{2*RS<pX{mJHZ{B^Qo?+`=j^MU``@LE^Sg-8o{lu`L?}lx>%D(bD-Zopm^ZuO~
zdc@U&`N*w5a!LX`Jbx`JPI!x6f4TI^pZb)Y5{=e{22+3sx2Tr5MwFx^mZVxG7o`Fz
z1|tJQOI-s)T?4ZaLlY|_11lqAZ39Cq1A}>|_K2fs$jwj5OsmAL;r(=$)j$p5RUr{2
zL5bxG1x5L3nK`KnC6xuK3Yi5Z$qWn?a~^-<;V2B#&^YCP`i$q(AO>b-ZoOn~VP#?O
z$s)|c3N8&Mhf|o9H-{*kzH#NmkuyhRj<BC@@L1rb$M8yAu;i1I=~SQ<44$rjF6*2U
FngFZC&Y1uJ

diff --git a/core/nginx/static/apple-touch-icon.png b/core/nginx/static/apple-touch-icon.png
index b4f92f33c5ee09e6b74fd27eb2cb2ae44d523c5d..d1b17a63d7ef82bee0ea19331c9c00d5581683ea 100644
GIT binary patch
delta 4390
zcmV+>5!vplEw&_(gntm%Nkl<Zc-rlq33L_J8OI-B!X}_70^)`XwJI)XQR-1~w|W#8
zj*5y)OV#6ELF$TDpjNF`+fzVmwN%uqEXo#8LBV2?giS!g64?X-k-Y4Ca{GPneaR%e
z_wu$`?#%q>oSz)UWaiENy*qdA_ucOX0yq*srWG=6h>pZz#D59Ixx^6SPGTf6j(ClD
zhj=drZ_EGlJn=i?4&rKJ5OKWx?hbN3+;<$Nh|6RWJ&6Itb;M)DBw`McLu@4qh*F}K
zXdqM)GzhiwJN6P=<af^^CJ>|K+^37^84w*uq5^j&`bm%b2Vy$0hWLr7Nm5obsgW-Z
zU&~bDS>hVvIDdIsKyXMLlHdU1Na9KvDtu1tAgUddH&OT+w-NJX=yC<ohiC`6{Uvdx
zjD2q>CKI_tr3(a(M+Nb{jL&Z+`pOp;?e0N|+Y(0*!{num$G&wQkhrxW%4Ye(-XuMD
zTgdJHG4X-KV3|=^=kPe#$)U+w;uYdNq7%m4?weNYEq~K!bBQ7!N*s$IF`F1Jvo{c1
zbCLP2e>Abur@e79Ly{bsH}5O=4jySFG6y5Z5F3bk2%9kV@=`oT?jgi>c#M3kG{(jh
zf*PP@fQRql)5Osjir6nQN6a3UX)1_pZja5un+J$PA-44*^Bek5Vu^%{A)$3+?5`x`
zj+_#U#(&9Y5L1XU2xl9dU-B>FRE)39>y^6`k4i8Ek~u>j@epwkdh7I}d%q;IFa@Vg
zfQB;w2cox5zE|!ldBQ(JB<<jYs0Sqqi{3f`nNKAC<C2UwzfwiKE2*}SI)=>cWYxxM
z2;&-7Na`(8R`-*+3-P!l(nAz?u~%N&JNsK|V}FRjsf}-8h~fGn$V8%-KZhWO%>8AR
z2%>%7h%)k8%b)v8YC~quQ(grTJV%bKg!h5eM%3?G;s-RoXW>MrtGqp5ZOmlwTE1Oq
zbkD;vgd4rN^vhUb{cBl{j|TS#1+sF;LsExj&XDL*5RL3Rcq;ZTZ%A$AWQ@StK1l6u
zsecWb??k`^$nayBJ6{xysks}7d^9Eyc1j5|7ftCIGG8K@S!hVGe{S{p?vUD$d4Lo*
zK?8zVNlpFrmpXib$H;m#G#qG+&m@mWYni*rx<51+NQ8e%rlq!X&Cg-E6i9Me*Asf>
zQyb&vVVG+MDX>q<C1^07He^0S%5b59Kz}Om1j5O>2z>}K6O97WWNK5H1c$Tdp7nU~
zaA04xrqRws5{;q8rLv|B4Fb$ymn{6Sc|09HA+H}>ghl`+^Mw@Sv_0u)EY<=7i`FJS
zZO_od7;0QV?7__k7Or*~WS7wVCOR889azjXYomxp?|d(6XaJjPecWl?3!<?F#D5yx
zY+w`11L2*1Eh|4T9yb}-2v0gZV}37fgtxcjCIbf+1e{`?&_)S@iMYAIA^u|C0^6|A
zXJc(3aF87`LNKj&o`jnU9Okw3d+D&y1JOGJO?v6mQy1C@alek62{hrQ)I;K7p}E%Y
z7Tidn37d%%k{8;D3O<FK2sE3Q9)Femyma^ndQ1HT+(@7kO9PGjkS8hhEy&pb8d4bu
zmzYaR=JvA23pWtx$P_7?kyMx)Q*}V+eCY(j;l|70lelR>a~_TVa%hzET8tY8G>5kX
zJTMWVc}uP!ZWz#<eG<ivJKPxK<b}2Yw%`$|ACEok2>(S_r%Dram{F)keScS>-rQ29
zCj9`c<R5g8Z&_C61);elZ|By8J}cnRekff&4XVXI)hZnJ94vNVs_TX3nYdG16Z#>i
zE)GIN=oCZYBO--1>N|f3p&_)(m>h_xFC7;82qG6kLui+=n&=r#=!=Om2o0fKMlo?-
zG@(a3d0`M5LZ`ulhS0{k!G8}RG=z33?-=V1!$Na@=_&{fp<T+i#KFyl=Ea8v5E??e
zl-+@*JzBy-4<%|LG=z33yb$H;=0ZE3E()O`befE86uONJsv$Ilb~A4@3e5>g3m`Ov
zb~#z0L?!yiQBFn(AvA<GF=E)eF~ct3>q6HyD7C4qUac*zQ|n4JhJUVaJ^fi(*8riD
zUuW2#g&snb`a$TwZLU&B&Mi{iX9d+E8p79g*zBNsVr_*gt%cA@!u!l$#zNm6&|oK6
zJBA!p^-8_6u~HpG=hCh*>3TA!7pjrpRj8tx1`Iiphj*eK-nitd!7pQI?)Z4c2KR*8
zG$>t1=TCy_`Sq2mtbeWnW9Za#qaS0TC+KiNcD@wWlQSRfs16N39B))Q|G_hZ>UA0p
z@e>3ug=z5$3;mJbgl;^t@@rJT`3_1==jA8GJ6o$&ZG){J-K#=R4oH0i<=1Ju#RawM
zv@eS7Z(KUxQS^kE`eSwIiGgW5Q<xc$YL3d!^U%wKb!yO;C4crcFrBC0{9-kqo)8Vn
znZu((e;LrFWUkYJmE4j#b=lXY);BW!etse>aX5(NQK7S0=uHqhd~7YRSJ(fq)Ve|}
zB+$8Em8exkb%+#NLk<g_2ceB4zp7r{kyEDHS@0Pz|8J?<Q0lzQ9u|5%gpP9Tt8P#a
zt||`&I?VWNZGVXymX@jQ74=G&!=pmyLFgDqNo|9AYF&lu_(?FW&vgKODej^ke@|6|
z(&>QEnhVXj4;3ay**HPyr45y;Yl@-r_A?6A!>h|x(Bx2d4R!Pj_SUMsX?#gc5qfHx
znD5ah&j`&y5-XB=Se}X0_?$eHa3e@4`)TUo%?@Q((|`4FRPn3@CF+N=dPjxsJFh4-
z-FZ%u@Xzo}PsR+>JzB{^uknJ=(|6W{Dwy84vOF{fHuGR7-``%X4xf`iRFVF^8-13S
zH&&V+$}Xo18J}CJI?<QqSdwW=xr0K}&%U~;GSq<-)+9$U@y)*4a6XL%vmDu85t?7V
zcy{8pWq)OASEac&@mFNl?wXKDF-4&N-h+DbH%S(=L)n~xH+oG)=u6AzIZgwi`FEsx
za9(;(?jX$dXbB7bm1l&WZWK+w=9|*A9?7weFKO(0^5;=P<@E1;<`$_Bc9<W^E}$pQ
zy(`K?FPM$zg3wW!9|*<2JtlPH4Zmn{iTb|8{C|1hWrekB;KF91a{BXl5^Og0;AS5?
z=}E)I$=mKH6NHY+hXEZ{d|M*4+;kQ%yU={8d8yRk#bK%YQ;)r<!2Bu4JbJ=h{Y{j}
zC4`Q}1Qz;5&k8L!{uGOZ<28!B!sOdR^M5xt_=SsOBuqi*SPA~mvCxlrVZ};Jp_>W7
zLw^FZ!y8tle)1RO7Yj>TeffmY5%4m?dsyh3i7HPE-T2Zr$C{TmGmnL_UOFLkJh-;`
zbu9E?+4IfYLQ5kYD${B;nn}%<Gjms*X+a3x8hePdS?GSmR$mA$4Z)%8KX0tGy!J&h
zftx9b25um9EH)Fzu+Tkp2(H*Bw7^M6V}I6JU;iR*Xq`?!AusvRI)skk>rjno`bQ=)
z&2K_8oF2-_Lxt7ONL@*T`4>}3euB`^_#m_!mXy<d*^fdq?IgW3zslZRWqvX|xwayd
zmywE05ITZ!&Fe#t@T<^`q4J?i%ha}Vd!#N*cL4!}jy4B<TXUf=AWHlybYlbY5`U@O
z5^I-8@sr^8>@p)S145fYkQmfl=%by^i*{V-W{X%?1g(*JI|+E58H;cs^!{);=);=}
z-6@o*<aeQ^q0U@TY<f6*Q)#`rlAZu&tsYNX=sXho<1|*A(9iPk&_rlXuxsC3Xvbd+
zwGmo`Iq9?FP}I(hV|7uTI&YDQg@0^J5SokYaB;}7DZ)RyJdG!r$wH5fwv+5lPVR)I
zmCzzh->f3_>8|whKX_%vfCVO(8Z$v?rw<c_t_g*_qX^CWyzPR}Eyd|gH=Uz+sRR{2
z-&3Pb{LF&7c@Vle+lik=6S_;NHW-ACkcXpq9L=jq(4Pjmo@25ss%#3O_kZ6ks8ckd
znHL~*bb<K#{<NVoZm9(R>&e@yRj=6=mg$Ai&3U%T-xf#sKVC&tK<F6xA2WiX=w3;T
z{0}ZM!27s#pK0;#01&!)%IGDLG8;noA-;#ut>=H-AEi_R_uS*?&A*Es`?o;oMph9$
zTNAo1@fL)Rlm9^s&n{EDrGHcc_t;G(25hP?4WVTXVR$FxK=dOl_02LB0-@vNe{kvD
zoM2t3xJ`zQ=Z4TBDv4`j%N%GC2G51iiB%QlX}t`a&kLbLtd${hT%mc`@g{^$qF~`P
z2<?E-e{FrZ(NgLmcF%UWR_JLE+5w??=i|%c%WMeE%d(b1Xb7#T(0@xp%dL_Snt297
zLuf07?v=XGqoW5?T9^7XJ99gD(JB`gpO;^w=I%}o-X4u>F}IoKAEEhWlsD|mO5uJv
z4PW!bysFR+x+#4AZNy25%WMdp5!#v4#)jgG_bhfQWX|x3%+00^JIn~Ce7~HgJzaZ>
z9nc%0#jr^UZAkqq8GnE)05qVOxF~s<TV~+R!;J)*@M&abU2;M*x9Cv&4)`9PMjo1)
z%q^wvu1l4F;A?oK(9H~?nc?WAffl`UT0*0j2A=7iBYWv#P9^^XUsFz8Z%*&rQtGb6
zY}{aAGh9ftvw1SNl=^ZhyM!AJ?4W?S(0rK<p);LGEd{=XQ-4GcutsP@>i$wK9XA|U
z2`@4^(K?x1z92s0#4;`58>)%>%zY7zKaH1#8xJfDad)#`=9azm`9wZ$J}?<B?RAbl
zy>sN+LtX?>heiM<!No#H*(-BPsShFMq9K4ue3JOmD(i+G1BoqY43H+9hyl*X94Ym0
z5f%q&)~LI~nSY^1bg4T^S*8Xw4oDJq=G8#cmJ&J~VX1l3mM_piAW7!LF1YCY(Bn*E
z0~!e=QO@ghJ%$>wrRD;9d(c=Q4!emf^^`ese)<6!=%e94G)iP5p^d&Wx0IR(_~Vi9
z0b=B7jFGx80e2k6f`ExcJsJ@R994eZnuL9Oq&}2*4}a5nKpc46xk#XSQuCC|R5YmX
zWqx13>ABQrK90hAM98f7j7IWOA1%oz7*j)L&q&=%J|Lv_#|z-Uy(e>|)IDUOZ7mwz
z(^GSQZ+ZdroXnA8^YWS(k)h|=%(=0|f!-E5QtA%Gqr^T);2HK3_v@88XRp*;iTy?*
z4>GtOPJc=pBB>7ne;&rTdJyq70x+(f$yg|vmI43D9DS~uBS|RR>mK+WXcBP*WR5O1
z$M_#6c0v|clpEk;Fr6TB{Pfcch((yM))H=$1;n}TNdMHQx9%-ddxell8-60jc{f;M
zz1SJDs$mIwYsaI0yo1A~)>Z@cS8x4Xz{Z_zL4OlFh$o4|&?}oiXU#RwJ_>}lDS&L&
zQYyLZXZm|?*`Aq@8)e=a`5@*~Bg2d9n`ST|vu#OEycl;S#@D8ela~{BOU*)v?2y<z
zsXtn3JfIS4Y9g;79+F}~5LpAUc|P<=X_RcNHcvRkbE!P#AhO0ic26n%H&5z6K;D)V
z$$xUVTV>b=kzFD-=i^>1iRO7eACB;6-xvt*DmA#Ni~vM-?R4L9^0G5aa(4ZY)yJQa
zw+!L^N=6WUG5zMfUb~|d)gCEBl6;TNkkm`fxViEfPm|A#-q;6n^Bn7`#683mV!cc2
z@$ogUBi@yIas4rW48b`+p^uEYe@}cYl79p>>%r?KS&OGAKa}apizPJxITko#_TCv%
za)Cqbw-YY}!kegPOKwB4#Zk&ynT_Cc<w)hJKN7bE!h72Eg1|V^l{{0XxlSUkAbvwU
zFRN^L6Vh*GUEOYxu`bT6Ly;s~<;r|8SF(RglCb!9Unb}3A?L;rB7x)o?*8r?Ap^BL
g9h2D=fdUAblUx=)5LTcvsQ>@~07*qoM6N<$f^~^q8vp<R

delta 5538
zcmV;T6<zAKB&sctgnt!FNkl<Zc-rlqd6-;PmB4?my1Ki%I-RA-N<tEnkg$b>j-rCh
zfDA5!GC*|36@?f?AOdbMhz_ebj0QwR77+ym+#MJc9R)u`V1OhfWFa95Az_k`&Ytet
zx~iUkoT|J^r<Yn@z58C(`F&q~`Fg9m@8wsg&O7(q`z(~=`G3_;01Jo!ZNM;KG%ykv
z0UVP1cS!DMP5nGm64;x2>;iV?9@~M=f}bS-nA>jp$OD6AdH}ve#03#@1TY?$1WW^_
z0*3)(5RqFE!6QHerJYkd_iqM~Hx6_IJAf^~CSX0V4tO2djJyGQ02RFtRA?v^xD}E2
zD4+wF2^;~81Am4BjfO_p1MC5|0;_>nfF-~RMDjSGf>X~zi^O3>)|tSGz&n5=ku;*I
z?C17|6e9R4;054WMD(pdre5W)FQG-^CM11$7jPOP@gyW=2r_YC1MocXXGHK#K)Rmf
zu6?0J;t+5sa5C^g;3QxIlJnLgJ-|lbZ@}+>XONscTYu|v*QU@;PCNv78*mnII+72Y
z%7aaj0$v0D0Q?qM1jK-v%(-hzXs4_;7I+`<uSjk@%=FNF!fqsL{|xve@D@;0V%LVy
zj>uDhxxmMOW2nDqTr54nGT>q0*GTSd*Miu=7TOVcD)4dO6G*K%WO`@;A&aCV59J=~
z2)Nk66o1;uk*5Hk%sr+B_IS)=18af%fd_y$fIy}q!4kj`c{Gw%d=9A_2kSWeOBPrO
z+yy*>OvMLE>|luCh#Up}8Mquc0ht(4+@}YrV}BR;Jpt+|@xRbco;(})5>kR|H9f34
zp$qsGun?Jr^nHHqU!k3-+zxyO_yRJcr+CkLB!61pkCgs=8?F5*v@^T+PT=dv6t$M%
z%#uQC*Vh9t;?rpDFQJ{NJQSFRq!{B(4@)_Kjlj2o`;e5xSJB!(LOU`a30wo5jsH8|
z>Xjt$3nW^v0emC1KZF*U8;}ad4Zv}xholt665wj2PsA53tLB9kncIMifiEM=n3Ukq
z34eSGsa<!QmfD=qPKq%exEA;nnqmZ%B$88Ki!3lOmV%fO+L3uCQsX?$*jN;|$O2Cw
zpR%g}BT{=Wkt6ddz^%Y6&&QxtlSRO#NSmtXQhVE#=FIw?1^ft=xfYp&q#tJhRzU#s
z1n-1)DjA;w?f?$=^hgyiIRd#z{0I>8Qh#c1gmzX~e;W7>veH_qZN>xN2hPPqsjDxv
z97rSZc|_)so*bFt2Sy^Zil4?KsjGWY==5ZqpF1#J+gG3L0KNkJgetE*ub$A3%;zF9
z>x4;tvmNP}e1s}CHdRMx=c8pVl1GiH%IhdWV>6O^J_=N&r02fSj?DiA+zU*s(tpWO
zg2{T|Jm6`-b*bGI+L5^fX$C*0$|pw&CQFbD#a94VrLIPmV=^+Gtuib9aXeD-a=q8x
zJ)tE!4@25N|IwopqXd`Jf$M-aH_LhM2<_CGFGsfDQj}u&Byb7P;Fi>t3+)W#!@y<e
z+CQaunvm|iGXdO?x-y}i0UVDkn}5=Y6Qxwzk)>R&TywdRavXv*c275WQj}nG4C2u6
zN~3i7LOb1ammq5a6{Ql+1TLV$mecZtc3$v3$XdW!-3edujz;7fOe$n$N?l3HF&0_z
zJIeH#P-=#8h*P7>eS*@3cAAbZM($anC~k5p6{H@e3GKYV$@^baQQRd2Tz`mc16S4`
zm&$OYx3%n#1w|Qz@ko8T<XObxg?66!qsX+SqEwSJkoMz}E)YwN&{L4ySvQ1Hs!cPn
z0J*Pv(G(}Nv;Dw4;8@c~s?-g~BYT4v9i>Z&(6f;(2o%LDEJWy{gXrKwJ6jN3K#AdB
zQCwgOk{J}WYP{G8JqOvZS$|PX@L`JFWouxeo#=cXy3kcI#{`Pp+oPBW-GS^yrzj?w
zOA#C4_b;?F#r+91IxFUxfZYCiz$x*;BJ>RMs|ggvJm(;{!0wm6g?8Qn=OC-N6~zxs
z0saN(w=O+UgdRtJ>QPbrfrV5&`rYtzAfZo1_tsGS$1DceCgWhCC4ZDRBk6|rY$$#s
zg3O6D_LX+@7om>^-fep1iqa3KAO(wqI8bQE_z$3^I>o<?2i^-DbaB{MgdPUG-}HzT
zWe`394C(#NzJxv&xqqOd_?ZqQH9i1GXeV@^hAgu(f~5~n9yLHavW><8X-Bx%FAYV6
z_MAuvE}0r(dRvIBZGY$#)d>w2Jk^=zp-m~%L#dSa0N(?;^WW$#^mGi>o*P3JXCB(f
z$%lk1e==oIGB!N4F%|T1eH<_qSeE}r?;QF>^yWTFa2O4oQ1}fI+S%XvB-0~QloGIz
zJ!1CnFI^a+$DsG#R)WWD3VJ&Vg`R=*oGMC?m`uS|&V@qH0e@Oek4{laWGE7)0cVX?
z7}*0sQG!SZIhXShdN^>D=}{?4nH){-b|`tFCs2iZ#wm(NOau-EN9bu7obFbX3Ta1{
zXYChyItR}hDoRjjB3J1MA;sw<Opi!WDrCRVZAcEHC_!c-&>BK=XT2a)g3h79&@j^A
zG2HZMs!iI44S%sL$&8KV=MFO)LKaMphKMxyd7!@I5MX2&iOzK~L-@qj9&TQfpgUvx
zvTM=?!WPV%+{{%oBBqBEG=>1<!bnq6i|Nr+o3I7*4{s)wwYh#(g55o~zj}dfXbQoC
zX%ViN9$`q>PlF2tQD96Mxq+q|_x$!f%^~>0v<O2REq}hYBF?siPo%b?HEeOkj0j&m
zqM24rHOe6jj13_|*UcFWTX6oQW^SJq<*;Z-KIcth!-yt}ZywviSEol*=JK(~2|cpX
zX9^l23qCTTiMu<ZOm8zNwGE>q77LGya?zA#n(N|ovZ{;>0V7P0!W8cx)5s4yTA4Mx
z!F#D~n12`zamVZ^=T2-wQ)X8fk)K$pTTUJs=0|f{dDkIf@1(Y2dRqhcbVNC4d=nv+
z*)7^a=!T4R3~%7RIZ@s_rm^}`+c2x(_0(lo8B+HVI?s%@2JY^Na?bcFN@l}JBg6dU
zZLOTB+ci`JD@2`??22JhG{hapM>%&=6Ae{({(tw4ZRAIDqRbjrjb~TL^>Qc$jA;(B
zaAuT?rZ&^$Qm76AbH_JvPe+vLLsaG}(xgK7L3@+MjmNa`l^GFQDy$2KE%@}LChnLW
z<**h#-PNXM&Tv=SCZ2KcimokearKM{*B%vNXxJ+2VzD^{7f)?w;c-z$H@laa_hjM8
z&VMwWNyD>3c7+f3$=1x3$um3BJiR^5RWsb{gNQU(TsAF2TcgF*E8^@(7CBX(o65fY
zh-R*w;qL5TDhqeMp5%cyQvCcKt&DQ<jZ!Ly4+$~0IaIQn77)wWtlXEOC+q5vy23!r
z*cow=cm{5HEy121o9mBmq1~kfxG@CtCx16HENt=RSK@4rX9t$rhGC5sS05E&!PJPW
zvwyLS&8=&b-1usOu@TE`8>|frrZzKwax*<88r=Y_*q7m~=epSD?x##93?vMm7FS7S
z;jZ;b_V(D^JhO#y5qE5Au;8PIHPO~+ap}?+>%01q+J;fhl7F8!x!Kj(zdb!R-+x@4
z;I_315*e_3P{EEiSY>}24h>samW9i?M>0gg-nxOuf(-D}O(`y1665u5_dd@o;Dciu
zxwoU0V}|uHRc^!hXo%ZpN15lc%-d5oS1ymU@U;X9cR!+Qjjj-|*Yqgd#s(hU+{0%V
zce83=#?|LOWmK5^=0rK6y<n=`hJR^8LfmzHl#fnucPe{xBFm*qW8D3ElC<g0K>xEl
z1ne+9imG72liSjK=A{@f?Q&P@w~r91PZ=#z&m7jky>nVQV{D_Vud}{8%Y{o~JiIA|
z2IivJ5dyZE9!1r#;Dw!O&Rf*Y)7#UoKK0Q<8@Q*Vl`l<?@WVM#{$ZrM1%IOzdoz4?
zaW{``?lIo79T03_TL{>K`8N0JVZrh}8O~qS&Es3$m1A0Kh?|dX;e-+H%KXBvH0Ldf
z@zl0-9WA}6m@Kd*1Z)KYfA^RHv0z<Smd`DY@v}EmuHKZ$?bgqyI@6rLD8`FBRpt^&
zkc-e;sijIse^~JU@hl5oj(>6QhGfaL(`sV_k8P0)*%f;-Ds$;{1Div@W?-M`(RhLd
z+mkk5ekGo(=la9yj13RvN{#*2xRt@!2fP&mb^)EHN8=e5>`mKzePx21Rww8(Tnp>5
z;qKRyT)H$i_$;I{5L<vfAz%-%(e!A%CZ4hR*6IXTuZ*)RWk%{m)_>-f*AiU0yo5dx
zr9a*T_J)xQ!u6&{V}g_ox380_@|%urVT^~%uDjAUH?2-^>)Ir-jLPf+>&W$T0IW7W
z8dGF!`0*Pl_NC!FGh3J#t-jQ|Qa1mwD$ZT&lNkDNs5NZhRdD*DU!z_w4Es47zkD;r
z1xsSAc6qA2H*Y1gTz|GK#t&3xH`#+k=>0-(pq?%a`@(`hZ0%v*;uuSIS4Zkiu`Hio
z661l5DecQ}m$!g7z!AC=SZjJz#<AdU+tbWn+|3KS+?^_4+a-M&zwygdcBQLLs<-N-
z9M+KQNy_KYG31W+?=?L#<5;k0SBCRmigEkwD5s99d|G?io_`FNERFHkPXEmQy}dom
zb;q`pJsdmt96n(wkYsK<Vdl2yZ(jcrkVbDF1Qx8^n_=FfZf>0w<wN7j->c)fooOz4
zImY5${+j*k7~Vj~@S0eG-UBSoe^Gczznpr{qYJU%^<4YrLz_~RGpYEeZ9Sa7$bT}|
z7+Zmr`7a8E-hW6Pm+$(-f-P~U!M@l9oi^~B%{|Ot9OKo!Dsz=t0c^^DQ7H62;Ca)d
z^BorKNZMSnJkG+ki9xqY$k_0}#uOJViLs$ur?NfZc?uSKi_ml1^Ity$#7&RTcUZ75
zZFB9)1UI~zU|&Bqw^SB>us+G<OJi(JsLUSF4g3w*?|*RbX|b1)nzYgf@vP0a*ChD&
z<#BfQniYv>Z2oIaf~!{Kex@>e!CK&z!f*5zdJFKZ=~4Qblnr;TPjcC^Togv4_cf~$
z-0*5#qPNQI70=RZ385pjgzPNvC!`dj^g{-CaAS&#UyiY8cZMsM$GJtf81R||@JGNd
zNSXVrIe$Ngbl=S|Jz_s&1Hawe!*e?`Y)@u=w*saPSO>h=`<s2WmTdx_Ha*%PkVVRR
zDzg!uL{?iJz=1+LX~*MewWByRUp7G(;^+bC2K2w3?z70up`!SaWxxx4{h&XgJAubc
zk6Nj1D)?~wZ)7d(K^%Nh=rk)m3Va?I=f%OLZGU)vN19mLE_vUK1`8JNPGi?mE*s0h
zUpmu_jaY#@Zp(rV-C2_5t-9X`{0~6ybOZW(lZeobzz>0Qy*kk55QNIy^f+VNr0S?_
zW&zD1!+S(mK-Pv-)-I=|`flJNAXB{1keB)cz|VmprcZ#PAUoxr4LsSG%rN*pR-Pe0
zSAVW3=J^YQG|&wu^giHzAZhwYl)5JlJOIS{i_S2R(9Rz{fwq+@=6M?U-@$&Vm`x~l
z0{5a(S}{i)DNyVg>=y?X+KJMSqfuHhhZCI#NH?JP8*lCe?n0--74L~5rMf|*GZZ8A
zfl>NN(?_S&9Zvv%00xcDP;7*jC)x{q4}aKg`UsV}VLNa;&|QqoQ2M>Tp8|ei`Y4sU
z;bGvfrTjthLd!cOg+%FfrjJyqc~%2=0O?|*Gn5{oK^7(6jxN(usz(aAjocQwrBIsC
z&O7CP;LoOyTB%u{0DcM-bs<<txx0Js1a3mMF;x^d*@U=NRGF?fr3-!FrZnG27Jor2
ziW{VnR6{25N{r4>ZiIH$9^Qd0C07(TcpPc7C`)E2Kjp}?1Gom=ZAqz|wZL`2u5x9D
zN`!V^^abFX=(M;}KHb0#6zua{E|o=SN9qTGALFN+6evN#MtU_K0m@D_^0>1iO_pmN
zij?zCGk9{8;PE@)eBiB0WroUg=zl^s16Lq7a8Z<ESOI(u7t6oy2<^PH79mn^EC0!q
zI$<mDRb&h2ic^g|?nP*4K#u~~BZ<DE^u<2l8^G@Y*JK8FQ;x#=^gY0L(S8r*U{b)h
z$rlk^lo{L>8uC&nf&WB`<aM<Di!ulq;7;H>K#$upLpAr#l*-3QBvOB@s(-Jg1OXd~
z%3q?w$&-Pou4E$h7^LT8ZdG4P@iR73XTBVl%5(kUe#&t$ZvkIK=INFC<3O3KOm&5J
z-iaH5i;-<mHK(p04wku!(HXpm(9Qw80bB_D43)Yb$RI5dp2-Z}q#T6@vK6=#seYtA
zd2Pi6DP$j)OYu-<Fj0As3xCC7z*WEkpvChsDAlAJxCJTOc6lXo9y6shkvf8GT>Uk`
z+oM*hMJI4AvJYL-Ynj1hZCIpkK+1VH0aJ{PMR9{QNN>htK-PrJV0yAcqy~5wa5Hd{
z@i8f-Vj~-oe+6ky^DJNP3vVt8`@=c#=YUTjGfBE_Z*Yhs&H3lz1Am#pFVWD6)UCj0
zk&muJO%F>MkWIk1kRTK@Epi@z2%Sg74gn`43nt%<=}!@*H(4ab_y%%=R@Xb`D#2eu
zLt(TY2V4fs2S%74mIBBs|2vWW4Lz+d7mNRd&g0xG@pPoL_f9lgn<9g3EOaBX18qqg
zD0+#1g@)eI`g6bqcz<+fTV+3Q0zW`%%d)i2r!s@zh0f#Dtly4w?wtWdO%JQa=|Yy%
zEd-Weu(n(Z!4MjHS3=G}rp@0;U-v6lDxn9t*t-qc1vCcuIw}_u9HH|#Vvhp;4VVWU
zhvwInk^z<?O+~*#E&u}~a-QG`oyQS-0`PI9xPK&)nkdDS0e_Yu_2ge7`>O;_<UGL@
zI**8LA!45md<vL_R7jNmNg=uMgTSu|xX5{eFLWL!Vvhmdk1WhR5oj|#G@r2tDZxFA
zY=ztj1YYDkwIg&MN9-ZMJAiW#!6#9_=|~1xk6h&a8hDZXMnE+pa-P}~x)7(_HyPPP
z@<WK^BWwQHrGE=<8}NTfOXr`FWpIHgzm-d^|ECI0)NTQe0!~F{AZH`hl3J;dWD$v%
zAOimh=~I@yyK7kFJoO=TA&%TpU>eekeKIfyI1H(C2Z?SZ@-9Yh^8P$>AIU(~kKLmF
zgzk+99!4%Ej|AS9dmN3lunxsP5j=}r)NMw#qFt1Gtbar<?tI&0;T0-$Ax`ve1P(!R
z@99XIG98!*j721mQoUKqG!l9DAzf`7kknyi?%$2beX#3Z;NGavgW*WtgsfH{g@`>K
zshmte8m8KT;fU-lNR_3(s!9gwm52d*f!)Z=+!mx6XjAU-CK7q~Aa&!qOCd_-@8sP3
k^au2iW|L(RfdY7(ljspX5b{Dbl>h($07*qoM6N<$g2cdk2mk;8

diff --git a/core/nginx/static/favicon-16x16.png b/core/nginx/static/favicon-16x16.png
index ff35d4b0a7618b3b4df63d27c6d0793ced5735d1..6affc1f31df4cb428670cc8f6411d827946f7333 100644
GIT binary patch
delta 212
zcmV;_04x8}2b>4690Gr)Nkl<Z7#Rh@p-ux)5J1s;r;|Ql4WQ7Z-A&MZI3GcASVWhk
z0)a!)zNIjnlc1_poU4kIrV{}Bzv?6{-2lM&E<J7c003+_T;_F00HEOKB4Z2%P?s7%
zQr4=fE)W?2P1S`vKNGl7RfpT(G*>XFs!|adOsc*<DjFGI!+tQ@Nj1f%%=E<_1<wL$
z9=6|C08ns@IhnU78vwnpX0n(cJS$ae-->@i;xX6Q%u6(r0Rw>o2$_?F13nN|pfafd
O0000<MNUMnLSTaGf>xLS

delta 266
zcmV+l0rmcz2hs<y90GsbNkl<Z7}H~5U|?ioW?^MxV`XP%Vq^ev896w)48ee#lY^0w
zfsuoU*ANPL`8XIEnD`BmfPf%_5VxTb6o7OIGl&=(o0x)tnYjf}NQ6Pu(9+7<#@5c>
z!O;mQAjTjL5^#2Lb#wP{GV=72010^e`1<(=1O^3%1cpj7NEv2YhJ{B&Mn%WO#>K_P
zOEbtACL|^$r=%LCrDtShX2~+h$!ELf0BttR&CAa(P*7x0QZ_V#I11zx6;%dCHFbnT
zHPnE9VN}!9f^fBz)fmD4)z;C~)7RJ2HP8lf0bMOF-=5jEFq6vyfdY7(lTHIZ5b{Db
Ql>h($07*qoM6N<$f-bOhmjD0&

diff --git a/core/nginx/static/favicon-32x32.png b/core/nginx/static/favicon-32x32.png
index 2b6b749b92a5d0f19c470f28ae0cc8eb70efec23..3b9362452f4349cd82f468dfb034fdca9ccd6560 100644
GIT binary patch
delta 514
zcmV+d0{#8-3(E_z9|M2VNkl<ZI1zQh|4S2b9LMqJ>+W-RJ5UNjlUU1<DE<-^6=7LM
zQeZy_(%&freRCKTg6U6M`jbP7Wt19yA?2n{-`#dI9lFOuG^q(QbGv3nMl?t{NfTry
z&8%uhok)pJX`JJpNxv{afQVx~q16j%69a+h)?-eZvJDI$(c^zT;uL+W2Q}fN3*IQF
z>igt&amq`y(V;VI9?p%>#>npwU5xI~-fY#yA|=s6`!x6+&IxdmIL5p%q0X1{uLEH%
zpoR8nxUt|oQhp8aB~sE3M}9bQD3F9wI~+Oht#YUuMbY2QF#JP99LIoMflQaQ-lM#<
z)|FEQ;$kh(YEpl8IWnCR-(68F1JX9BiWNHGvJ;s~Sj=@Vl?kK8Yf<H@umw_q=g~B{
z^fS82t-eK4TS2fzo#(uje%Pn3T+on~lNczIDLdx`_`{V;f;VGQ0((6V1=xpyWhXa#
z54ax;N(sCqmGr(JqVBd5|DE(ed59t5znDz&RnwB<r?g)4ZQ4AuyX&;E;mkZJ?apzk
z`PwTGh%uexq`Cg*7(SqK{$ReBR&UQnB@9GLjO+6ij{8{LE@6OZ(1cPsGF55MCXG7L
zq=}hPeJRW^tONh`@T8IX2VK;QVqEyOyptjYfdUAblcfbd5LTcvsQ>@~07*qoM6N<$
Eg1{5@=>Px#

delta 555
zcmV+`0@VG>3-b%G9|M2-Nkl<ZILl*TfC5G)W)@a9b`B19Hdan%CPoHSz{teK&BGfH
z1-v}mTqsHy8Tt4H;!%Krpb#S?LY_-lBpwZjh>F2fFfxiu#A5*x;t&;#jFM9ESb+o=
zSOufBOgs)C%m-A!C@UwAOM$$CEF%M>qEb9gAfU|1AgdCO2dIC_GN`G87zv4}APK5K
zLz6*E8%QUoq^2Q*)btF90&N`zT@am_nuQ9op$g*l81z9@4oE?6UOosE6e25-VlaR!
zC@L-~EiEgrs6<v^$iNF%kX2P(laW|k2el$21Ek1^K^v-|zM(Ozskx=KEvvr01E?UQ
zv$d-`Bc7MR7^;7ur?;;$E3bb-*2GDZ!3wgoI;LdA8!(ta737snoi-h4c)^T}nX|HH
z&zUnDtiY7P45naiM$5eUSqr9QfE4sET-Xm*V9sD+2?+<Fg7`&?mn;Rk4yXVOfC{Xv
z8EkApCM@e%z5?jzm8(|A$7f7gvvwU2tgTz0VQ0_4<N$wEuzJJBO`G8{w55707;M`f
z@5sc!=;RC(gLoPSGN2&d#TA$yn7DDrwi_t%GrD`=lK1oir%6U9b?ovQuCQe7?SoBT
z-4~HDocu5nuDrh!a@Gn6G(?p*402~g$(_L=p<&@L+3<+SkYJ4b9V`|VZ5Jai9}^oL
tCx(y)015|@L0tyc0cMl>1c3s0oRfV8J`nOkHI)DW002ovPDHLkV1l>b>3;wK

diff --git a/core/nginx/static/mstile-150x150.png b/core/nginx/static/mstile-150x150.png
index 04c609f70489bd0c6579c3fb4723a217eb24168a..71c4702d19e1aff3ba8befca74cbfcff6431648e 100644
GIT binary patch
delta 3618
zcmb_fX*d+@*C#zvi6>cWP>g+-7)wmHF-FRkJ^SvVVUVq%$TH1f#u`F{gk;}$#$?|r
zLTC)5$1)ki$Wm|h<^SRR@V~D2dhbu?zV6?B{eI^@=iKKy^<phTsd2~)b5Q+TmJjE)
zK8L4ruL=&p<!_ztVX=I_%#&f``&wzy^{TIQDLd3eD+&Bky}!a-X-8y0nddJwtKPHc
z{9HS-j=T@d$f*|Kzw|EzvDJc`J-n!q`=ivE&h*4e&1s@Z*UhCnA9hm+fQ?RS-OZbU
zU7xE2nf|ko|1tm1R*Zv`^afBJ9MtY!NS46Pi=`M1K*gb+#%o)dYQRfkcjl2tnuE@R
zOoMRjNe6{>ISN{zg~+1gj={=EU0S<)k$Zlz!_-xuv~1aFSK(Z2`Wz+7G^oivRjxGP
zn2Skm=q0}RZGJl*SSOYXL~9TA1kxK+=kV!iSeRHsB=rK=f9T~CvJAFj3zB5D@7>)G
z+{0#IYp^o@Nr+{>Gvrr_`x#L%<pI-?0sag^mLR$^Rm*og1wr9EizJsSa-<zwD&IC=
z1>4qV8V_z@uVJ4Y5Kc{U4-{eTfiU204!(gG7+qdy!2TmcrXucvTi9G6Ol<V5^s~=+
zo%uHG6=27A0?UtcZo-ku@JGEE#W`b~qb5z1`ja{4**U!#r#$&^Gjn@zd`+b9=3J^p
z$4?0+JGl#vvEjMyNIho0f$d3xZ&&6fk%@UfDqX3iTRYP|_>@&vU%`Mgv$h;set+YG
z`MH;)l{HRFp)SjXsW81RC4ql*#x2-$O6+KgOYMbsVJoKxE3hgasUcJQ_~9LPAh)>>
zy~&SPGS+!A-i@MMc$ZD$*51&ElpK1IM+3QyT^`t=LYMxCtN`ZbY!-Rp9c76ToWLrT
zr_e^FLDAuR_9N+MxOR8+8AG#U<S}Tt!(gEvSF&Ey)_iaA*jHjEOyJ>z78TaoYMH?E
zgfTCsUcwZ}mZpsZ1=^C{WH1Ay(c0M8CX4M5zFEPMn7H#LMMvIRW5s9#x+(`UV{^1y
ze*xvzT#Up(ujH=35TCiOc#$#%O6gE>ZF@zuWxv~Bqe3^H`D!vX>zQ24$HD`bzThYj
z!D-z(@FRJy&Bitv!~;RL`KFz{OkLkn9Czs!;V7B3Fz+o!h!Ykazr|?r5%(|)kJ6$-
z73PcB9msVm^s#SLC4u~5*FhI{XL1F|Q1NWOBa%N<lZF4gBzgrXtaLViG-z;=-JRSD
z+V-HS7qs!ed*|T;5Va-r2Wtx(W8A@_)&%$!oV*f6BftYJ%2!eZ8(wmm5)(fUJfmEF
zF$C@)@8jGnCLXf5j{(P(Oxn^!aB^?~iLd=k5K96a+p!osm|3}gkIl&~MzoyNoB>5<
z&f<#u1eOzDs<h7Cl+E!T904}+>vI#}LF)`ic*{thPTSOR@ITSFJpFy12-KEom@?d4
ztPyed0bSJz^+mkI5R{+EwW9=Xqi3pz0s~-3cFCj}&42w#1}V`3?)_tRYmGI|5|Ch&
zX$DAAz?5JY*&oJP0VptODNH{f1ldCNXVvPJ#(YU*w@eldAh<N2Io~Ud-p5KvVjfFj
zl-MKU%m6ombyB}}935(=YOLCic@wrfYMzrMvq?6CLV|2~5UY_nH>8J~$U(jL0^CjF
zzx-*7Q&$@E6tQig;NuH*hp%s4s`6YG^@i&=HF+Bml-%rb-+w%o4&Fg7NbhciPf|p}
z^LqlVb2+7-<7@z}8V4M|X^0kZ1<c$U?{4>y#&opqP<`arX$o4Fb{uVNzV>PFLaBNV
z1n`{5f52u35Q8glln7sWkq({R$aw$ilGaPc(Fdv3wGVP=s5Y@kV7wbLL9$ubg_qT*
z6VG3{JmP{I?o;4IhIisht+HDRRK!lmWu6=?!naUvEi!~6`g9+86up)$buBYNYuxs_
z%qZ3}_*ztjYx{h}DQ1-08yKNxI&bUtn!dU&n}ZPT;5_BtbDoURcv?v1&i2Ha)3O*j
zdENv&SqPigP}<`qnzzDapr5hdRD3-~&tmAen%RGS;m9)1RU?<>yv<=eo;(*;KAL%m
zD5ffu5^CaOQ~J3RmI8J55?v;arKxNpI7Y+FfpYN5)Mbm0v!o3G>e0;wE)Tf-;fI=^
zOQZK#wYe++b&YB{Ddi`E%>Grd+@7G*lQn3@`-bL`h3`vt7OTOw>yHI*d%pkmoY|OC
z5Pf3}i7!ph6?O8{bPRDsEzOHD{c<hZA$f%{?0fs?r;J4+r%tF!efAgX$A=K^$Owfa
zQ<I!D<*yr2Rhv_;nm_i=?XJXs5Kw@OH-ZpF^H1mMZSAKc=xlygR&!Co80xO3-=FBn
zte68BQ8pWI7PMB-#&u;QPT}im{enUI$eOSn$`X;8mUT=Oo;hm$p)X7uS~H{?ftQw6
z1FgK;%T?w{6Uc(EdzxA8wyRB`Or>uZ>p{H4a?mCv?4&$oKNN|op(m0aeII@U;XibU
z7SD==y_?oH))U^%)7qcNM~&S#)rZTv|IR)Wlp}nWC?tpc0#iM*|M7-$6**A(TJ6<X
znIca0#-YYeIYc65*lZ}aO+NUJAv|62H`j|Kk6)KIoDL~!2by*hv{}on{k_?U@QE@<
zj9qB-owJgdSAU!ob+ZTTtJ8CzN<_aX_=dN;zh33hu&AaOd6>g>7r^)<JRntt*a+I(
zrKffsb5@mKM_zn8L;D!IP+vcQ5L!AMCqIO%K&#w-i**orog4z6rTlA`rz}b~Dr{AM
zuE*(Upi%s$;p#RYB%Untr$&;nKM9>6f4b3fCd1dHTxo%3V~tbQaY*g?*Mfn<TTZ3K
zrW6t;VYEgWLd~uQ&IMII`tk6=keh*3U6Uiy*$_8zLdsV7RPYA|rRDuf?A@V{!@T!$
z_8NLjBieI)RlU4|<KG++c7y}8(A7gL95cyol--TB-iqk^OD|{g^OQS8Hf9j*phtZ%
zkZcK~jeHr7qstM|utrVnozHXYj$tIqUhS{%!#i-Hm34RIuo3@Lej0Tg#S1~oNf=)A
zgadd6O`TgLIgT`5jg~2%53BFcccdI0pwXq&iq%dhnOst0@;J#xRQ)k?N_8?G<z8Dy
zaB-?wdVlVEwEf0v5$<G(W__}ZwJe;0H-nPJ@&&%J)oE=bT0xr|f;)CCIn_I;nbLLI
zF2s5!_e8wpRM*o!LeKXLamf3ClP%KKFjQaX+BLD&wXY!spYKA$HV;>VBK2PV{bFg7
zG;zdIFbamu65ugpIm$2K_KzU<ou(Umi)-3lCxssoQXEvTpnA|6bl<H|G?{i_A(GtJ
z89JUM6+Bis^v$?$i`1OOj44ZAd3;x=id+W@{d~|=wv5u#Da{*3{%#DDddk<$2xj_l
zqf+D6>)jVU!WU$H&iY|bOp^7~rhH_K-$sQLfe>}B`OP`U4rT^-4jy^kHzcHG9w*15
z%TOyeZFeQplS&y6JJz=TRmC@{PULD6TUGoIJMRTl4J~^mD_aklr8IH+&QrrOnz}g?
zn?Z9h!-NRTwOk~(IyTEKb!2hl3A-=3Tx%@dKiHEC_c3tK#&SP|RVBy@5D6Vn-pL!k
zwAgqS%rU&8H7H@C?N#?dGw3w!!TTNVOB0{8#wJ;5Rzgdu{;pgaSr@Pt0^RSd;fO?f
zrwp)sffB9BO0LmD;0hQy&&J%7iWOM+;F2jtSPgNHO(fo)<$hm`fkQGrmmDtcxrx`z
z4)f?1F<ph%l10V6{OcToPW|fsvMDau%i=zp=5hifOa=}px4=O+llQY8^-W(?{$8Ph
z9F$Rmmvc>UbQkB|cp6Br_Bk|{QArk2ZN4Xz1($=}$6G6Kx?b&VAWc}6sKIMh6kgLp
z_gq7ek^s3B`Ni!|1|Ano*76LfJCRLc7e$sIgs+pT6M(l({(U#?{8rF4jgQMrs8#cj
ze@K)z#lOmPBej}#a9!A5<mjQU&(%p``|UbDd!;XZNiU*0A+?+=>`)z-h>GH8P+`zv
z2m_5BW0&RD4M(IqT(cb}Gx9%#zA-t&%6;w)5<HgH4n6D6(}7w91cu1p?OvUn35Xam
z1n2zIzZ(~J^KWo?`j+VTlH&9r?;FCfDlatax9_wGd)N#4oNntzCz}GZ{wi{J7GGi&
zqq%31y=4OC7Eh*NqXqcEo_|e^SE+tBi;1uK9MBmo%fkGwQ;Qw|=QFxrYaJ!tp(qVR
zD$LIN1!dj1>Ku#6a1fDd#K|PZ7p*>2lF*6uK1bGV8~vGix{^3C?}f==FIJ3Mh>BA;
zpq+{IQqKAqvmWUP6mSWY>gf~!W6tY$^=@tblV)wXUwp#*QoGdpt$Y)zsZ-)BL4h+7
zl7y(%tn^FL60vnwI0d5=NlxuIP+&sHMh|#)7@8x-MmULHFYNVn_O0rx`SX24dW(0B
z3S>N}uCJOz4p3yfqq&=(7?&Qj86gx>@nS5%8K_V-qb=W0hveVr^j(!&1fX|W&Eawm
z)7%=PH&6CkSZ68QhGze5sQLexfBqZC|2nTa(y3Kl8RXgE`3tvlG4>Q&4$hNH`|o>&
R%CCQ8p$4Y<Rl3fP{|EoM$@TyM

delta 4517
zcmcIoc{tS3*B@rYBx9#A*6drdjmA>Mh$uz2QXxWRG#R@wC@~DmzE-1RXfpQQw-JLx
z2$OXzMcK)&dgu2(@89oV?|Ywn|2XH|=bn4+`J8*sz4ek+@+q-6euoR^&)El$E>DD{
zU3b9K*H;%KE<6>&$LiV%u(hY~p~lfEC+N!yh~dP}7iuvx%+8r;;=;MLg%>kVPD?=A
zljQOOtUP-?$2$y;RUEy*MG%md=J(KZGkr#xZ2XZtW`IyDd0o0cT>3Y%w*<3+YB(5i
z7;0@;Z8=y0UwC#B#~S}vy*>RS?1hiLB{HfxDgqDwH>bs$#ofc^1<t>8(9M5KaqZ+9
zq?~`Zt<bOrgzTE{aQ~N(gOe0Nm8uj$zwk;xB-kXNO<cjo<t8srhC=1-mJeP)64}j7
zv+qG9*&@N?+=d`STVs8`1E0$tP7?2mQfdS(_&!BBve7{VC@H>IIegwXQNTjl50Av>
z;)eh!mJSaSb22YMZt<v(_)9e+$0Vpp!U^=Kov7z?Jos3h@Gedn&0UTUe;|uJHPk!P
zNj5zr9(-a=A6VpylOEJ17Y`{-r~H@)wt)OOOrv|;l`S=5nR3x4UY|`-z(Tar9YyZ9
zW$H0GflHn9dURM(x3h$^oh2{mFATvE4E@57ypo^Dz5|*9|IH77V77EtrElgg_VFVV
zCWQHjmYuqdW2B0C=AkWqs4(N^Fs|;L1DHxgj)TlHc#=I2e0buWHciR<SRHs*W$or1
zrk#QReNhBe30>680MGL$ko2)dmI(k4AP-E;VP3POLIhH_&_FYO2jnd%@&Gyv&SZCd
z-giG4Zh>#_KUN@i=Q`w2SbM&_=n5%TS6cKLuJ2s}+(HBu{<umU0j-NFM_czT^D_s5
zz&T7CwXMff1a)ybu}hIFPBDTy>-iCcmPb>)-Dao=cjY2Y_7<)t$-4x&qK871Fc30_
z@$-nwj#ncdKl;;;OEA*f1JzZR4j9Z~YCpnG4?0N<DqoCl5#BvIJt|-`amF;H>?scJ
zsX#@%v93$lf-pY;hl~K1o+C^%ptXL|BQ*G)5!}=#&lF)u)%mpwV)_9{MO2{gDFUgV
zCcc*sh;q4ZmuPLvsa-XZ!KP#bGk2S6`C*rSbihu7mpH@YP4_bx=UnpJ8Z1<b=wQcL
z8s+CU7g}X+{JlG;kAnz`Bs74N2XtebwRQen1Fy;!9@s2Nzw0zhw@@lN5EKb=7F$;X
zw^+*Liy|#mD-gfbmq_c%G~*Wui#&j$a*+`=rb>)J`fDqf7wQlWy**zQM28Ld=FJwr
zHQo1Rx{O<szLjy>N*6X7VN<S6KP9=*(kY_uJ~||`C~oDV0)h8}1RP0{*8N2rKhi;b
zHUIkzGlHV_j+a0(cH?Q1D(v$bK5{6ymcTLs@Bh0*r3e$1EO1SoT))hlryn9}XoGLp
z3S5<55+vUXmP<*7%Py)BOO%S@KvFOER=<(oJ_38Qu$Txx`H96h;BXQ^#*%A}jbJav
zx7(GP?wc~_7&tBa=McnW)BR}1xr*+Y;)x5uD~61HWgA}5Bd$}0KoWWU`*QeTb@X$k
zB5oE(mO#?;=M<sCUMeH=%KM*@Jp=4j)zopQrQ>7*1c5hgxU?kg>=9tUiZFaWV3ooC
zJ{~UXr$+P@8qlE4yreMf?DdU+G3BDkg~p>Is6ZSHOiY5C1_nv=Iy<z_6!+fbqXb>{
zGvGrQW1p%~5h@OrVe2_**U~}ng9snGL#{j4w*&owe~9u3>=ew_z|+e%yGjwN{{a5I
zF*)fYk-c0Zn2kwU5H3fk>>L$C|2({1IcgAbJ7{T2J%@Uw#5uvk7=26xWo~F+a$e@X
zA}+52vr{}gbVLGKpPSpgc7fc}61(}w_dW`&ailb=-7dQw_&_x)o)(#TOb}-6rxJp0
ztRL3rM4V>ruN=`0ZFFz^82$sHf{pqQnQK#*a7DXqT4>-eLnbG`-EOiaHvMtV37A6D
zk5Mpz)MSQ!6QPhz2%1&>#BuApIu4W*x^U*S)*q8fNR{H3{!mrdeW;Yke@~qsoU1jd
z+l$v~X?gH;=J?6MwKzk&=#UAh6tXN%ZpSzI&*F%y=yaQD*sXxHk>72@j&q~+7+221
zy=A^e3+tpCQ!dee!USz^4AA*2T`4-!hGCR%%55`B{%%X4@4ssl!-E5Gy!DjW%~f&F
zMRZIz2}1CyU9Wx}(G=izm6!I$H*yK|xwor-gB4Mi<B1U4n_oWPu|7bQ*Q#GM{dyJZ
zcKU6;e`{6ikTv-9Mh@LGAWdHp8)a23zebE{sM}aDhUGiZH<Uhn+WE<B)Lfn)I_P<N
z&ezLr(@BlEak{$Rn!O3<6R9}mHrbbo8GY*}DZl$E1Rm}kBK4_Y<QYb+?~Nul%FCN&
zoH+8VIx%0|f{VU1Xom?o35>y(=5kRx7$-m5SmVqL6OmjNR-1Y#_K5wE<?yf&Df+5o
zL`W5Q)wqbDnz2QF;os40b6U4M@pebETt!(1zKy?ftUfdZXM&43>)p=7$Of|Gu$x1q
z{j8B26Rt&&W5mo~#`*_|Qdhc2*z7;$SsL2zZ%Q4;s{#|jVPj5TZ%#;UMz`ouoQCO3
zz2_)5OlZ53fBpT%!_fh}QYK|_&bn&c&2sQrM^`!`$c{IkXV)obEd5lY_DlP7TKB{>
zv=DArV|3baZcje<usnjmMos+n-c(`%c{btBkY-EH)L_SJ>;0_3RP=XJTcYuw)e=Z0
zQqVXgnAcls)aFvy*6a0FS9<UiS=RbTmHs`BMU)$(?E+_zR!y9-CD*65J|`m}DVOeh
z!o*49j+4Z9o(@>K>odS6myXz?$YyFTd+bdPrQ=W()oBcByTZ|%<|rxVes@P#L%uUm
zF?_qdxyk!>(9lR>T9mLj${@@p6%}NQ{<=9Tt~WgOR(1Nt<c3*xDs-Xr<)H$Pu2SSD
zG?CPFg9<)0fgYZL&wfn@v(BpQmuBHmD*D5;QTQ+O=AIQxh0K)N^)1pqg7jn{OX))(
zu2pI}qBOy<!S9uW7bms@_GO8MjR6K*feikjKw`cs9bCphxNK$aRI%V{$15uJ?Ndeb
z*j`74v8`bpp+@E30^JHdwED!r&nA^8M*XT7$kl`ME>;8;lIzYHd<|+?;TNraO}Kt#
zonL{R2VS}tqb-81oJp??-aPE?tHUkn8QRUL^6~^sHpdwD7yEh4`1Fo6#Uto;lTxe&
zY@zp#=P}C~2}=^{0WRrrV)^&WahJ9V;b0GWjY#xUO%udNCgj~UF_5@BODz%69d>Lx
z_=q+IQUlA}?QD(--<p<rBHmQeSJN*b)rw289=6S}SUe&3Ki2_ns{g$AwE_orq=of$
z^gq7Bh+8T6(P53WYM<a}UW)R=y@uNsVhuD^vaATonPt@?UeO~?NfrMgUZC(M@}uI4
zl;^?Sh<_C$qKd))e#uU$Rz{U^+yh5SA<tJ<BD%*cpAbV(R_JeSZQ%<Avbk}KS0(*|
zk~Rw*%p-rt^>^Sj<o#jd=!aEmtngU|+Nfss9um8~9&%0pR@fp<+T))#)+S>{Z<t3?
zeX4{N&lP?)^Sm8<BD>v=Rf!!L7e`uDTb-R=x0`GvcQ)WhyJxo_B@SMLp~nPu)yI0t
zVO{esn9*9IA>1`vH`ec3g9m4c6}!n8qT8fQf_XD@8|P3hx2LI>{BU?8rfkAs^2-3?
z!IW*wzk$CAl>5pyE9ZyL#>9@eumGICr@n@wP4raC<8x~g1G;a3ueVesdprz_?6L-u
z^%Ebi<j5`(l5X-e6t^as|G7aed_D1(%kVhzyhw2Im24is-#xC_nZ2|o3G=I4wsm}C
ze55up6UPi&L?JL+KvkNBU_;zxNtL#l;`7G($HoPa9cd@m0AhgcO#^^OydVVY`G{Qu
z=b42W5&EX{^`UjAY9RMsUglRvV5WHdGeBg>yg7-dA5qw)51CV(O=v5D?lH6SEo)4^
z`6>O*?bH*lVq;zVacw#eiKK@+Y`h>%0^Ad4CBQ)Fd@%4!Sdvg(?~Q5LJ&ZBC-Vj#5
z-=oG8bpXXUlcVH_R^KtoYo8cezhv?E<>Y%?{ZnekYZglevc5%LFs?PiJ}oOpkT<m}
zBI_z#*)I{(>jD?EUh~7QMoJ>jXE;d=IrEeyz+X|kR$g`$HVBUR+p{vQg>fyot^jvt
zGQ0XbBl7(?xHz=3z{%=0+PC)ERH<F^`jwJb`Csr*X6Q!!k5So*E&~IX=0easNHc3A
z$covaPRa`(IlK2S2gq4Yy3y_|3LU4aFU5;(UiE2$_!X2b?746r>bQTsSb-q#oLVac
zzHRM#En;oTA2<qIbLKQ7xH6gVrEqtnzw@OVIqIkM8Hpi%hgq(A7fyj3f*4maS2OMR
zIum?x?=1|w#~{~54@$cKQ+||22~*APc0T|v^yfH9RCmr>;QiSyeI&lhxqpOGFs^sb
zp#tF>#5pZ!{q2!aIV(+<v1nlnxFd5Y&G|QCjRz%OU5R+(CBOEEA%nB8UInqrw$wW!
zbo*HK9~9{rSMJ_hrT9{XK4OUli}_d=bh87Q=lwx?O@5<(iyGs}%IZ=kkVpw+Z1=v*
z8i^s}axNo7NVnFs0ipyVxTE?jLqVO-`|bpBcPh-Vs=kf-uqd3&xasB3cR;&kukB1k
zP!Tt{!}YOTMs2uSt~h0~Ag{x(cPWyP>)^wXB_(!dEB<-c{B{4UC=ryL&_E`?Ml4bX
zn|5O59CMY$mvQlyB<q+O@Axr2g4L}rx<)0th$Y<)(COU*%n{CFZ5qt00PZ7ffUHKe
zfR<XlhqQ3%e4yxQcbr-aVdhd`_az9VR2rPw0t&~$*P_WC;%pl7WiWUW{7t&EL{df{
z52)}+3;uh*Wux`%;2b7~+E#Uj;Bh8)qQ8%`<w=}+(y5C|NdyIg3(t?AjGy+F2YB2O
z<72-&h=Z~Tv27o$JLmJB7AT0&AE_2i0NDTsFv)s5j0*yff%M5ck)h5KT0#R@ra!)q
z4ae<4?<x+Atv)?+so=waP6fhUrRY6GgU#&((&|ZCR4zXGqDIwKh%K=rt#9IJ9@q6G
zaW)5czPg0+#PNZro%|?mrJ@L+D>i<RgF35Ig2EH<eufibh3)-nM}64UIE|rA{0j;2
zk_(A^59;?$Y}5}?+my-?IW{sA+`*z~oJKhUo7Xuku#IWX2!G(cbSgBVy}#_}&uM^@
z3nN|62zc}D8m$JBnc8P0giI{xnz`%sxav8&<2x7-k8-BU=`vtUMc@vwJb9`lg!TBl
zY#D|hVPEASa&EJ<_F_RMig{Xl>CX#4_sw)ZyDa^leUhh1GD{RWAe0uB1mOC(g4!BC
z(>h@UIRZ_lhk&nT^XDLfLfz@)FMMc|=_eEVpw=yc-6blbLM@M$Z=J;%qP-?Y6WCs1
z^cQ$#mBVHgZgHSh_r`}AFYS>8l7rBI9uq`!Ntunx6ttaR`TYAmUje9wUyr*5UYClF
zSxK71%u)+gZ1UUt6KFU~Pfg|?U<dTan&m!@<+n2VV)wRC&w??FQC&mQZg;9MC22|?
zajv`7k^~P0F7p9Y*2NoV>+ZL`>cUAumbiOl@>Z5PMhmy$9nb@}CH4Y{9$1{qocds6
z{dhT4$wlaY|6joU@8bU_>6MH>Qls+dSSvsF<+|s0VR-i7yyuHBW4;Yj-E<JET`;#j
JPcgj}{a--EhI;@2


From 103918ba57454a639c087498b991f136339ca352 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 2 Sep 2021 20:46:56 +0200
Subject: [PATCH 23/53] pre-compress assets (*.ico for now)

---
 core/nginx/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/core/nginx/Dockerfile b/core/nginx/Dockerfile
index 1906ed31..8b5be4f8 100644
--- a/core/nginx/Dockerfile
+++ b/core/nginx/Dockerfile
@@ -16,6 +16,8 @@ COPY conf /conf
 COPY static /static
 COPY *.py /
 
+RUN gzip -k9 /static/*.ico
+
 EXPOSE 80/tcp 443/tcp 110/tcp 143/tcp 465/tcp 587/tcp 993/tcp 995/tcp 25/tcp 10025/tcp 10143/tcp
 VOLUME ["/certs"]
 VOLUME ["/overrides"]

From f4e7ce099052486d64eafdfb112f4a4f4a68b358 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 2 Sep 2021 20:48:44 +0200
Subject: [PATCH 24/53] enabled caching, gzip and robots.txt

---
 core/nginx/conf/nginx.conf | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 9ce12980..616ddcc1 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -33,6 +33,17 @@ http {
       default $http_x_forwarded_proto;
       ''      $scheme;
     }
+    map $uri $expires {
+      default off;
+      ~*\.(ico|css|js|gif|jpeg|jpg|png|woff|ttf|otf|svg|woff2|eot)$ 97d;
+    }
+
+    # compression
+    gzip on;
+    gzip_static on;
+    gzip_types text/plain text/css application/xml application/javascript
+    gzip_min_length 1024;
+    # TODO: figure out how to server pre-compressed assets from admin container
 
     {% if KUBERNETES_INGRESS != 'true' and TLS_FLAVOR in [ 'letsencrypt', 'cert' ] %}
     # Enable the proxy for certbot if the flavor is letsencrypt and not on kubernetes
@@ -46,10 +57,16 @@ http {
           proxy_pass http://127.0.0.1:8008;
       }
       {% endif %}
+      # robots.txt
+      location = /robots.txt {
+        add_header Content-Type text/plain;
+        return 200 "User-agent: *\nDisallow: /\n";
+      }
       # redirect to https
       location / {
         return 301 https://$host$request_uri;
       }
+
     }
     {% endif %}
 
@@ -95,6 +112,8 @@ http {
       proxy_hide_header X-XSS-Protection;
       proxy_hide_header X-Powered-By;
       
+      expires $expires;
+
       add_header X-Frame-Options 'SAMEORIGIN';
       add_header X-Content-Type-Options 'nosniff';
       add_header X-Permitted-Cross-Domain-Policies 'none';
@@ -114,6 +133,12 @@ http {
       }
       {% else %}
 
+      # robots.txt
+      location = /robots.txt {
+        add_header Content-Type text/plain;
+        return 200 "User-agent: *\nDisallow: /\n";
+      }
+
       include /overrides/*.conf;
 
       # Actual logic

From 34df8b316832b43a2962c74ff7fd53c5ae725745 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 2 Sep 2021 22:49:36 +0200
Subject: [PATCH 25/53] AdminLTE3 optimizations & compression and caching

- fixed copy of qemu-arm-static for alpine
- added 'set -eu' safeguard
- silenced npm update notification
- added color to webpack call
- changed Admin-LTE default blue
  (core/admin/Dockerfile)

- AdminLTE 3 style tweaks
  (core/admin/assets/app.css)
  (core/admin/mailu/ui/templates/base.html)
  (core/admin/mailu/ui/templates/sidebar.html)

- localized datatables
  (core/admin/Dockerfile)
  (core/admin/assets/app.js)
  (core/admin/package.json)

- moved external javascript code to vendor.js
  (core/admin/assets/app.js)
  (core/admin/assets/vendor.js)
  (core/admin/webpack.config.js)

- added mailu logo
  (core/admin/assets/app.js)
  (core/admin/assets/app.css)
  (core/admin/assets/mailu.png)

- moved all inline javascript to app.js
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/templates/domain/create.html)
  (core/admin/mailu/ui/templates/user/create.html)

- added iframe display of rspamd page
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/views/base.py)
  (core/admin/mailu/ui/templates/sidebar.html)
  (core/admin/mailu/ui/templates/antispam.html)

- updated language-selector to display full language names and use post
  (core/admin/assets/app.js)
  (core/admin/mailu/__init__.py)
  (core/admin/mailu/utils.py)
  (core/admin/mailu/ui/views/languages.py)

- added fieldset to group and en/disable input fields
  (core/admin/assets/app.js)
  (core/admin/mailu/ui/templates/macros.html)
  (core/admin/mailu/ui/templates/user/settings.html)
  (core/admin/mailu/ui/templates/user/reply.html)

- added clipboard copy buttons
  (core/admin/assets/app.js)
  (core/admin/assets/vendor.js)
  (core/admin/mailu/ui/templates/macros.html)
  (core/admin/mailu/ui/templates/domain/details.html)

- cleaned external javascript imports
  (core/admin/assets/vendor.js)

- pre-split first hostname for further use
  (core/admin/mailu/__init__.py)
  (core/admin/mailu/models.py)
  (core/admin/mailu/ui/templates/client.html)
  (core/admin/mailu/ui/templates/domain/signup.html)

- cache dns_* properties of domain object (immutable during runtime)
  (core/admin/mailu/models.py)
  (core/admin/mailu/ui/templates/domain/details.html)

- fixed and splitted dns_dkim property of domain object (space missing)
- added autoconfig and tlsa properties to domain object
  (core/admin/mailu/models.py)

- suppressed extra vertical spacing in jinja2 templates
- improved accessibility for screen reader
  (core/admin/mailu/ui/templates/**.html)

- deleted unused/broken /user/forward route
  (core/admin/mailu/ui/templates/user/forward.html)
  (core/admin/mailu/ui/views/users.py)

- updated gunicorn to 20.1.0 to get rid of buffering error at startup
  (core/admin/requirements-prod.txt)

- switched webpack to production mode
  (core/admin/webpack.config.js)

- added css and javascript minimization
- added pre-compression of assets (gzip)
  (core/admin/webpack.config.js)
  (core/admin/package.json)

- removed obsolte dependencies
- switched from node-sass to dart-sass
  (core/admin/package.json)

- changed startup cleaning message from error to info
  (core/admin/mailu/utils.py)

- move client config to "my account" section when logged in
  (core/admin/mailu/ui/templates/sidebar.html)
---
 core/admin/Dockerfile                         |  35 +--
 core/admin/assets/app.css                     |  54 +++--
 core/admin/assets/app.js                      |  73 +++++-
 core/admin/assets/mailu.png                   | Bin 0 -> 4935 bytes
 core/admin/assets/vendor.js                   |  40 ++--
 core/admin/mailu/__init__.py                  |  16 +-
 core/admin/mailu/configuration.py             |   1 +
 core/admin/mailu/models.py                    |  47 +++-
 core/admin/mailu/ui/forms.py                  |   2 +-
 .../mailu/ui/templates/admin/create.html      |  14 +-
 core/admin/mailu/ui/templates/admin/list.html |  22 +-
 .../mailu/ui/templates/alias/create.html      |  18 +-
 core/admin/mailu/ui/templates/alias/edit.html |  10 +-
 core/admin/mailu/ui/templates/alias/list.html |  26 +--
 .../ui/templates/alternative/create.html      |  10 +-
 .../mailu/ui/templates/alternative/list.html  |  26 +--
 .../mailu/ui/templates/announcement.html      |  14 +-
 core/admin/mailu/ui/templates/antispam.html   |  15 ++
 core/admin/mailu/ui/templates/base.html       |  70 +++---
 core/admin/mailu/ui/templates/client.html     |  38 ++--
 core/admin/mailu/ui/templates/confirm.html    |  18 +-
 .../mailu/ui/templates/docker-error.html      |  16 +-
 .../mailu/ui/templates/domain/create.html     |  19 +-
 .../mailu/ui/templates/domain/details.html    |  71 +++---
 .../admin/mailu/ui/templates/domain/edit.html |  10 +-
 .../admin/mailu/ui/templates/domain/list.html |  34 +--
 .../mailu/ui/templates/domain/signup.html     |  26 +--
 .../mailu/ui/templates/fetch/create.html      |  26 +--
 core/admin/mailu/ui/templates/fetch/edit.html |  10 +-
 core/admin/mailu/ui/templates/fetch/list.html |  26 +--
 core/admin/mailu/ui/templates/form.html       |  10 +-
 core/admin/mailu/ui/templates/login.html      |  10 +-
 core/admin/mailu/ui/templates/macros.html     | 141 +++++++-----
 .../mailu/ui/templates/manager/create.html    |  18 +-
 .../mailu/ui/templates/manager/list.html      |  26 +--
 .../mailu/ui/templates/relay/create.html      |   6 +-
 core/admin/mailu/ui/templates/relay/edit.html |  10 +-
 core/admin/mailu/ui/templates/relay/list.html |  26 +--
 core/admin/mailu/ui/templates/sidebar.html    | 210 +++++++++---------
 .../mailu/ui/templates/token/create.html      |  10 +-
 core/admin/mailu/ui/templates/token/list.html |  26 +--
 .../admin/mailu/ui/templates/user/create.html |  27 ++-
 core/admin/mailu/ui/templates/user/edit.html  |  10 +-
 .../mailu/ui/templates/user/forward.html      |  25 ---
 core/admin/mailu/ui/templates/user/list.html  |  28 +--
 .../mailu/ui/templates/user/password.html     |  10 +-
 core/admin/mailu/ui/templates/user/reply.html |  35 ++-
 .../mailu/ui/templates/user/settings.html     |  46 ++--
 .../admin/mailu/ui/templates/user/signup.html |  22 +-
 .../ui/templates/user/signup_domain.html      |  22 +-
 core/admin/mailu/ui/templates/working.html    |   6 +-
 core/admin/mailu/ui/views/base.py             |   5 +
 core/admin/mailu/ui/views/languages.py        |   6 +-
 core/admin/mailu/ui/views/users.py            |  17 --
 core/admin/mailu/utils.py                     |  13 +-
 core/admin/package.json                       |  17 +-
 core/admin/requirements-prod.txt              |   2 +-
 core/admin/webpack.config.js                  | 101 +++++----
 58 files changed, 912 insertions(+), 760 deletions(-)
 create mode 100644 core/admin/assets/mailu.png
 create mode 100644 core/admin/mailu/ui/templates/antispam.html
 delete mode 100644 core/admin/mailu/ui/templates/user/forward.html

diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index fa75e8dc..edb8c1fd 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -3,33 +3,40 @@ ARG DISTRO=alpine:3.14
 ARG ARCH=""
 
 FROM ${ARCH}node:16 as assets
-COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
 
 COPY package.json ./
-RUN npm install
+RUN set -eu \
+ && npm config set update-notifier false \
+ && npm install --no-fund
 
-COPY ./webpack.config.js ./
-COPY ./assets ./assets
-RUN mkdir static \
- && ./node_modules/.bin/webpack-cli
+COPY webpack.config.js ./
+COPY assets ./assets
+RUN set -eu \
+ && sed -i 's/#007bff/#367fa9/' node_modules/admin-lte/build/scss/_bootstrap-variables.scss \
+ && for l in ca da de:de_de en:en-gb es:es_es eu fr:fr_fr he hu is it:it_it ja nb_NO:no_nb nl:nl_nl pl pt:pt_pt ru sv:sv_se zh_CN:zh; do \
+      cp node_modules/datatables.net-plugins/i18n/${l#*:}.json assets/${l%:*}.json; \
+    done \
+ && node_modules/.bin/webpack-cli --color
 
 
 # Actual application
 FROM $DISTRO
+COPY --from=balenalib/rpi-alpine:3.14 /usr/bin/qemu-arm-static /usr/bin/qemu-arm-static
+
 # python3 shared with most images
-RUN apk add --no-cache \
-    python3 py3-pip git bash \
-  && pip3 install --upgrade pip
+RUN set -eu \
+ && apk add --no-cache python3 py3-pip git bash \
+ && pip3 install --upgrade pip
 
 RUN mkdir -p /app
 WORKDIR /app
 
 COPY requirements-prod.txt requirements.txt
-RUN apk add --no-cache openssl curl postgresql-libs mariadb-connector-c \
-  && apk add --no-cache --virtual build-dep \
-  openssl-dev libffi-dev python3-dev build-base postgresql-dev mariadb-connector-c-dev cargo \
-  && pip3 install -r requirements.txt \
-  && apk del --no-cache build-dep
+RUN set -eu \
+ && apk add --no-cache openssl curl postgresql-libs mariadb-connector-c \
+ && apk add --no-cache --virtual build-dep openssl-dev libffi-dev python3-dev build-base postgresql-dev mariadb-connector-c-dev cargo \
+ && pip3 install -r requirements.txt \
+ && apk del --no-cache build-dep
 
 COPY --from=assets static ./mailu/ui/static
 COPY mailu ./mailu
diff --git a/core/admin/assets/app.css b/core/admin/assets/app.css
index 8351eed8..12df605c 100644
--- a/core/admin/assets/app.css
+++ b/core/admin/assets/app.css
@@ -1,23 +1,51 @@
-.select2-search--inline .select2-search__field:focus {
-  border: none;
+/* mailu logo */
+.mailu-logo {
+  opacity: .8;
 }
 
-.sidebar h4 {
-  padding-left: 5px;
-  padding-right: 5px;
-  overflow: hidden;
-  text-overflow: ellipsis;
+/* user image */
+.div-circle {
+  position: relative;
+  width: 2.1rem;
+  height: 2.1rem;
+  opacity: .8;
+  background-color: white;
+  border-radius: 50%;
+}
+.div-circle > i {
+  display: block;
+  position: absolute;
+  top: 50%;
+  left: 50%;
+  transform: translate(-50%, -50%)
 }
 
-.sidebar-collapse .sidebar h4 {
-  display: none !important;
+/* nice round preformatted configuration display */
+.pre-config {
+  padding: 9px;
+  margin: 0;
+  white-space: pre-wrap;
+  word-wrap: anywhere;
+  border-radius: 4px;
 }
 
-.logo a {
-  color: #fff;
+/* fieldset */
+legend {
+  font-size: inherit;
+}
+fieldset:disabled :not(legend) label {
+  opacity: .5;
+}
+fieldset:disabled .form-control:disabled {
+  color: gray;
 }
 
-.sidebar-toggle {
-  padding: unset !important;
+/* fix animation for icons in menu text */
+.sidebar .nav-link p i {
+  transition: margin-left .3s linear,opacity .3s ease,visibility .3s ease;
 }
 
+/* fix select2 text color */
+.select2-container--default .select2-selection--multiple .select2-selection__choice {
+  color: black;
+}
diff --git a/core/admin/assets/app.js b/core/admin/assets/app.js
index 364f8429..dc3414f2 100644
--- a/core/admin/assets/app.js
+++ b/core/admin/assets/app.js
@@ -1,17 +1,70 @@
 require('./app.css');
 
-import 'admin-lte/plugins/select2/js/select2.js';
-import 'admin-lte/plugins/datatables/jquery.dataTables.js';
-import 'admin-lte/plugins/datatables-bs4/js/dataTables.bootstrap4.js';
-import 'admin-lte/plugins/datatables-responsive/js/dataTables.responsive.js';
-import 'admin-lte/plugins/datatables-responsive/js/responsive.bootstrap4.js';
+import logo from './mailu.png';
+import modules from "./*.json";
 
-jQuery("document").ready(function() {
-    jQuery(".mailselect").select2({
+// TODO: conditionally (or lazy) load select2 and dataTable
+$('document').ready(function() {
+
+    // intercept anchors with data-clicked attribute and open alternate location instead
+    $('[data-clicked]').click(function(e) {
+        e.preventDefault();
+        window.location.href = $(this).data('clicked');
+    });
+
+    // use post for language selection
+    $('#mailu-languages > a').click(function(e) {
+        e.preventDefault();
+        $.post({
+            url: $(this).attr('href'),
+            success: function() {
+                location.reload();
+            },
+        });
+    });
+
+    // allow en-/disabling of inputs in fieldset with checkbox in legend
+    $('fieldset legend input[type=checkbox]').change(function() {
+        var fieldset = $(this).parents('fieldset');
+        if (this.checked) {
+            fieldset.removeAttr('disabled');
+            fieldset.find('input').not(this).removeAttr('disabled');
+        } else {
+            fieldset.attr('disabled', '');
+            fieldset.find('input').not(this).attr('disabled', '');
+        }
+    });
+
+    // display of range input value
+    $('input[type=range]').each(function() {
+        var value_element = $('#'+this.id+'_value');
+        if (value_element.length) {
+            value_element = $(value_element[0]);
+            var infinity = $(this).data('infinity');
+            var step = $(this).attr('step');
+            $(this).on('input', function() {
+                value_element.text((infinity && this.value == 0) ? '∞' : this.value/step);
+            }).trigger('input');
+        }
+    });
+
+    // init select2
+    $('.mailselect').select2({
         tags: true,
-        tokenSeparators: [',', ' ']
+        tokenSeparators: [',', ' '],
     });
-    jQuery(".dataTable").DataTable({
-        "responsive": true,
+
+    // init dataTable
+    var d = $(document.documentElement);
+    $('.dataTable').DataTable({
+        'responsive': true,
+        language: {
+            url: d.data('static') + d.attr('lang') + '.json',
+        },
     });
+
+    // init clipboard.js
+    new ClipboardJS('.btn-clip');
+
 });
+
diff --git a/core/admin/assets/mailu.png b/core/admin/assets/mailu.png
new file mode 100644
index 0000000000000000000000000000000000000000..e4f5021f4665bf509f6bbbb5deedc399a7e65b1c
GIT binary patch
literal 4935
zcmV-N6S(Y&P)<h;3K|Lk000e1NJLTq00961009691ONa4_IqIM000vXNkl<Zc-rlq
zdvFz1p2vTQA-rEI<N+jsAa6}j*9E~5bVLM_fI3c<h&rW+kKJ)ynHg$as@U-nU0t=-
z1!rnz)L|Fdp|pmFLa75p<uNE*yUw_>z>JG1pdd*w<^g$p_K$R4aFcZR?e2TJ@9*3H
zP+ht7z32Nm=lss^oIXb+vSJX~WHX!}Q%WhNJi&+9(T6-?ed5OqC!1^ri7F(f_aTQ7
ze4mx9;v*_3r<_LIs*!Taso*14v6AmIf*ks2DVu0~CZl<tS1F^4Do*2vPE$n{WxUGs
zj3!e{J@K}ukk4PSj!hh<jv!UXVK(to#&LoAkO=Dsa0v_9!8e>CacblY2ieX-E@6PW
z5=@=%$K`BbKaFwp?cRgX$bL3(IsHgcm;A9lm3~a+We#Gp4)QWn=|`$M=51_0gQq!Q
zP@V6(JvhMA%+T?I7uNSChuiodp*_7jo#6v+BS*W0c+4+m7he))eaRyf(_7tiYJLuX
z$9vQg1=aE%C7iFW+Bg4EJ||kL<#Qe-N8Rn-{HOVXsOk%zRtP#be>g92gsAHXFECu)
zKHL0Ztl}8SqGPOLn7ZC#em2i0k@;;9JWIBk--GG=g=E!Vm`;!6HUB)WVmI|9v+CK+
zn50Y=F`Q*S&D)2sGgy{nVIjSl&By9|JAKUTBxwgoA&=b=$?<ucD*7pTk%xf3Eas@X
z-HDE}IMN7^#a6BRU8;(IA}gx)-@-0+*oJm-OZ3bi!Y`>*Z*8iQUos?0_K#t!y6R9{
z850%zucKW3bfI#t3%~gT*`Q5-99=<isF#~Fh%$9CE;UgW+BXv^(4OC;XrLgRJ^$D0
zok#jQbkP8FIHA6Is1wWyQ_sJY<La5mI?g<Lg(L1?t#0|EYF0DQeEZj^Q$A{q(Fibr
zb?TANT4!u#fc~ske*(~Y`kOh^zgfKrNSo<vn*IIQqP_&EE%Y<1@!zDL1guTQbOa3G
zHT5F_dd-M%kls4*OPHQ90e~B*Q700X9h{YT`@d2j5~#1ZA(8f9ul5^&!1al;{|dF=
z2pwc-V&?odYS|m2*8^WQ#6Y#*C~XXQl86#5bHh{;r2W%$p|^1=XIfD9k5>DQ)V@F>
z0S2>8%i2(F3t)ag7knA4dKUPf`P1g#>`1`R%pgP9sby@qcKY~UG0$oFhCt8xW&Z*y
zv~)wD3SS}tGI(FhHY9qV4DSJ0uH_mcE%!e9|3*tSMEb_l(Eyq3)iMp4cF@y103Oit
z44rDY)hqjlNB9hnDC-MP&Nn8F_p~fSsvml=?<iArZ_m)GmMQVqe;xgYJ0p-59{>;O
zp8lcMY5qFC?B8K6!;ouV99cnD(4-|8ay7BSefsA!Ex!opGnd0bp3?dskv8BdclBTU
z|ETD&i#C8#t^W~f14^CRpT!|9w+QKw!}kYSuJu1ss$sel`+MnzZ;{h_2OG^YlWHxo
zh^d;H_Ur!!Ew2b_gUvR8Yqb7HQpXu)4}eFstRkwVIsi;={n^I;qTH(G6yZSdyWQEJ
zuIGG3T4khn*8v>SQi`ySbaOPdE&z|b=6Brz?9&p8xOUQ`tF0gFw1gtAqYT#<K$BZ@
zJF~whpZM{-25P9GmRf45p@tf&skZ*r**zzB!}0lglRAOa*Z^GW$G2=^6Z0vdh+>K<
zVF5RC6F0Je`4m$`5yi}JcejLMiYcPRy4(Dh;s5*#oG}G}<K)B!V3r?GYvS(_y_jRt
zu?n$I8DNKh01RP_b&YMk#<aV-zH9$4&HQ{W!aS2^*mlISKbMpK0Wh4&Nqmh(C^89v
zljNQYKmm>Z0Pt|q127Ju*dzcNDL5AZpALOh0Ga_P;aii2g6qyb`R`)|AZc0vc>inw
z#?#;z02%{~Gc5*y3i3JvaI=2^JfuOOX`=wBr?4XcZ~FD5<`!T?(gQHpw1t+hwzof(
zcN74>0Wj=*&3D=*gc(Vt0+3_?R5G#+fXV)C1f>8p12D%l0BXr^1K?%<o};4xBZEL_
z;3sVWtW^M#Diz$UwJr7!<^TKyKoda*CV~LASi1?6=Vz8u0WdNZ4DhX$3}Tc55Cj0#
z#sct!pHI;kz}POJj;osic+p<~G!<;*C;;HaW&l?C-vVeJV6KS(tP&CWvfXq5CXt`e
zYitxVfdDTx?+09IHUNbTPVj=xo?H@50FIF%WSS4a0LzG3EaG<V<WBD74sPc*7P64r
zxScz!ySKB*y1S_L?j79DBI_@meg1pabJIKkV2+6ZRFWxV1pz>OLEtD-5roI7<aA(H
zEo<q4AY@P&%^<LnEa7f{PXzD+fI>#m3qknj!0J&0>&Zh%XAA|=Oa(&)*+Qwm&+sY{
zG>QHQ!jplVVAH@xMk4fJe01{waEALs13()BkNb{5Bb&+f%zk52!2qQp0$?&1TL?VH
z*FJvZll&ti5z;-f-`G@e_yA~Y1!ns;fq9a@K@idz7xh$dPyl#47chzbq#(@U&%W6I
zw+O=d9@=kk5D2BhmLLG|G8J6F2vQK{alj}0hsGWEha?pYrQ-J!{Fn<UB!?7)BL3II
zZ(43O{zKzT`-CVH2wOu5z+?)^B?Y0FeV*)U(a489;FJAE13*XtXhYy~ejWGDR*h`s
zVgzA`5B3|J3Jx;>lPM&R6a?WHaUsyiI}{+KdEWPjAO;8u0Dl&Q6f%~+2*SU*Mxc@3
zQ;3kp*f=x(p&SJS0f4`20w-DsJm+dkqmk`a?H}jcH#9mA5PkqAGl@P3!ZVH$XySb?
z@!fu-Q^BSIFo}s=>>7b*DR=PAPEpE4tMPZ9ix|rJT*xE^z)Juol7`TiiLMct&*!%7
ze;7gN!5A0zUtld2$<r>t%OG%qRjmD7A<!HP+-U2-lT$235C+9%zg+;F2Z4>$JGdIn
z2VjIF0GbhS8k1kbFa+UdKDAl<FLW{LA8*;egqe;2a54<6=ij-D#oS|Ei@D3X?q)If
zu!MV9%-yYbe;>ywpT+?&fyb=bxID)Q6fzt^_+FO?oZ?3a!UZnuA4@ud@F2%o;s^jI
ziJ%(hI9jy2B#vyTaR6M+aej>;q>$?Zfe{G8EqofYP@4GfIP4!oI>Km{QbD~#0OmRZ
zU@k&7BW+w4Mh}20YI&EraUw8<HRlWqo7l-zYr5C1{TH#7ItTy&dt;Nl_yE{y)O2t&
z0N((xpE(FA<hVxQJbu$*hwdhJawWofaWwuHvEABEt-&z>_G5r*#{jtA;?1lDArlb3
zV*vmMnT?Rb2p0&9p*Mo?t5yV>*lpQ=k*oi&+5WQDqHf?`-$nt|6gdLmUb6vs*bx9%
zw*mm4G7BMvp)Qg`6Rd^gFH#RQ@c~m2&T}>F8$v3=XtuU1=mzfhEe}vlF=8`2nTK$H
zlmM8)sdk?}#I*>*02c^Mv=I0?RqSDkRr{UWe<6Y}lD9e(vr_;{905?G0JI^{yiTWo
z90=S@FNE_L?b`mue12BC#W?`>Q^DURGXU+ofR>oJ)IwmAYXpQI<hyG8o5$JbE<=w<
z7x0)-uZDFD0^1|-jMWjiK_H7PhPn7;0YfeOPsI3L4cuo;5O|+k08TN%sFy=yw*buu
zJntF-ch>~V{>3rvcRmc9=Lmp#!3+Z{$ujEo@RmeS>_Yh$1fdtB0@>B4CxUQSr|%%u
z`<@C8AQ4narcoP2bOk^g0;!Dj-Tqz(!}wt*wciZ@MrHz!kzv#pF<k=y)okNh3xPu4
z?SG?7%OU~5ONMO{)p-oirav(gA=SlPp)>p6?50p7kqTaA*fw#UjRHDqAK&o_fkLbA
z&*qJ8>y*<}u%AJo>s0WIhHVsSrv(5wz?BH8WVlEUb!C4BsR$Wtu+gMC83y{D2XHwI
zY~3i*n5|-CWddXCAXi#Tx-Rz2{-M@7f!A#Hs1Zm7w{8`i7d`-BKT8mVfu11HV*f%8
z*$k*6kP2=Ez?kjgo4bHhw!i-hj}Ryz13|czuWbLW2&95rwu?9CzzBOmV0#1}^PnRr
zAj`4+kw^uvHSWk5yFp-^s;r43_Xre_ZQ1{&qu&+!Q9y?yV+=Vos=Gu`Yy_UPIs!L4
z`i{4DAzjEZhrcWIso)NWM&*YW0I1?|YYkw&WBZ#IjxFMd<KN{x6L^vuYN&3#YT8{L
z@16`I6WHO{xIum$9UTM!P{k8Wc8tITdL#7XH;!w+8vulP%%g}B=CgqLlu*n(>nd({
zw}^SnL;MGz{lSr@93AUC258Y4{*x;Z(rnKaHrwBabuO1fI7tPMxAr=Aa;4hbrO<UM
z_*DZBk9Il==%|ml3?a={D=?AX2<iNX>(ww$g1|z?G1lQV&Ss+9We|AI;n7AMA0Hn8
z@TXP;3c7iLta+i>zs0c_%E>U$&&%a7uz~R%0qE~n6yRSXD3<=nWe6!<y!lgTjrxU`
zI=nXGyaewz1^^d{ppWS<9mTuhN(FbO|KbV+VQ@?YTI`>5)>}hK2f#WxTYNXJ*USxR
z0icO5S=I>xh1Lt?3pg70?+P^ljTD><KrSc49s{)K6pzF}pylQ9`7TEN5sLv%k}Kzm
z52FGAoZ=tOLST|r`){<piHvun0KWlnJPOz$vBdM?%>%?rbTzjEeHg=JCRiKD+{9-d
z{VpeoAin`{oCul~8-Pna*>*PpnZV9kfo0Y^LAjRwcX>GP9by3LximHaJ^3U`0Kh5U
zWMXS>?G+FI=THOiN$Wa*a}Zb_oi3o|>ARR@jr!|6{ap=40pKVGST3E3D?BcxKvTh;
zJ%11PdTxJ+gTOkj=p2A__C;e9(D55I_>kfV?J#g3>C(A)Anb{tpcL9f&;!zynCA7l
z20^ES6@V^vgsiRsNT*C&fCvLn)@27EBEqdvivj!sAe1q{t<s&yvbEc?!%@HxTZ<q@
zh6;dt5i%Vw^zi!1bTSG!)J+FqA@GRzEr9*&>d*kN#PKpOzb@N(fJelRxW>z^?VH$W
zEr2Ydh+^imfCa4!Ae*m}c6XojJ{94M8u@L^?_W$2MeP=Pwk-g)_xs&^{<rpqxz$`_
z4}e~5@V2hh#9RU$``#JCqK0mMlassgecopM-#{<1CuSOYyoJiWs+lQv#f5&pE~-k1
z*4wWCA|kAa;}8m!d1~rn3Mh!dpen(#HvsH_K&iF?5vu>C;#6dESW7M<I!vZG7f)#$
z5Rv--l(-R@o~@u%B~qWcs{c9`h)n%oA#O#6#sLxN|1-qB_=%QasCAl$Bpxx8|Itzm
zvEC<5;uBN++doL<vuc?l@rpFw(~=CS-iy2bi->Tg*9%2ef#?f{i#PIqvA8M#Js@6*
zY>(clRt2ZMuG2p;5m>0*K&Vv14dSKf#oJn{A=2B9mVeknAeS$+TtgH7<%;)Wk!A!!
zGWuU6eu%!jp`{xFy+L2`M~rf~slF<B?PQ4fCrT*SGB#M{9!LK%5Lm6HY_L{~-(oO-
z)N(dd+ZZhVi|N`87~1@gmSDuRknG}+OghCh2}-2$x|X<MdcDIDFuo%&kd0dA25BP$
zC0KC*2ejM`(E%=y;Kj9$j@nfDrLVYF5+klx1PrkMdP$u4kvfo2Rr{X#>oypCMO{ds
zUh#b1-!TFMSff59NNX4%i5CNSO}$8fUNgde>(s$b>PNuZbk50t2}PhEThx;PwS|6S
zmgvi7^(7!}_HE5ioE^b>^(FwVH>&YJD;!*>{`jnQ#)N*I<OOt4=<mR9pqMQN>Y_2<
zwAy(4MMM~+2>76HS<N5`hZw|toKVj^)CuNvdfcO-5M0OC>YGRUn(HKdVx~U_(kGqv
zJJ{&mFa*YXeFj+)sw^};e<x#tcYQdvGg(y0hET-)-Q)*Ls8BCms3Md-e@qBwvse9e
zsJ+aV=!hY_#c6fbrcU#gukZLKXu|kTj;Xgcbc{QVo9y)nf_%2Czg?=9t>jB|MHVag
zR(<Y7M_Fv-OuwfHq)^0e-EAmF-QP_fDUuALH$UL0dfuV#|A5|-JR*gW?9_3A74z?8
zWRleV4iKbs75g>Q&sC&LvWhHzmc)a@WBknVfsPS`Ae&z#VP|lRXUP_ohzLEIMp+U;
zaGEkMR^QJa8BFJG>LPD`9d9!|sUm(y5X@k6gg2(IU^6q+{O%x_#j_DSpyG2LB~Q(_
zi$M;{BeOkyEr(c6j=Jg;f)U)!u8=2<YuQC{=vVb5xI<VL%00@@aFAup(nddi2vW)A
zCiaBrO@kBcVK#jN-MTUI7^E?ZBK8=*zOaHl6fw$^0~=K_Cz0~Gfj>}b*jnR8D)|F9
zke`H;Itc+GpUe0i`#F<f5E}W09sG{VBE62sSPTX;jtAMqr_=_VL#(5Q?QG&ft@9>;
zFqF|uWesaNN|lc&)KSGz*0P4Fj85W7T!T@_B8L)IvXZ@2P(e8jaarC#ITci}mzAuf
zgdCl|4GRhb$s(I<mQqS7rEGI#{5I=TOUWjitmvk4{vR!ktfWD}Ajtp#002ovPDHLk
FV1ikCHQxXL

literal 0
HcmV?d00001

diff --git a/core/admin/assets/vendor.js b/core/admin/assets/vendor.js
index fd43d918..906448cf 100644
--- a/core/admin/assets/vendor.js
+++ b/core/admin/assets/vendor.js
@@ -1,22 +1,24 @@
-// jQuery
-import jQuery from 'jquery';
-import 'admin-lte/plugins/select2/css/select2.css';
-
-// bootstrap
-// import 'bootstrap/less/bootstrap.less';
-// import 'bootstrap';
-
-// FontAwesome
-import 'admin-lte/plugins/fontawesome-free/css/fontawesome.css';
-import 'admin-lte/plugins/fontawesome-free/css/regular.css';
-import 'admin-lte/plugins/fontawesome-free/css/solid.css';
-
 // AdminLTE
+import 'admin-lte/plugins/jquery/jquery.min.js';
+import 'admin-lte/plugins/bootstrap/js/bootstrap.bundle.min.js';
 import 'admin-lte/build/scss/adminlte.scss';
-import 'admin-lte/plugins/datatables-bs4/css/dataTables.bootstrap4.css';
-import 'admin-lte/plugins/datatables-responsive/css/responsive.bootstrap4.css';
-import 'admin-lte/plugins/bootstrap/js/bootstrap.js';
 import 'admin-lte/build/js/AdminLTE.js';
-import 'admin-lte/build/js/Layout.js';
-import 'admin-lte/build/js/ControlSidebar.js';
-import 'admin-lte/build/js/PushMenu.js';
+
+// fontawesome plugin
+import 'admin-lte/plugins/fontawesome-free/css/all.min.css';
+
+// select2 plugin
+import 'admin-lte/plugins/select2/css/select2.min.css';
+import 'admin-lte/plugins/select2/js/select2.min.js';
+
+// dataTables plugin
+import 'admin-lte/plugins/datatables-bs4/css/dataTables.bootstrap4.min.css';
+import 'admin-lte/plugins/datatables-responsive/css/responsive.bootstrap4.min.css';
+import 'admin-lte/plugins/datatables/jquery.dataTables.min.js';
+import 'admin-lte/plugins/datatables-bs4/js/dataTables.bootstrap4.min.js';
+import 'admin-lte/plugins/datatables-responsive/js/dataTables.responsive.min.js';
+import 'admin-lte/plugins/datatables-responsive/js/responsive.bootstrap4.min.js';
+
+// clipboard.js
+import 'clipboard/dist/clipboard.min.js';
+
diff --git a/core/admin/mailu/__init__.py b/core/admin/mailu/__init__.py
index 8ab8ed0e..9b712512 100644
--- a/core/admin/mailu/__init__.py
+++ b/core/admin/mailu/__init__.py
@@ -14,8 +14,7 @@ def create_app_from_config(config):
     app = flask.Flask(__name__)
     app.cli.add_command(manage.mailu)
 
-    # Bootstrap is used for basic JS and CSS loading
-    # TODO: remove this and use statically generated assets instead
+    # Bootstrap is used for error display and flash messages
     app.bootstrap = flask_bootstrap.Bootstrap(app)
 
     # Initialize application extensions
@@ -31,6 +30,15 @@ def create_app_from_config(config):
 
     app.temp_token_key = hmac.new(bytearray(app.secret_key, 'utf-8'), bytearray('WEBMAIL_TEMP_TOKEN_KEY', 'utf-8'), 'sha256').digest()
 
+    # Initialize list of translations
+    config.translations = {
+        str(locale): locale
+        for locale in sorted(
+            utils.babel.list_translations(),
+            key=lambda l: l.get_language_name().title()
+        )
+    }
+
     # Initialize debugging tools
     if app.config.get("DEBUG"):
         debug.toolbar.init_app(app)
@@ -43,8 +51,8 @@ def create_app_from_config(config):
     def inject_defaults():
         signup_domains = models.Domain.query.filter_by(signup_enabled=True).all()
         return dict(
-            signup_domains=signup_domains,
-            config=app.config
+            signup_domains= signup_domains,
+            config        = app.config,
         )
 
     # Import views
diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 7cd3a56b..419dc18d 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -143,6 +143,7 @@ class ConfigManager(dict):
         self.config['SESSION_COOKIE_SAMESITE'] = 'Strict'
         self.config['SESSION_COOKIE_HTTPONLY'] = True
         self.config['PERMANENT_SESSION_LIFETIME'] = timedelta(hours=int(self.config['SESSION_LIFETIME']))
+        self.config['HOSTNAME'] = self.config['HOSTNAMES'].split(',', 1)[0].strip()
         # update the app config itself
         app.config = self
 
diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index 5760c27f..6b0791ad 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -209,16 +209,16 @@ class Domain(Base):
                 os.unlink(file_path)
             self._dkim_key_on_disk = self._dkim_key
 
-    @property
+    @cached_property
     def dns_mx(self):
         """ return MX record for domain """
-        hostname = app.config['HOSTNAMES'].split(',', 1)[0]
+        hostname = app.config['HOSTNAME']
         return f'{self.name}. 600 IN MX 10 {hostname}.'
 
-    @property
+    @cached_property
     def dns_spf(self):
         """ return SPF record for domain """
-        hostname = app.config['HOSTNAMES'].split(',', 1)[0]
+        hostname = app.config['HOSTNAME']
         return f'{self.name}. 600 IN TXT "v=spf1 mx a:{hostname} ~all"'
 
     @property
@@ -226,12 +226,11 @@ class Domain(Base):
         """ return DKIM record for domain """
         if self.dkim_key:
             selector = app.config['DKIM_SELECTOR']
-            return (
-                f'{selector}._domainkey.{self.name}. 600 IN TXT'
-                f'"v=DKIM1; k=rsa; p={self.dkim_publickey}"'
-            )
+            txt = f'v=DKIM1; k=rsa; p={self.dkim_publickey}'
+            record = ' '.join(f'"{txt[p:p+250]}"' for p in range(0, len(txt), 250))
+            return f'{selector}._domainkey.{self.name}. 600 IN TXT {record}'
 
-    @property
+    @cached_property
     def dns_dmarc(self):
         """ return DMARC record for domain """
         if self.dkim_key:
@@ -242,6 +241,34 @@ class Domain(Base):
             ruf = f' ruf=mailto:{ruf}@{domain};' if ruf else ''
             return f'_dmarc.{self.name}. 600 IN TXT "v=DMARC1; p=reject;{rua}{ruf} adkim=s; aspf=s"'
 
+    @cached_property
+    def dns_autoconfig(self):
+        """ return list of auto configuration records (RFC6186) """
+        hostname = app.config['HOSTNAME']
+        protocols = [
+            ('submission', 587),
+            ('imap', 143),
+            ('pop3', 110),
+        ]
+        if app.config['TLS_FLAVOR'] != 'notls':
+            protocols.extend([
+                ('imaps', 993),
+                ('pop3s', 995),
+            ])
+        return list([
+            f'_{proto}._tcp.{self.name}. 600 IN SRV 1 1 {port} {hostname}.'
+            for proto, port
+            in protocols
+        ])
+
+    @cached_property
+    def dns_tlsa(self):
+        """ return TLSA record for domain when using letsencrypt """
+        hostname = app.config['HOSTNAME']
+        if True: #app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'):
+            # current ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) @20210902
+            return f'_25._tcp.{hostname}. 600 IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3'
+
     @property
     def dkim_key(self):
         """ return private DKIM key """
@@ -285,7 +312,7 @@ class Domain(Base):
     def check_mx(self):
         """ checks if MX record for domain points to mailu host """
         try:
-            hostnames = set(app.config['HOSTNAMES'].split(','))
+            hostnames = set(fqdn.strip() for fqdn in app.config['HOSTNAMES'].split(','))
             return any(
                 rset.exchange.to_text().rstrip('.') in hostnames
                 for rset in dns.resolver.query(self.name, 'MX')
diff --git a/core/admin/mailu/ui/forms.py b/core/admin/mailu/ui/forms.py
index 32bb31ab..60be1699 100644
--- a/core/admin/mailu/ui/forms.py
+++ b/core/admin/mailu/ui/forms.py
@@ -88,7 +88,7 @@ class UserForm(flask_wtf.FlaskForm):
     localpart = fields.StringField(_('E-mail'), [validators.DataRequired(), validators.Regexp(LOCALPART_REGEX)])
     pw = fields.PasswordField(_('Password'))
     pw2 = fields.PasswordField(_('Confirm password'), [validators.EqualTo('pw')])
-    quota_bytes = fields_.IntegerSliderField(_('Quota'), default=1000000000)
+    quota_bytes = fields_.IntegerSliderField(_('Quota'), default=10**9)
     enable_imap = fields.BooleanField(_('Allow IMAP access'), default=True)
     enable_pop = fields.BooleanField(_('Allow POP3 access'), default=True)
     displayed_name = fields.StringField(_('Displayed name'))
diff --git a/core/admin/mailu/ui/templates/admin/create.html b/core/admin/mailu/ui/templates/admin/create.html
index 6c2413bc..071cb77f 100644
--- a/core/admin/mailu/ui/templates/admin/create.html
+++ b/core/admin/mailu/ui/templates/admin/create.html
@@ -1,15 +1,15 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Add a global administrator{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
   {{ macros.form_field(form.admin, class_='mailselect') }}
   {{ macros.form_field(form.submit) }}
 </form>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/admin/list.html b/core/admin/mailu/ui/templates/admin/list.html
index f2f5d229..84d954a0 100644
--- a/core/admin/mailu/ui/templates/admin/list.html
+++ b/core/admin/mailu/ui/templates/admin/list.html
@@ -1,17 +1,17 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Global administrators{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.admin_create') }}">
   {% trans %}Add administrator{% endtrans %}
 </a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -19,14 +19,14 @@
   </tr>
 </thead>
 <tbody>
-  {% for admin in admins %}
+  {%- for admin in admins %}
   <tr>
     <td>
       <a href="{{ url_for('.admin_delete', admin=admin.email) }}" title="{% trans %}Delete{% endtrans %}"><i class="fa fa-trash"></i></a>
     </td>
     <td>{{ admin }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/alias/create.html b/core/admin/mailu/ui/templates/alias/create.html
index 2079d191..ce9f8167 100644
--- a/core/admin/mailu/ui/templates/alias/create.html
+++ b/core/admin/mailu/ui/templates/alias/create.html
@@ -1,15 +1,15 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Create alias{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
   {{ macros.form_field(form.localpart, append='<span class="input-group-text">@'+domain.name+'</span>') }}
@@ -18,5 +18,5 @@
   {{ macros.form_field(form.comment) }}
   {{ macros.form_field(form.submit) }}
 </form>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/alias/edit.html b/core/admin/mailu/ui/templates/alias/edit.html
index b28ea170..4dc13cce 100644
--- a/core/admin/mailu/ui/templates/alias/edit.html
+++ b/core/admin/mailu/ui/templates/alias/edit.html
@@ -1,9 +1,9 @@
-{% extends "alias/create.html" %}
+{%- extends "alias/create.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Edit alias{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ alias }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/alias/list.html b/core/admin/mailu/ui/templates/alias/list.html
index e8ddc862..0b784d52 100644
--- a/core/admin/mailu/ui/templates/alias/list.html
+++ b/core/admin/mailu/ui/templates/alias/list.html
@@ -1,19 +1,19 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Alias list{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain.name }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.alias_create', domain_name=domain.name) }}">{% trans %}Add alias{% endtrans %}</a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -25,7 +25,7 @@
   </tr>
 </thead>
 <tbody>
-  {% for alias in domain.aliases %}
+  {%- for alias in domain.aliases %}
   <tr>
     <td>
       <a href="{{ url_for('.alias_edit', alias=alias.email) }}" title="{% trans %}Edit{% endtrans %}"><i class="fa fa-pencil"></i></a>&nbsp;
@@ -37,7 +37,7 @@
     <td>{{ alias.created_at }}</td>
     <td>{{ alias.updated_at or '' }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/alternative/create.html b/core/admin/mailu/ui/templates/alternative/create.html
index 75461c67..f10cb718 100644
--- a/core/admin/mailu/ui/templates/alternative/create.html
+++ b/core/admin/mailu/ui/templates/alternative/create.html
@@ -1,9 +1,9 @@
-{% extends "form.html" %}
+{%- extends "form.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Create alternative domain{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/alternative/list.html b/core/admin/mailu/ui/templates/alternative/list.html
index f123eb9f..b56cd751 100644
--- a/core/admin/mailu/ui/templates/alternative/list.html
+++ b/core/admin/mailu/ui/templates/alternative/list.html
@@ -1,19 +1,19 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Alternative domain list{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain.name }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.alternative_create', domain_name=domain.name) }}">{% trans %}Add alternative{% endtrans %}</a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -22,7 +22,7 @@
   </tr>
 </thead>
 <tbody>
-  {% for alternative in domain.alternatives %}
+  {%- for alternative in domain.alternatives %}
   <tr>
     <td>
       <a href="{{ url_for('.alternative_delete', alternative=alternative.name) }}" title="{% trans %}Delete{% endtrans %}"><i class="fa fa-trash"></i></a>
@@ -30,7 +30,7 @@
     <td>{{ alternative }}</td>
     <td>{{ alternative.created_at }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/announcement.html b/core/admin/mailu/ui/templates/announcement.html
index acdbde1a..ed7fe772 100644
--- a/core/admin/mailu/ui/templates/announcement.html
+++ b/core/admin/mailu/ui/templates/announcement.html
@@ -1,16 +1,16 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Public announcement{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
   {{ macros.form_field(form.announcement_subject) }}
   {{ macros.form_field(form.announcement_body, rows=10) }}
   {{ macros.form_field(form.submit) }}
 </form>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/antispam.html b/core/admin/mailu/ui/templates/antispam.html
new file mode 100644
index 00000000..0b2713b9
--- /dev/null
+++ b/core/admin/mailu/ui/templates/antispam.html
@@ -0,0 +1,15 @@
+{%- extends "base.html" %}
+
+{%- block title %}
+{% trans %}Antispam{% endtrans %}
+{%- endblock %}
+
+{%- block subtitle %}
+{% trans %}RSPAMD status page{% endtrans %}
+{%- endblock %}
+
+{%- block content %}
+<div class="embed-responsive embed-responsive-1by1">
+  <iframe class="embed-responsive-item" src="{{ config["WEB_ADMIN"] }}/antispam/"></iframe>
+</div>
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/base.html b/core/admin/mailu/ui/templates/base.html
index 89695e50..acef4b86 100644
--- a/core/admin/mailu/ui/templates/base.html
+++ b/core/admin/mailu/ui/templates/base.html
@@ -1,65 +1,83 @@
-{% import "macros.html" as macros %}
-{% import "bootstrap/utils.html" as utils %}
+{%- import "macros.html" as macros %}
+{%- import "bootstrap/utils.html" as utils %}
 <!doctype html>
-<html>
+<html lang="{{ session['language'] }}" data-static="{{ url_for('.static', filename='') }}">
   <head>
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta name="description" content="{% trans %}Admin page for{% endtrans %} {{ config["SITENAME"] }}">
+    <meta http-equiv="x-ua-compatible" content="ie=edge">
+    <title>Mailu-Admin | {{ config["SITENAME"] }}</title>
     <link rel="stylesheet" href="{{ url_for('.static', filename='vendor.css') }}">
     <link rel="stylesheet" href="{{ url_for('.static', filename='app.css') }}">
-    <title>Mailu-Admin - {{ config["SITENAME"] }}</title>
   </head>
   <body class="hold-transition sidebar-mini layout-fixed">
     <div class="wrapper">
       <nav class="main-header navbar navbar-expand navbar-white navbar-light">
         <ul class="navbar-nav">
           <li class="nav-item">
-            <a class="nav-link" data-widget="pushmenu" href="#" role="button"><i class="fas fa-bars"></i></a>
+            <a class="nav-link" data-widget="pushmenu" href="#" role="button"><i class="fas fa-bars" title="{% trans %}toggle sidebar{% endtrans %}" aria-expanded="false"></i><span class="sr-only">{% trans %}toggle sidebar{% endtrans %}</span></a>
+          </li>
+          <li class="nav-item">
+            {%- for page, url in path %}
+            {%- if loop.index > 1 %}
+            <i class="fas fa-greater-than text-xs text-gray" aria-hidden="true"></i>
+            {%- endif %}
+            {%- if url %}
+            <a class="nav-link d-inline-block" href="{{ url }}" role="button">{{ page }}</a>
+            {%- else %}
+            <span class="nav-link d-inline-block">{{ page }}</span>
+            {%- endif %}
+            {%- endfor %}
           </li>
         </ul>
         <ul class="navbar-nav ml-auto">
           <li class="nav-item dropdown">
-            <a class="nav-link" data-toggle="dropdown" href="#" aria-expanded="false">{{ session['language'] }}</a>
-            <div class="dropdown-menu dropdown-menu-right p-0">
-                {% for language in session['available_languages'] %}
-                    <a class="dropdown-item {% if language == session['language'] %}active{% endif %} " href="{{ url_for('.set_language', language=language) }}">{{ language }}</a>
-                {% endfor %}
+            <a class="nav-link" data-toggle="dropdown" href="#" aria-expanded="false">
+                <i class="fas fa-language text-xl" aria-hidden="true" title="{% trans %}change language{% endtrans %}"></i><span class="sr-only">Language</span>
+                <span class="badge badge-primary navbar-badge">{{ session['language'] }}</span></a>
+            <div class="dropdown-menu dropdown-menu-right p-0" id="mailu-languages">
+              {%- for locale in config.translations.values() %}
+                <a class="dropdown-item{% if locale.language == session['language'] %} active{% endif %}" href="{{ url_for('.set_language', language=locale.language) }}">{{ locale.get_language_name().title() }}</a>
+              {%- endfor %}
             </div>
           </li>
         </ul>
       </nav>
-      <aside class="main-sidebar sidebar-dark-primary">
-        <a href="{{ config["WEB_ADMIN"] }}" class="brand-link">
-         <span class="brand-text font-weight-light">{{ config["SITENAME"] }}</span>
+      <aside class="main-sidebar sidebar-dark-primary nav-compact elevation-4">
+        <a href="{{ url_for('.domain_list') }}" class="brand-link bg-primary">
+          <img src="{{ url_for('.static', filename='mailu.png') }}" width="33" height="33" alt="Mailu" class="brand-image mailu-logo img-circle elevation-3">
+          <span class="brand-text font-weight-light">{{ config["SITENAME"] }}</span>
         </a>
-        {% block sidebar %}
-        {% include "sidebar.html" %}
-        {% endblock %}
+        {%- include "sidebar.html" %}
       </aside>
-      <div class="content-wrapper">
+      <div class="content-wrapper text-sm">
         <section class="content-header">
           <div class="container-fluid">
             <div class="row mb-2">
               <div class="col-sm-6">
-                <h1 class="m-0">{% block title %}{% endblock %}</h1>
+                <h1 class="m-0">{%- block title %}{%- endblock %}</h1>
                 <small>{% block subtitle %}{% endblock %}</small>
               </div>
               <div class="col-sm-6">
-                {% block main_action %}
-                {% endblock %}
+                {%- block main_action %}{%- endblock %}
               </div>
             </div>
           </div>
         </section>
-
         <div class="content">
           {{ utils.flashed_messages(container=False) }}
-          {% block content %}{% endblock %}
+          {%- block content %}{%- endblock %}
         </div>
       </div>
       <footer class="main-footer">
-        Built with <i class="fa fa-heart"></i> using <a class="white-text" href="http://flask.pocoo.org/">Flask</a> and
-        <a class="white-text" href="https://adminlte.io/themes/v3/index3.html">AdminLTE</a>
-        <span class="pull-right"><i class="fa fa-code-fork"></i>on <a class="white-text" href="https://github.com/Mailu/Mailu">Github</a></a></span>
+        Built with <i class="fa fa-heart text-danger" aria-hidden="true"></i><span class="sr-only">love</span>
+        using <a href="https://flask.palletsprojects.com/">Flask</a>
+        and <a href="https://adminlte.io/themes/v3/index3.html">AdminLTE</a>.
+        <span class="fa-pull-right">
+          <i class="fa fa-code-branch" aria-hidden="true"></i><span class="sr-only">fork</span>
+          on <a href="https://github.com/Mailu/Mailu">Github</a>
+        </span>
       </footer>
     </div>
     <script src="{{ url_for('.static', filename='vendor.js') }}"></script>
diff --git a/core/admin/mailu/ui/templates/client.html b/core/admin/mailu/ui/templates/client.html
index 668621af..cc4517ad 100644
--- a/core/admin/mailu/ui/templates/client.html
+++ b/core/admin/mailu/ui/templates/client.html
@@ -1,17 +1,15 @@
-<!--TODO add translations for: configure your client, Incoming mail and Outgoing mail-->
+{%- extends "base.html" %}
 
-{% extends "base.html" %}
-
-{% block title %}
+{%- block title %}
 {% trans %}Client setup{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
-configure your email client
-{% endblock %}
+{%- block subtitle %}
+{% trans %}configure your email client{% endtrans %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table(title="Incoming mail", datatable=False) %}
+{%- block content %}
+{%- call macros.table(title=_("Incoming mail"), datatable=False) %}
   <tbody>
     <tr>
       <th>{% trans %}Mail protocol{% endtrans %}</th>
@@ -23,20 +21,20 @@ configure your email client
     </tr>
     <tr>
       <th>{% trans %}Server name{% endtrans %}</th>
-      <td><pre>{{ config["HOSTNAMES"].split(',')[0] }}</pre></td>
+      <td><pre class="pre-config border bg-light">{{ config["HOSTNAMES"] }}</pre></td>
     </tr>
     <tr>
       <th>{% trans %}Username{% endtrans %}</th>
-      <td><pre>{{ current_user if current_user.is_authenticated else "******" }}</pre></td>
+      <td><pre class="pre-config border bg-light">{{ current_user if current_user.is_authenticated else "******" }}</pre></td>
     </tr>
     <tr>
       <th>{% trans %}Password{% endtrans %}</th>
-      <td><pre>*******</pre></td>
+      <td><pre class="pre-config border bg-light">*******</pre></td>
     </tr>
   </tbody>
-{% endcall %}
+{%- endcall %}
 
-{% call macros.table(title="Outgoing mail", datatable=False) %}
+{%- call macros.table(title=_("Outgoing mail"), datatable=False) %}
   <tbody>
     <tr>
       <th>{% trans %}Mail protocol{% endtrans %}</th>
@@ -48,16 +46,16 @@ configure your email client
     </tr>
     <tr>
       <th>{% trans %}Server name{% endtrans %}</th>
-      <td><pre>{{ config["HOSTNAMES"].split(',')[0] }}</pre></td>
+      <td><pre class="pre-config border bg-light">{{ config["HOSTNAMES"] }}</pre></td>
     </tr>
     <tr>
       <th>{% trans %}Username{% endtrans %}</th>
-      <td><pre>{{ current_user if current_user.is_authenticated else "******" }}</pre></td>
+      <td><pre class="pre-config border bg-light">{{ current_user if current_user.is_authenticated else "******" }}</pre></td>
     </tr>
     <tr>
       <th>{% trans %}Password{% endtrans %}</th>
-      <td><pre>*******</pre></td>
+      <td><pre class="pre-config border bg-light">*******</pre></td>
     </tr>
   </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/confirm.html b/core/admin/mailu/ui/templates/confirm.html
index d0f6acf3..ac1d4f98 100644
--- a/core/admin/mailu/ui/templates/confirm.html
+++ b/core/admin/mailu/ui/templates/confirm.html
@@ -1,16 +1,16 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Confirm action{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ action }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card(theme="warning") %}
+{%- block content %}
+{%- call macros.card(theme="warning") %}
 <p>{% trans action %}You are about to {{ action }}. Please confirm your action.{% endtrans %}</p>
 {{ macros.form(form) }}
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/docker-error.html b/core/admin/mailu/ui/templates/docker-error.html
index 248e8b27..10742b99 100644
--- a/core/admin/mailu/ui/templates/docker-error.html
+++ b/core/admin/mailu/ui/templates/docker-error.html
@@ -1,14 +1,14 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Docker error{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ action }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
+{%- block content %}
 <p>{% trans action %}An error occurred while talking to the Docker server.{% endtrans %}</p>
-<pre>{{ error }}</pre>
-{% endblock %}
+<pre class="pre-config border bg-light">{{ error }}</pre>
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/domain/create.html b/core/admin/mailu/ui/templates/domain/create.html
index 3fdd262a..bc407d27 100644
--- a/core/admin/mailu/ui/templates/domain/create.html
+++ b/core/admin/mailu/ui/templates/domain/create.html
@@ -1,21 +1,20 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}New domain{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
   {{ macros.form_field(form.name) }}
   {{ macros.form_fields((form.max_users, form.max_aliases)) }}
-  {{ macros.form_field(form.max_quota_bytes, step=1000000000, max=50000000000,
-      prepend='<span class="input-group-text"><span id="quota">'+((form.max_quota_bytes.data//1000000000).__str__() if form.max_quota_bytes.data else '∞')+'</span> GiB</span>',
-      oninput='$("#quota").text(this.value == 0  ? "∞" : this.value/1000000000);') }}
+  {{ macros.form_field(form.max_quota_bytes, step=10**9, max=50*10**9, data_infinity="true",
+      prepend='<span class="input-group-text"><span id="max_quota_bytes_value"></span>&nbsp;GB</span>') }}
   {{ macros.form_field(form.signup_enabled) }}
   {{ macros.form_field(form.comment) }}
   {{ macros.form_field(form.submit) }}
 </form>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/domain/details.html b/core/admin/mailu/ui/templates/domain/details.html
index 0560d5e0..b90ea3de 100644
--- a/core/admin/mailu/ui/templates/domain/details.html
+++ b/core/admin/mailu/ui/templates/domain/details.html
@@ -1,66 +1,69 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Domain details{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain.name }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
-{% if current_user.global_admin %}
+{%- block main_action %}
+{%- if current_user.global_admin %}
 <a class="btn btn-primary float-right" href="{{ url_for(".domain_genkeys", domain_name=domain.name) }}">
-  {% if domain.dkim_publickey %}
+  {%- if domain.dkim_publickey %}
   {% trans %}Regenerate keys{% endtrans %}
-  {% else %}
+  {%- else %}
   {% trans %}Generate keys{% endtrans %}
-  {% endif %}
+  {%- endif %}
 </a>
-{% endif %}
-{% endblock %}
+{%- endif %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table(datatable=False) %}
-{% set hostname = config["HOSTNAMES"].split(",")[0] %}
+{%- block content %}
+{%- call macros.table(datatable=False) %}
 <tr>
   <th>{% trans %}Domain name{% endtrans %}</th>
   <td>{{ domain.name }}</td>
 </tr>
 <tr>
-  <th>{% trans %}DNS MX entry{% endtrans %} <i class="fa {{ 'fa-check-circle' if domain.check_mx() else 'fa-exclamation-circle' }}"></i></th>
-  <td><pre>{{ domain.name }}. 600 IN MX 10 {{ hostname }}.</pre></td>
+  <th>{% trans %}DNS MX entry{% endtrans %} <i class="fa {{ 'fa-check-circle text-success' if domain.check_mx() else 'fa-exclamation-circle text-danger' }}"></i></th>
+  <td>{{ macros.clip("dns_mx") }}<pre id="dns_mx" class="pre-config border bg-light">{{ domain.dns_mx }}</pre></td>
 </tr>
 <tr>
   <th>{% trans %}DNS SPF entries{% endtrans %}</th>
-  <td><pre>
-{{ domain.name }}. 600 IN TXT "v=spf1 mx a:{{ hostname }} -all"</pre></td>
+  <td>{{ macros.clip("dns_spf") }}<pre id="dns_spf" class="pre-config border bg-light">{{ domain.dns_spf }}</pre>
+  </td>
 </tr>
-{% if domain.dkim_publickey %}
+{%- if domain.dkim_publickey %}
 <tr>
   <th>{% trans %}DKIM public key{% endtrans %}</th>
-  <td><pre style="white-space: pre-wrap; word-wrap: break-word;">{{ domain.dkim_publickey }}</pre></td>
+  <td>{{ macros.clip("dkim_key") }}<pre id="dkim_key" class="pre-config border bg-light">{{ domain.dkim_publickey }}</pre></td>
 </tr>
 <tr>
   <th>{% trans %}DNS DKIM entry{% endtrans %}</th>
-  <td><pre style="white-space: pre-wrap; word-wrap: break-word;">{{ config["DKIM_SELECTOR"] }}._domainkey.{{ domain.name }}. 600 IN TXT "v=DKIM1; k=rsa; p={{ domain.dkim_publickey }}"</pre></td>
+  <td>{{ macros.clip("dns_dkim") }}<pre id="dns_dkim" class="pre-config border bg-light">{{ domain.dns_dkim }}</pre></td>
 </tr>
 <tr>
   <th>{% trans %}DNS DMARC entry{% endtrans %}</th>
-  <td><pre>_dmarc.{{ domain.name }}. 600 IN TXT "v=DMARC1; p=reject;{% if config["DMARC_RUA"] %} rua=mailto:{{ config["DMARC_RUA"] }}@{{ config["DOMAIN"] }};{% endif %}{% if config["DMARC_RUF"] %} ruf=mailto:{{ config["DMARC_RUF"] }}@{{ config["DOMAIN"] }};{% endif %} adkim=s; aspf=s"</pre></td>
+  <td>{{ macros.clip("dns_dmark") }}<pre id="dns_dmark" class="pre-config border bg-light">{{ domain.dns_dmarc }}</pre></td>
 </tr>
-{% endif %}
+{%- endif %}
+{%- set tlsa_record=domain.dns_tlsa %}
+{%- if tlsa_record %}
+<tr>
+  <th>{% trans %}DNS TLSA entry{% endtrans %}</br><span class="text-secondary text-xs font-weight-normal">Let's Encrypt</br>ISRG Root X1</span></th>
+  <td>{{ macros.clip("dns_tlsa") }}<pre id="dns_tlsa" class="pre-config border bg-light">{{ tlsa_record }}</pre></td>
+</tr>
+{%- endif %}
 <tr>
   <th>{% trans %}DNS client auto-configuration (RFC6186) entries{% endtrans %}</th>
   <td>
-    <pre style="white-space: pre-wrap; word-wrap: break-word;">_submission._tcp.{{ domain.name }}. 600 IN SRV 1 1 587 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
-    <pre style="white-space: pre-wrap; word-wrap: break-word;">_imap._tcp.{{ domain.name }}. 600 IN SRV 100 1 143 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
-    <pre style="white-space: pre-wrap; word-wrap: break-word;">_pop3._tcp.{{ domain.name }}. 600 IN SRV 100 1 110 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
-{% if config["TLS_FLAVOR"] != "notls" %}
-    <pre style="white-space: pre-wrap; word-wrap: break-word;">_submissions._tcp.{{ domain.name }}. 600 IN SRV 10 1 465 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
-    <pre style="white-space: pre-wrap; word-wrap: break-word;">_imaps._tcp.{{ domain.name }}. 600 IN SRV 10 1 993 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
-    <pre style="white-space: pre-wrap; word-wrap: break-word;">_pop3s._tcp.{{ domain.name }}. 600 IN SRV 10 1 995 {{ config["HOSTNAMES"].split(',')[0] }}.</pre>
-{% endif %}</td>
+    {{ macros.clip("dns_autoconfig") }}<pre id="dns_autoconfig" class="pre-config border bg-light">
+{%- for line in domain.dns_autoconfig %}
+{{ line }}
+{%- endfor -%}
+    </pre></td>
 </tr>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/domain/edit.html b/core/admin/mailu/ui/templates/domain/edit.html
index 13af23a5..736e43eb 100644
--- a/core/admin/mailu/ui/templates/domain/edit.html
+++ b/core/admin/mailu/ui/templates/domain/edit.html
@@ -1,9 +1,9 @@
-{% extends "domain/create.html" %}
+{%- extends "domain/create.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Edit domain{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/domain/list.html b/core/admin/mailu/ui/templates/domain/list.html
index c82647df..6f6bc467 100644
--- a/core/admin/mailu/ui/templates/domain/list.html
+++ b/core/admin/mailu/ui/templates/domain/list.html
@@ -1,17 +1,17 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Domain list{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
-{% if current_user.global_admin %}
+{%- block main_action %}
+{%- if current_user.global_admin %}
 <a class="btn btn-primary float-right" href="{{ url_for('.domain_create') }}">{% trans %}New domain{% endtrans %}</a>
-{% endif %}
-{% endblock %}
+{%- endif %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -25,22 +25,22 @@
   </tr>
 </thead>
 <tbody>
-  {% for domain in current_user.get_managed_domains() %}
+  {%- for domain in current_user.get_managed_domains() %}
   <tr>
     <td>
       <a href="{{ url_for('.domain_details', domain_name=domain.name) }}" title="{% trans %}Details{% endtrans %}"><i class="fa fa-list"></i></a>&nbsp;
-      {% if current_user.global_admin %}
+      {%- if current_user.global_admin %}
       <a href="{{ url_for('.domain_edit', domain_name=domain.name) }}" title="{% trans %}Edit{% endtrans %}"><i class="fas fa-pencil-alt"></i></a>&nbsp;
       <a href="{{ url_for('.domain_delete', domain_name=domain.name) }}" title="{% trans %}Delete{% endtrans %}"><i class="fa fa-trash"></i></a>&nbsp;
-      {% endif %}
+      {%- endif %}
     </td>
     <td>
       <a href="{{ url_for('.user_list', domain_name=domain.name) }}" title="{% trans %}Users{% endtrans %}"><i class="far fa-envelope"></i></a>&nbsp;
       <a href="{{ url_for('.alias_list', domain_name=domain.name) }}" title="{% trans %}Aliases{% endtrans %}"><i class="fa fa-at"></i></a>&nbsp;
       <a href="{{ url_for('.manager_list', domain_name=domain.name) }}" title="{% trans %}Managers{% endtrans %}"><i class="fa fa-user"></i></a>&nbsp;
-      {% if current_user.global_admin %}
+      {%- if current_user.global_admin %}
       <a href="{{ url_for('.alternative_list', domain_name=domain.name) }}" title="{% trans %}Alternatives{% endtrans %}"><i class="fa fa-asterisk"></i></a>&nbsp;
-      {% endif %}
+      {%- endif %}
     </td>
     <td>{{ domain.name }}</td>
     <td>{{ domain.users | count }} / {{ '∞' if domain.max_users == -1 else domain.max_users }}</td>
@@ -49,7 +49,7 @@
     <td>{{ domain.created_at }}</td>
     <td>{{ domain.updated_at or '' }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/domain/signup.html b/core/admin/mailu/ui/templates/domain/signup.html
index e9dbd75f..083242e4 100644
--- a/core/admin/mailu/ui/templates/domain/signup.html
+++ b/core/admin/mailu/ui/templates/domain/signup.html
@@ -1,18 +1,18 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Register a domain{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
+{%- block content %}
 
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
 
-  {% call macros.card(title="Requirements") %}
+  {%- call macros.card(title="Requirements") %}
   <p>{% trans %}In order to register a new domain, you must first setup the
     domain zone so that the domain <code>MX</code> points to this server{% endtrans %}
-    (<code>{{ config["HOSTNAMES"].split(",")[0] }}</code>).
+    (<code>{{ config["HOSTNAME"] }}</code>).
   </p>
   <p>
     {% trans %}If you do not know how to setup an <code>MX</code> record for your DNS zone,
@@ -20,17 +20,17 @@
     couple minutes after the <code>MX</code> is set so the local server cache
     expires.{% endtrans %}
   </p>
-  {% endcall %}
+  {%- endcall %}
 
-  {% call macros.card() %}
-  {% if form.localpart %}
+  {%- call macros.card() %}
+  {%- if form.localpart %}
   {{ macros.form_fields((form.localpart, form.name), append='<span class="input-group-text">@</span>') }}
   {{ macros.form_fields((form.pw, form.pw2)) }}
-  {% else %}
+  {%- else %}
   {{ macros.form_field(form.name) }}
-  {% endif %}
+  {%- endif %}
   {{ macros.form_field(form.captcha) }}
   {{ macros.form_field(form.submit) }}
-  {% endcall %}
+  {%- endcall %}
 </form>
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/fetch/create.html b/core/admin/mailu/ui/templates/fetch/create.html
index 1b5bc194..00698329 100644
--- a/core/admin/mailu/ui/templates/fetch/create.html
+++ b/core/admin/mailu/ui/templates/fetch/create.html
@@ -1,31 +1,31 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Add a fetched account{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
+{%- block content %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
-  {% call macros.card(title="Remote server") %}
+  {%- call macros.card(title="Remote server") %}
   {{ macros.form_field(form.protocol) }}
   {{ macros.form_fields((form.host, form.port)) }}
   {{ macros.form_field(form.tls) }}
-  {% endcall %}
+  {%- endcall %}
 
-  {% call macros.card(title="Authentication") %}
+  {%- call macros.card(title="Authentication") %}
   {{ macros.form_field(form.username) }}
   {{ macros.form_field(form.password) }}
-  {% endcall %}
+  {%- endcall %}
 
-  {% call macros.card(title="Settings") %}
+  {%- call macros.card(title="Settings") %}
   {{ macros.form_field(form.keep) }}
-  {% endcall %}
+  {%- endcall %}
 
   {{ macros.form_field(form.submit) }}
 </form>
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/fetch/edit.html b/core/admin/mailu/ui/templates/fetch/edit.html
index 9d0f3918..62af51a9 100644
--- a/core/admin/mailu/ui/templates/fetch/edit.html
+++ b/core/admin/mailu/ui/templates/fetch/edit.html
@@ -1,9 +1,9 @@
-{% extends "fetch/create.html" %}
+{%- extends "fetch/create.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Update a fetched account{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/fetch/list.html b/core/admin/mailu/ui/templates/fetch/list.html
index 77f66bb1..d9374fc6 100644
--- a/core/admin/mailu/ui/templates/fetch/list.html
+++ b/core/admin/mailu/ui/templates/fetch/list.html
@@ -1,19 +1,19 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Fetched accounts{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.fetch_create', user_email=user.email) }}">{% trans %}Add an account{% endtrans %}</a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -27,7 +27,7 @@
   </tr>
 </thead>
 <tbody>
-  {% for fetch in user.fetches %}
+  {%- for fetch in user.fetches %}
   <tr>
     <td>
       <a href="{{ url_for('.fetch_edit', fetch_id=fetch.id) }}" title="{% trans %}Edit{% endtrans %}"><i class="fa fa-pencil"></i></a>&nbsp;
@@ -41,7 +41,7 @@
     <td>{{ fetch.created_at }}</td>
     <td>{{ fetch.updated_at or '' }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/form.html b/core/admin/mailu/ui/templates/form.html
index 0e65ce33..2c635aac 100644
--- a/core/admin/mailu/ui/templates/form.html
+++ b/core/admin/mailu/ui/templates/form.html
@@ -1,7 +1,7 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 {{ macros.form(form) }}
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/login.html b/core/admin/mailu/ui/templates/login.html
index 26c47c08..fb8e5bd4 100644
--- a/core/admin/mailu/ui/templates/login.html
+++ b/core/admin/mailu/ui/templates/login.html
@@ -1,9 +1,9 @@
-{% extends "form.html" %}
+{%- extends "form.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Sign in{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {% trans %}to access the administration tools{% endtrans %}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/macros.html b/core/admin/mailu/ui/templates/macros.html
index d1715c7a..4080c1e4 100644
--- a/core/admin/mailu/ui/templates/macros.html
+++ b/core/admin/mailu/ui/templates/macros.html
@@ -1,104 +1,127 @@
-{% macro form_errors(form) %}
-  {% if form.errors %}
-    {% for fieldname, errors in form.errors.items() %}
-      {% if bootstrap_is_hidden_field(form[fieldname]) %}
-        {% for error in errors %}
+{%- macro form_errors(form) %}
+  {%- if form.errors %}
+    {%- for fieldname, errors in form.errors.items() %}
+      {%- if bootstrap_is_hidden_field(form[fieldname]) %}
+        {%- for error in errors %}
           <p class="error">{{error}}</p>
-        {% endfor %}
-      {% endif %}
-    {% endfor %}
-  {% endif %}
-{% endmacro %}
+        {%- endfor %}
+      {%- endif %}
+    {%- endfor %}
+  {%- endif %}
+{%- endmacro %}
 
-{% macro form_field_errors(field) %}
-  {% if field.errors %}
-    {% for error in field.errors %}
+{%- macro form_field_errors(field) %}
+  {%- if field.errors %}
+    {%- for error in field.errors %}
       <p class="help-block inline">{{ error }}</p>
-    {% endfor %}
-  {% endif %}
-{% endmacro %}
+    {%- endfor %}
+  {%- endif %}
+{%- endmacro %}
 
-{% macro form_fields(fields, prepend='', append='', label=True) %}
-  {% set width = (12 / fields|length)|int %}
+{%- macro form_fields(fields, prepend='', append='', label=True) %}
+  {%- set width = (12 / fields|length)|int %}
   <div class="form-group">
     <div class="row">
-      {% for field in fields %}
+      {%- for field in fields %}
       <div class="col-lg-{{ width }} col-xs-12 {{ 'has-error' if field.errors else '' }}">
         {{ form_individual_field(field, prepend=prepend, append=append, label=label, **kwargs) }}
       </div>
-      {% endfor %}
+      {%- endfor %}
     </div>
   </div>
-{% endmacro %}
+{%- endmacro %}
 
-{% macro form_individual_field(field, prepend='', append='', label=True, class_="") %}
-  {% if field.type == "BooleanField" %}
-    {{ field(**kwargs) }}<span>&nbsp;&nbsp;</span>
-    {{ field.label if label else '' }}
-  {% else %}
+{%- macro form_individual_field(field, prepend='', append='', label=True, class_="") %}
+  {%- if field.type == "BooleanField" %}
+    {{ field(**kwargs) }}<span>&nbsp;&nbsp;</span>{{ field.label if label else '' }}
+  {%- else %}
     {{ field.label if label else '' }}{{ form_field_errors(field) }}
-      {% if prepend %}<div class="input-group-prepend">{% endif %}
-      {% if append %}<div class="input-group-append">{% endif %}
-        {{ prepend|safe }}{{ field(class_="form-control " + class_, **kwargs) }}{{ append|safe }}
-      {% if prepend or append %}</div>{% endif %}
-  {% endif %}
-{% endmacro %}
+    {%- if prepend %}<div class="input-group-prepend">{%- elif append %}<div class="input-group-append">{%- endif %}
+      {{ prepend|safe }}{{ field(class_=("form-control " + class_) if class_ else "form-control", **kwargs) }}{{ append|safe }}
+    {%- if prepend or append %}</div>{%- endif %}
+  {%- endif %}
+{%- endmacro %}
 
-{% macro form_field(field) %}
-  {% if field.type == 'SubmitField' %}
-  {{ form_fields((field,), label=False, class="btn btn-default", **kwargs) }}
-  {% else %}
-  {{ form_fields((field,), **kwargs) }}
-  {% endif %}
-{% endmacro %}
+{%- macro form_field(field) %}
+  {%- if field.type == 'SubmitField' %}
+  {{- form_fields((field,), label=False, class="btn btn-default", **kwargs) }}
+  {%- else %}
+  {{- form_fields((field,), **kwargs) }}
+  {%- endif %}
+{%- endmacro %}
 
-{% macro form(form) %}
+{%- macro form(form) %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
-  {% for field in form %}
-    {% if  bootstrap_is_hidden_field(field) %}
+  {%- for field in form %}
+    {%- if  bootstrap_is_hidden_field(field) %}
       {{ field() }}
-    {% else %}
+    {%- else %}
       {{ form_field(field) }}
-    {% endif %}
-  {% endfor %}
+    {%- endif %}
+  {%- endfor %}
 </form>
-{% endmacro %}
+{%- endmacro %}
 
-{% macro card(title=None, theme="primary", header=True) %}
+{%- macro card(title=None, theme="primary", header=True) %}
 <div class="row">
   <div class="col-lg-12">
     <div class="card card-outline card-{{ theme }}">
-      {% if header %}
+      {%- if header %}
       <div class="card-header border-0">
-        {% if title %}
+        {%- if title %}
         <h3 class="card-title">{{ title }}</h3>
-        {% endif %}
+        {%- endif %}
       </div>
-      {% endif %}
+      {%- endif %}
       <div class="card-body">
-       {{ caller() }}
+       {{- caller() }}
       </div>
     </div>
   </div>
 </div>
-{% endmacro %}
+{%- endmacro %}
 
-{% macro table(title=None, theme="primary", datatable=True) %}
+{%- macro table(title=None, theme="primary", datatable=True) %}
 <div class="row">
   <div class="col-lg-12">
     <div class="card card-outline card-{{ theme }}">
+      {%- if title %}
       <div class="card-header border-0">
-        {% if title %}
         <h3 class="card-title">{{ title }}</h3>
-        {% endif %}
       </div>
+      {%- endif %}
       <div class="card-body">
-        <table class="table table-bordered {% if datatable %} dataTable {% endif %}">
-          {{ caller() }}
+        <table class="table table-bordered{% if datatable %} dataTable{% endif %}">
+          {{- caller() }}
         </table>
       </div>
     </div>
   </div>
 </div>
-{% endmacro %}
+{%- endmacro %}
+
+{%- macro fieldset(title=None, field=None, enabled=None, fields=None) %}
+{%- if field or title %}
+<fieldset{% if not enabled %} disabled{% endif %}>
+{%- if field %}
+<legend>{{ form_individual_field(field) }}</legend>
+{%- else %}
+<legend>{{ title }}</legend>
+{%- endif %}
+{%- endif %}
+{{- caller() }}
+{%- if fields %}
+  {%- set kwargs = {"enabled" if enabled else "disabled": ""} %}
+  {%- for field in fields %}
+    {{ form_field(field, **kwargs) }}
+  {%- endfor %}
+{%- endif %}
+</fieldset>
+{%- endmacro %}
+
+{%- macro clip(target, title=_("copy to clipboard"), icon="copy", color="primary", action="copy") %}
+<button class="btn btn-{{ color }} btn-xs btn-clip float-right ml-2 mt-1" data-clipboard-action="{{ action }}" data-clipboard-target="#{{ target }}">
+<i class="fas fa-{{ icon }}" title="{{ title }}" aria-expanded="false"></i><span class="sr-only">{{ title }}</span>
+</button>
+{%- endmacro %}
diff --git a/core/admin/mailu/ui/templates/manager/create.html b/core/admin/mailu/ui/templates/manager/create.html
index bc5e6ca9..e5812b74 100644
--- a/core/admin/mailu/ui/templates/manager/create.html
+++ b/core/admin/mailu/ui/templates/manager/create.html
@@ -1,19 +1,19 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Add a manager{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
   {{ macros.form_field(form.manager, class_='mailselect') }}
   {{ macros.form_field(form.submit) }}
 </form>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/manager/list.html b/core/admin/mailu/ui/templates/manager/list.html
index 9a78e3ca..706594c4 100644
--- a/core/admin/mailu/ui/templates/manager/list.html
+++ b/core/admin/mailu/ui/templates/manager/list.html
@@ -1,19 +1,19 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Manager list{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain.name }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.manager_create', domain_name=domain.name) }}">{% trans %}Add manager{% endtrans %}</a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -21,14 +21,14 @@
   </tr>
 </thead>
 <tbody>
-{% for manager in domain.managers %}
+{%- for manager in domain.managers %}
 <tr>
   <td>
     <a href="{{ url_for('.manager_delete', domain_name=domain.name, user_email=manager.email) }}" title="{% trans %}Delete{% endtrans %}"><i class="fa fa-trash"></i></a>
   </td>
   <td>{{ manager }}</td>
 </tr>
-{% endfor %}
+{%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/relay/create.html b/core/admin/mailu/ui/templates/relay/create.html
index b22cb001..b1e4e8e5 100644
--- a/core/admin/mailu/ui/templates/relay/create.html
+++ b/core/admin/mailu/ui/templates/relay/create.html
@@ -1,5 +1,5 @@
-{% extends "form.html" %}
+{%- extends "form.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}New relay domain{% endtrans %}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/relay/edit.html b/core/admin/mailu/ui/templates/relay/edit.html
index 83dafcba..df2418a4 100644
--- a/core/admin/mailu/ui/templates/relay/edit.html
+++ b/core/admin/mailu/ui/templates/relay/edit.html
@@ -1,9 +1,9 @@
-{% extends "form.html" %}
+{%- extends "form.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Edit relayd domain{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ relay }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/relay/list.html b/core/admin/mailu/ui/templates/relay/list.html
index 6c8c9196..07838273 100644
--- a/core/admin/mailu/ui/templates/relay/list.html
+++ b/core/admin/mailu/ui/templates/relay/list.html
@@ -1,17 +1,17 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Relayed domain list{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
-{% if current_user.global_admin %}
+{%- block main_action %}
+{%- if current_user.global_admin %}
 <a class="btn btn-primary float-right" href="{{ url_for('.relay_create') }}">{% trans %}New relayed domain{% endtrans %}</a>
-{% endif %}
-{% endblock %}
+{%- endif %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -23,7 +23,7 @@
   </tr>
 </thead>
 <tbody>
-  {% for relay in relays %}
+  {%- for relay in relays %}
   <tr>
     <td>
       <a href="{{ url_for('.relay_edit', relay_name=relay.name) }}" title="{% trans %}Edit{% endtrans %}"><i class="fa fa-pencil"></i></a>&nbsp;
@@ -35,7 +35,7 @@
     <td>{{ relay.created_at }}</td>
     <td>{{ relay.updated_at or '' }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/sidebar.html b/core/admin/mailu/ui/templates/sidebar.html
index 0fdae9db..1a597a5f 100644
--- a/core/admin/mailu/ui/templates/sidebar.html
+++ b/core/admin/mailu/ui/templates/sidebar.html
@@ -1,144 +1,156 @@
-<div class="sidebar">
-  {% if current_user.is_authenticated %}
+<div class="sidebar text-sm">
+  {%- if current_user.is_authenticated %}
   <div class="user-panel mt-3 pb-3 mb-3 d-flex">
+    <div class="image">
+      <div class="div-circle elevation-2"><i class="fa fa-user text-lg text-dark"></i></div>
+    </div>
     <div class="info">
-      <span class="text-center text-primary">{{ current_user }}</span>
+      <a href="{{ url_for('.user_settings') }}" class="d-block">{{ current_user }}</a>
     </div>
   </div>
-  {% endif %}
-
+  {%- endif %}
   <nav class="mt-2">
     <ul class="nav nav-pills nav-sidebar flex-column" role="menu">
-      {% if current_user.is_authenticated %}
-      <li class="nav-header">{% trans %}My account{% endtrans %}</li>
-      <li class="nav-item">
-        <a href="{{ url_for('.user_settings') }}" class="nav-link">
+      {%- if current_user.is_authenticated %}
+      <li class="nav-header text-uppercase text-primary" role="none">{% trans %}My account{% endtrans %}</li>
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.user_settings') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-wrench"></i>
-          <p class="text">{% trans %}Settings{% endtrans %}</p>
+          <p>{% trans %}Settings{% endtrans %}</p>
         </a>
       </li>
-      <li class="nav-item">
-        <a href="{{ url_for('.user_password') }}" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.user_password') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-lock"></i>
-          <p class="text">{% trans %}Update password{% endtrans %}</p>
+          <p>{% trans %}Update password{% endtrans %}</p>
         </a>
       </li>
-      <li class="nav-item">
-        <a href="{{ url_for('.user_reply') }}" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.user_reply') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-plane"></i>
-          <p class="text">{% trans %}Auto-reply{% endtrans %}</p>
+          <p>{% trans %}Auto-reply{% endtrans %}</p>
         </a>
       </li>
-      <li class="nav-item">
-        <a href="{{ url_for('.fetch_list') }}" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.fetch_list') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fas fa-download"></i>
-          <p class="text">{% trans %}Fetched accounts{% endtrans %}</p>
+          <p>{% trans %}Fetched accounts{% endtrans %}</p>
         </a>
       </li>
-      <li class="nav-item">
-        <a href="{{ url_for('.token_list') }}" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.token_list') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fas fa-ticket-alt"></i>
-          <p class="text">{% trans %}Authentication tokens{% endtrans %}</p>
+          <p>{% trans %}Authentication tokens{% endtrans %}</p>
         </a>
       </li>
-
-      {% if current_user.manager_of or current_user.global_admin %}
-      <li class="nav-header">{% trans %}Administration{% endtrans %}</li>
-      {% endif %}
-      {% if current_user.global_admin %}
-      <li class="nav-item">
-        <a href="{{ url_for('.announcement') }}" class="nav-link">
-          <i class="nav-icon fa fa-bullhorn"></i>
-          <p class="text">{% trans %}Announcement{% endtrans %}</p>
-        </a>
-      </li>
-      <li class="nav-item">
-        <a href="{{ url_for('.admin_list') }}" class="nav-link">
-          <i class="nav-icon fa fa-user"></i>
-          <p class="text">{% trans %}Administrators{% endtrans %}</p>
-        </a>
-      </li>
-      <li class="nav-item">
-        <a href="{{ url_for('.relay_list') }}" class="nav-link">
-          <i class="nav-icon fa fa-reply-all"></i>
-          <p class="text">{% trans %}Relayed domains{% endtrans %}</p>
-        </a>
-      </li>
-      <li class="nav-item">
-        <a href="{{ config["WEB_ADMIN"] }}/antispam/" target="_blank" class="nav-link">
-        <i class="nav-icon fas fa-trash-alt"></i>
-        <p class="text">{% trans %}Antispam{% endtrans %}</p>
-        </a>
-      </li>
-      {% endif %}
-      {% if current_user.manager_of or current_user.global_admin %}
-      <li class="nav-item">
-        <a href="{{ url_for('.domain_list') }}" class="nav-link">
-          <i class="nav-icon fa fa-envelope"></i>
-          <p class="text">{% trans %}Mail domains{% endtrans %}</p>
-        </a>
-      </li>
-      {% endif %}
-      {% endif %}
-
-      <li class="nav-header">{% trans %}Go to{% endtrans %}</li>
-      {% if config["WEBMAIL"] != "none" %}
-      <li class="nav-item">
-        <a href="{{ config["WEB_WEBMAIL"] }}" target="_blank" class="nav-link">
-        <i class="nav-icon far fa-envelope"></i>
-        <p class="text">{% trans %}Webmail{% endtrans %}</p>
-        </a>
-      </li>
-      {% endif %}
-      <li class="nav-item">
-        <a href="{{ url_for('.client') }}" class="nav-link">
+      {%- if current_user.is_authenticated %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.client') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-laptop"></i>
-          <p class="text">{% trans %}Client setup{% endtrans %}</p>
+          <p>{% trans %}Client setup{% endtrans %}</p>
         </a>
       </li>
-      <li class="nav-item">
-        <a href="{{ config["WEBSITE"] }}" target="_blank" class="nav-link">
+      {%- endif %}
+
+      {%- if current_user.manager_of or current_user.global_admin %}
+      <li class="nav-header text-uppercase text-primary" role="none">{% trans %}Administration{% endtrans %}</li>
+      {%- endif %}
+      {%- if current_user.global_admin %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.announcement') }}" class="nav-link" role="menuitem">
+          <i class="nav-icon fa fa-bullhorn"></i>
+          <p>{% trans %}Announcement{% endtrans %}</p>
+        </a>
+      </li>
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.admin_list') }}" class="nav-link" role="menuitem">
+          <i class="nav-icon fa fa-user"></i>
+          <p>{% trans %}Administrators{% endtrans %}</p>
+        </a>
+      </li>
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.relay_list') }}" class="nav-link" role="menuitem">
+          <i class="nav-icon fa fa-reply-all"></i>
+          <p>{% trans %}Relayed domains{% endtrans %}</p>
+        </a>
+      </li>
+      <li class="nav-item" role="none">
+        <a href="{{ config["WEB_ADMIN"] }}/antispam/" data-clicked="{{ url_for('.antispam') }}" target="_blank" class="nav-link" role="menuitem">
+        <i class="nav-icon fas fa-trash-alt"></i>
+        <p>{% trans %}Antispam{% endtrans %}</p>
+        </a>
+      </li>
+      {%- endif %}
+      {%- if current_user.manager_of or current_user.global_admin %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.domain_list') }}" class="nav-link" role="menuitem">
+          <i class="nav-icon fa fa-envelope"></i>
+          <p>{% trans %}Mail domains{% endtrans %}</p>
+        </a>
+      </li>
+      {%- endif %}
+      {%- endif %}
+
+      <li class="nav-header text-uppercase text-primary" role="none">{% trans %}Go to{% endtrans %}</li>
+      {%- if config["WEBMAIL"] != "none" %}
+      <li class="nav-item" role="none">
+        <a href="{{ config["WEB_WEBMAIL"] }}" target="_blank" class="nav-link" role="menuitem">
+        <i class="nav-icon far fa-envelope"></i>
+        <p>{% trans %}Webmail{% endtrans %} <i class="fas fa-external-link-alt text-xs"></i></p>
+        </a>
+      </li>
+      {%- endif %}
+      {%- if not current_user.is_authenticated %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.client') }}" class="nav-link" role="menuitem">
+          <i class="nav-icon fa fa-laptop"></i>
+          <p>{% trans %}Client setup{% endtrans %}</p>
+        </a>
+      </li>
+      {%- endif %}
+      <li class="nav-item" role="none">
+        <a href="{{ config["WEBSITE"] }}" target="_blank" class="nav-link" role="menuitem" rel="noreferrer">
         <i class="nav-icon fa fa-globe"></i>
-        <p class="text">{% trans %}Website{% endtrans %}</p>
+        <p>{% trans %}Website{% endtrans %} <i class="fas fa-external-link-alt text-xs"></i></p>
         </a>
       </li>
-      <li class="nav-item">
-        <a href="https://mailu.io" target="_blank" class="nav-link">
+      <li class="nav-item" role="none">
+        <a href="https://mailu.io" target="_blank" class="nav-link" role="menuitem" rel="noreferrer">
           <i class="nav-icon fa fa-life-ring"></i>
-          <p class="text">{% trans %}Help{% endtrans %}</p>
+          <p>{% trans %}Help{% endtrans %} <i class="fas fa-external-link-alt text-xs"></i></p>
         </a>
       </li>
-      {% if config['DOMAIN_REGISTRATION'] %}
-      <li class="nav-item">
-        <a href="{{ url_for('.domain_signup') }}" class="nav-link">
+      {%- if config['DOMAIN_REGISTRATION'] %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.domain_signup') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-plus-square"></i>
-          <p class="text">{% trans %}Register a domain{% endtrans %}</p>
+          <p>{% trans %}Register a domain{% endtrans %}</p>
         </a>
       </li>
-      {% endif %}
-      {% if current_user.is_authenticated %}
-      <li class="nav-item">
-        <a href="{{ url_for('.logout') }}" class="nav-link">
+      {%- endif %}
+      {%- if current_user.is_authenticated %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.logout') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fas fa-sign-out-alt"></i>
-          <p class="text">{% trans %}Sign out{% endtrans %}</p>
+          <p>{% trans %}Sign out{% endtrans %}</p>
         </a>
       </li>
-      {% else %}
-      <li class="nav-item">
-        <a href="{{ url_for('.login') }}" class="nav-link">
+      {%- else %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.login') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fas fa-sign-in-alt"></i>
-          <p class="text">{% trans %}Sign in{% endtrans %}</p>
+          <p>{% trans %}Sign in{% endtrans %}</p>
         </a>
       </li>
-      {% if signup_domains %}
-      <li class="nav-item">
-        <a href="{{ url_for('.user_signup') }}" class="nav-link">
+      {%- if signup_domains %}
+      <li class="nav-item" role="none">
+        <a href="{{ url_for('.user_signup') }}" class="nav-link" role="menuitem">
           <i class="nav-icon fa fa-user-plus"></i>
-          <p class="text">{% trans %}Sign up{% endtrans %}</p>
+          <p>{% trans %}Sign up{% endtrans %}</p>
         </a>
       </li>
-      {% endif %}
-      {% endif %}
+      {%- endif %}
+      {%- endif %}
     </ul>
   </nav>
 </div>
diff --git a/core/admin/mailu/ui/templates/token/create.html b/core/admin/mailu/ui/templates/token/create.html
index a64e662c..ab9286d5 100644
--- a/core/admin/mailu/ui/templates/token/create.html
+++ b/core/admin/mailu/ui/templates/token/create.html
@@ -1,9 +1,9 @@
-{% extends "form.html" %}
+{%- extends "form.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Create an authentication token{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/token/list.html b/core/admin/mailu/ui/templates/token/list.html
index 09d0fe76..c3cc9b5c 100644
--- a/core/admin/mailu/ui/templates/token/list.html
+++ b/core/admin/mailu/ui/templates/token/list.html
@@ -1,19 +1,19 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Authentication tokens{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.token_create', user_email=user.email) }}">{% trans %}New token{% endtrans %}</a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -23,7 +23,7 @@
   </tr>
 </thead>
 <tbody>
-  {% for token in user.tokens %}
+  {%- for token in user.tokens %}
   <tr>
     <td>
       <a href="{{ url_for('.token_delete', token_id=token.id) }}" title="{% trans %}Delete{% endtrans %}"><i class="fa fa-trash"></i></a>
@@ -32,7 +32,7 @@
     <td>{{ token.ip or "any" }}</td>
     <td>{{ token.created_at }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/create.html b/core/admin/mailu/ui/templates/user/create.html
index 886cbb88..9a32243d 100644
--- a/core/admin/mailu/ui/templates/user/create.html
+++ b/core/admin/mailu/ui/templates/user/create.html
@@ -1,33 +1,32 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}New user{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain.name }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
+{%- block content %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
 
-  {% call macros.card(_("General")) %}
+  {%- call macros.card(_("General")) %}
   {{ macros.form_field(form.localpart, append='<span class="input-group-text">@'+domain.name+'</span>') }}
   {{ macros.form_fields((form.pw, form.pw2)) }}
   {{ macros.form_field(form.displayed_name) }}
   {{ macros.form_field(form.comment) }}
   {{ macros.form_field(form.enabled) }}
-  {% endcall %}
+  {%- endcall %}
 
-  {% call macros.card(_("Features and quotas"), theme="success") %}
-  {{ macros.form_field(form.quota_bytes, step=1000000000, max=(max_quota_bytes or domain.max_quota_bytes or 50000000000),
-      prepend='<span class="input-group-text"><span id="quota">'+((form.quota_bytes.data//1000000000).__str__() if form.quota_bytes.data else '∞')+'</span> GiB</span>',
-      oninput='$("#quota").text(this.value == 0  ? "∞" : this.value/1000000000);') }}
+  {%- call macros.card(_("Features and quotas"), theme="success") %}
+  {{ macros.form_field(form.quota_bytes, step=1000000000, max=(max_quota_bytes or domain.max_quota_bytes or 50*10**9), data_infinity="true",
+      prepend='<span class="input-group-text"><span id="quota_bytes_value"></span>&nbsp;GB</span>') }}
   {{ macros.form_field(form.enable_imap) }}
   {{ macros.form_field(form.enable_pop) }}
-  {% endcall %}
+  {%- endcall %}
 
   {{ macros.form_field(form.submit) }}
 </form>
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/edit.html b/core/admin/mailu/ui/templates/user/edit.html
index 25da5486..1a0b2150 100644
--- a/core/admin/mailu/ui/templates/user/edit.html
+++ b/core/admin/mailu/ui/templates/user/edit.html
@@ -1,9 +1,9 @@
-{% extends "user/create.html" %}
+{%- extends "user/create.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Edit user{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/forward.html b/core/admin/mailu/ui/templates/user/forward.html
deleted file mode 100644
index 6059f0ed..00000000
--- a/core/admin/mailu/ui/templates/user/forward.html
+++ /dev/null
@@ -1,25 +0,0 @@
-{% extends "base.html" %}
-
-{% block title %}
-{% trans %}Forward emails{% endtrans %}
-{% endblock %}
-
-{% block subtitle %}
-{{ user }}
-{% endblock %}
-
-{% block content %}
-{% call macros.card() %}
-<form class="form" method="post" role="form">
-  {{ form.hidden_tag() }}
-  {{ macros.form_field(form.forward_enabled,
-      onchange="if(this.checked){$('#forward_destination,#forward_keep').removeAttr('disabled')}
-                else{$('#forward_destination,#forward_keep').attr('disabled', '')}") }}
-  {{ macros.form_field(form.forward_keep,
-      **{("enabled" if user.forward_enabled else "disabled"): ""}) }}
-  {{ macros.form_field(form.forward_destination,
-      **{("enabled" if user.forward_enabled else "disabled"): ""}) }}
-  {{ macros.form_field(form.submit) }}
-</form>
-{% endcall %}
-{% endblock %}
diff --git a/core/admin/mailu/ui/templates/user/list.html b/core/admin/mailu/ui/templates/user/list.html
index cfec6276..59a06ea7 100644
--- a/core/admin/mailu/ui/templates/user/list.html
+++ b/core/admin/mailu/ui/templates/user/list.html
@@ -1,19 +1,19 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}User list{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain.name }}
-{% endblock %}
+{%- endblock %}
 
-{% block main_action %}
+{%- block main_action %}
 <a class="btn btn-primary float-right" href="{{ url_for('.user_create', domain_name=domain.name) }}">{% trans %}Add user{% endtrans %}</a>
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <thead>
   <tr>
     <th>{% trans %}Actions{% endtrans %}</th>
@@ -27,8 +27,8 @@
   </tr>
 </thead>
 <tbody>
-  {% for user in domain.users %}
-  <tr {% if not user.enabled %}class="warning"{% endif %}>
+  {%- for user in domain.users %}
+  <tr{% if not user.enabled %} class="warning"{% endif %}>
     <td>
       <a href="{{ url_for('.user_edit', user_email=user.email) }}" title="{% trans %}Edit{% endtrans %}"><i class="fas fa-pencil-alt"></i></a>&nbsp;
       <a href="{{ url_for('.user_delete', user_email=user.email) }}" title="{% trans %}Delete{% endtrans %}"><i class="fa fa-trash"></i></a>
@@ -48,7 +48,7 @@
     <td>{{ user.created_at }}</td>
     <td>{{ user.updated_at or '' }}</td>
   </tr>
-  {% endfor %}
+  {%- endfor %}
 </tbody>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/password.html b/core/admin/mailu/ui/templates/user/password.html
index 0ccf8fe3..e7209f96 100644
--- a/core/admin/mailu/ui/templates/user/password.html
+++ b/core/admin/mailu/ui/templates/user/password.html
@@ -1,9 +1,9 @@
-{% extends "form.html" %}
+{%- extends "form.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Password update{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/reply.html b/core/admin/mailu/ui/templates/user/reply.html
index 74c604fa..44d09cb1 100644
--- a/core/admin/mailu/ui/templates/user/reply.html
+++ b/core/admin/mailu/ui/templates/user/reply.html
@@ -1,30 +1,23 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Automatic reply{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.card() %}
+{%- block content %}
+{%- call macros.card() %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
-  {{ macros.form_field(form.reply_enabled,
-      onchange="if(this.checked){$('#reply_subject,#reply_body,#reply_enddate,#reply_startdate').removeAttr('readonly')}
-                else{$('#reply_subject,#reply_body,#reply_enddate,#reply_startdate').attr('readonly', '')}") }}
-  {{ macros.form_field(form.reply_subject,
-      **{("rw" if user.reply_enabled else "readonly"): ""}) }}
-    {{ macros.form_field(form.reply_body, rows=10,
-        **{("rw" if user.reply_enabled else "readonly"): ""}) }}
-  {{ macros.form_field(form.reply_enddate,
-        **{("rw" if user.reply_enabled else "readonly"): ""}) }}
-  {{ macros.form_field(form.reply_startdate,
-        **{("rw" if user.reply_enabled else "readonly"): ""}) }}
-
+  {%- call macros.fieldset(
+      field=form.reply_enabled,
+      enabled=user.reply_enabled,
+      fields=[form.reply_subject, form.reply_body, form.reply_enddate, form.reply_startdate]) %}
+  {%- endcall %}
   {{ macros.form_field(form.submit) }}
 </form>
-{% endcall %}
-{% endblock %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/settings.html b/core/admin/mailu/ui/templates/user/settings.html
index 9aa672ca..c1eb47f3 100644
--- a/core/admin/mailu/ui/templates/user/settings.html
+++ b/core/admin/mailu/ui/templates/user/settings.html
@@ -1,38 +1,36 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}User settings{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ user }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
+{%- block content %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
-  
-  {% call macros.card(title=_("Displayed name")) %}
+
+  {%- call macros.card(title=_("Displayed name")) %}
   {{ macros.form_field(form.displayed_name) }}
-  {% endcall %}
+  {%- endcall %}
 
-  {% call macros.card(title=_("Antispam")) %}
-  {{ macros.form_field(form.spam_enabled) }}
+  {%- call macros.card(title=_("Antispam")) %}
+  {%- call macros.fieldset(field=form.spam_enabled, enabled=user.spam_enabled) %}
   {{ macros.form_field(form.spam_threshold, step=1, max=100,
-      prepend='<span class="input-group-text"><span id="threshold">'+form.spam_threshold.data.__str__()+'</span>&nbsp;/&nbsp;100</span>',
-      oninput='$("#threshold").text(this.value);') }}
-  {% endcall %}
+     prepend='<span class="input-group-text"><span id="spam_threshold_value"></span>&nbsp;/&nbsp;100</span>') }}
+  {%- endcall %}
+  {%- endcall %}
 
-  {% call macros.card(title=_("Auto-forward")) %}
-  {{ macros.form_field(form.forward_enabled,
-      onchange="if(this.checked){$('#forward_destination,#forward_keep').removeAttr('disabled')}
-                else{$('#forward_destination,#forward_keep').attr('disabled', '')}") }}
-  {{ macros.form_field(form.forward_keep,
-      **{("enabled" if user.forward_enabled else "disabled"): ""}) }}
-  {{ macros.form_field(form.forward_destination,
-      **{("enabled" if user.forward_enabled else "disabled"): ""}) }}
-  {% endcall %}
+  {%- call macros.card(title=_("Auto-forward")) %}
+  {%- call macros.fieldset(
+      field=form.forward_enabled,
+      enabled=user.forward_enabled,
+      fields=[form.forward_keep, form.forward_destination]) %}
+  {%- endcall %}
+  {%- endcall %}
 
   {{ macros.form_field(form.submit) }}
 </form>
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/signup.html b/core/admin/mailu/ui/templates/user/signup.html
index 1157cfa3..51f89686 100644
--- a/core/admin/mailu/ui/templates/user/signup.html
+++ b/core/admin/mailu/ui/templates/user/signup.html
@@ -1,23 +1,23 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Sign up{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {{ domain }}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
+{%- block content %}
 <form class="form" method="post" role="form">
   {{ form.hidden_tag() }}
-  {% call macros.card() %}
+  {%- call macros.card() %}
   {{ macros.form_field(form.localpart, append='<span class="input-group-text">@'+domain.name+'</span>') }}
   {{ macros.form_fields((form.pw, form.pw2)) }}
-  {% if form.captcha %}
+  {%- if form.captcha %}
     {{ macros.form_field(form.captcha) }}
-  {% endif %}
+  {%- endif %}
   {{ macros.form_field(form.submit) }}
-  {% endcall %}
+  {%- endcall %}
 </form>
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/user/signup_domain.html b/core/admin/mailu/ui/templates/user/signup_domain.html
index 1cb65ae8..a7db4c97 100644
--- a/core/admin/mailu/ui/templates/user/signup_domain.html
+++ b/core/admin/mailu/ui/templates/user/signup_domain.html
@@ -1,26 +1,26 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block title %}
+{%- block title %}
 {% trans %}Sign up{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block subtitle %}
+{%- block subtitle %}
 {% trans %}pick a domain for the new account{% endtrans %}
-{% endblock %}
+{%- endblock %}
 
-{% block content %}
-{% call macros.table() %}
+{%- block content %}
+{%- call macros.table() %}
 <tr>
   <th>{% trans %}Domain{% endtrans %}</th>
   <th>{% trans %}Available slots{% endtrans %}</th>
   <th>{% trans %}Quota{% endtrans %}</th>
 </tr>
-{% for domain_name, domain in available_domains.items() %}
+{%- for domain_name, domain in available_domains.items() %}
 <tr>
   <td><a href="{{ url_for('.user_signup', domain_name=domain_name) }}">{{ domain_name }}</a></td>
   <td>{{ '∞' if domain.max_users == -1 else domain.max_users - (domain.users | count)}}</td>
   <td>{{ domain.max_quota_bytes or config['DEFAULT_QUOTA'] | filesizeformat }}</td>
 </tr>
-{% endfor %}
-{% endcall %}
-{% endblock %}
+{%- endfor %}
+{%- endcall %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/templates/working.html b/core/admin/mailu/ui/templates/working.html
index 29243e20..65c26530 100644
--- a/core/admin/mailu/ui/templates/working.html
+++ b/core/admin/mailu/ui/templates/working.html
@@ -1,5 +1,5 @@
-{% extends "base.html" %}
+{%- extends "base.html" %}
 
-{% block content %}
+{%- block content %}
 <div class="alert alert-warning" role="alert">{% trans %}We are still working on this feature!{% endtrans %}</div>
-{% endblock %}
+{%- endblock %}
diff --git a/core/admin/mailu/ui/views/base.py b/core/admin/mailu/ui/views/base.py
index eb5490bc..ecd3089a 100644
--- a/core/admin/mailu/ui/views/base.py
+++ b/core/admin/mailu/ui/views/base.py
@@ -57,3 +57,8 @@ def webmail():
 @ui.route('/client', methods=['GET'])
 def client():
     return flask.render_template('client.html')
+
+@ui.route('/antispam', methods=['GET'])
+def antispam():
+    return flask.render_template('antispam.html')
+
diff --git a/core/admin/mailu/ui/views/languages.py b/core/admin/mailu/ui/views/languages.py
index 9fb87d5c..121431b4 100644
--- a/core/admin/mailu/ui/views/languages.py
+++ b/core/admin/mailu/ui/views/languages.py
@@ -2,8 +2,8 @@ from mailu.ui import ui, forms, access
 
 import flask
 
-
-@ui.route('/language/<language>', methods=['GET'])
+@ui.route('/language/<language>', methods=['POST'])
 def set_language(language=None):
     flask.session['language'] = language
-    return flask.redirect(flask.url_for('.user_settings'))
+    return flask.Response(status=200)
+
diff --git a/core/admin/mailu/ui/views/users.py b/core/admin/mailu/ui/views/users.py
index 2784fe53..8790977b 100644
--- a/core/admin/mailu/ui/views/users.py
+++ b/core/admin/mailu/ui/views/users.py
@@ -129,23 +129,6 @@ def user_password(user_email):
     return flask.render_template('user/password.html', form=form, user=user)
 
 
-@ui.route('/user/forward', methods=['GET', 'POST'], defaults={'user_email': None})
-@ui.route('/user/forward/<path:user_email>', methods=['GET', 'POST'])
-@access.owner(models.User, 'user_email')
-def user_forward(user_email):
-    user_email_or_current = user_email or flask_login.current_user.email
-    user = models.User.query.get(user_email_or_current) or flask.abort(404)
-    form = forms.UserForwardForm(obj=user)
-    if form.validate_on_submit():
-        form.populate_obj(user)
-        models.db.session.commit()
-        flask.flash('Forward destination updated for %s' % user)
-        if user_email:
-            return flask.redirect(
-                flask.url_for('.user_list', domain_name=user.domain.name))
-    return flask.render_template('user/forward.html', form=form, user=user)
-
-
 @ui.route('/user/reply', methods=['GET', 'POST'], defaults={'user_email': None})
 @ui.route('/user/reply/<path:user_email>', methods=['GET', 'POST'])
 @access.owner(models.User, 'user_email')
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index b1279d9e..766a7abb 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -46,15 +46,10 @@ babel = flask_babel.Babel()
 @babel.localeselector
 def get_locale():
     """ selects locale for translation """
-    translations = list(map(str, babel.list_translations()))
-    flask.session['available_languages'] = translations
-
-    try:
-        language = flask.session['language']
-    except KeyError:
-        language = flask.request.accept_languages.best_match(translations)
+    language = flask.session.get('language')
+    if not language in flask.current_app.config.translations:
+        language = flask.request.accept_languages.best_match(flask.current_app.config.translations.keys())
         flask.session['language'] = language
-
     return language
 
 
@@ -450,7 +445,7 @@ class MailuSessionExtension:
                 with cleaned.get_lock():
                     if not cleaned.value:
                         cleaned.value = True
-                        flask.current_app.logger.error('cleaning')
+                        flask.current_app.logger.info('cleaning')
                         MailuSessionExtension.cleanup_sessions(app)
 
             app.before_first_request(cleaner)
diff --git a/core/admin/package.json b/core/admin/package.json
index d45dcb94..741482ab 100644
--- a/core/admin/package.json
+++ b/core/admin/package.json
@@ -12,20 +12,19 @@
   "author": "",
   "license": "ISC",
   "dependencies": {
-    "@babel/core": "^7.15.0",
-    "@babel/preset-env": "^7.15.0",
     "admin-lte": "^3.1.0",
     "babel-loader": "^8.2.2",
+    "clipboard": "^2.0.8",
+    "compression-webpack-plugin": "^8.0.1",
     "css-loader": "^6.2.0",
-    "expose-loader": "^3.0.0",
-    "jquery": "^3.6.0",
-    "less": "^4.1.1",
+    "css-minimizer-webpack-plugin": "^3.0.2",
+    "datatables.net-plugins": "^1.10.24",
+    "import-glob": "^1.5.0",
     "less-loader": "^10.0.1",
     "mini-css-extract-plugin": "^2.2.0",
-    "node-sass": "^6.0.1",
+    "sass": "<1.33.0",
     "sass-loader": "^12.1.0",
-    "select2": "^4.0.13",
-    "webpack": "^5.50.0",
-    "webpack-cli": "^4.7.2"
+    "terser-webpack-plugin": "^5.2.0",
+    "webpack-cli": "^4.8.0"
   }
 }
diff --git a/core/admin/requirements-prod.txt b/core/admin/requirements-prod.txt
index 88ff2981..3406122d 100644
--- a/core/admin/requirements-prod.txt
+++ b/core/admin/requirements-prod.txt
@@ -20,7 +20,7 @@ Flask-Migrate==2.4.0
 Flask-Script==2.0.6
 Flask-SQLAlchemy==2.4.0
 Flask-WTF==0.14.2
-gunicorn==19.9.0
+gunicorn==20.1.0
 idna==2.8
 infinity==1.4
 intervals==0.8.1
diff --git a/core/admin/webpack.config.js b/core/admin/webpack.config.js
index 3e823fa9..25c966c1 100644
--- a/core/admin/webpack.config.js
+++ b/core/admin/webpack.config.js
@@ -1,65 +1,76 @@
-var path = require("path");
-var webpack = require("webpack");
-var css = require("mini-css-extract-plugin");
+const path = require('path');
+const webpack = require('webpack');
+const css = require('mini-css-extract-plugin');
+const mini = require('css-minimizer-webpack-plugin');
+const terse = require('terser-webpack-plugin');
+const compress = require('compression-webpack-plugin');
 
 module.exports = {
-    mode: "development",
+    mode: 'production',
     entry: {
-        app: "./assets/app.js",
-        vendor: "./assets/vendor.js"
+        app: {
+            import: './assets/app.js',
+            dependOn: 'vendor',
+        },
+        vendor: './assets/vendor.js',
     },
     output: {
-        path: path.resolve(__dirname, "static/"),
-        filename: "[name].js"
+        path: path.resolve(__dirname, 'static/'),
+        filename: '[name].js',
+        assetModuleFilename: '[name][ext]',
     },
     module: {
         rules: [
             {
                 test: /\.js$/,
-                use: ['babel-loader']
+                use: ['babel-loader', 'import-glob'],
             },
             {
-                test: /\.scss$/,
-                use: [css.loader, 'css-loader', 'sass-loader']
+                test: /\.s?css$/i,
+                use: [css.loader, 'css-loader', 'sass-loader'],
             },
             {
-                test: /\.less$/,
-                use: [css.loader, 'css-loader', 'less-loader']
+                test: /\.less$/i,
+                use: [css.loader, 'css-loader', 'less-loader'],
             },
             {
-                test: /\.css$/,
-                use: [css.loader, 'css-loader']
+                test: /\.(json|png|svg|jpg|jpeg|gif)$/i,
+                type: 'asset/resource',
             },
-            {
-                // Exposes jQuery for use outside Webpack build
-                test: require.resolve('jquery'),
-                use: [{
-                    loader: 'expose-loader',
-                    options: {
-                      exposes: [
-                        {
-                          globalName: '$',
-                          override: true,
-                        },
-                        {
-                          globalName: 'jQuery',
-                          override: true,
-                        },
-                      ] 
-                    },               
-                }]
-            }
-        ]
+        ],
     },
     plugins: [
-	      new css({
-	          filename: "[name].css",
-	          chunkFilename: "[id].css"
-	      }),
+        new css({
+            filename: '[name].css',
+            chunkFilename: '[id].css',
+        }),
         new webpack.ProvidePlugin({
-            $: "jquery",
-            jQuery: "jquery"
-        })
-    ]
-}
-
+            $: 'jquery',
+            jQuery: 'jquery',
+            ClipboardJS: 'clipboard',
+        }),
+        new compress({
+            filename: '[path][base].gz',
+            algorithm: "gzip",
+            exclude: /\.(png|gif|jpe?g)$/,
+            threshold: 5120,
+            minRatio: 0.8,
+            deleteOriginalAssets: false,
+        }),
+    ],
+    optimization: {
+        minimize: true,
+        minimizer: [
+            new terse(),
+            new mini({
+                minimizerOptions: {
+                    preset: [
+                        'default', {
+                            discardComments: { removeAll: true },
+                        },
+                    ],
+                },
+            }),
+        ],
+    },
+};

From 8cdd7e911d79ba941931c54f1ef4b3eb803de1e1 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 2 Sep 2021 23:36:49 +0200
Subject: [PATCH 26/53] duh. removed debug

---
 core/admin/mailu/models.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index 6b0791ad..86e285d0 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -265,7 +265,7 @@ class Domain(Base):
     def dns_tlsa(self):
         """ return TLSA record for domain when using letsencrypt """
         hostname = app.config['HOSTNAME']
-        if True: #app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'):
+        if app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'):
             # current ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) @20210902
             return f'_25._tcp.{hostname}. 600 IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3'
 

From 7fd605cc21394fd05f8c21b6adb80095a4e05c97 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Fri, 3 Sep 2021 13:41:33 +0200
Subject: [PATCH 27/53] fixed brand link target for normal users

---
 core/admin/mailu/ui/templates/base.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/ui/templates/base.html b/core/admin/mailu/ui/templates/base.html
index acef4b86..8571467d 100644
--- a/core/admin/mailu/ui/templates/base.html
+++ b/core/admin/mailu/ui/templates/base.html
@@ -45,7 +45,7 @@
         </ul>
       </nav>
       <aside class="main-sidebar sidebar-dark-primary nav-compact elevation-4">
-        <a href="{{ url_for('.domain_list') }}" class="brand-link bg-primary">
+        <a href="{{ url_for('.domain_list' if current_user.manager_of or current_user.global_admin else '.user_settings') }}" class="brand-link bg-primary">
           <img src="{{ url_for('.static', filename='mailu.png') }}" width="33" height="33" alt="Mailu" class="brand-image mailu-logo img-circle elevation-3">
           <span class="brand-text font-weight-light">{{ config["SITENAME"] }}</span>
         </a>

From 72ba5ca3f96d065957a2b1dafff92a86e6c76e59 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Fri, 3 Sep 2021 21:59:53 +0200
Subject: [PATCH 28/53] fix 1789: ensure that nginx resolves ipv4 addresses

---
 core/nginx/conf/nginx.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 9ce12980..76f88f21 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -18,7 +18,7 @@ http {
     keepalive_timeout  65;
     server_tokens off;
     absolute_redirect off;
-    resolver {{ RESOLVER }} valid=30s;
+    resolver {{ RESOLVER }} ipv6=off valid=30s;
 
     {% if REAL_IP_HEADER %}
     real_ip_header {{ REAL_IP_HEADER }};
@@ -233,7 +233,7 @@ mail {
     server_name {{ HOSTNAMES.split(",")[0] }};
     auth_http http://127.0.0.1:8000/auth/email;
     proxy_pass_error_message on;
-    resolver {{ RESOLVER }} valid=30s;
+    resolver {{ RESOLVER }} ipv6=off valid=30s;
 
     {% if TLS and not TLS_ERROR %}
     include /etc/nginx/tls.conf;

From a9a1b3e55e36f9dc90713c7bff1b24252da307c2 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 5 Sep 2021 15:28:59 +0200
Subject: [PATCH 29/53] Reduce the EDNS0 size to 1232

@see
https://github.com/dns-violations/dnsflagday/issues/125
---
 core/admin/mailu/utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index e8e58100..b6495a53 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -41,7 +41,7 @@ def handle_needs_login():
 
 # DNS stub configured to do DNSSEC enabled queries
 resolver = dns.resolver.Resolver()
-resolver.use_edns(0, 0, 1500)
+resolver.use_edns(0, 0, 1232)
 resolver.flags = dns.flags.AD | dns.flags.RD
 
 def has_dane_record(domain, timeout=10):

From 4c4031ab7457205fac1075b58a05bed62839b2da Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Sun, 5 Sep 2021 17:48:02 +0200
Subject: [PATCH 30/53] added feature file

---
 towncrier/newsfragments/1966.feature | 33 ++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 towncrier/newsfragments/1966.feature

diff --git a/towncrier/newsfragments/1966.feature b/towncrier/newsfragments/1966.feature
new file mode 100644
index 00000000..e379df0b
--- /dev/null
+++ b/towncrier/newsfragments/1966.feature
@@ -0,0 +1,33 @@
+AdminLTE3 design optimizations, asset compression and caching
+
+- fixed copy of qemu-arm-static for alpine
+- added 'set -eu' safeguard
+- silenced npm update notification
+- added color to webpack call
+- changed Admin-LTE default blue
+- AdminLTE 3 style tweaks
+- localized datatables
+- moved external javascript code to vendor.js
+- added mailu logo
+- moved all inline javascript to app.js
+- added iframe display of rspamd page
+- updated language-selector to display full language names and use post
+- added fieldset to group and en/disable input fields
+- added clipboard copy buttons
+- cleaned external javascript imports
+- pre-split first hostname for further use
+- cache dns_* properties of domain object (immutable during runtime)
+- fixed and splitted dns_dkim property of domain object (space missing)
+- added autoconfig and tlsa properties to domain object
+- suppressed extra vertical spacing in jinja2 templates
+- improved accessibility for screen reader
+- deleted unused/broken /user/forward route
+- updated gunicorn to 20.1.0 to get rid of buffering error at startup
+- switched webpack to production mode
+- added css and javascript minimization
+- added pre-compression of assets (gzip)
+- removed obsolete dependencies
+- switched from node-sass to dart-sass
+- changed startup cleaning message from error to info
+- move client config to "my account" section when logged in
+

From 7bede55fce7bb7661987a3768f93becf1fe9e9bf Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Sun, 5 Sep 2021 17:48:20 +0200
Subject: [PATCH 31/53] more verbose cleaning message

---
 core/admin/mailu/utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 766a7abb..ebb55e3b 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -445,7 +445,7 @@ class MailuSessionExtension:
                 with cleaned.get_lock():
                     if not cleaned.value:
                         cleaned.value = True
-                        flask.current_app.logger.info('cleaning')
+                        flask.current_app.logger.info('cleaning session store')
                         MailuSessionExtension.cleanup_sessions(app)
 
             app.before_first_request(cleaner)

From 9888efe55dddbb789e40be1bb7da5412361653fe Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 5 Sep 2021 18:23:08 +0200
Subject: [PATCH 32/53] Document as suggested on #mailu-dev

---
 core/postfix/start.py |  5 ++---
 docs/faq.rst          | 16 ++++++++++++++++
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/core/postfix/start.py b/core/postfix/start.py
index 19c23c19..9f35cf73 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -80,9 +80,8 @@ if os.path.exists("/overrides/mta-sts-daemon.yml"):
 conf.jinja("/etc/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
 
 if not os.path.exists("/etc/postfix/tls_policy.map.lmdb"):
-    with open("/etc/postfix/tls_policy.map", "w") as f:
-        for domain in ['example.com']:
-            f.write(f'{domain}\tsecure\n')
+    with open("/etc/postfix/tls_policy.map", "a") as f:
+        pass
     os.system("postmap /etc/postfix/tls_policy.map")
 
 if "RELAYUSER" in os.environ:
diff --git a/docs/faq.rst b/docs/faq.rst
index 43fb8606..01557237 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -422,6 +422,22 @@ Any mail related connection is proxied by nginx. Therefore the SMTP Banner is al
 
 .. _`1368`: https://github.com/Mailu/Mailu/issues/1368
 
+My emails are getting defered, what can I do?
+`````````````````````````````````````````````
+
+Emails are asynchronous and it's not abnormal for them to be defered sometimes. That being said, Mailu enforces secure connections where possible using DANE and MTA-STS, both of which have the potential to delay indefinitely delivery if something is misconfigured.
+
+If delivery to a specific domain fails because their DANE records are invalid or their TLS configuration inadequate (expired certificate, ...), you can assist delivery by downgrading the security level for that domain by creating an override at ``overrides/postfix/tls_policy.map`` as follow:
+
+.. code-block:: bash
+
+   domain.example.com   may
+   domain.example.org   encrypt
+
+The syntax and options are as described in `postfix's documentation`_. Re-creating the smtp container will be required for changes to take effect.
+
+.. _`postfix's documentation`: http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
+
 403 - Access Denied Errors
 ---------------------------
 

From 0f0459e9b2e445e27fead761d90460e68b3ea96c Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 5 Sep 2021 18:49:07 +0200
Subject: [PATCH 33/53] suggestions from @ghostwheel42

---
 core/admin/mailu/utils.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index b6495a53..96368b57 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -47,7 +47,7 @@ resolver.flags = dns.flags.AD | dns.flags.RD
 def has_dane_record(domain, timeout=10):
     try:
         result = resolver.query(f'_25._tcp.{domain}', dns.rdatatype.TLSA,dns.rdataclass.IN, lifetime=timeout)
-        if (result.response.flags & dns.flags.AD) == dns.flags.AD:
+        if result.response.flags & dns.flags.AD):
             for record in result:
                 if isinstance(record, dns.rdtypes.ANY.TLSA.TLSA):
                     record.validate()
@@ -57,8 +57,14 @@ def has_dane_record(domain, timeout=10):
         # If the DNSSEC data is invalid and the DNS resolver is DNSSEC enabled
         # we will receive this non-specific exception. The safe behaviour is to
         # accept to defer the email.
+        flask.current_app.logger.warn(f'Unable to lookup the TLSA record for {domain}. Is the DNSSEC zone okay on https://dnsviz.net/d/{domain}/dnssec/?')
         return app.config['DEFER_ON_TLS_ERROR']
-    except:
+    except dns.exception.Timeout:
+        flask.current_app.logger.warn(f'Timeout while resolving the TLSA record for {domain} ({timeout}s).')
+    except dns.resolver.NXDOMAIN:
+        pass # this is expected, not TLSA record is fine
+    except Exception as e:
+        flask.current_app.logger.error(f'Error while looking up the TLSA record for {domain} {e}')
         pass
 
 # Rate limiter

From 0ee52ba65b867b70fce9e2e276564823deb14de9 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 5 Sep 2021 19:03:54 +0200
Subject: [PATCH 34/53] Doh

---
 core/admin/mailu/utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 96368b57..506b3e7e 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -47,7 +47,7 @@ resolver.flags = dns.flags.AD | dns.flags.RD
 def has_dane_record(domain, timeout=10):
     try:
         result = resolver.query(f'_25._tcp.{domain}', dns.rdatatype.TLSA,dns.rdataclass.IN, lifetime=timeout)
-        if result.response.flags & dns.flags.AD):
+        if result.response.flags & dns.flags.AD:
             for record in result:
                 if isinstance(record, dns.rdtypes.ANY.TLSA.TLSA):
                     record.validate()

From 7aa403573d61ed8a2492089d0bbeae8da7859bdd Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sun, 5 Sep 2021 19:06:20 +0200
Subject: [PATCH 35/53] no with here

---
 core/postfix/start.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/core/postfix/start.py b/core/postfix/start.py
index 9f35cf73..3de83a63 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -80,8 +80,7 @@ if os.path.exists("/overrides/mta-sts-daemon.yml"):
 conf.jinja("/etc/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
 
 if not os.path.exists("/etc/postfix/tls_policy.map.lmdb"):
-    with open("/etc/postfix/tls_policy.map", "a") as f:
-        pass
+    open("/etc/postfix/tls_policy.map", "a").close()
     os.system("postmap /etc/postfix/tls_policy.map")
 
 if "RELAYUSER" in os.environ:

From 90c96bdddc5377d9fc2216ef47bc2e09836d9a7b Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Sun, 5 Sep 2021 19:47:10 +0200
Subject: [PATCH 36/53] optimize handle_authentication

- catch decoding of nginx headers (utf-8 exception)
- re-ordered function
---
 core/admin/mailu/internal/nginx.py | 49 ++++++++++++++++--------------
 1 file changed, 26 insertions(+), 23 deletions(-)

diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index 5e60cd0c..167341e2 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -71,16 +71,6 @@ def handle_authentication(headers):
             }
     # Authenticated user
     elif method == "plain":
-        server, port = get_server(headers["Auth-Protocol"], True)
-        # According to RFC2616 section 3.7.1 and PEP 3333, HTTP headers should
-        # be ASCII and are generally considered ISO8859-1. However when passing
-        # the password, nginx does not transcode the input UTF string, thus
-        # we need to manually decode.
-        raw_user_email = urllib.parse.unquote(headers["Auth-User"])
-        user_email = raw_user_email.encode("iso8859-1").decode("utf8")
-        raw_password = urllib.parse.unquote(headers["Auth-Pass"])
-        password = raw_password.encode("iso8859-1").decode("utf8")
-        ip = urllib.parse.unquote(headers["Client-Ip"])
         service_port = int(urllib.parse.unquote(headers["Auth-Port"]))
         if service_port == 25:
             return {
@@ -88,20 +78,33 @@ def handle_authentication(headers):
                 "Auth-Error-Code": "502 5.5.1",
                 "Auth-Wait": 0
             }
-        user = models.User.query.get(user_email)
-        if check_credentials(user, password, ip, protocol):
-            return {
-                "Auth-Status": "OK",
-                "Auth-Server": server,
-                "Auth-Port": port
-            }
+        # According to RFC2616 section 3.7.1 and PEP 3333, HTTP headers should
+        # be ASCII and are generally considered ISO8859-1. However when passing
+        # the password, nginx does not transcode the input UTF string, thus
+        # we need to manually decode.
+        raw_user_email = urllib.parse.unquote(headers["Auth-User"])
+        raw_password = urllib.parse.unquote(headers["Auth-Pass"])
+        try:
+            user_email = raw_user_email.encode("iso8859-1").decode("utf8")
+            password = raw_password.encode("iso8859-1").decode("utf8")
+        except:
+            app.logger.warn(f'Received undecodable user/password from nginx: {raw_user_email!r}/{raw_password!r}')
         else:
-            status, code = get_status(protocol, "authentication")
-            return {
-                "Auth-Status": status,
-                "Auth-Error-Code": code,
-                "Auth-Wait": 0
-            }
+            user = models.User.query.get(user_email)
+            ip = urllib.parse.unquote(headers["Client-Ip"])
+            if check_credentials(user, password, ip, protocol):
+                server, port = get_server(headers["Auth-Protocol"], True)
+                return {
+                    "Auth-Status": "OK",
+                    "Auth-Server": server,
+                    "Auth-Port": port
+                }
+        status, code = get_status(protocol, "authentication")
+        return {
+            "Auth-Status": status,
+            "Auth-Error-Code": code,
+            "Auth-Wait": 0
+        }
     # Unexpected
     return {}
 

From d8b4a016af54bca227c929bf1745e6a9525191f2 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 6 Sep 2021 08:41:49 +0200
Subject: [PATCH 37/53] use blue color from https://mailu.io/

---
 core/admin/Dockerfile     | 2 +-
 core/admin/assets/app.css | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/admin/Dockerfile b/core/admin/Dockerfile
index edb8c1fd..3ac4fcd4 100644
--- a/core/admin/Dockerfile
+++ b/core/admin/Dockerfile
@@ -12,7 +12,7 @@ RUN set -eu \
 COPY webpack.config.js ./
 COPY assets ./assets
 RUN set -eu \
- && sed -i 's/#007bff/#367fa9/' node_modules/admin-lte/build/scss/_bootstrap-variables.scss \
+ && sed -i 's/#007bff/#55a5d9/' node_modules/admin-lte/build/scss/_bootstrap-variables.scss \
  && for l in ca da de:de_de en:en-gb es:es_es eu fr:fr_fr he hu is it:it_it ja nb_NO:no_nb nl:nl_nl pl pt:pt_pt ru sv:sv_se zh_CN:zh; do \
       cp node_modules/datatables.net-plugins/i18n/${l#*:}.json assets/${l%:*}.json; \
     done \
diff --git a/core/admin/assets/app.css b/core/admin/assets/app.css
index 12df605c..3886b5c1 100644
--- a/core/admin/assets/app.css
+++ b/core/admin/assets/app.css
@@ -2,6 +2,9 @@
 .mailu-logo {
   opacity: .8;
 }
+.bg-mailu-logo {
+  background-color: #2980b9!important;
+}
 
 /* user image */
 .div-circle {

From 0094268410ceeca3bfec7f04afb925215d58a22a Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 6 Sep 2021 09:08:51 +0200
Subject: [PATCH 38/53] allow to change logo. default color for flash msg

- two new environment variables allow to change logo background color
  and graphic
- flash messages are now green (not cyan)
---
 core/admin/mailu/configuration.py       |  2 ++
 core/admin/mailu/ui/templates/base.html | 20 ++++++++++----------
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 419dc18d..1f13f896 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -56,6 +56,8 @@ DEFAULT_CONFIG = {
     'WEBMAIL': 'none',
     'RECAPTCHA_PUBLIC_KEY': '',
     'RECAPTCHA_PRIVATE_KEY': '',
+    'LOGO_URL': None,
+    'LOGO_BACKGROUND': None,
     # Advanced settings
     'LOG_LEVEL': 'WARNING',
     'SESSION_KEY_BITS': 128,
diff --git a/core/admin/mailu/ui/templates/base.html b/core/admin/mailu/ui/templates/base.html
index 8571467d..fc27d12b 100644
--- a/core/admin/mailu/ui/templates/base.html
+++ b/core/admin/mailu/ui/templates/base.html
@@ -19,7 +19,7 @@
             <a class="nav-link" data-widget="pushmenu" href="#" role="button"><i class="fas fa-bars" title="{% trans %}toggle sidebar{% endtrans %}" aria-expanded="false"></i><span class="sr-only">{% trans %}toggle sidebar{% endtrans %}</span></a>
           </li>
           <li class="nav-item">
-            {%- for page, url in path %}
+          {%- for page, url in path %}
             {%- if loop.index > 1 %}
             <i class="fas fa-greater-than text-xs text-gray" aria-hidden="true"></i>
             {%- endif %}
@@ -28,25 +28,25 @@
             {%- else %}
             <span class="nav-link d-inline-block">{{ page }}</span>
             {%- endif %}
-            {%- endfor %}
+          {%- endfor %}
           </li>
         </ul>
         <ul class="navbar-nav ml-auto">
           <li class="nav-item dropdown">
             <a class="nav-link" data-toggle="dropdown" href="#" aria-expanded="false">
-                <i class="fas fa-language text-xl" aria-hidden="true" title="{% trans %}change language{% endtrans %}"></i><span class="sr-only">Language</span>
-                <span class="badge badge-primary navbar-badge">{{ session['language'] }}</span></a>
+              <i class="fas fa-language text-xl" aria-hidden="true" title="{% trans %}change language{% endtrans %}"></i><span class="sr-only">Language</span>
+              <span class="badge badge-primary navbar-badge">{{ session['language'] }}</span></a>
             <div class="dropdown-menu dropdown-menu-right p-0" id="mailu-languages">
-              {%- for locale in config.translations.values() %}
-                <a class="dropdown-item{% if locale.language == session['language'] %} active{% endif %}" href="{{ url_for('.set_language', language=locale.language) }}">{{ locale.get_language_name().title() }}</a>
-              {%- endfor %}
+            {%- for locale in config.translations.values() %}
+              <a class="dropdown-item{% if locale.language == session['language'] %} active{% endif %}" href="{{ url_for('.set_language', language=locale.language) }}">{{ locale.get_language_name().title() }}</a>
+            {%- endfor %}
             </div>
           </li>
         </ul>
       </nav>
       <aside class="main-sidebar sidebar-dark-primary nav-compact elevation-4">
-        <a href="{{ url_for('.domain_list' if current_user.manager_of or current_user.global_admin else '.user_settings') }}" class="brand-link bg-primary">
-          <img src="{{ url_for('.static', filename='mailu.png') }}" width="33" height="33" alt="Mailu" class="brand-image mailu-logo img-circle elevation-3">
+        <a href="{{ url_for('.domain_list' if current_user.manager_of or current_user.global_admin else '.user_settings') }}" class="brand-link bg-mailu-logo"{% if config["LOGO_BACKGROUND"] %} style="background-color:{{ config["LOGO_BACKGROUND"] }}!important;"{% endif %}>
+          <img src="{{ config["LOGO_URL"] if config["LOGO_URL"] else url_for('.static', filename='mailu.png') }}" width="33" height="33" alt="Mailu" class="brand-image mailu-logo img-circle elevation-3">
           <span class="brand-text font-weight-light">{{ config["SITENAME"] }}</span>
         </a>
         {%- include "sidebar.html" %}
@@ -66,7 +66,7 @@
           </div>
         </section>
         <div class="content">
-          {{ utils.flashed_messages(container=False) }}
+          {{ utils.flashed_messages(container=False, default_category='success') }}
           {%- block content %}{%- endblock %}
         </div>
       </div>

From 698ee4e5211fe7f0d1c1b3ac24714023c2bc59e0 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 6 Sep 2021 09:10:59 +0200
Subject: [PATCH 39/53] added tiff and webp to list of cached content

---
 core/nginx/conf/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 616ddcc1..5a86c34a 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -35,7 +35,7 @@ http {
     }
     map $uri $expires {
       default off;
-      ~*\.(ico|css|js|gif|jpeg|jpg|png|woff|ttf|otf|svg|woff2|eot)$ 97d;
+      ~*\.(ico|css|js|gif|jpeg|jpg|png|woff2?|ttf|otf|svg|tiff|eot|webp)$ 97d;
     }
 
     # compression

From b445d9ddd168948ccacb760ab96fd27c33033042 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 6 Sep 2021 13:45:48 +0200
Subject: [PATCH 40/53] set expire headers only for mailu content

also moved robots.txt from config to static folder.
---
 core/nginx/conf/nginx.conf   | 16 ++--------------
 core/nginx/static/robots.txt |  2 ++
 2 files changed, 4 insertions(+), 14 deletions(-)
 create mode 100644 core/nginx/static/robots.txt

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 5a86c34a..4c31674c 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -57,11 +57,6 @@ http {
           proxy_pass http://127.0.0.1:8008;
       }
       {% endif %}
-      # robots.txt
-      location = /robots.txt {
-        add_header Content-Type text/plain;
-        return 200 "User-agent: *\nDisallow: /\n";
-      }
       # redirect to https
       location / {
         return 301 https://$host$request_uri;
@@ -111,8 +106,6 @@ http {
       # Remove headers to prevent duplication and information disclosure
       proxy_hide_header X-XSS-Protection;
       proxy_hide_header X-Powered-By;
-      
-      expires $expires;
 
       add_header X-Frame-Options 'SAMEORIGIN';
       add_header X-Content-Type-Options 'nosniff';
@@ -132,18 +125,12 @@ http {
         return 403;
       }
       {% else %}
-
-      # robots.txt
-      location = /robots.txt {
-        add_header Content-Type text/plain;
-        return 200 "User-agent: *\nDisallow: /\n";
-      }
-
       include /overrides/*.conf;
 
       # Actual logic
       {% if WEB_WEBMAIL != '/' and WEBROOT_REDIRECT != 'none' %}
       location / {
+        expires $expires;
       {% if WEBROOT_REDIRECT %}
         try_files $uri {{ WEBROOT_REDIRECT }};
       {% else %}
@@ -198,6 +185,7 @@ http {
         include /etc/nginx/proxy.conf;
         proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }};
         proxy_pass http://$admin;
+        expires $expires;
       }
 
       location {{ WEB_ADMIN }}/antispam {
diff --git a/core/nginx/static/robots.txt b/core/nginx/static/robots.txt
new file mode 100644
index 00000000..1f53798b
--- /dev/null
+++ b/core/nginx/static/robots.txt
@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /

From 6c510e2e86bbb1ff782c0355d9671058f74805e3 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 6 Sep 2021 13:48:13 +0200
Subject: [PATCH 41/53] enabled caching via .htaccess

---
 webmails/roundcube/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/webmails/roundcube/Dockerfile b/webmails/roundcube/Dockerfile
index 4d3e36df..f4399f70 100644
--- a/webmails/roundcube/Dockerfile
+++ b/webmails/roundcube/Dockerfile
@@ -38,7 +38,8 @@ RUN apt-get update && apt-get install -y \
  && sed -i 's,^php_value.*post_max_size,#&,g' .htaccess \
  && sed -i 's,^php_value.*upload_max_filesize,#&,g' .htaccess \
  && chown -R www-data: logs temp \
- && rm -rf /var/lib/apt/lists
+ && rm -rf /var/lib/apt/lists \
+ && a2enmod rewrite deflate expires headers
 
 COPY php.ini /php.ini
 COPY config.inc.php /var/www/html/config/

From a319ecde297c8840c26f43a35bd027a1802ee52d Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 6 Sep 2021 13:52:35 +0200
Subject: [PATCH 42/53] also precompress static txt files

---
 core/nginx/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/nginx/Dockerfile b/core/nginx/Dockerfile
index 8b5be4f8..3b10b8b8 100644
--- a/core/nginx/Dockerfile
+++ b/core/nginx/Dockerfile
@@ -16,7 +16,7 @@ COPY conf /conf
 COPY static /static
 COPY *.py /
 
-RUN gzip -k9 /static/*.ico
+RUN gzip -k9 /static/*.ico /static/*.txt
 
 EXPOSE 80/tcp 443/tcp 110/tcp 143/tcp 465/tcp 587/tcp 993/tcp 995/tcp 25/tcp 10025/tcp 10143/tcp
 VOLUME ["/certs"]

From 45a2be37663c3208cab131cc69a682c0596d5444 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 6 Sep 2021 18:42:50 +0200
Subject: [PATCH 43/53] Updated Polish translation.

Used pl/LC_MESSAGES/messages.po from PR#1751 created by martys71
---
 .../translations/pl/LC_MESSAGES/messages.po   | 680 +++++++++---------
 1 file changed, 347 insertions(+), 333 deletions(-)

diff --git a/core/admin/mailu/translations/pl/LC_MESSAGES/messages.po b/core/admin/mailu/translations/pl/LC_MESSAGES/messages.po
index cec7a4a0..664ff571 100644
--- a/core/admin/mailu/translations/pl/LC_MESSAGES/messages.po
+++ b/core/admin/mailu/translations/pl/LC_MESSAGES/messages.po
@@ -1,188 +1,287 @@
 msgid ""
 msgstr ""
-"Project-Id-Version: Mailu\n"
+"Project-Id-Version:  Mailu\n"
+"POT-Creation-Date: 2021-02-05 16:34+0100\n"
 "PO-Revision-Date: 2020-02-17 20:23+0000\n"
-"Last-Translator: NeroPcStation <dareknowacki2001@gmail.com>\n"
-"Language-Team: Polish <https://translate.tedomum.net/projects/mailu/admin/pl/"
-">\n"
+"Last-Translator: Marcin Siennicki <marcin@siennicki.eu>\n"
 "Language: pl\n"
+"Language-Team: Polish "
+"<https://translate.tedomum.net/projects/mailu/admin/pl/>\n"
+"Plural-Forms: nplurals=3; plural=n==1 ? 0 : n%10>=2 && n%10<=4 && "
+"(n%100<10 || n%100>=20) ? 1 : 2\n"
 "MIME-Version: 1.0\n"
-"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Plural-Forms: nplurals=3; plural=n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 "
-"|| n%100>=20) ? 1 : 2;\n"
-"X-Generator: Weblate 3.3\n"
+"Generated-By: Babel 2.9.0\n"
 
-#: mailu/ui/forms.py:32
+#: mailu/ui/forms.py:33 mailu/ui/forms.py:36
 msgid "Invalid email address."
 msgstr "Nieprawidłowy adres e-mail."
 
-#: mailu/ui/forms.py:36
+#: mailu/ui/forms.py:45
 msgid "Confirm"
 msgstr "Zatwierdź"
 
-#: mailu/ui/forms.py:40 mailu/ui/forms.py:77
+#: mailu/ui/forms.py:49 mailu/ui/forms.py:86
 msgid "E-mail"
 msgstr "E-mail"
 
-#: mailu/ui/forms.py:41 mailu/ui/forms.py:78 mailu/ui/forms.py:90
-#: mailu/ui/forms.py:109 mailu/ui/forms.py:162
+#: mailu/ui/forms.py:50 mailu/ui/forms.py:87 mailu/ui/forms.py:100
+#: mailu/ui/forms.py:118 mailu/ui/forms.py:172
 #: mailu/ui/templates/client.html:32 mailu/ui/templates/client.html:59
 msgid "Password"
 msgstr "Hasło"
 
-#: mailu/ui/forms.py:42 mailu/ui/templates/login.html:4
-#: mailu/ui/templates/sidebar.html:111
+#: mailu/ui/forms.py:51 mailu/ui/templates/login.html:4
+#: mailu/ui/templates/sidebar.html:108
 msgid "Sign in"
 msgstr "Zaloguj"
 
-#: mailu/ui/forms.py:46 mailu/ui/forms.py:56
+#: mailu/ui/forms.py:55 mailu/ui/forms.py:65
 #: mailu/ui/templates/domain/details.html:27
 #: mailu/ui/templates/domain/list.html:18 mailu/ui/templates/relay/list.html:17
 msgid "Domain name"
 msgstr "Nazwa domeny"
 
-#: mailu/ui/forms.py:47
+#: mailu/ui/forms.py:56
 msgid "Maximum user count"
 msgstr "Maksymalna liczba użytkowników"
 
-#: mailu/ui/forms.py:48
+#: mailu/ui/forms.py:57
 msgid "Maximum alias count"
 msgstr "Maksymalna liczba aliasów"
 
-#. Needs more context - is that a verb or a noun?
-#: mailu/ui/forms.py:51 mailu/ui/forms.py:72 mailu/ui/forms.py:83
-#: mailu/ui/forms.py:128 mailu/ui/forms.py:140
+#: mailu/ui/forms.py:58
+msgid "Maximum user quota"
+msgstr "Maksymalny przydział użytkownika"
+
+#: mailu/ui/forms.py:59
+msgid "Enable sign-up"
+msgstr "Włącz rejestrację"
+
+#: mailu/ui/forms.py:60 mailu/ui/forms.py:81 mailu/ui/forms.py:93
+#: mailu/ui/forms.py:138 mailu/ui/forms.py:150
 #: mailu/ui/templates/alias/list.html:21 mailu/ui/templates/domain/list.html:21
 #: mailu/ui/templates/relay/list.html:19 mailu/ui/templates/token/list.html:19
 #: mailu/ui/templates/user/list.html:23
 msgid "Comment"
 msgstr "Komentarz"
 
-#: mailu/ui/forms.py:52 mailu/ui/forms.py:61 mailu/ui/forms.py:66
-#: mailu/ui/forms.py:73 mailu/ui/forms.py:132 mailu/ui/forms.py:141
-msgid "Create"
-msgstr "Utwórz"
+#: mailu/ui/forms.py:61 mailu/ui/forms.py:75 mailu/ui/forms.py:82
+#: mailu/ui/forms.py:95 mailu/ui/forms.py:142 mailu/ui/forms.py:151
+msgid "Save"
+msgstr "Zapisz"
 
-#: mailu/ui/forms.py:59 mailu/ui/forms.py:79 mailu/ui/forms.py:91
+#: mailu/ui/forms.py:66
+msgid "Initial admin"
+msgstr "Początkowy administrator"
+
+#: mailu/ui/forms.py:67
+msgid "Admin password"
+msgstr "Hasło administratora"
+
+#: mailu/ui/forms.py:68 mailu/ui/forms.py:88 mailu/ui/forms.py:101
 msgid "Confirm password"
 msgstr "Potwierdź hasło"
 
-#: mailu/ui/forms.py:80 mailu/ui/templates/user/list.html:22
+#: mailu/ui/forms.py:70
+msgid "Create"
+msgstr "Utwórz"
+
+#: mailu/ui/forms.py:74
+msgid "Alternative name"
+msgstr "Alternatywna nazwa"
+
+#: mailu/ui/forms.py:79
+msgid "Relayed domain name"
+msgstr "Domeny przekierowywane"
+
+#: mailu/ui/forms.py:80 mailu/ui/templates/relay/list.html:18
+msgid "Remote host"
+msgstr "Zdalny host"
+
+#: mailu/ui/forms.py:89 mailu/ui/templates/user/list.html:22
 #: mailu/ui/templates/user/signup_domain.html:16
 msgid "Quota"
 msgstr "Maksymalna przestrzeń na dysku"
 
-#: mailu/ui/forms.py:81
+#: mailu/ui/forms.py:90
 msgid "Allow IMAP access"
 msgstr "Zezwalaj na dostęp przez protokół IMAP"
 
-#: mailu/ui/forms.py:82
+#: mailu/ui/forms.py:91
 msgid "Allow POP3 access"
 msgstr "Zezwalaj na dostęp przez protokół POP3"
 
-#: mailu/ui/forms.py:85
-msgid "Save"
-msgstr "Zapisz"
-
-#: mailu/ui/forms.py:97
+#: mailu/ui/forms.py:92 mailu/ui/forms.py:108
+#: mailu/ui/templates/user/settings.html:15
 msgid "Displayed name"
 msgstr "Nazwa wyświetlana"
 
-#: mailu/ui/forms.py:98
+#: mailu/ui/forms.py:94
+msgid "Enabled"
+msgstr "Włączone"
+
+#: mailu/ui/forms.py:99
+msgid "Email address"
+msgstr "Adres e-mail"
+
+#: mailu/ui/forms.py:102 mailu/ui/templates/sidebar.html:114
+#: mailu/ui/templates/user/signup.html:4
+#: mailu/ui/templates/user/signup_domain.html:4
+msgid "Sign up"
+msgstr "Utwórz konto"
+
+#: mailu/ui/forms.py:109
 msgid "Enable spam filter"
 msgstr "Włącz filtr antyspamowy"
 
-#: mailu/ui/forms.py:80
-msgid "Spam filter threshold"
-msgstr "Próg filtra antyspamowego"
-
-#: mailu/ui/forms.py:105
-msgid "Save settings"
-msgstr "Zapisz ustawienia"
-
 #: mailu/ui/forms.py:110
-msgid "Password check"
-msgstr ""
+msgid "Spam filter tolerance"
+msgstr "Tolerancja filtra spamu"
 
-#: mailu/ui/forms.py:111 mailu/ui/templates/sidebar.html:16
-msgid "Update password"
-msgstr "Zaktualizuj hasło"
-
-#: mailu/ui/forms.py:100
+#: mailu/ui/forms.py:111
 msgid "Enable forwarding"
 msgstr "Włącz przekierowanie poczty"
 
-#: mailu/ui/forms.py:103 mailu/ui/forms.py:139
+#: mailu/ui/forms.py:112
+msgid "Keep a copy of the emails"
+msgstr "Przechowuj kopię wiadomości"
+
+#: mailu/ui/forms.py:113 mailu/ui/forms.py:149
 #: mailu/ui/templates/alias/list.html:20
 msgid "Destination"
 msgstr "Adres docelowy"
 
-#: mailu/ui/forms.py:120
-msgid "Update"
-msgstr "Aktualizuj"
+#: mailu/ui/forms.py:114
+msgid "Save settings"
+msgstr "Zapisz ustawienia"
 
-#: mailu/ui/forms.py:115
+#: mailu/ui/forms.py:119
+msgid "Password check"
+msgstr "Powtórz hasło"
+
+#: mailu/ui/forms.py:120 mailu/ui/templates/sidebar.html:16
+msgid "Update password"
+msgstr "Zaktualizuj hasło"
+
+#: mailu/ui/forms.py:124
 msgid "Enable automatic reply"
 msgstr "Włącz automatyczną odpowiedź"
 
-#: mailu/ui/forms.py:116
+#: mailu/ui/forms.py:125
 msgid "Reply subject"
 msgstr "Temat odpowiedzi"
 
-#: mailu/ui/forms.py:117
+#: mailu/ui/forms.py:126
 msgid "Reply body"
 msgstr "Treść odpowiedzi"
 
-#: mailu/ui/forms.py:136
+#: mailu/ui/forms.py:128
+#, fuzzy
+msgid "Start of vacation"
+msgstr "Rozpoczęcie nieobecności"
+
+#: mailu/ui/forms.py:129
+msgid "End of vacation"
+msgstr "Koniec nieobecności"
+
+#: mailu/ui/forms.py:130
+msgid "Update"
+msgstr "Aktualizuj"
+
+#: mailu/ui/forms.py:135
+msgid "Your token (write it down, as it will never be displayed again)"
+msgstr "Twój token (zapisz go, ponieważ nigdy więcej nie będzie wyświetlany)"
+
+#: mailu/ui/forms.py:140 mailu/ui/templates/token/list.html:20
+msgid "Authorized IP"
+msgstr "Autoryzowany adres IP"
+
+#: mailu/ui/forms.py:146
 msgid "Alias"
 msgstr "Alias"
 
-#: mailu/ui/forms.py:138
+#: mailu/ui/forms.py:148
 msgid "Use SQL LIKE Syntax (e.g. for catch-all aliases)"
 msgstr "Używaj składni SQL LIKE (np. do adresów catch-all)"
 
-#: mailu/ui/forms.py:145
+#: mailu/ui/forms.py:155
 msgid "Admin email"
 msgstr "E-mail administratora"
 
-#: mailu/ui/forms.py:146 mailu/ui/forms.py:151 mailu/ui/forms.py:164
+#: mailu/ui/forms.py:156 mailu/ui/forms.py:161 mailu/ui/forms.py:174
 msgid "Submit"
 msgstr "Prześlij"
 
-#: mailu/ui/forms.py:150
+#: mailu/ui/forms.py:160
 msgid "Manager email"
 msgstr "E-mail menedżera"
 
-#: mailu/ui/forms.py:155
+#: mailu/ui/forms.py:165
 msgid "Protocol"
 msgstr "Protokół"
 
-#: mailu/ui/forms.py:158
+#: mailu/ui/forms.py:168
 msgid "Hostname or IP"
 msgstr "Nazwa hosta lub adres IP"
 
-#: mailu/ui/forms.py:159 mailu/ui/templates/client.html:20
+#: mailu/ui/forms.py:169 mailu/ui/templates/client.html:20
 #: mailu/ui/templates/client.html:47
 msgid "TCP port"
 msgstr "Port TCP"
 
-#: mailu/ui/forms.py:160
+#: mailu/ui/forms.py:170
 msgid "Enable TLS"
 msgstr "Włącz TLS"
 
-#: mailu/ui/forms.py:161 mailu/ui/templates/client.html:28
+#: mailu/ui/forms.py:171 mailu/ui/templates/client.html:28
 #: mailu/ui/templates/client.html:55 mailu/ui/templates/fetch/list.html:20
 msgid "Username"
 msgstr "Nazwa użytkownika"
 
+#: mailu/ui/forms.py:173
+msgid "Keep emails on the server"
+msgstr "Przechowuj wiadomości na serwerze"
+
+#: mailu/ui/forms.py:178
+msgid "Announcement subject"
+msgstr "Temat ogłoszenia"
+
+#: mailu/ui/forms.py:180
+msgid "Announcement body"
+msgstr "Treść ogłoszenia"
+
+#: mailu/ui/forms.py:182
+msgid "Send"
+msgstr "Wyślij"
+
+#: mailu/ui/templates/announcement.html:4
+msgid "Public announcement"
+msgstr "Publiczne ogłoszenie"
+
+#: mailu/ui/templates/client.html:4 mailu/ui/templates/sidebar.html:79
+msgid "Client setup"
+msgstr "Konfiguracja klienta"
+
+#: mailu/ui/templates/client.html:16 mailu/ui/templates/client.html:43
+msgid "Mail protocol"
+msgstr "Protokół poczty"
+
+#: mailu/ui/templates/client.html:24 mailu/ui/templates/client.html:51
+msgid "Server name"
+msgstr "Nazwa serwera"
+
 #: mailu/ui/templates/confirm.html:4
 msgid "Confirm action"
 msgstr "Potwierdź wykonanie czynności"
 
 #: mailu/ui/templates/confirm.html:13
+#, python-format
 msgid "You are about to %(action)s. Please confirm your action."
-msgstr "Zamierzasz wykonać następujące czynności: %(action)s. Potwierdź wykonanie czynności."
+msgstr ""
+"Zamierzasz wykonać następujące czynności: %(action)s. Potwierdź wykonanie"
+" czynności."
 
 #: mailu/ui/templates/docker-error.html:4
 msgid "Docker error"
@@ -192,54 +291,19 @@ msgstr "Błąd Dockera"
 msgid "An error occurred while talking to the Docker server."
 msgstr "Wystąpił błąd komunikacji z serwerem Dockera."
 
-#: mailu/admin/templates/login.html:6
-msgid "Your account"
-msgstr "Twoje konto"
-
 #: mailu/ui/templates/login.html:8
 msgid "to access the administration tools"
 msgstr "aby uzyskać dostęp do narzędzi administracyjnych"
 
-#: mailu/ui/templates/services.html:4 mailu/ui/templates/sidebar.html:39
-msgid "Services status"
-msgstr "Status usług"
-
-#: mailu/ui/templates/services.html:10
-msgid "Service"
-msgstr "Usługa"
-
-#: mailu/ui/templates/fetch/list.html:23 mailu/ui/templates/services.html:11
-msgid "Status"
-msgstr "Status"
-
-#: mailu/ui/templates/services.html:12
-msgid "PID"
-msgstr "PID"
-
-#: mailu/ui/templates/services.html:13
-msgid "Image"
-msgstr "Obraz"
-
-#: mailu/ui/templates/services.html:14
-msgid "Started"
-msgstr ""
-
-#: mailu/ui/templates/services.html:15
-msgid "Last update"
-msgstr "Ostatnia aktualizacja"
-
 #: mailu/ui/templates/sidebar.html:8
+#, fuzzy
 msgid "My account"
-msgstr "Moje konto"
+msgstr "Dodaj konto"
 
 #: mailu/ui/templates/sidebar.html:11 mailu/ui/templates/user/list.html:34
 msgid "Settings"
 msgstr "Ustawienia"
 
-#: mailu/ui/templates/user/settings.html:22
-msgid "Auto-forward"
-msgstr "Automatyczne przekierowanie"
-
 #: mailu/ui/templates/sidebar.html:21 mailu/ui/templates/user/list.html:35
 msgid "Auto-reply"
 msgstr "Automatyczna odpowiedź"
@@ -247,28 +311,60 @@ msgstr "Automatyczna odpowiedź"
 #: mailu/ui/templates/fetch/list.html:4 mailu/ui/templates/sidebar.html:26
 #: mailu/ui/templates/user/list.html:36
 msgid "Fetched accounts"
-msgstr ""
+msgstr "Zewnętrzne konta e-mail"
 
-#: mailu/ui/templates/sidebar.html:105
-msgid "Sign out"
-msgstr "Wyloguj"
+#: mailu/ui/templates/sidebar.html:31 mailu/ui/templates/token/list.html:4
+msgid "Authentication tokens"
+msgstr "Tokeny uwierzytelnienia"
 
-#: mailu/ui/templates/sidebar.html:35
+#: mailu/ui/templates/sidebar.html:36
 msgid "Administration"
 msgstr "Administracja"
 
-#: mailu/ui/templates/sidebar.html:49
+#: mailu/ui/templates/sidebar.html:41
+msgid "Announcement"
+msgstr "Ogłoszenie"
+
+#: mailu/ui/templates/sidebar.html:46
 msgid "Administrators"
 msgstr "Administratorzy"
 
-#: mailu/ui/templates/sidebar.html:66
+#: mailu/ui/templates/sidebar.html:51
+msgid "Relayed domains"
+msgstr "Domeny przekierowywane"
+
+#: mailu/ui/templates/sidebar.html:56 mailu/ui/templates/user/settings.html:19
+msgid "Antispam"
+msgstr "Filtr antyspamowy"
+
+#: mailu/ui/templates/sidebar.html:63
 msgid "Mail domains"
 msgstr "Domeny pocztowe"
 
-#: mailu/ui/templates/sidebar.html:92
+#: mailu/ui/templates/sidebar.html:69
+msgid "Go to"
+msgstr "Przejdź do"
+
+#: mailu/ui/templates/sidebar.html:73
+msgid "Webmail"
+msgstr "Twoja poczta"
+
+#: mailu/ui/templates/sidebar.html:84
+msgid "Website"
+msgstr "Strona internetowa"
+
+#: mailu/ui/templates/sidebar.html:89
 msgid "Help"
 msgstr "Pomoc"
 
+#: mailu/ui/templates/domain/signup.html:4 mailu/ui/templates/sidebar.html:95
+msgid "Register a domain"
+msgstr "Zarejestruj domenę"
+
+#: mailu/ui/templates/sidebar.html:102
+msgid "Sign out"
+msgstr "Wyloguj"
+
 #: mailu/ui/templates/working.html:4
 msgid "We are still working on this feature!"
 msgstr "Nadal pracujemy nad tą funkcją!"
@@ -344,6 +440,22 @@ msgstr "Ostatnia edycja"
 msgid "Edit"
 msgstr "Edytuj"
 
+#: mailu/ui/templates/alternative/create.html:4
+msgid "Create alternative domain"
+msgstr "Utwórz alternatywną domenę"
+
+#: mailu/ui/templates/alternative/list.html:4
+msgid "Alternative domain list"
+msgstr "Alternatywna lista domen"
+
+#: mailu/ui/templates/alternative/list.html:12
+msgid "Add alternative"
+msgstr "Dodaj alternatywę"
+
+#: mailu/ui/templates/alternative/list.html:19
+msgid "Name"
+msgstr "Nazwa"
+
 #: mailu/ui/templates/domain/create.html:4
 #: mailu/ui/templates/domain/list.html:9
 msgid "New domain"
@@ -357,6 +469,10 @@ msgstr "Szczegóły domeny"
 msgid "Regenerate keys"
 msgstr "Wygeneruj ponownie klucze"
 
+#: mailu/ui/templates/domain/details.html:17
+msgid "Generate keys"
+msgstr "Wygeneruj klucze"
+
 #: mailu/ui/templates/domain/details.html:31
 msgid "DNS MX entry"
 msgstr "Wpis MX DNS"
@@ -365,15 +481,15 @@ msgstr "Wpis MX DNS"
 msgid "DNS SPF entries"
 msgstr "Wpisy SPF DNS"
 
-#: mailu/ui/templates/domain/details.html:42
+#: mailu/ui/templates/domain/details.html:41
 msgid "DKIM public key"
 msgstr "Publiczny klucz DKIM"
 
-#: mailu/ui/templates/domain/details.html:46
+#: mailu/ui/templates/domain/details.html:45
 msgid "DNS DKIM entry"
 msgstr "Wpis DKIM DNS"
 
-#: mailu/ui/templates/domain/details.html:50
+#: mailu/ui/templates/domain/details.html:49
 msgid "DNS DMARC entry"
 msgstr "Wpis DMARC DNS"
 
@@ -413,13 +529,42 @@ msgstr "Aliasy"
 msgid "Managers"
 msgstr "Menedżerowie"
 
+#: mailu/ui/templates/domain/list.html:39
+msgid "Alternatives"
+msgstr "Alternatywy"
+
+#: mailu/ui/templates/domain/signup.html:13
+msgid ""
+"In order to register a new domain, you must first setup the\n"
+"    domain zone so that the domain <code>MX</code> points to this server"
+msgstr ""
+"Aby zarejestrować nową domenę, musisz najpierw skonfigurować strefę "
+"domeny, aby domena <code> MX </code> wskazywała na ten serwer"
+
+#: mailu/ui/templates/domain/signup.html:18
+msgid ""
+"If you do not know how to setup an <code>MX</code> record for your DNS "
+"zone,\n"
+"    please contact your DNS provider or administrator. Also, please wait "
+"a\n"
+"    couple minutes after the <code>MX</code> is set so the local server "
+"cache\n"
+"    expires."
+msgstr ""
+"Jeśli nie wiesz, jak skonfigurować rekord <code> MX </code>  dla swojej "
+"strefy DNS,\n"
+"skontaktuj się z dostawcą DNS lub administratorem. Proszę również "
+"poczekać\n"
+"kilka minut po ustawieniu <code> MX </code> , żeby pamięć podręczna "
+"serwera lokalnego wygasła."
+
 #: mailu/ui/templates/fetch/create.html:4
 msgid "Add a fetched account"
-msgstr ""
+msgstr "Dodaj zewnętrzne konto pocztowe"
 
 #: mailu/ui/templates/fetch/edit.html:4
 msgid "Update a fetched account"
-msgstr ""
+msgstr "Zaktualizuj konto"
 
 #: mailu/ui/templates/fetch/list.html:12
 msgid "Add an account"
@@ -427,12 +572,28 @@ msgstr "Dodaj konto"
 
 #: mailu/ui/templates/fetch/list.html:19
 msgid "Endpoint"
-msgstr ""
+msgstr "Serwer"
+
+#: mailu/ui/templates/fetch/list.html:21
+msgid "Keep emails"
+msgstr "Przechowuj wiadomości"
 
 #: mailu/ui/templates/fetch/list.html:22
 msgid "Last check"
 msgstr "Ostatnie sprawdzenie"
 
+#: mailu/ui/templates/fetch/list.html:23
+msgid "Status"
+msgstr "Stan"
+
+#: mailu/ui/templates/fetch/list.html:35
+msgid "yes"
+msgstr "Tak"
+
+#: mailu/ui/templates/fetch/list.html:35
+msgid "no"
+msgstr "Nie"
+
 #: mailu/ui/templates/manager/create.html:4
 msgid "Add a manager"
 msgstr "Dodaj menedżera"
@@ -445,34 +606,43 @@ msgstr "Lista menedżerów"
 msgid "Add manager"
 msgstr "Dodaj menedżera"
 
-#: mailu/ui/forms.py:168
-msgid "Announcement subject"
-msgstr "Temat ogłoszenia"
+#: mailu/ui/templates/relay/create.html:4
+msgid "New relay domain"
+msgstr "Nowa domena do przekierowania"
 
-#: mailu/ui/forms.py:170
-msgid "Announcement body"
-msgstr "Treść ogłoszenia"
+#: mailu/ui/templates/relay/edit.html:4
+#, fuzzy
+msgid "Edit relayd domain"
+msgstr "Edycja domeny"
 
-#: mailu/ui/forms.py:172
-msgid "Send"
-msgstr "Wyślij"
+#: mailu/ui/templates/relay/list.html:4
+msgid "Relayed domain list"
+msgstr "Lista domen przekierowywanych"
 
-#: mailu/ui/templates/announcement.html:4
-msgid "Public announcement"
-msgstr "Publiczne ogłoszenie"
+#: mailu/ui/templates/relay/list.html:9
+msgid "New relayed domain"
+msgstr "Nowa domena do przekierowania"
 
-#: mailu/ui/templates/announcement.html:8
-msgid "from"
-msgstr "od"
+#: mailu/ui/templates/token/create.html:4
+msgid "Create an authentication token"
+msgstr "Utwórz token uwierzytelniający"
 
-#: mailu/ui/templates/sidebar.html:44
-msgid "Announcement"
-msgstr "Ogłoszenie"
+#: mailu/ui/templates/token/list.html:12
+msgid "New token"
+msgstr "Nowy token"
 
 #: mailu/ui/templates/user/create.html:4
 msgid "New user"
 msgstr "Nowy użytkownik"
 
+#: mailu/ui/templates/user/create.html:15
+msgid "General"
+msgstr "Ogólne"
+
+#: mailu/ui/templates/user/create.html:23
+msgid "Features and quotas"
+msgstr "Funkcje i limity"
+
 #: mailu/ui/templates/user/edit.html:4
 msgid "Edit user"
 msgstr "Edytuj użytkownika"
@@ -505,202 +675,9 @@ msgstr "Zmiana hasła"
 msgid "Automatic reply"
 msgstr "Automatyczna odpowiedź"
 
-#: mailu/ui/forms.py:49
-msgid "Maximum user quota"
-msgstr "Maksymalny przydział użytkownika"
-
-#: mailu/ui/forms.py:101
-msgid "Keep a copy of the emails"
-msgstr "Przechowuj kopię wiadomości"
-
-#: mailu/ui/forms.py:163
-msgid "Keep emails on the server"
-msgstr "Przechowuj wiadomości na serwerze"
-
-#: mailu/ui/templates/fetch/list.html:21
-msgid "Keep emails"
-msgstr "Przechowuj wiadomości"
-
-#: mailu/ui/templates/fetch/list.html:35
-msgid "yes"
-msgstr "Tak"
-
-#: mailu/ui/templates/fetch/list.html:35
-msgid "no"
-msgstr "Nie"
-
-#: mailu/ui/forms.py:65
-msgid "Alternative name"
-msgstr "Alternatywna nazwa"
-
-#: mailu/ui/forms.py:70
-msgid "Relayed domain name"
-msgstr ""
-
-#: mailu/ui/forms.py:71 mailu/ui/templates/relay/list.html:18
-msgid "Remote host"
-msgstr "Zdalny host"
-
-#: mailu/ui/templates/sidebar.html:54
-msgid "Relayed domains"
-msgstr ""
-
-#: mailu/ui/templates/alternative/create.html:4
-msgid "Create alternative domain"
-msgstr "Utwórz alternatywną domenę"
-
-#: mailu/ui/templates/alternative/list.html:4
-msgid "Alternative domain list"
-msgstr "Alternatywna lista domen"
-
-#: mailu/ui/templates/alternative/list.html:12
-msgid "Add alternative"
-msgstr "Dodaj alternatywę"
-
-#: mailu/ui/templates/alternative/list.html:19
-msgid "Name"
-msgstr "Nazwa"
-
-#: mailu/ui/templates/domain/list.html:39
-msgid "Alternatives"
-msgstr "Alternatywy"
-
-#: mailu/ui/templates/relay/create.html:4
-msgid "New relay domain"
-msgstr ""
-
-#: mailu/ui/templates/relay/edit.html:4
-msgid "Edit relayd domain"
-msgstr ""
-
-#: mailu/ui/templates/relay/list.html:4
-msgid "Relayed domain list"
-msgstr ""
-
-#: mailu/ui/templates/relay/list.html:9
-msgid "New relayed domain"
-msgstr ""
-
-#: mailu/ui/forms.py:125
-msgid "Your token (write it down, as it will never be displayed again)"
-msgstr "Twój token (zapisz go, ponieważ nigdy więcej nie będzie wyświetlany)"
-
-#: mailu/ui/forms.py:130 mailu/ui/templates/token/list.html:20
-msgid "Authorized IP"
-msgstr "Autoryzowany adres IP"
-
-#: mailu/ui/templates/sidebar.html:31 mailu/ui/templates/token/list.html:4
-msgid "Authentication tokens"
-msgstr "Tokeny uwierzytelnienia"
-
-#: mailu/ui/templates/sidebar.html:72
-msgid "Go to"
-msgstr "Przejdź do"
-
-#: mailu/ui/templates/sidebar.html:76
-msgid "Webmail"
-msgstr ""
-
-#: mailu/ui/templates/sidebar.html:87
-msgid "Website"
-msgstr "Strona internetowa"
-
-#: mailu/ui/templates/token/create.html:4
-msgid "Create an authentication token"
-msgstr "Utwórz token uwierzytelniający"
-
-#: mailu/ui/templates/token/list.html:12
-msgid "New token"
-msgstr "Nowy token"
-
-#: mailu/ui/templates/user/create.html:15
-msgid "General"
-msgstr ""
-
-#: mailu/ui/templates/user/create.html:22
-msgid "Features and quotas"
-msgstr ""
-
-#: mailu/ui/templates/user/settings.html:14
-msgid "General settings"
-msgstr "Ustawienia ogólne"
-
-#: mailu/ui/templates/sidebar.html:59 mailu/ui/templates/user/settings.html:15
-msgid "Antispam"
-msgstr "Filtr antyspamowy"
-
-#: mailu/ui/forms.py:99
-msgid "Spam filter tolerance"
-msgstr "Tolerancja filtra spamu"
-
-#: mailu/ui/forms.py:50
-msgid "Enable sign-up"
-msgstr "Włącz rejestrację"
-
-#: mailu/ui/forms.py:57
-msgid "Initial admin"
-msgstr "Początkowy administrator"
-
-#: mailu/ui/forms.py:58
-msgid "Admin password"
-msgstr "hasło administratora"
-
-#: mailu/ui/forms.py:84
-msgid "Enabled"
-msgstr "Włączone"
-
-#: mailu/ui/forms.py:89
-msgid "Email address"
-msgstr "Adres e-mail"
-
-#: mailu/ui/forms.py:93 mailu/ui/templates/sidebar.html:117
-#: mailu/ui/templates/user/signup.html:4
-#: mailu/ui/templates/user/signup_domain.html:4
-msgid "Sign up"
-msgstr ""
-
-#: mailu/ui/forms.py:119
-msgid "End of vacation"
-msgstr "Koniec wakacji"
-
-#: mailu/ui/templates/client.html:4 mailu/ui/templates/sidebar.html:82
-msgid "Client setup"
-msgstr "Konfiguracja klienta"
-
-#: mailu/ui/templates/client.html:16 mailu/ui/templates/client.html:43
-msgid "Mail protocol"
-msgstr "Protokół poczty"
-
-#: mailu/ui/templates/client.html:24 mailu/ui/templates/client.html:51
-msgid "Server name"
-msgstr "Nazwa serwera"
-
-#: mailu/ui/templates/domain/signup.html:4 mailu/ui/templates/sidebar.html:98
-msgid "Register a domain"
-msgstr "Zarejestruj domenę"
-
-#: mailu/ui/templates/domain/details.html:17
-msgid "Generate keys"
-msgstr "Wygeneruj klucze"
-
-#: mailu/ui/templates/domain/signup.html:13
-msgid "In order to register a new domain, you must first setup the\n"
-"    domain zone so that the domain <code>MX</code> points to this server"
-msgstr ""
-"Aby zarejestrować nową domenę, musisz najpierw skonfigurować strefę domeny, "
-"aby domena <code> MX </code> wskazywała na ten serwer"
-
-#: mailu/ui/templates/domain/signup.html:18
-msgid "If you do not know how to setup an <code>MX</code> record for your DNS zone,\n"
-"    please contact your DNS provider or administrator. Also, please wait a\n"
-"    couple minutes after the <code>MX</code> is set so the local server cache\n"
-"    expires."
-msgstr ""
-"Jeśli nie wiesz, jak skonfigurować rekord <code> MX </code>  dla swojej "
-"strefy DNS,\n"
-"skontaktuj się z dostawcą DNS lub administratorem. Proszę również poczekać\n"
-"kilka minut po ustawieniu <code> MX </code> , żeby pamięć podręczna serwera "
-"lokalnego wygasła."
+#: mailu/ui/templates/user/settings.html:26
+msgid "Auto-forward"
+msgstr "Automatyczne przekierowanie"
 
 #: mailu/ui/templates/user/signup_domain.html:8
 msgid "pick a domain for the new account"
@@ -713,3 +690,40 @@ msgstr "Domena"
 #: mailu/ui/templates/user/signup_domain.html:15
 msgid "Available slots"
 msgstr "Dostępne miejsca"
+
+#~ msgid "Spam filter threshold"
+#~ msgstr "Próg filtra antyspamowego"
+
+#~ msgid "Your account"
+#~ msgstr "Twoje konto"
+
+#~ msgid "Services status"
+#~ msgstr "Status usług"
+
+#~ msgid "Service"
+#~ msgstr "Usługa"
+
+#~ msgid "Status"
+#~ msgstr "Status"
+
+#~ msgid "PID"
+#~ msgstr "PID"
+
+#~ msgid "Image"
+#~ msgstr "Obraz"
+
+#~ msgid "Started"
+#~ msgstr "Uruchomione"
+
+#~ msgid "Last update"
+#~ msgstr "Ostatnia aktualizacja"
+
+#~ msgid "My account"
+#~ msgstr "Moje konto"
+
+#~ msgid "from"
+#~ msgstr "od"
+
+#~ msgid "General settings"
+#~ msgstr "Ustawienia ogólne"
+

From 5a1e6dfb6125ad727d1ee4d08094ea80cb2f0d53 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Wed, 8 Sep 2021 12:30:28 +0000
Subject: [PATCH 44/53] Added documentation for new LOGO_BACKGROUND and
 LOGO_URL env variables.

---
 docs/configuration.rst | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/docs/configuration.rst b/docs/configuration.rst
index 3d536fd4..9da0a14c 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -124,6 +124,13 @@ Both ``SITENAME`` and ``WEBSITE`` are customization options for the panel menu
 in the admin interface, while ``SITENAME`` is a customization option for
 every Web interface.
 
+- ``LOGO_BACKGROUND`` sets a custom background colour for the brand logo in the topleft of the main admin interface.
+  For a list of colour codes refer to this page of `w3schools`_.
+
+- ``LOGO_URL`` sets a URL for a custom logo. This logo replaces the Mailu logo in the topleft of the main admin interface.
+
+.. _`w3schools`: https://www.w3schools.com/cssref/css_colors.asp
+
 .. _admin_account:
 
 Admin account - automatic creation

From bb40ccc4b0476b1152eeba185ec754c85c334bc1 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 9 Sep 2021 11:58:27 +0200
Subject: [PATCH 45/53] normalize HOSTNAMES

should be moved to python lib and normalized in start.py
---
 core/admin/mailu/configuration.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 1f13f896..7405d81f 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -145,7 +145,9 @@ class ConfigManager(dict):
         self.config['SESSION_COOKIE_SAMESITE'] = 'Strict'
         self.config['SESSION_COOKIE_HTTPONLY'] = True
         self.config['PERMANENT_SESSION_LIFETIME'] = timedelta(hours=int(self.config['SESSION_LIFETIME']))
-        self.config['HOSTNAME'] = self.config['HOSTNAMES'].split(',', 1)[0].strip()
+        hostnames = [host.strip() for host in self.config['HOSTNAMES'].split(',', 1)]
+        self.config['HOSTNAMES'] = ','.join(hostnames)
+        self.config['HOSTNAME'] = hostnames[0]
         # update the app config itself
         app.config = self
 

From b883e3c4a6865592f0398fd0aa209edd2cfe66e6 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 9 Sep 2021 12:10:34 +0200
Subject: [PATCH 46/53] duh.

---
 core/admin/mailu/configuration.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 7405d81f..196b0197 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -145,7 +145,7 @@ class ConfigManager(dict):
         self.config['SESSION_COOKIE_SAMESITE'] = 'Strict'
         self.config['SESSION_COOKIE_HTTPONLY'] = True
         self.config['PERMANENT_SESSION_LIFETIME'] = timedelta(hours=int(self.config['SESSION_LIFETIME']))
-        hostnames = [host.strip() for host in self.config['HOSTNAMES'].split(',', 1)]
+        hostnames = [host.strip() for host in self.config['HOSTNAMES'].split(',')]
         self.config['HOSTNAMES'] = ','.join(hostnames)
         self.config['HOSTNAME'] = hostnames[0]
         # update the app config itself

From b02ceab72f4a917cc8b543d20d31d634554dc9a9 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 9 Sep 2021 17:30:46 +0200
Subject: [PATCH 47/53] handle DEFER_ON_TLS_ERROR as bool

use /conf/mta-sts-daemon.yml when override is missing
---
 core/postfix/Dockerfile                    | 1 -
 core/postfix/conf/main.cf                  | 2 +-
 core/postfix/{ => conf}/mta-sts-daemon.yml | 2 +-
 core/postfix/start.py                      | 5 +++--
 4 files changed, 5 insertions(+), 5 deletions(-)
 rename core/postfix/{ => conf}/mta-sts-daemon.yml (68%)

diff --git a/core/postfix/Dockerfile b/core/postfix/Dockerfile
index e93a584c..bdf45e35 100644
--- a/core/postfix/Dockerfile
+++ b/core/postfix/Dockerfile
@@ -20,7 +20,6 @@ RUN apk add --no-cache postfix postfix-pcre cyrus-sasl-login
 
 COPY conf /conf
 COPY start.py /start.py
-COPY mta-sts-daemon.yml /etc/
 
 EXPOSE 25/tcp 10025/tcp
 VOLUME ["/queue"]
diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 6152388c..3f478ed5 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -59,7 +59,7 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
 smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
-smtp_tls_dane_insecure_mx_policy = {% if DEFER_ON_TLS_ERROR == 'false' %}may{% else %}dane{% endif %}
+smtp_tls_dane_insecure_mx_policy = {{ 'dane' if DEFER_ON_TLS_ERROR else 'may' }}
 smtp_tls_policy_maps=lmdb:/etc/postfix/tls_policy.map, ${podop}dane, socketmap:unix:/tmp/mta-sts.socket:postfix
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
diff --git a/core/postfix/mta-sts-daemon.yml b/core/postfix/conf/mta-sts-daemon.yml
similarity index 68%
rename from core/postfix/mta-sts-daemon.yml
rename to core/postfix/conf/mta-sts-daemon.yml
index 361bcbf9..1527b73f 100644
--- a/core/postfix/mta-sts-daemon.yml
+++ b/core/postfix/conf/mta-sts-daemon.yml
@@ -6,5 +6,5 @@ cache:
   options:
     cache_size: 10000
 default_zone:
-  strict_testing: {{ DEFER_ON_TLS_ERROR |default('true') }}
+  strict_testing: {{ 'true' if DEFER_ON_TLS_ERROR else 'false' }}
   timeout: 4
diff --git a/core/postfix/start.py b/core/postfix/start.py
index 3de83a63..361ef3ba 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -76,8 +76,9 @@ for map_file in glob.glob("/overrides/*.map"):
     os.remove(destination)
 
 if os.path.exists("/overrides/mta-sts-daemon.yml"):
-    shutil.copyfile("/overrides/mta-sts-daemon.yml", "/etc/mta-sts-daemon.yml")
-conf.jinja("/etc/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
+	conf.jinja("/overrides/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
+else:
+	conf.jinja("/conf/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
 
 if not os.path.exists("/etc/postfix/tls_policy.map.lmdb"):
     open("/etc/postfix/tls_policy.map", "a").close()

From 05c79b0e3c31f3cdfbddc8f7ffe64d332eb6f128 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 9 Sep 2021 18:45:39 +0200
Subject: [PATCH 48/53] copy (and not parse) mta sts override config

---
 core/postfix/start.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/postfix/start.py b/core/postfix/start.py
index 361ef3ba..12610bd0 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -76,9 +76,9 @@ for map_file in glob.glob("/overrides/*.map"):
     os.remove(destination)
 
 if os.path.exists("/overrides/mta-sts-daemon.yml"):
-	conf.jinja("/overrides/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
+    shutil.copyfile("/overrides/mta-sts-daemon.yml", "/etc/mta-sts-daemon.yml")
 else:
-	conf.jinja("/conf/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
+    conf.jinja("/conf/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
 
 if not os.path.exists("/etc/postfix/tls_policy.map.lmdb"):
     open("/etc/postfix/tls_policy.map", "a").close()

From 7bec8029a43a0d01ccd969d306d1146af8192e23 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 9 Sep 2021 21:41:03 +0200
Subject: [PATCH 49/53] strip not necessary anymore

---
 core/admin/mailu/models.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/models.py b/core/admin/mailu/models.py
index 86e285d0..f93b158f 100644
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -312,7 +312,7 @@ class Domain(Base):
     def check_mx(self):
         """ checks if MX record for domain points to mailu host """
         try:
-            hostnames = set(fqdn.strip() for fqdn in app.config['HOSTNAMES'].split(','))
+            hostnames = set(app.config['HOSTNAMES'].split(','))
             return any(
                 rset.exchange.to_text().rstrip('.') in hostnames
                 for rset in dns.resolver.query(self.name, 'MX')

From b63081cb48969603ad572f4960b79fd6251c79be Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 13 Sep 2021 14:49:49 +0200
Subject: [PATCH 50/53] display error (not exception) when creating admin

repleace misleading python exception (mailu broken)
with error message stating that the admin user is
already present
---
 core/admin/mailu/manage.py | 37 +++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/core/admin/mailu/manage.py b/core/admin/mailu/manage.py
index 5708327e..d83efa9d 100644
--- a/core/admin/mailu/manage.py
+++ b/core/admin/mailu/manage.py
@@ -48,44 +48,45 @@ def advertise():
 @click.argument('localpart')
 @click.argument('domain_name')
 @click.argument('password')
-@click.option('-m', '--mode')
+@click.option('-m', '--mode', default='create')
 @with_appcontext
-def admin(localpart, domain_name, password, mode='create'):
+def admin(localpart, domain_name, password, mode):
     """ Create an admin user
         'mode' can be:
-            - 'create' (default) Will try to create user and will raise an exception if present
+            - 'create': (default) create user. it's an error if user already exists
             - 'ifmissing': if user exists, nothing happens, else it will be created
             - 'update': user is created or, if it exists, its password gets updated
     """
+
+    if not mode in ('create', 'update', 'ifmissing'):
+        raise click.ClickException(f'invalid mode: {mode!r}')
+
     domain = models.Domain.query.get(domain_name)
     if not domain:
         domain = models.Domain(name=domain_name)
         db.session.add(domain)
 
-    user = None
-    if mode == 'ifmissing' or mode == 'update':
-        email = f'{localpart}@{domain_name}'
-        user = models.User.query.get(email)
-
-        if user and mode == 'ifmissing':
-            print('user %s exists, not updating' % email)
+    email = f'{localpart}@{domain_name}'
+    if user := models.User.query.get(email):
+        if mode == 'ifmissing':
+            print(f'user {email!r} exists, not updating')
             return
-
-    if not user:
+        elif mode == 'update':
+            user.set_password(password)
+            db.session.commit()
+            print("updated admin password")
+        else:
+            raise click.ClickException(f'user {email!r} exists, not created')
+    else:
         user = models.User(
             localpart=localpart,
             domain=domain,
             global_admin=True
         )
-        user.set_password(password)
         db.session.add(user)
+        user.set_password(password)
         db.session.commit()
         print("created admin user")
-    elif mode == 'update':
-        user.set_password(password)
-        db.session.commit()
-        print("updated admin password")
-
 
 
 @mailu.command()

From 25cf8b53589a746e8ad45757dcb747c4ca7215ee Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 13 Sep 2021 15:13:29 +0200
Subject: [PATCH 51/53] better help formatting

---
 core/admin/mailu/manage.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/core/admin/mailu/manage.py b/core/admin/mailu/manage.py
index d83efa9d..54f4b826 100644
--- a/core/admin/mailu/manage.py
+++ b/core/admin/mailu/manage.py
@@ -48,14 +48,13 @@ def advertise():
 @click.argument('localpart')
 @click.argument('domain_name')
 @click.argument('password')
-@click.option('-m', '--mode', default='create')
+@click.option('-m', '--mode', default='create', metavar='MODE', help='''\b'create' (default): create user. it's an error if user already exists
+'ifmissing': only update password if user is missing
+'update': create user or update password if user exists
+''')
 @with_appcontext
 def admin(localpart, domain_name, password, mode):
     """ Create an admin user
-        'mode' can be:
-            - 'create': (default) create user. it's an error if user already exists
-            - 'ifmissing': if user exists, nothing happens, else it will be created
-            - 'update': user is created or, if it exists, its password gets updated
     """
 
     if not mode in ('create', 'update', 'ifmissing'):

From d31b1380e5127db145951c7264091438a46cdb8d Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Mon, 13 Sep 2021 15:23:05 +0200
Subject: [PATCH 52/53] fix spelling

---
 PULL_REQUEST_TEMPLATE.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/PULL_REQUEST_TEMPLATE.md b/PULL_REQUEST_TEMPLATE.md
index 8fb3265d..fc3b6b61 100644
--- a/PULL_REQUEST_TEMPLATE.md
+++ b/PULL_REQUEST_TEMPLATE.md
@@ -8,7 +8,7 @@
 - Mention an issue like: #001
 - Auto close an issue like: closes #001
 
-## Prerequistes
+## Prerequisites
 Before we can consider review and merge, please make sure the following list is done and checked.
 If an entry in not applicable, you can check it or remove it from the list.
 

From 447b237ecb12510c51d9ec2805e6f887b79dd8e1 Mon Sep 17 00:00:00 2001
From: Alexander Graf <ghostwheel42@users.noreply.github.com>
Date: Thu, 16 Sep 2021 09:03:44 +0200
Subject: [PATCH 53/53] fix freshclam startup

- create pid file in existing folder /run
- let freshclam log to stdout
- remove deprecated SafeBrowsing
---
 optional/clamav/conf/freshclam.conf | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/optional/clamav/conf/freshclam.conf b/optional/clamav/conf/freshclam.conf
index 88d12bef..828163a0 100644
--- a/optional/clamav/conf/freshclam.conf
+++ b/optional/clamav/conf/freshclam.conf
@@ -3,9 +3,9 @@
 ###############
 
 DatabaseDirectory /data
-LogSyslog yes
+UpdateLogFile /dev/stdout
 LogTime yes
-PidFile /run/clamav/freshclam.pid
+PidFile /run/freshclam.pid
 DatabaseOwner root
 
 ###############
@@ -15,5 +15,4 @@ DatabaseOwner root
 DatabaseMirror database.clamav.net
 ScriptedUpdates yes
 NotifyClamd /etc/clamav/clamd.conf
-SafeBrowsing yes
 Bytecode yes