From 5e32447f07a2148cc1800a49ce7c9c7a19049d31 Mon Sep 17 00:00:00 2001
From: Jon Wilson
Date: Mon, 21 Sep 2020 15:06:43 +0100
Subject: [PATCH 1/4] Change unbound logfile to the empty string

This is defined to send log messages to stderr, which is what we want - fixes #1536 ("Could not open logfile /dev/stdout: Permission denied")
---
 optional/unbound/unbound.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/optional/unbound/unbound.conf b/optional/unbound/unbound.conf
index 8abd4325..6c8fc64d 100644
--- a/optional/unbound/unbound.conf
+++ b/optional/unbound/unbound.conf
@@ -2,7 +2,7 @@ server:
 verbosity: 1
 interface: 0.0.0.0
 interface: ::0
- logfile: /dev/stdout
+ logfile: ""
 do-ip4: yes
 do-ip6: yes
 do-udp: yes

From 1a365f469c85adfe125f04a4b29d6cdabe436709 Mon Sep 17 00:00:00 2001
From: lub
Date: Fri, 12 Feb 2021 12:18:22 +0100
Subject: [PATCH 2/4] check for `ipv6_enabled` in the compose template

Checking only `ipv6` isn't sufficient, because it has a default value.
---
 setup/flavors/compose/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml
index 3fbfb862..155e1180 100644
--- a/setup/flavors/compose/docker-compose.yml
+++ b/setup/flavors/compose/docker-compose.yml
@@ -26,7 +26,7 @@ services:
 {% if bind4 %}
 - "{{ bind4 }}:{{ port }}:{{ port }}"
 {% endif %}
- {% if bind6 %}
+ {% if ipv6_enabled and bind6 %}
 - "{{ bind6 }}:{{ port }}:{{ port }}"
 {% endif %}
 {% endfor %}

From 75baa1da993363f1fe6bef10758956502369befd Mon Sep 17 00:00:00 2001
From: ronivay
Date: Thu, 18 Mar 2021 09:46:27 +0200
Subject: [PATCH 3/4] Update fail2ban documentation

---
 docs/faq.rst | 29 +++++++++++++++++++++++------
 1 file changed, 23 insertions(+), 6 deletions(-)

diff --git a/docs/faq.rst b/docs/faq.rst
index 59a841dc..14dcc4ed 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
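Review bot: `logfile: ""` in optional/unbound/unbound.conf only reaches stderr when syslog logging is off and the daemon stays in the foreground, and neither setting is visible in this hunk. Unbound's documented default is `use-syslog: yes`, which overrides `logfile`, and with an empty `logfile` the output goes nowhere once the process daemonizes. In a container without a syslog daemon the resolver's log lines could then be lost instead of being captured by the container runtime, which removes DNS-level visibility for troubleshooting and incident review. If the rest of the `server:` section (outside the hunk) does not already set them, add `use-syslog: no` and `do-daemonize: no` next to this line, with a comment such as `# "" = stderr; needs use-syslog: no and do-daemonize: no`.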
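Review bot: The new `{% if ipv6_enabled and bind6 %}` guard in setup/flavors/compose/docker-compose.yml treats a missing `ipv6_enabled` the same as a disabled one, because Jinja's default undefined value is falsy (unless the environment is configured with `StrictUndefined`). A render context that omits or renames the variable would therefore silently drop every IPv6 port mapping. The reason for the double check is recorded only in the commit message; a template comment above the guard, e.g. `{# the IPv6 address has a default value, so also require ipv6_enabled #}` (wording to be matched to the actual variable), would keep it from being simplified back later. The enclosing `{% for %}` loop and any other IPv6-dependent parts of the template lie outside the hunk; they should presumably use the same condition so the published ports and the network definition cannot disagree.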
@@ -528,25 +528,42 @@ The above will block flagged IPs for a week, you can of course change it to you actionstart = iptables -N f2b-bad-auth iptables -A f2b-bad-auth -j RETURN - iptables -I FORWARD -p tcp -m multiport --dports 1:1024 -j f2b-bad-auth + iptables -I DOCKER-USER -p tcp -m multiport --dports 1:1024 -j f2b-bad-auth - actionstop = iptables -D FORWARD -p tcp -m multiport --dports 1:1024 -j f2b-bad-auth + actionstop = iptables -D DOCKER-USER -p tcp -m multiport --dports 1:1024 -j f2b-bad-auth iptables -F f2b-bad-auth iptables -X f2b-bad-auth - actioncheck = iptables -n -L FORWARD | grep -q 'f2b-bad-auth[ \t]' + actioncheck = iptables -n -L DOCKER-USER | grep -q 'f2b-bad-auth[ \t]' actionban = iptables -I f2b-bad-auth 1 -s -j DROP actionunban = iptables -D f2b-bad-auth -s -j DROP -5. Restart Fail2Ban +Using DOCKER-USER chain ensures that blocked IPs are processed in correct order with Docker. See more in: https://docs.docker.com/network/iptables/ + +5. Configure and restart Fail2Ban service + +Make sure Fail2Ban is started after Docker service by adding partial override which appends this to existing configuration.. + +.. code-block:: bash + + sudo systemctl edit fail2ban + +Add override and save file. + +.. code-block:: bash + + [Unit] + After=docker.service + +Restart service. .. code-block:: bash sudo systemctl restart fail2ban -*Issue reference:* `85`_, `116`_, `171`_, `584`_, `592`_. +*Issue reference:* `85`_, `116`_, `171`_, `584`_, `592`_, `1727`_. Users can't change their password from webmail `````````````````````````````````````````````` @@ -670,7 +687,7 @@ iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -j SNAT --to Date: Fri, 19 Mar 2021 09:59:16 +0100 Subject: [PATCH 4/4] Update faq.rst Some spelling improvements. --- docs/faq.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/faq.rst b/docs/faq.rst index 14dcc4ed..9c4f1d75 100644 --- a/docs/faq.rst +++ b/docs/faq.rst 
@@ -540,24 +540,24 @@ The above will block flagged IPs for a week, you can of course change it to you actionunban = iptables -D f2b-bad-auth -s -j DROP -Using DOCKER-USER chain ensures that blocked IPs are processed in correct order with Docker. See more in: https://docs.docker.com/network/iptables/ +Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/ -5. Configure and restart Fail2Ban service +5. Configure and restart the Fail2Ban service -Make sure Fail2Ban is started after Docker service by adding partial override which appends this to existing configuration.. +Make sure Fail2Ban is started after the Docker service by adding a partial override which appends this to the existing configuration. .. code-block:: bash sudo systemctl edit fail2ban -Add override and save file. +Add the override and save the file. .. code-block:: bash [Unit] After=docker.service -Restart service. +Restart the Fail2Ban service. .. code-block:: bash