Merge branch 'staging' into feat/valkey

Add redis-to-valkey migratior
migrate from redis to valkey
2026-06-13 10:00:22 +00:00 · 2025-10-10 12:40:41 +02:00 · 2025-02-28 15:49:28 +01:00 · 2025-02-28 15:36:19 +01:00
561 changed files with 23210 additions and 28622 deletions
@@ -14,7 +14,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Mark/Close Stale Issues and Pull Requests 🗑️
-        uses: actions/stale@v10.2.0
+        uses: actions/stale@v10.1.0
        with:
          repo-token: ${{ secrets.STALE_ACTION_PAT }}
          days-before-stale: 60
@@ -27,7 +27,7 @@ jobs:
          - "watchdog-mailcow"
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
      - name: Setup Docker
        run: |
          curl -sSL https://get.docker.com/ | CHANNEL=stable sudo sh
@@ -8,11 +8,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0
      - name: Run the Action
-        uses: devops-infra/action-pull-request@v1.0.2
+        uses: devops-infra/action-pull-request@v0.6.1
        with:
          github_token: ${{ secrets.PRTONIGHTLY_ACTION_PAT }}
          title: Automatic PR to nightly from ${{ github.event.repository.updated_at}}
@@ -13,24 +13,24 @@ jobs:
      packages: write
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@v3

      - name: Login to GHCR
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v4
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64
@@ -15,14 +15,14 @@ jobs:
   runs-on: ubuntu-latest
   steps:
    - name: Checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@v5

    - name: Generate postscreen_access.cidr
      run: |
          bash helper-scripts/update_postscreen_whitelist.sh

    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@v8
+      uses: peter-evans/create-pull-request@v7
      with:
        token: ${{ secrets.mailcow_action_Update_postscreen_access_cidr_pat }}
        commit-message: update postscreen_access.cidr
@@ -51,7 +51,6 @@ data/conf/sogo/cron.creds
 data/conf/sogo/custom-fulllogo.svg
 data/conf/sogo/custom-shortlogo.svg
 data/conf/sogo/custom-fulllogo.png
-data/conf/acme/dns-01.conf
 data/gitea/
 data/gogs/
 data/hooks/dovecot/*
@@ -1,11 +1,11 @@
 # Contribution Guidelines
-**_Last modified on 12th November 2025_**
+**_Last modified on 15th August 2024_**

 First of all, thank you for wanting to provide a bugfix or a new feature for the mailcow community, it's because of your help that the project can continue to grow!

 As we want to keep mailcow's development structured we setup these Guidelines which helps you to create your issue/pull request accordingly.

-**PLEASE NOTE, THAT WE WILL CLOSE ISSUES/PULL REQUESTS IF THEY DON'T FULFILL OUR WRITTEN GUIDELINES WRITTEN INSIDE THIS DOCUMENT**. So please check this guidelines before you propose a Issue/Pull Request.
+**PLEASE NOTE, THAT WE MIGHT CLOSE ISSUES/PULL REQUESTS IF THEY DON'T FULLFIL OUR WRITTEN GUIDELINES WRITTEN INSIDE THIS DOCUMENT**. So please check this guidelines before you propose a Issue/Pull Request.

 ## Topics

@@ -27,18 +27,14 @@ However, please note the following regarding pull requests:
 6. Please **ALWAYS** create the actual pull request against the staging branch and **NEVER** directly against the master branch. *If you forget to do this, our moobot will remind you to switch the branch to staging.*
 7. Wait for a merge commit: It may happen that we do not accept your pull request immediately or sometimes not at all for various reasons. Please do not be disappointed if this is the case. We always endeavor to incorporate any meaningful changes from the community into the mailcow project.
 8. If you are planning larger and therefore more complex pull requests, it would be advisable to first announce this in a separate issue and then start implementing it after the idea has been accepted in order to avoid unnecessary frustration and effort!
-9. If your PR requires a Docker image rebuild (changes to Dockerfiles or files in data/Dockerfiles/), update the image tag in docker-compose.yml. Use the base-image versioning (e.g. ghcr.io/mailcow/sogo:5.12.4 → :5.12.5 for version bumps; append a letter for patch fixes, e.g. :5.12.4a). Follow this scheme.

 ---

 ## Issue Reporting
-**_Last modified on 12th November 2025_**
+**_Last modified on 15th August 2024_**

 If you plan to report a issue within mailcow please read and understand the following rules:

-### Security disclosures / Security-related fixes
- Security vulnerabilities and security fixes must always be reported confidentially first to the contact address specified in SECURITY.md before they are integrated, published, or publicly disclosed in issues/PRs. Please wait for a response from the specified contact to ensure coordinated and responsible disclosure.
-
 ### Issue Reporting Guidelines

 1. **ONLY** use the issue tracker for bug reports or improvement requests and NOT for support questions. For support questions you can either contact the [mailcow community on Telegram](https://docs.mailcow.email/#community-support-and-chat) or the mailcow team directly in exchange for a [support fee](https://docs.mailcow.email/#commercial-support).
@@ -38,45 +38,45 @@ get_docker_version(){
 }

 get_compose_type(){
-  if docker compose > /dev/null 2>&1; then
-    if docker compose version --short | grep -e "^[2-9]\." -e "^v[2-9]\." -e "^[1-9][0-9]\." -e "^v[1-9][0-9]\." > /dev/null 2>&1; then
-      COMPOSE_VERSION=native
-      COMPOSE_COMMAND="docker compose"
-      if [[ "$caller" == "update.sh" ]]; then
-        sed -i 's/^DOCKER_COMPOSE_VERSION=.*/DOCKER_COMPOSE_VERSION=native/' "$SCRIPT_DIR/mailcow.conf"
-      fi
-      echo -e "\e[33mFound Docker Compose Plugin (native).\e[0m"
-      echo -e "\e[33mSetting the DOCKER_COMPOSE_VERSION Variable to native\e[0m"
-      sleep 2
-      echo -e "\e[33mNotice: You'll have to update this Compose Version via your Package Manager manually!\e[0m"
-    else
-      echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m"
-      echo -e "\e[31mPlease update/install it manually regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
-      exit 1
+    if docker compose > /dev/null 2>&1; then
+        if docker compose version --short | grep -e "^2." -e "^v2." > /dev/null 2>&1; then
+            COMPOSE_VERSION=native
+            COMPOSE_COMMAND="docker compose"
+            if [[ "$caller" == "update.sh" ]]; then
+                sed -i 's/^DOCKER_COMPOSE_VERSION=.*/DOCKER_COMPOSE_VERSION=native/' "$SCRIPT_DIR/mailcow.conf"
+            fi
+            echo -e "\e[33mFound Docker Compose Plugin (native).\e[0m"
+            echo -e "\e[33mSetting the DOCKER_COMPOSE_VERSION Variable to native\e[0m"
+            sleep 2
+            echo -e "\e[33mNotice: You'll have to update this Compose Version via your Package Manager manually!\e[0m"
+        else
+            echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m"
+            echo -e "\e[31mPlease update/install it manually regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
+            exit 1
+        fi
+    elif docker-compose > /dev/null 2>&1; then
+    if ! [[ $(alias docker-compose 2> /dev/null) ]] ; then
+        if docker-compose version --short | grep "^2." > /dev/null 2>&1; then
+            COMPOSE_VERSION=standalone
+            COMPOSE_COMMAND="docker-compose"
+            if [[ "$caller" == "update.sh" ]]; then
+                sed -i 's/^DOCKER_COMPOSE_VERSION=.*/DOCKER_COMPOSE_VERSION=standalone/' "$SCRIPT_DIR/mailcow.conf"
+            fi
+            echo -e "\e[33mFound Docker Compose Standalone.\e[0m"
+            echo -e "\e[33mSetting the DOCKER_COMPOSE_VERSION Variable to standalone\e[0m"
+            sleep 2
+            echo -e "\e[33mNotice: For an automatic update of docker-compose please use the update_compose.sh scripts located at the helper-scripts folder.\e[0m"
+        else
+            echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m"
+            echo -e "\e[31mPlease update/install manually regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
+            exit 1
+        fi
    fi
-  elif docker-compose > /dev/null 2>&1; then
-  if ! [[ $(alias docker-compose 2> /dev/null) ]] ; then
-    if docker-compose version --short | grep -e "^[2-9]\." -e "^[1-9][0-9]\." > /dev/null 2>&1; then
-      COMPOSE_VERSION=standalone
-      COMPOSE_COMMAND="docker-compose"
-      if [[ "$caller" == "update.sh" ]]; then
-        sed -i 's/^DOCKER_COMPOSE_VERSION=.*/DOCKER_COMPOSE_VERSION=standalone/' "$SCRIPT_DIR/mailcow.conf"
-      fi
-      echo -e "\e[33mFound Docker Compose Standalone.\e[0m"
-      echo -e "\e[33mSetting the DOCKER_COMPOSE_VERSION Variable to standalone\e[0m"
-      sleep 2
-      echo -e "\e[33mNotice: For an automatic update of docker-compose please use the update_compose.sh scripts located at the helper-scripts folder.\e[0m"
    else
-      echo -e "\e[31mCannot find Docker Compose with a Version Higher than 2.X.X.\e[0m"
-      echo -e "\e[31mPlease update/install manually regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
-      exit 1
+        echo -e "\e[31mCannot find Docker Compose.\e[0m"
+        echo -e "\e[31mPlease install it regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
+        exit 1
    fi
-  fi
-  else
-    echo -e "\e[31mCannot find Docker Compose.\e[0m"
-    echo -e "\e[31mPlease install it regarding to this doc site: https://docs.mailcow.email/install/\e[0m"
-    exit 1
-  fi
 }

 detect_bad_asn() {
@@ -57,14 +57,11 @@ adapt_new_options() {
  "DISABLE_NETFILTER_ISOLATION_RULE"
  "HTTP_REDIRECT"
  "ENABLE_IPV6"
-  "ACME_DNS_CHALLENGE"
-  "ACME_DNS_PROVIDER"
-  "ACME_ACCOUNT_EMAIL"
  )

  sed -i --follow-symlinks '$a\' mailcow.conf
  for option in ${CONFIG_ARRAY[@]}; do
-    if grep -q "^#\?${option}=" mailcow.conf; then
+    if grep -q "${option}" mailcow.conf; then
      continue
    fi

@@ -295,20 +292,6 @@ adapt_new_options() {
            echo '# This key is used to encrypt email addresses within SOGo URLs' >> mailcow.conf
            echo "SOGO_URL_ENCRYPTION_KEY=$(LC_ALL=C </dev/urandom tr -dc A-Za-z0-9 2>/dev/null | head -c 16)" >> mailcow.conf
            ;;
-        ACME_DNS_CHALLENGE)
-            echo '# Enable DNS-01 challenge for ACME (acme-mailcow) - y/n' >> mailcow.conf
-            echo '# This requires you to set ACME_DNS_PROVIDER and ACME_ACCOUNT_EMAIL below' >> mailcow.conf
-            echo 'ACME_DNS_CHALLENGE=n' >> mailcow.conf
-            ;;
-        ACME_DNS_PROVIDER)
-            echo '# DNS provider for DNS-01 challenge (e.g. dns_cf, dns_azure, dns_gd, etc.)' >> mailcow.conf
-            echo '# See the dns-01 provider documentation for more information.' >> mailcow.conf
-            echo 'ACME_DNS_PROVIDER=dns_xxx' >> mailcow.conf
-            ;;
-        ACME_ACCOUNT_EMAIL)
-            echo '# Account email for ACME DNS-01 challenge registration' >> mailcow.conf
-            echo 'ACME_ACCOUNT_EMAIL=me@example.com' >> mailcow.conf
-            ;;
        *)
            echo "${option}=" >> mailcow.conf
            ;;
@@ -1,8 +1,4 @@
-ARG AGENT_IMAGE=ghcr.io/mailcow/agent:1.00
-
-FROM ${AGENT_IMAGE} AS mailcow-agent-src
-
-FROM alpine:3.23
+FROM alpine:3.21

 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"

@@ -18,35 +14,14 @@ RUN apk upgrade --no-cache \
  tini \
  tzdata \
  python3 \
-  acme-tiny \
-  git \
-  socat \
-  && git clone --depth 1 https://github.com/acmesh-official/acme.sh.git /opt/acme.sh \
-  && chmod +x /opt/acme.sh/acme.sh \
-  && mkdir -p /var/lib/acme/acme-sh
-
-ENV ACME_SH_BIN=/opt/acme.sh/acme.sh \
-    ACME_SH_HOME=/opt/acme.sh \
-    ACME_SH_CONFIG_HOME=/var/lib/acme/acme-sh
+  acme-tiny

 COPY acme.sh /srv/acme.sh
 COPY functions.sh /srv/functions.sh
 COPY obtain-certificate.sh /srv/obtain-certificate.sh
-COPY obtain-certificate-dns.sh /srv/obtain-certificate-dns.sh
-COPY load-dns-config.sh /srv/load-dns-config.sh
 COPY reload-configurations.sh /srv/reload-configurations.sh
 COPY expand6.sh /srv/expand6.sh

 RUN chmod +x /srv/*.sh

-COPY --from=mailcow-agent-src /out/mailcow-agent /usr/local/bin/mailcow-agent
-COPY --from=mailcow-agent-src /out/mailcow-agent-cli /usr/local/bin/mailcow-agent-cli
-
-ENV MAILCOW_AGENT_SERVICE=acme \
-    MAILCOW_AGENT_MAIN_CMD="/sbin/tini -g -- /srv/acme.sh"
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
-  CMD ["/usr/local/bin/mailcow-agent", "healthcheck"]
-
-ENTRYPOINT ["/usr/local/bin/mailcow-agent"]
-CMD []
+CMD ["/sbin/tini", "-g", "--", "/srv/acme.sh"]
@@ -3,28 +3,17 @@ set -o pipefail
 exec 5>&1

 # Do not attempt to write to slave
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  export REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  export VALKEY_CMDLINE="redis-cli -h ${VALKEY_SLAVEOF_IP} -p ${VALKEY_SLAVEOF_PORT} -a ${VALKEYPASS} --no-auth-warning"
 else
-  export REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
+  export VALKEY_CMDLINE="redis-cli -h valkey-mailcow -p 6379 -a ${VALKEYPASS} --no-auth-warning"
 fi

-until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
-  echo "Waiting for Redis..."
+until [[ $(${VALKEY_CMDLINE} PING) == "PONG" ]]; do
+  echo "Waiting for Valkey..."
  sleep 2
 done

-# Create DNS-01 configuration template if it doesn't exist
-if [[ ! -f /etc/acme/dns-01.conf ]]; then
-  mkdir -p /etc/acme
-  cat > /etc/acme/dns-01.conf <<'EOF'
-# Add here your DNS-01 challenge configuration
-# For more information, visit the acme.sh documentation:
-# https://github.com/acmesh-official/acme.sh/wiki/dnsapi
-EOF
-  echo "Created DNS-01 configuration template at /etc/acme/dns-01.conf"
-fi
-
 source /srv/functions.sh
 # Thanks to https://github.com/cvmiller -> https://github.com/cvmiller/expand6
 source /srv/expand6.sh
@@ -53,21 +42,17 @@ if [[ "${ENABLE_SSL_SNI}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
  ENABLE_SSL_SNI=y
 fi

-if [[ "${ACME_DNS_CHALLENGE}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  ACME_DNS_CHALLENGE=y
-fi
-
 if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
  log_f "SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt..."
  sleep 365d
  exec $(readlink -f "$0")
 fi

-log_f "Waiting for Redis control bus..."
-until redis-cli -h "${REDIS_SLAVEOF_IP:-redis-mailcow}" -p "${REDIS_SLAVEOF_PORT:-6379}" -a "${REDISPASS}" --no-auth-warning ping > /dev/null 2>&1; do
+log_f "Waiting for Docker API..."
+until ping dockerapi -c1 > /dev/null; do
  sleep 1
 done
-log_f "Redis control bus OK"
+log_f "Docker API OK"

 log_f "Waiting for Postfix..."
 until ping postfix -c1 > /dev/null; do
@@ -253,46 +238,14 @@ while true; do
    unset VALIDATED_CONFIG_DOMAINS_SUBDOMAINS
    declare -a VALIDATED_CONFIG_DOMAINS_SUBDOMAINS
    for SUBDOMAIN in "${ADDITIONAL_WC_ARR[@]}"; do
-      FULL_SUBDOMAIN="${SUBDOMAIN}.${SQL_DOMAIN}"
-
-      # Skip if subdomain matches MAILCOW_HOSTNAME
-      if [[ "${FULL_SUBDOMAIN}" == "${MAILCOW_HOSTNAME}" ]]; then
-        continue
-      fi
-      # Skip if subdomain is covered by a wildcard in ADDITIONAL_SAN
-      if is_covered_by_wildcard "${FULL_SUBDOMAIN}"; then
-        log_f "Subdomain '${FULL_SUBDOMAIN}' is covered by wildcard - skipping explicit subdomain"
-        continue
-      fi
-      # Validate and add subdomain
-      if check_domain "${FULL_SUBDOMAIN}"; then
-        VALIDATED_CONFIG_DOMAINS_SUBDOMAINS+=("${FULL_SUBDOMAIN}")
+      if [[  "${SUBDOMAIN}.${SQL_DOMAIN}" != "${MAILCOW_HOSTNAME}" ]]; then
+        if check_domain "${SUBDOMAIN}.${SQL_DOMAIN}"; then
+          VALIDATED_CONFIG_DOMAINS_SUBDOMAINS+=("${SUBDOMAIN}.${SQL_DOMAIN}")
+        fi
      fi
    done
    VALIDATED_CONFIG_DOMAINS+=("${VALIDATED_CONFIG_DOMAINS_SUBDOMAINS[*]}")
  done
-
-  # Fetch alias domains where target domain has MTA-STS enabled
-  if [[ ${AUTODISCOVER_SAN} == "y" ]]; then
-    SQL_ALIAS_DOMAINS=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT ad.alias_domain FROM alias_domain ad INNER JOIN mta_sts m ON ad.target_domain = m.domain WHERE ad.active = 1 AND m.active = 1" -Bs)
-    if [[ $? -eq 0 ]]; then
-      while read alias_domain; do
-        if [[ -z "${alias_domain}" ]]; then
-          # ignore empty lines
-          continue
-        fi
-        # Only add mta-sts subdomain for alias domains
-        if [[ "mta-sts.${alias_domain}" != "${MAILCOW_HOSTNAME}" ]]; then
-          # Skip if mta-sts subdomain is covered by a wildcard
-          if is_covered_by_wildcard "mta-sts.${alias_domain}"; then
-            log_f "Alias domain mta-sts subdomain 'mta-sts.${alias_domain}' is covered by wildcard - skipping"
-          elif check_domain "mta-sts.${alias_domain}"; then
-            VALIDATED_CONFIG_DOMAINS+=("mta-sts.${alias_domain}")
-          fi
-        fi
-      done <<< "${SQL_ALIAS_DOMAINS}"
-    fi
-  fi
  fi

  if check_domain ${MAILCOW_HOSTNAME}; then
@@ -321,31 +274,13 @@ while true; do
  done
  fi

-  # Check if MAILCOW_HOSTNAME is covered by a wildcard in ADDITIONAL_SAN
-  MAILCOW_HOSTNAME_COVERED=0
-  if [[ ! -z ${VALIDATED_MAILCOW_HOSTNAME} ]]; then
-    if is_covered_by_wildcard "${VALIDATED_MAILCOW_HOSTNAME}"; then
-      MAILCOW_PARENT_DOMAIN=$(echo ${VALIDATED_MAILCOW_HOSTNAME} | cut -d. -f2-)
-      log_f "MAILCOW_HOSTNAME '${VALIDATED_MAILCOW_HOSTNAME}' is covered by wildcard '*.${MAILCOW_PARENT_DOMAIN}' - skipping explicit hostname"
-      MAILCOW_HOSTNAME_COVERED=1
-    fi
-  fi
-
  # Unique domains for server certificate
  if [[ ${ENABLE_SSL_SNI} == "y" ]]; then
    # create certificate for server name and fqdn SANs only
-    if [[ ${MAILCOW_HOSTNAME_COVERED} == "1" ]]; then
-      SERVER_SAN_VALIDATED=($(echo ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
-    else
-      SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
-    fi
+    SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
  else
    # create certificate for all domains, including all subdomains from other domains [*]
-    if [[ ${MAILCOW_HOSTNAME_COVERED} == "1" ]]; then
-      SERVER_SAN_VALIDATED=($(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
-    else
-      SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
-    fi
+    SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
  fi
  if [[ ! -z ${SERVER_SAN_VALIDATED[*]} ]]; then
    CERT_NAME=${SERVER_SAN_VALIDATED[0]}
@@ -413,7 +348,7 @@ while true; do
  if [[ -z ${VALIDATED_CERTIFICATES[*]} ]]; then
    log_f "Cannot validate any hostnames, skipping Let's Encrypt for 1 hour."
    log_f "Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently."
-    ${REDIS_CMDLINE} SET ACME_FAIL_TIME "$(date +%s)"
+    ${VALKEY_CMDLINE} SET ACME_FAIL_TIME "$(date +%s)"
    sleep 1h
    exec $(readlink -f "$0")
  fi
@@ -454,7 +389,7 @@ while true; do
      DOVECOT_CERT_SERIAL_NEW="$(echo | openssl s_client -connect dovecot:143 -starttls imap 2>/dev/null | openssl x509 -inform pem -noout -serial | cut -d "=" -f 2)"
      if [[ ${RELOAD_LOOP_C} -gt 3 ]]; then
        log_f "Some services do return old end dates, something went wrong!"
-        ${REDIS_CMDLINE} SET ACME_FAIL_TIME "$(date +%s)"
+        ${VALKEY_CMDLINE} SET ACME_FAIL_TIME "$(date +%s)"
        break;
      fi
    done
@@ -475,7 +410,7 @@ while true; do
      ;;
    *) # non-zero
      log_f "Some errors occurred, retrying in 30 minutes..."
-      ${REDIS_CMDLINE} SET ACME_FAIL_TIME "$(date +%s)"
+      ${VALKEY_CMDLINE} SET ACME_FAIL_TIME "$(date +%s)"
      sleep 30m
      exec $(readlink -f "$0")
      ;;
@@ -5,13 +5,13 @@ log_f() {
    echo -n "$(date) - ${1}"
  elif [[ ${2} == "no_date" ]]; then
    echo "${1}"
-  elif [[ ${2} != "redis_only" ]]; then
+  elif [[ ${2} != "valkey_only" ]]; then
    echo "$(date) - ${1}"
  fi
  if [[ ${3} == "b64" ]]; then
-    ${REDIS_CMDLINE} LPUSH ACME_LOG "{\"time\":\"$(date +%s)\",\"message\":\"base64,$(printf '%s' "${MAILCOW_HOSTNAME} - ${1}")\"}" > /dev/null
+    ${VALKEY_CMDLINE} LPUSH ACME_LOG "{\"time\":\"$(date +%s)\",\"message\":\"base64,$(printf '%s' "${MAILCOW_HOSTNAME} - ${1}")\"}" > /dev/null
  else
-    ${REDIS_CMDLINE} LPUSH ACME_LOG "{\"time\":\"$(date +%s)\",\"message\":\"$(printf '%s' "${MAILCOW_HOSTNAME} - ${1}" | \
+    ${VALKEY_CMDLINE} LPUSH ACME_LOG "{\"time\":\"$(date +%s)\",\"message\":\"$(printf '%s' "${MAILCOW_HOSTNAME} - ${1}" | \
      tr '%&;$"[]{}-\r\n' ' ')\"}" > /dev/null
  fi
 }
@@ -80,11 +80,6 @@ check_domain(){
        return 1
      fi
    fi
-
-    if [[ ${ACME_DNS_CHALLENGE} == "y" ]]; then
-      log_f "ACME_DNS_CHALLENGE=y - skipping IP and HTTP validation for ${DOMAIN}"
-      return 0
-    fi
    # Check if CNAME without v6 enabled target
    if [[ ! -z ${AAAA_DOMAIN} ]] && [[ -z $(echo ${AAAA_DOMAIN} | grep "^\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}$") ]]; then
      AAAA_DOMAIN=
@@ -135,32 +130,3 @@ verify_challenge_path(){
    return 1
  fi
 }
-
-# Check if a domain is covered by a wildcard (*.example.com) in ADDITIONAL_SAN
-# Usage: is_covered_by_wildcard "subdomain.example.com"
-# Returns: 0 if covered, 1 if not covered
-# Note: Only returns 0 (covered) when DNS-01 challenge is enabled,
-#       as wildcards cannot be validated with HTTP-01 challenge
-is_covered_by_wildcard() {
-  local DOMAIN=$1
-
-  # Only skip if DNS challenge is enabled (wildcards require DNS-01)
-  if [[ ${ACME_DNS_CHALLENGE} != "y" ]]; then
-    return 1
-  fi
-
-  # Return early if no ADDITIONAL_SAN is set
-  if [[ -z ${ADDITIONAL_SAN} ]]; then
-    return 1
-  fi
-
-  # Extract parent domain (e.g., mail.example.com -> example.com)
-  local PARENT_DOMAIN=$(echo ${DOMAIN} | cut -d. -f2-)
-
-  # Check if ADDITIONAL_SAN contains a wildcard for this parent domain
-  if [[ "${ADDITIONAL_SAN}" == *"*.${PARENT_DOMAIN}"* ]]; then
-    return 0  # Covered by wildcard
-  fi
-
-  return 1  # Not covered
-}
@@ -1,57 +0,0 @@
-#!/bin/bash
-
-SCRIPT_SOURCE="${BASH_SOURCE[0]:-${0}}"
-if [[ "${SCRIPT_SOURCE}" == "${0}" ]]; then
-  __dns_loader_standalone=1
-else
-  __dns_loader_standalone=0
-fi
-
-CONFIG_PATH="${ACME_DNS_CONFIG_FILE:-/etc/acme/dns-01.conf}"
-
-if [[ ! -f "${CONFIG_PATH}" ]]; then
-  if [[ $__dns_loader_standalone -eq 1 ]]; then
-    exit 0
-  else
-    return 0
-  fi
-fi
-
-source /srv/functions.sh
-
-log_f "Loading DNS-01 configuration from ${CONFIG_PATH}"
-
-LINE_NO=0
-while IFS= read -r line || [[ -n "${line}" ]]; do
-  LINE_NO=$((LINE_NO+1))
-  line="${line%$'\r'}"
-  line_trimmed="$(printf '%s' "${line}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')"
-  [[ -z "${line_trimmed}" ]] && continue
-  [[ "${line_trimmed:0:1}" == "#" ]] && continue
-  if [[ "${line_trimmed}" != *=* ]]; then
-    log_f "Skipping invalid DNS config line ${LINE_NO} (missing key=value)"
-    continue
-  fi
-  KEY="${line_trimmed%%=*}"
-  VALUE="${line_trimmed#*=}"
-  KEY="$(printf '%s' "${KEY}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')"
-  VALUE="$(printf '%s' "${VALUE}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')"
-  if [[ -z "${KEY}" ]]; then
-    log_f "Skipping invalid DNS config line ${LINE_NO} (empty key)"
-    continue
-  fi
-  if [[ "${VALUE}" =~ ^\".*\"$ ]]; then
-    VALUE="${VALUE:1:-1}"
-  elif [[ "${VALUE}" =~ ^\'.*\'$ ]]; then
-    VALUE="${VALUE:1:-1}"
-  fi
-  export "${KEY}"="${VALUE}"
-  log_f "Exported DNS config key ${KEY}"
-
-done < "${CONFIG_PATH}"
-
-if [[ $__dns_loader_standalone -eq 1 ]]; then
-  exit 0
-else
-  return 0
-fi
@@ -1,177 +0,0 @@
-#!/bin/bash
-
-# Return values / exit codes
-# 0 = cert created successfully
-# 1 = cert renewed successfully
-# 2 = cert not due for renewal
-# * = errors
-
-source /srv/functions.sh
-
-CERT_DOMAINS=(${DOMAINS[@]})
-CERT_DOMAIN=${CERT_DOMAINS[0]}
-ACME_BASE=/var/lib/acme
-
-# Load optional DNS provider secrets from /etc/acme/dns-01.conf
-if [[ -f /srv/load-dns-config.sh ]]; then
-  source /srv/load-dns-config.sh
-  if declare -F log_f >/dev/null; then
-    log_f "ACME_DNS_CHALLENGE is enabled, DNS provider secrets loaded"
-  fi
-fi
-
-TYPE=${1}
-PREFIX=""
-# only support rsa certificates for now
-if [[ "${TYPE}" != "rsa" ]]; then
-  log_f "Unknown certificate type '${TYPE}' requested"
-  exit 5
-fi
-
-if [[ -z "${ACME_DNS_PROVIDER}" ]]; then
-  log_f "ACME_DNS_PROVIDER is required when ACME_DNS_CHALLENGE is enabled"
-  exit 6
-fi
-
-DOMAINS_FILE=${ACME_BASE}/${CERT_DOMAIN}/domains
-CERT=${ACME_BASE}/${CERT_DOMAIN}/${PREFIX}cert.pem
-SHARED_KEY=${ACME_BASE}/acme/${PREFIX}key.pem  # must already exist
-KEY=${ACME_BASE}/${CERT_DOMAIN}/${PREFIX}key.pem
-CSR=${ACME_BASE}/${CERT_DOMAIN}/${PREFIX}acme.csr
-
-if [[ -z ${CERT_DOMAINS[*]} ]]; then
-  log_f "Missing CERT_DOMAINS to obtain a certificate"
-  exit 3
-fi
-
-if [[ "${LE_STAGING}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  if [[ ! -z "${DIRECTORY_URL}" ]]; then
-    log_f "Cannot use DIRECTORY_URL with LE_STAGING=y - ignoring DIRECTORY_URL"
-  fi
-  log_f "Using Let's Encrypt staging servers"
-  ACME_SH_SERVER_ARGS=("--staging")
-elif [[ ! -z "${DIRECTORY_URL}" ]]; then
-  log_f "Using custom directory URL ${DIRECTORY_URL}"
-  ACME_SH_SERVER_ARGS=("--server" "${DIRECTORY_URL}")
-else
-  log_f "Using Let's Encrypt production servers"
-  ACME_SH_SERVER_ARGS=("--server" "letsencrypt")
-fi
-
-if [[ -f ${DOMAINS_FILE} && "$(cat ${DOMAINS_FILE})" ==  "${CERT_DOMAINS[*]}" ]]; then
-  if [[ ! -f ${CERT} || ! -f "${KEY}" || -f "${ACME_BASE}/force_renew" ]]; then
-    log_f "Certificate ${CERT} doesn't exist yet or forced renewal - start obtaining"
-  elif ! openssl x509 -checkend 2592000 -noout -in ${CERT} > /dev/null; then
-    log_f "Certificate ${CERT} is due for renewal (< 30 days) - start renewing"
-  else
-    log_f "Certificate ${CERT} validation done, neither changed nor due for renewal."
-    exit 2
-  fi
-else
-  log_f "Certificate ${CERT} missing or changed domains '${CERT_DOMAINS[*]}' - start obtaining"
-fi
-
-# Make backup
-if [[ -f ${CERT} ]]; then
-  DATE=$(date +%Y-%m-%d_%H_%M_%S)
-  BACKUP_DIR=${ACME_BASE}/backups/${CERT_DOMAIN}/${PREFIX}${DATE}
-  log_f "Creating backups in ${BACKUP_DIR} ..."
-  mkdir -p ${BACKUP_DIR}/
-  [[ -f ${DOMAINS_FILE} ]] && cp ${DOMAINS_FILE} ${BACKUP_DIR}/
-  [[ -f ${CERT} ]] && cp ${CERT} ${BACKUP_DIR}/
-  [[ -f ${KEY} ]] && cp ${KEY} ${BACKUP_DIR}/
-  [[ -f ${CSR} ]] && cp ${CSR} ${BACKUP_DIR}/
-fi
-
-mkdir -p ${ACME_BASE}/${CERT_DOMAIN}
-if [[ ! -f ${KEY} ]]; then
-  log_f "Copying shared private key for this certificate..."
-  cp ${SHARED_KEY} ${KEY}
-  chmod 600 ${KEY}
-fi
-
-# Generating CSR to keep layout parity with HTTP challenge flow
-printf "[SAN]\nsubjectAltName=" > /tmp/_SAN
-printf "DNS:%s," "${CERT_DOMAINS[@]}" >> /tmp/_SAN
-sed -i '$s/,$//' /tmp/_SAN
-openssl req -new -sha256 -key ${KEY} -subj "/" -reqexts SAN -config <(cat "$(openssl version -d | sed 's/.*\"\(.*\)\"/\1/g')/openssl.cnf" /tmp/_SAN) > ${CSR}
-
-log_f "Checking resolver..."
-until dig letsencrypt.org +time=3 +tries=1 @unbound > /dev/null; do
-  sleep 2
-done
-log_f "Resolver OK"
-
-ACME_SH_BIN_PATH=${ACME_SH_BIN:-/opt/acme.sh/acme.sh}
-ACME_SH_WORK_HOME=${ACME_SH_CONFIG_HOME:-/var/lib/acme/acme-sh}
-mkdir -p ${ACME_SH_WORK_HOME}
-
-if [[ ! -x ${ACME_SH_BIN_PATH} ]]; then
-  log_f "acme.sh binary not found at ${ACME_SH_BIN_PATH}"
-  exit 7
-fi
-
-if [[ ! -f ${ACME_SH_WORK_HOME}/account.conf ]]; then
-  if [[ -z "${ACME_ACCOUNT_EMAIL}" ]]; then
-    log_f "ACME_ACCOUNT_EMAIL is required to register a new acme.sh account"
-    exit 8
-  fi
-  log_f "Registering acme.sh account for ${ACME_ACCOUNT_EMAIL}"
-  REGISTER_CMD=("${ACME_SH_BIN_PATH}" "--home" "${ACME_SH_WORK_HOME}" "--config-home" "${ACME_SH_WORK_HOME}" "--cert-home" "${ACME_SH_WORK_HOME}" "--register-account" "-m" "${ACME_ACCOUNT_EMAIL}")
-  REGISTER_CMD+=("${ACME_SH_SERVER_ARGS[@]}")
-  REGISTER_RESPONSE=$("${REGISTER_CMD[@]}" 2>&1)
-  if [[ $? -ne 0 ]]; then
-    log_f "Failed to register acme.sh account: ${REGISTER_RESPONSE}"
-    exit 9
-  fi
-fi
-
-TMP_CERT=$(mktemp /tmp/acme-cert.XXXXXX)
-TMP_FULLCHAIN=$(mktemp /tmp/acme-fullchain.XXXXXX)
-
-ACME_CMD=("${ACME_SH_BIN_PATH}" "--home" "${ACME_SH_WORK_HOME}" "--config-home" "${ACME_SH_WORK_HOME}" "--cert-home" "${ACME_SH_WORK_HOME}")
-ACME_CMD+=("${ACME_SH_SERVER_ARGS[@]}")
-ACME_CMD+=("--issue" "--dns" "${ACME_DNS_PROVIDER}" "--key-file" "${KEY}" "--cert-file" "${TMP_CERT}" "--fullchain-file" "${TMP_FULLCHAIN}" "--force")
-for domain in "${CERT_DOMAINS[@]}"; do
-  ACME_CMD+=("-d" "${domain}")
-done
-
-log_f "Using command ${ACME_CMD[*]}"
-if [[ -n "${ACME_DNS_PROVIDER}" ]]; then
-  log_f "DNS provider: ${ACME_DNS_PROVIDER}"
-fi
-if compgen -A variable | grep -Eq "^DNS_|^ACME_"; then
-  LOG_KEYS=$(env | grep -E "^(DNS_|ACME_)" | cut -d= -f1 | tr '\n' ' ')
-  log_f "Available DNS/ACME env keys: ${LOG_KEYS}" redis_only
-fi
-ACME_RESPONSE=$("${ACME_CMD[@]}" 2>&1 | tee /dev/fd/5; exit ${PIPESTATUS[0]})
-SUCCESS="$?"
-ACME_RESPONSE_B64=$(echo "${ACME_RESPONSE}" | openssl enc -e -A -base64)
-log_f "${ACME_RESPONSE_B64}" redis_only b64
-
-case "$SUCCESS" in
-  0)
-    log_f "Deploying certificate ${CERT}..."
-    if verify_hash_match ${TMP_FULLCHAIN} ${KEY}; then
-      RETURN=0
-      if [[ -f ${CERT} ]]; then
-        RETURN=1
-      fi
-      mv -f ${TMP_FULLCHAIN} ${CERT}
-      rm -f ${TMP_CERT}
-      echo -n ${CERT_DOMAINS[*]} > ${DOMAINS_FILE}
-      log_f "Certificate successfully obtained via DNS challenge"
-      exit ${RETURN}
-    else
-      log_f "Certificate was requested, but key and certificate hashes do not match"
-      rm -f ${TMP_CERT} ${TMP_FULLCHAIN}
-      exit 4
-    fi
-    ;;
-  *)
-    log_f "Failed to obtain certificate ${CERT} for domains '${CERT_DOMAINS[*]}' via DNS challenge"
-    redis-cli -h redis -a ${REDISPASS} --no-auth-warning SET ACME_FAIL_TIME "$(date +%s)"
-    rm -f ${TMP_CERT} ${TMP_FULLCHAIN}
-    exit 100${SUCCESS}
-    ;;
-esac
@@ -20,10 +20,6 @@ if [[ "${TYPE}" != "rsa" ]]; then
  log_f "Unknown certificate type '${TYPE}' requested"
  exit 5
 fi
-
-if [[ "${ACME_DNS_CHALLENGE}" == "y" ]]; then
-  exec /srv/obtain-certificate-dns.sh "$@"
-fi
 DOMAINS_FILE=${ACME_BASE}/${CERT_DOMAIN}/domains
 CERT=${ACME_BASE}/${CERT_DOMAIN}/${PREFIX}cert.pem
 SHARED_KEY=${ACME_BASE}/acme/${PREFIX}key.pem  # must already exist
@@ -105,7 +101,7 @@ ACME_RESPONSE=$(acme-tiny ${DIRECTORY_URL} \
  --acme-dir /var/www/acme/ 2>&1 > /tmp/_cert.pem | tee /dev/fd/5; exit ${PIPESTATUS[0]})
 SUCCESS="$?"
 ACME_RESPONSE_B64=$(echo "${ACME_RESPONSE}" | openssl enc -e -A -base64)
-log_f "${ACME_RESPONSE_B64}" redis_only b64
+log_f "${ACME_RESPONSE_B64}" valkey_only b64
 case "$SUCCESS" in
  0) # cert requested
    log_f "Deploying certificate ${CERT}..."
@@ -128,7 +124,7 @@ case "$SUCCESS" in
    ;;
  *) # non-zero is non-fun
    log_f "Failed to obtain certificate ${CERT} for domains '${CERT_DOMAINS[*]}'"
-    redis-cli -h redis -a ${REDISPASS} --no-auth-warning SET ACME_FAIL_TIME "$(date +%s)"
+    redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning SET ACME_FAIL_TIME "$(date +%s)"
    exit 100${SUCCESS}
    ;;
 esac
@@ -1,29 +1,45 @@
 #!/bin/bash
-# Tell every live replica of nginx / dovecot / postfix to reload (or restart
-# on cert-amount change) via the mailcow-agent control bus. Replaces the old
-# dockerapi-based container_id lookup + exec dance.

-reload_service() {
-  local svc="$1"
-  echo "Reloading ${svc} via mailcow-agent..."
-  if ! mailcow-agent-cli send "${svc}" reload >/dev/null; then
-    echo "Could not publish reload to ${svc}, attempting restart..."
-    mailcow-agent-cli send "${svc}" restart >/dev/null || true
-  fi
+# Reading container IDs
+# Wrapping as array to ensure trimmed content when calling $NGINX etc.
+NGINX=($(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"nginx-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
+DOVECOT=($(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"dovecot-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
+POSTFIX=($(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"postfix-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
+
+reload_nginx(){
+  echo "Reloading Nginx..."
+  NGINX_RELOAD_RET=$(curl -X POST --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${NGINX}/exec -d '{"cmd":"reload", "task":"nginx"}' --silent -H 'Content-type: application/json' | jq -r .type)
+  [[ ${NGINX_RELOAD_RET} != 'success' ]] && { echo "Could not reload Nginx, restarting container..."; restart_container ${NGINX} ; }
 }

-restart_service() {
-  local svc="$1"
-  echo "Restarting ${svc} via mailcow-agent..."
-  mailcow-agent-cli send "${svc}" restart >/dev/null || true
+reload_dovecot(){
+  echo "Reloading Dovecot..."
+  DOVECOT_RELOAD_RET=$(curl -X POST --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${DOVECOT}/exec -d '{"cmd":"reload", "task":"dovecot"}' --silent -H 'Content-type: application/json' | jq -r .type)
+  [[ ${DOVECOT_RELOAD_RET} != 'success' ]] && { echo "Could not reload Dovecot, restarting container..."; restart_container ${DOVECOT} ; }
+}
+
+reload_postfix(){
+  echo "Reloading Postfix..."
+  POSTFIX_RELOAD_RET=$(curl -X POST --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${POSTFIX}/exec -d '{"cmd":"reload", "task":"postfix"}' --silent -H 'Content-type: application/json' | jq -r .type)
+  [[ ${POSTFIX_RELOAD_RET} != 'success' ]] && { echo "Could not reload Postfix, restarting container..."; restart_container ${POSTFIX} ; }
+}
+
+restart_container(){
+  for container in $*; do
+    echo "Restarting ${container}..."
+    C_REST_OUT=$(curl -X POST --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${container}/restart --silent | jq -r '.msg')
+    echo "${C_REST_OUT}"
+  done
 }

 if [[ "${CERT_AMOUNT_CHANGED}" == "1" ]]; then
-  restart_service nginx
-  restart_service dovecot
-  restart_service postfix
+  restart_container ${NGINX}
+  restart_container ${DOVECOT}
+  restart_container ${POSTFIX}
 else
-  reload_service nginx
-  restart_service dovecot
-  restart_service postfix
+  reload_nginx
+  #reload_dovecot
+  restart_container ${DOVECOT}
+  #reload_postfix
+  restart_container ${POSTFIX}
 fi
@@ -1,34 +0,0 @@
-# Builder image for mailcow-agent. Each service Dockerfile pulls the static
-# binary from here via:
-#
-#   COPY --from=ghcr.io/mailcow/agent:VERSION /out/mailcow-agent /usr/local/bin/mailcow-agent
-#
-# For local development: build this image first.
-#
-#   docker build -t ghcr.io/mailcow/agent:dev data/Dockerfiles/agent/
-#
-# CI publishes a versioned tag and the service Dockerfiles pin against it via
-# ARG AGENT_IMAGE.
-
-FROM golang:1.22-alpine AS build
-
-ENV CGO_ENABLED=0 \
-    GOOS=linux
-
-WORKDIR /src
-
-COPY go.mod go.sum* ./
-RUN go mod download
-
-COPY . .
-
-RUN mkdir -p /out \
- && go build -trimpath -ldflags="-s -w" \
-    -o /out/mailcow-agent ./cmd/mailcow-agent \
- && cp mailcow-agent-cli /out/mailcow-agent-cli \
- && chmod +x /out/mailcow-agent-cli
-
-# Final stage: tiny image whose only purpose is to be a COPY --from source.
-FROM scratch
-COPY --from=build /out/mailcow-agent /out/mailcow-agent
-COPY --from=build /out/mailcow-agent-cli /out/mailcow-agent-cli
@@ -1,16 +0,0 @@
-# mailcow-agent
-
-Each mailcow service container (postfix, dovecot, …) runs `mailcow-agent` as
-ENTRYPOINT. It supervises the original service main process and exposes its
-control commands over a Redis Pub/Sub bus:
-
- `mailcow.control.<service>` — request channel (Backend → Agent)
- `mailcow.reply.<request_id>` — per-request reply channel
- `mailcow.events.<topic>` — broadcast events
- `mailcow.nodes.<service>` (ZSET) + `mailcow.node.<service>.<node_id>` (HASH) — heartbeat registry
- `mailcow.stats.<service>.<node_id>` (HASH) — per-node cpu/memory stats
-
-Service behaviour is selected via `MAILCOW_AGENT_SERVICE=<service>`. The main
-process command is configured via `MAILCOW_AGENT_MAIN_CMD` (string, executed via
-`sh -c` so existing entrypoints/supervisord commands keep working).
-
@@ -1,278 +0,0 @@
-// Per-container control-bus subscriber. Subscribes to mailcow.control.<service>
-// on Redis, runs handlers from the per-service command table, publishes
-// heartbeats and stats. Optionally supervises a child process.
-package main
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"log"
-	"os"
-	"os/signal"
-	"strings"
-	"sync"
-	"sync/atomic"
-	"syscall"
-	"time"
-
-	"github.com/redis/go-redis/v9"
-
-	"github.com/mailcow/mailcow-dockerized/agent/internal/bus"
-	"github.com/mailcow/mailcow-dockerized/agent/internal/commands"
-	"github.com/mailcow/mailcow-dockerized/agent/internal/proc"
-	"github.com/mailcow/mailcow-dockerized/agent/internal/registry"
-	"github.com/mailcow/mailcow-dockerized/agent/internal/services"
-	"github.com/mailcow/mailcow-dockerized/agent/internal/stats"
-)
-
-const agentVersion = "0.1.0"
-
-// atomicSignal shares the last caught terminal signal between the handler
-// goroutine and main() so it can be forwarded to the supervised child.
-type atomicSignal struct{ v atomic.Int32 }
-
-func (a *atomicSignal) Store(s syscall.Signal) { a.v.Store(int32(s)) }
-func (a *atomicSignal) Load() os.Signal        { return syscall.Signal(a.v.Load()) }
-
-// healthState holds the latest health probe result. Written by the probe loop,
-// read by the heartbeat loop.
-type healthState struct {
-	mu     sync.RWMutex
-	ok     bool
-	detail string
-	at     time.Time
-}
-
-func (h *healthState) Set(ok bool, detail string) {
-	h.mu.Lock()
-	h.ok = ok
-	h.detail = detail
-	h.at = time.Now()
-	h.mu.Unlock()
-}
-
-func (h *healthState) Snapshot() (ok bool, detail string, at time.Time) {
-	h.mu.RLock()
-	defer h.mu.RUnlock()
-	return h.ok, h.detail, h.at
-}
-
-func main() {
-	service := strings.TrimSpace(os.Getenv("MAILCOW_AGENT_SERVICE"))
-	if service == "" {
-		fmt.Fprintf(os.Stderr, "mailcow-agent: MAILCOW_AGENT_SERVICE is required. Known: %v\n", services.Known())
-		os.Exit(2)
-	}
-
-	// `mailcow-agent healthcheck` runs the probe once and exits 0/1
-	if len(os.Args) > 1 && os.Args[1] == "healthcheck" {
-		runHealthcheckOnce(service)
-	}
-
-	nodeID := strings.TrimSpace(os.Getenv("MAILCOW_AGENT_NODE_ID"))
-	if nodeID == "" {
-		h, err := os.Hostname()
-		if err != nil {
-			log.Fatalf("mailcow-agent: hostname: %v", err)
-		}
-		nodeID = h
-	}
-
-	mainCmd := strings.TrimSpace(os.Getenv("MAILCOW_AGENT_MAIN_CMD"))
-	// host-agent has no supervised child; everything else runs one.
-	wantsSupervisor := service != "host" && mainCmd != ""
-
-	rdb, err := newRedis()
-	if err != nil {
-		log.Fatalf("mailcow-agent: redis: %v", err)
-	}
-	defer rdb.Close()
-
-	// Start the supervised process before serving bus requests — restart/stop
-	// handlers assume something is already running.
-	var sup *proc.Supervisor
-	if wantsSupervisor {
-		sup = proc.New(mainCmd)
-		if err := sup.Start(); err != nil {
-			log.Fatalf("mailcow-agent: start main: %v", err)
-		}
-	}
-
-	table, err := services.Build(service, sup)
-	if err != nil {
-		log.Fatalf("mailcow-agent: %v", err)
-	}
-
-	// We handle signals ourselves so we can (a) suppress the Go-runtime stack
-	// dump on SIGQUIT (php-fpm-alpine's STOPSIGNAL) and (b) remember which
-	// signal arrived to forward it to the child on shutdown.
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	sigCh := make(chan os.Signal, 1)
-	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT,
-		syscall.SIGHUP, syscall.SIGUSR1, syscall.SIGUSR2)
-	defer signal.Stop(sigCh)
-
-	stopSig := atomicSignal{}
-	stopSig.Store(syscall.SIGTERM)
-
-	go func() {
-		for sig := range sigCh {
-			switch sig {
-			case syscall.SIGTERM, syscall.SIGINT, syscall.SIGQUIT:
-				stopSig.Store(sig.(syscall.Signal))
-				log.Printf("mailcow-agent: caught %s, beginning graceful shutdown", sig)
-				cancel()
-				return
-			case syscall.SIGHUP, syscall.SIGUSR1, syscall.SIGUSR2:
-				if sup != nil {
-					sup.SignalChild(sig)
-				}
-			}
-		}
-	}()
-
-	// Initial state is "ok" so the service isn't flagged unhealthy before the
-	// first probe has run.
-	health := &healthState{ok: true, detail: "", at: time.Now()}
-	if table.HealthProbe != nil {
-		go runHealthLoop(ctx, table.HealthProbe, health, 10*time.Second)
-	}
-
-	hb := registry.Heartbeat{
-		Service:   service,
-		NodeID:    nodeID,
-		Version:   agentVersion,
-		StartedAt: time.Now(),
-		Image:     os.Getenv("MAILCOW_AGENT_IMAGE"),
-		Health:    health,
-	}
-	go registry.Loop(ctx, rdb, hb, 10*time.Second)
-
-	// cgroup stats for this container. Host metrics come from exec.host-stats.
-	pub := stats.NewPublisher(rdb, service, nodeID)
-	go pub.Run(ctx, 10*time.Second)
-
-	srv := bus.NewServer(rdb, table, nodeID)
-	busErrCh := make(chan error, 1)
-	go func() { busErrCh <- srv.Run(ctx) }()
-
-	log.Printf("mailcow-agent: service=%s node=%s ready (commands=%d)", service, nodeID, len(table.Handlers))
-
-	// Exit only on outside termination or fatal bus error. A crashed/stopped
-	// child should not tear down the container — the operator may want to
-	// issue `start` over the bus afterwards.
-	exitCode := 0
-	select {
-	case <-ctx.Done():
-		log.Println("mailcow-agent: shutdown signal received")
-	case err := <-busErrCh:
-		if err != nil && !errors.Is(err, context.Canceled) {
-			log.Printf("mailcow-agent: bus loop exited: %v", err)
-			exitCode = 1
-		}
-	}
-
-	// Graceful shutdown bounded at 35s.
-	shutCtx, shutCancel := context.WithTimeout(context.Background(), 35*time.Second)
-	defer shutCancel()
-	_ = srv.Shutdown(shutCtx)
-	_ = registry.Deregister(shutCtx, rdb, service, nodeID)
-	if sup != nil {
-		// Forward the exact signal we received so the child sees the same
-		// shutdown semantics it would without us in front (e.g. SIGQUIT →
-		// php-fpm graceful drain).
-		if err := sup.StopWithSignal(shutCtx, stopSig.Load()); err != nil {
-			log.Printf("mailcow-agent: stop main: %v", err)
-		}
-	}
-	os.Exit(exitCode)
-}
-
-// runHealthcheckOnce runs the local probe with a tight deadline and exits 0/1.
-// Used by the `healthcheck` sub-command path.
-func runHealthcheckOnce(service string) {
-	table, err := services.Build(service, nil)
-	if err != nil {
-		fmt.Fprintln(os.Stderr, "mailcow-agent healthcheck:", err)
-		os.Exit(2)
-	}
-	if table.HealthProbe == nil {
-		// Services without a probe are considered healthy.
-		os.Exit(0)
-	}
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	defer cancel()
-	if err := table.HealthProbe(ctx); err != nil {
-		fmt.Fprintln(os.Stderr, "unhealthy:", err)
-		os.Exit(1)
-	}
-	os.Exit(0)
-}
-
-// runHealthLoop ticks the probe and updates state. Same probe path as the
-// healthcheck sub-command.
-func runHealthLoop(ctx context.Context, probe commands.HealthProbe, state *healthState, interval time.Duration) {
-	t := time.NewTicker(interval)
-	defer t.Stop()
-	check := func() {
-		pctx, cancel := context.WithTimeout(ctx, 10*time.Second)
-		defer cancel()
-		if err := probe(pctx); err != nil {
-			state.Set(false, err.Error())
-		} else {
-			state.Set(true, "")
-		}
-	}
-	check()
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-t.C:
-			check()
-		}
-	}
-}
-
-func newRedis() (*redis.Client, error) {
-	addr := os.Getenv("REDIS_SLAVEOF_IP")
-	port := os.Getenv("REDIS_SLAVEOF_PORT")
-	if addr == "" {
-		addr = "redis-mailcow"
-		port = "6379"
-	}
-	if port == "" {
-		port = "6379"
-	}
-	pass := os.Getenv("REDISPASS")
-	cli := redis.NewClient(&redis.Options{
-		Addr:            addr + ":" + port,
-		Password:        pass,
-		DB:              0,
-		MaxRetries:      -1,
-		MinRetryBackoff: 200 * time.Millisecond,
-		MaxRetryBackoff: 5 * time.Second,
-	})
-	// Wait up to 2 minutes for Redis to come up before giving up
-	deadline := time.Now().Add(2 * time.Minute)
-	var lastErr error
-	for attempt := 1; time.Now().Before(deadline); attempt++ {
-		ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
-		err := cli.Ping(ctx).Err()
-		cancel()
-		if err == nil {
-			return cli, nil
-		}
-		lastErr = err
-		wait := time.Duration(attempt) * time.Second
-		if wait > 10*time.Second {
-			wait = 10 * time.Second
-		}
-		log.Printf("mailcow-agent: waiting for redis %s (attempt %d): %v", addr, attempt, err)
-		time.Sleep(wait)
-	}
-	return nil, fmt.Errorf("ping %s after 2m: %w", addr, lastErr)
-}
@@ -1,13 +0,0 @@
-module github.com/mailcow/mailcow-dockerized/agent
-
-go 1.22
-
-require (
-	github.com/oklog/ulid/v2 v2.1.0
-	github.com/redis/go-redis/v9 v9.7.0
-)
-
-require (
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-)
@@ -1,6 +0,0 @@
-github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
-github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
-github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
-github.com/redis/go-redis/v9 v9.7.0 h1:HhLSs+B6O021gwzl+locl0zEDnyNkxMtf/Z3NNBMa9E=
-github.com/redis/go-redis/v9 v9.7.0/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw=
@@ -1,175 +0,0 @@
-// Package bus implements the Redis Pub/Sub control bus: subscribing to the
-// service's control channel, dispatching envelopes to a commands.Table, and
-// publishing responses back to env.ReplyTo.
-package bus
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"sync"
-	"time"
-
-	"github.com/redis/go-redis/v9"
-
-	"github.com/mailcow/mailcow-dockerized/agent/internal/commands"
-	"github.com/mailcow/mailcow-dockerized/agent/internal/envelope"
-)
-
-// ControlChannel assembles the per-service control channel.
-func ControlChannel(service string) string { return "mailcow.control." + service }
-
-// Server subscribes to a control channel and dispatches commands.
-type Server struct {
-	rdb     *redis.Client
-	table   *commands.Table
-	nodeID  string
-	dedupe  *lru
-	stop    chan struct{}
-	stopped sync.Once
-	wg      sync.WaitGroup
-}
-
-// NewServer wires a fresh server. nodeID is stamped into every Response and is
-// what the backend's fan-in aggregator uses to attribute results.
-func NewServer(rdb *redis.Client, table *commands.Table, nodeID string) *Server {
-	return &Server{
-		rdb:    rdb,
-		table:  table,
-		nodeID: nodeID,
-		dedupe: newLRU(1024),
-		stop:   make(chan struct{}),
-	}
-}
-
-// Run blocks, subscribing to ControlChannel(service) and dispatching incoming
-// envelopes concurrently. It returns when ctx is done or Shutdown is called.
-func (s *Server) Run(ctx context.Context) error {
-	channel := ControlChannel(s.table.Service)
-	sub := s.rdb.Subscribe(ctx, channel)
-	defer sub.Close()
-	if _, err := sub.Receive(ctx); err != nil {
-		return fmt.Errorf("bus: subscribe %s: %w", channel, err)
-	}
-	msgs := sub.Channel()
-	for {
-		select {
-		case <-ctx.Done():
-			s.wg.Wait()
-			return ctx.Err()
-		case <-s.stop:
-			s.wg.Wait()
-			return nil
-		case m, ok := <-msgs:
-			if !ok {
-				s.wg.Wait()
-				return errors.New("bus: subscription channel closed")
-			}
-			s.wg.Add(1)
-			go func(payload string) {
-				defer s.wg.Done()
-				s.dispatch(ctx, payload)
-			}(m.Payload)
-		}
-	}
-}
-
-// Shutdown signals Run to stop and waits for in-flight handlers (bounded by
-// ctx).
-func (s *Server) Shutdown(ctx context.Context) error {
-	s.stopped.Do(func() { close(s.stop) })
-	done := make(chan struct{})
-	go func() { s.wg.Wait(); close(done) }()
-	select {
-	case <-done:
-		return nil
-	case <-ctx.Done():
-		return ctx.Err()
-	}
-}
-
-func (s *Server) dispatch(parent context.Context, payload string) {
-	var req envelope.Request
-	if err := json.Unmarshal([]byte(payload), &req); err != nil {
-		// Malformed envelope: no RequestID/ReplyTo we can trust — drop.
-		return
-	}
-	if req.RequestID != "" && !s.dedupe.add(req.RequestID) {
-		// Duplicate (retry of an idempotent command): silently absorb.
-		return
-	}
-	// Per-node targeting: if args.target_node is set and doesn't match us,
-	// drop silently. The intended replica picks it up and replies.
-	if target, ok := req.Args["target_node"].(string); ok && target != "" && target != s.nodeID {
-		return
-	}
-
-	ctx, cancel := handlerContext(parent, req.Deadline)
-	defer cancel()
-
-	start := time.Now()
-	resp := envelope.Response{RequestID: req.RequestID, OK: true, Node: s.nodeID}
-
-	if h := s.table.Lookup(req.Cmd); h == nil {
-		resp.OK = false
-		resp.Error = fmt.Sprintf("no handler for cmd %q", req.Cmd)
-		resp.ErrorCode = envelope.ErrCodeUnsupportedCommand
-	} else {
-		result, err := runWithRecover(ctx, h, req.Args)
-		switch {
-		case err == nil:
-			resp.Result = result
-		case errors.Is(err, commands.ErrNotFound):
-			resp.OK = false
-			resp.Error = err.Error()
-			resp.ErrorCode = envelope.ErrCodeNotFound
-		case errors.Is(err, commands.ErrValidation):
-			resp.OK = false
-			resp.Error = err.Error()
-			resp.ErrorCode = envelope.ErrCodeValidation
-		case errors.Is(err, context.DeadlineExceeded), errors.Is(ctx.Err(), context.DeadlineExceeded):
-			resp.OK = false
-			resp.Error = err.Error()
-			resp.ErrorCode = envelope.ErrCodeTimeout
-		default:
-			resp.OK = false
-			resp.Error = err.Error()
-			resp.ErrorCode = envelope.ErrCodeInternal
-		}
-	}
-	resp.DurationMS = time.Since(start).Milliseconds()
-
-	if req.ReplyTo == "" {
-		return
-	}
-	data, err := json.Marshal(resp)
-	if err != nil {
-		return
-	}
-	// Replies go through a List (RPUSH + EXPIRE), not Pub/Sub. This sidesteps
-	// the "subscribe-before-publish" race and lets the backend fan-in via
-	// BLPOP — important because PhpRedis's subscribe() blocks, so we can't
-	// publish on the same connection after subscribing. Use parent ctx so a
-	// per-handler deadline can't stop us from delivering the timeout response.
-	pipe := s.rdb.Pipeline()
-	pipe.RPush(parent, req.ReplyTo, data)
-	pipe.Expire(parent, req.ReplyTo, 60*time.Second)
-	_, _ = pipe.Exec(parent)
-}
-
-func runWithRecover(ctx context.Context, h commands.Handler, args map[string]any) (out any, err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			err = fmt.Errorf("handler panic: %v", r)
-		}
-	}()
-	return h(ctx, args)
-}
-
-func handlerContext(parent context.Context, deadline time.Time) (context.Context, context.CancelFunc) {
-	if deadline.IsZero() {
-		return context.WithCancel(parent)
-	}
-	return context.WithDeadline(parent, deadline)
-}
@@ -1,38 +0,0 @@
-package bus
-
-import (
-	"container/list"
-	"sync"
-)
-
-// lru is a tiny request-id deduplication cache. The bus treats Pub/Sub
-// retries (same request_id) as no-ops. Not a security boundary — only a
-// best-effort guard against accidental double-execution.
-type lru struct {
-	mu   sync.Mutex
-	cap  int
-	idx  map[string]*list.Element
-	list *list.List
-}
-
-func newLRU(cap int) *lru {
-	return &lru{cap: cap, idx: make(map[string]*list.Element, cap), list: list.New()}
-}
-
-// add returns true if id is new and was inserted; false if it was already
-// known (caller should skip the duplicate).
-func (l *lru) add(id string) bool {
-	l.mu.Lock()
-	defer l.mu.Unlock()
-	if _, ok := l.idx[id]; ok {
-		return false
-	}
-	e := l.list.PushFront(id)
-	l.idx[id] = e
-	for l.list.Len() > l.cap {
-		old := l.list.Back()
-		l.list.Remove(old)
-		delete(l.idx, old.Value.(string))
-	}
-	return true
-}
@@ -1,83 +0,0 @@
-// Package commands defines the per-service handler table. The bus dispatcher
-// looks up handlers by name and wraps the result in an envelope.Response.
-package commands
-
-import (
-	"context"
-	"errors"
-)
-
-// ErrNotFound signals that the target (queue id, mailbox, …) doesn't live on
-// this node. For broadcast operations the aggregator still counts success if
-// any other node returns ok.
-var ErrNotFound = errors.New("not_found")
-
-// ErrValidation indicates a missing or malformed argument.
-var ErrValidation = errors.New("validation")
-
-// Handler executes a single command for a service.
-type Handler func(ctx context.Context, args map[string]any) (any, error)
-
-// HealthProbe returns nil if the supervised service is healthy, error otherwise.
-// Shared between the `healthcheck` sub-command and the agent's heartbeat loop.
-type HealthProbe func(ctx context.Context) error
-
-// Table is the per-service command registry built once at startup.
-type Table struct {
-	Service     string
-	Handlers    map[string]Handler
-	HealthProbe HealthProbe
-}
-
-// New constructs an empty table for a service.
-func New(service string) *Table {
-	return &Table{Service: service, Handlers: make(map[string]Handler)}
-}
-
-// Register adds a handler. Duplicate registration panics — wiring bugs should
-// be loud.
-func (t *Table) Register(cmd string, h Handler) {
-	if _, dup := t.Handlers[cmd]; dup {
-		panic("commands: duplicate handler " + t.Service + "/" + cmd)
-	}
-	t.Handlers[cmd] = h
-}
-
-// Lookup returns the handler for cmd or nil.
-func (t *Table) Lookup(cmd string) Handler {
-	return t.Handlers[cmd]
-}
-
-// ArgString extracts a required string argument.
-func ArgString(args map[string]any, key string) (string, error) {
-	v, ok := args[key]
-	if !ok {
-		return "", errArg(key, "missing")
-	}
-	s, ok := v.(string)
-	if !ok || s == "" {
-		return "", errArg(key, "must be non-empty string")
-	}
-	return s, nil
-}
-
-// ArgStringOpt returns an optional string argument with a default.
-func ArgStringOpt(args map[string]any, key, def string) string {
-	if v, ok := args[key]; ok {
-		if s, ok := v.(string); ok && s != "" {
-			return s
-		}
-	}
-	return def
-}
-
-func errArg(key, reason string) error {
-	return &validationError{key: key, reason: reason}
-}
-
-type validationError struct{ key, reason string }
-
-func (e *validationError) Error() string { return "arg " + e.key + ": " + e.reason }
-func (e *validationError) Is(target error) bool {
-	return target == ErrValidation
-}
@@ -1,60 +0,0 @@
-package commands
-
-import (
-	"bytes"
-	"context"
-	"fmt"
-	"os/exec"
-)
-
-// RunOptions configures a single Run invocation.
-type RunOptions struct {
-	// Stdin, if non-nil, is written to the process stdin.
-	Stdin []byte
-	// CombinedOutputCap limits the captured output (truncated at the end).
-	// 0 means unlimited. The agent uses ~1 MiB for cat-queue, smaller for
-	// status-style commands.
-	OutputCap int
-}
-
-// RunResult is what every shell-style command returns.
-type RunResult struct {
-	Stdout   string `json:"stdout,omitempty"`
-	Stderr   string `json:"stderr,omitempty"`
-	ExitCode int    `json:"exit_code"`
-}
-
-// Run executes argv[0] argv[1:] under ctx (the bus deadline). It does not
-// translate exit codes to errors — callers inspect r.ExitCode themselves so
-// they can map e.g. "queue id not found" exit codes to ErrNotFound.
-func Run(ctx context.Context, opts RunOptions, argv ...string) (*RunResult, error) {
-	if len(argv) == 0 {
-		return nil, fmt.Errorf("commands.Run: empty argv")
-	}
-	cmd := exec.CommandContext(ctx, argv[0], argv[1:]...)
-	var stdout, stderr bytes.Buffer
-	cmd.Stdout = &stdout
-	cmd.Stderr = &stderr
-	if opts.Stdin != nil {
-		cmd.Stdin = bytes.NewReader(opts.Stdin)
-	}
-	err := cmd.Run()
-
-	out := stdout.String()
-	errOut := stderr.String()
-	if opts.OutputCap > 0 {
-		if len(out) > opts.OutputCap {
-			out = out[:opts.OutputCap] + "\n…(truncated)"
-		}
-		if len(errOut) > opts.OutputCap {
-			errOut = errOut[:opts.OutputCap] + "\n…(truncated)"
-		}
-	}
-
-	exit := 0
-	if exitErr, ok := err.(*exec.ExitError); ok {
-		exit = exitErr.ExitCode()
-		err = nil
-	}
-	return &RunResult{Stdout: out, Stderr: errOut, ExitCode: exit}, err
-}
@@ -1,34 +0,0 @@
-// Package envelope defines the wire format for the mailcow-agent control bus.
-package envelope
-
-import "time"
-
-// Request is what the backend publishes on mailcow.control.<service>.
-type Request struct {
-	Cmd       string         `json:"cmd"`
-	RequestID string         `json:"request_id"`
-	Args      map[string]any `json:"args,omitempty"`
-	ReplyTo   string         `json:"reply_to,omitempty"`
-	Deadline  time.Time      `json:"deadline,omitempty"`
-	IssuedBy  string         `json:"issued_by,omitempty"`
-}
-
-// Response is what the agent publishes on the reply_to channel.
-type Response struct {
-	RequestID  string `json:"request_id"`
-	OK         bool   `json:"ok"`
-	Result     any    `json:"result,omitempty"`
-	Error      string `json:"error,omitempty"`
-	ErrorCode  string `json:"error_code,omitempty"`
-	DurationMS int64  `json:"duration_ms"`
-	Node       string `json:"node,omitempty"`
-}
-
-// Error codes returned in Response.ErrorCode. Keep in sync with the V2 schema.
-const (
-	ErrCodeValidation         = "validation"
-	ErrCodeNotFound           = "not_found"
-	ErrCodeTimeout            = "timeout"
-	ErrCodeUnsupportedCommand = "unsupported_command"
-	ErrCodeInternal           = "internal"
-)
@@ -1,253 +0,0 @@
-// Package proc supervises the service's main process — postfix, dovecot,
-// nginx, … — as a child of the agent. It exposes the high-level lifecycle
-// verbs (reload/restart/stop/start) used by the per-service command tables.
-//
-// "reload"  → SIGHUP
-// "restart" → SIGTERM, wait, exec again
-// "stop"    → SIGTERM, leave stopped
-// "start"   → exec again (only if currently stopped)
-package proc
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"os"
-	"os/exec"
-	"sync"
-	"syscall"
-	"time"
-)
-
-// Supervisor wraps a single child process.
-type Supervisor struct {
-	cmdLine    string // shell command (passed to `sh -c …`)
-	stopSignal os.Signal
-	stopGrace  time.Duration
-
-	mu       sync.Mutex
-	cmd      *exec.Cmd
-	stopped  bool
-	exitedCh chan struct{}
-}
-
-// New constructs a Supervisor. cmdLine is executed via `sh -c` so existing
-// docker-entrypoint.sh scripts keep working without quoting headaches.
-func New(cmdLine string) *Supervisor {
-	return &Supervisor{
-		cmdLine:    cmdLine,
-		stopSignal: syscall.SIGTERM,
-		stopGrace:  30 * time.Second,
-	}
-}
-
-// Start launches the child process. Returns an error if it cannot be spawned.
-// The agent's main() also blocks on Wait() to surface exit status.
-func (s *Supervisor) Start() error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if s.cmd != nil && s.cmd.Process != nil && !s.stopped {
-		return errors.New("proc: already running")
-	}
-	// `exec ` prefix tells the shell to replace itself with the command
-	// instead of forking and waiting. Without it, sh stays alive as the
-	// parent of the real service process, signals from us land on the
-	// shell instead of on the service, and SIGHUP for config reloads
-	// silently does nothing. With the prefix the supervised PID *is* the
-	// service after the script's own `exec "$@"` chains through.
-	cmd := exec.Command("/bin/sh", "-c", "exec "+s.cmdLine)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
-	if err := cmd.Start(); err != nil {
-		return fmt.Errorf("proc: start: %w", err)
-	}
-	s.cmd = cmd
-	s.stopped = false
-	s.exitedCh = make(chan struct{})
-	go func() {
-		_ = cmd.Wait()
-		close(s.exitedCh)
-	}()
-	return nil
-}
-
-// Wait blocks until the child exits and returns its exit code.
-func (s *Supervisor) Wait() int {
-	s.mu.Lock()
-	exited := s.exitedCh
-	cmd := s.cmd
-	s.mu.Unlock()
-	if exited == nil {
-		return -1
-	}
-	<-exited
-	if cmd == nil || cmd.ProcessState == nil {
-		return -1
-	}
-	return cmd.ProcessState.ExitCode()
-}
-
-// SignalChild forwards a single signal to the supervised child without
-// changing the supervisor's lifecycle state. Used to relay SIGHUP/USR1/USR2
-// from the agent's signal handler to the service so operators can still
-// `docker compose kill -s HUP postfix-mailcow` and see the expected effect.
-func (s *Supervisor) SignalChild(sig os.Signal) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if s.cmd == nil || s.cmd.Process == nil || s.stopped {
-		return errors.New("proc: not running")
-	}
-	return s.cmd.Process.Signal(sig)
-}
-
-// Reload sends SIGHUP. Returns nil if the signal was delivered.
-func (s *Supervisor) Reload() error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if s.cmd == nil || s.cmd.Process == nil || s.stopped {
-		return errors.New("proc: not running")
-	}
-	return s.cmd.Process.Signal(syscall.SIGHUP)
-}
-
-// Stop sends the configured stop signal and waits for the process to exit
-// (bounded by stopGrace). Marks the supervisor as stopped — Start must be
-// called again to relaunch.
-func (s *Supervisor) Stop(ctx context.Context) error {
-	return s.StopWithSignal(ctx, s.stopSignal)
-}
-
-// StopWithSignal is like Stop but lets the caller override the stop signal.
-// Used by main() to forward whatever signal Docker sent us (SIGTERM for
-// most containers, SIGQUIT for php-fpm-alpine which uses SIGQUIT for
-// graceful shutdown) so the child gets the same signal semantics it would
-// receive without the agent in front of it.
-func (s *Supervisor) StopWithSignal(ctx context.Context, sig os.Signal) error {
-	s.mu.Lock()
-	cmd := s.cmd
-	exited := s.exitedCh
-	if cmd == nil || cmd.Process == nil {
-		s.mu.Unlock()
-		return nil
-	}
-	s.stopped = true
-	s.mu.Unlock()
-
-	sysSig, ok := sig.(syscall.Signal)
-	if !ok {
-		sysSig = syscall.SIGTERM
-	}
-	pgid, err := syscall.Getpgid(cmd.Process.Pid)
-	if err == nil {
-		_ = syscall.Kill(-pgid, sysSig)
-	} else {
-		_ = cmd.Process.Signal(sysSig)
-	}
-
-	timer := time.NewTimer(s.stopGrace)
-	defer timer.Stop()
-	select {
-	case <-exited:
-		return nil
-	case <-timer.C:
-		// Last resort: SIGKILL the whole process group.
-		if pgid, err := syscall.Getpgid(cmd.Process.Pid); err == nil {
-			_ = syscall.Kill(-pgid, syscall.SIGKILL)
-		} else {
-			_ = cmd.Process.Kill()
-		}
-		<-exited
-		return errors.New("proc: forced kill after grace period")
-	case <-ctx.Done():
-		return ctx.Err()
-	}
-}
-
-// Restart performs Stop+Start using the supervisor's default stop signal.
-// Different from a Docker-initiated shutdown: here it's an explicit "restart
-// this service" command, so we want the standard SIGTERM semantics.
-func (s *Supervisor) Restart(ctx context.Context) error {
-	if err := s.Stop(ctx); err != nil {
-		return err
-	}
-	return s.Start()
-}
-
-// IsRunning reports whether the supervised child is currently alive (started
-// and not yet exited or stopped).
-func (s *Supervisor) IsRunning() bool {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if s.stopped || s.cmd == nil || s.cmd.Process == nil {
-		return false
-	}
-	// exitedCh is closed when the child exits. Non-blocking read.
-	select {
-	case <-s.exitedCh:
-		return false
-	default:
-		return true
-	}
-}
-
-// WaitStable blocks for `settle` and returns nil if the supervised child is
-// still running at the end, otherwise an error describing the exit. Used by
-// the `restart` command to give the operator real "did it come back up"
-// feedback instead of an immediate OK.
-func (s *Supervisor) WaitStable(ctx context.Context, settle time.Duration) error {
-	s.mu.Lock()
-	exited := s.exitedCh
-	s.mu.Unlock()
-	if exited == nil {
-		return errors.New("proc: not running")
-	}
-	select {
-	case <-exited:
-		// Child died within the settle window.
-		s.mu.Lock()
-		cmd := s.cmd
-		s.mu.Unlock()
-		code := -1
-		if cmd != nil && cmd.ProcessState != nil {
-			code = cmd.ProcessState.ExitCode()
-		}
-		return fmt.Errorf("proc: child exited within settle window (code=%d)", code)
-	case <-time.After(settle):
-		return nil
-	case <-ctx.Done():
-		return ctx.Err()
-	}
-}
-
-// Forward installs a signal forwarder: SIGINT/SIGTERM/SIGHUP/SIGUSR1/SIGUSR2
-// received by the agent are propagated to the child. Returns a cancel func
-// to release the handler.
-func (s *Supervisor) Forward(signals ...os.Signal) func() {
-	ch := make(chan os.Signal, len(signals)+1)
-	signalNotify(ch, signals...)
-	done := make(chan struct{})
-	go func() {
-		for {
-			select {
-			case <-done:
-				return
-			case sig := <-ch:
-				s.mu.Lock()
-				cmd := s.cmd
-				s.mu.Unlock()
-				if cmd != nil && cmd.Process != nil {
-					_ = cmd.Process.Signal(sig)
-				}
-				if sig == syscall.SIGTERM || sig == syscall.SIGINT {
-					// On terminal signals propagate and let main exit.
-					return
-				}
-			}
-		}
-	}()
-	return func() {
-		close(done)
-		signalStop(ch)
-	}
-}
@@ -1,14 +0,0 @@
-package proc
-
-import (
-	"os"
-	"os/signal"
-)
-
-// Indirection so tests can stub these out if ever needed.
-var (
-	signalNotify = signal.Notify
-	signalStop   = signal.Stop
-)
-
-var _ = os.Stdout // anchor import for go vet
@@ -1,97 +0,0 @@
-// Package registry publishes per-node heartbeats to Redis so the backend can
-// enumerate live containers. Two keys per service:
-//
-//	ZSET  mailcow.nodes.<service>          score=unix_ts member=node_id
-//	HASH  mailcow.node.<service>.<node_id> { version, started_at, image, health* }
-//
-// Both keys have a 30s TTL refreshed every 10s. Deregister clears them on
-// graceful shutdown.
-package registry
-
-import (
-	"context"
-	"fmt"
-	"strconv"
-	"time"
-
-	"github.com/redis/go-redis/v9"
-)
-
-// HealthSnapshotter returns the latest health probe result so the heartbeat
-// can attach it to each tick. Implemented by main.healthState.
-type HealthSnapshotter interface {
-	Snapshot() (ok bool, detail string, at time.Time)
-}
-
-// Heartbeat carries the metadata published with every refresh.
-type Heartbeat struct {
-	Service   string
-	NodeID    string
-	Version   string
-	StartedAt time.Time
-	Image     string
-	Health    HealthSnapshotter // optional; nil → omit health fields
-}
-
-func nodesKey(service string) string      { return "mailcow.nodes." + service }
-func nodeKey(service, node string) string { return "mailcow.node." + service + "." + node }
-
-// Publish writes one heartbeat tick. Callers run this in a loop.
-func Publish(ctx context.Context, rdb *redis.Client, h Heartbeat) error {
-	now := time.Now().Unix()
-	fields := map[string]any{
-		"version":    h.Version,
-		"started_at": h.StartedAt.UTC().Format(time.RFC3339),
-		"image":      h.Image,
-		"node_id":    h.NodeID,
-		"service":    h.Service,
-		"updated_at": strconv.FormatInt(now, 10),
-	}
-	if h.Health != nil {
-		ok, detail, at := h.Health.Snapshot()
-		if ok {
-			fields["health"] = "ok"
-		} else {
-			fields["health"] = "fail"
-		}
-		fields["health_detail"] = detail
-		fields["health_at"] = strconv.FormatInt(at.Unix(), 10)
-	}
-	pipe := rdb.Pipeline()
-	pipe.ZAdd(ctx, nodesKey(h.Service), redis.Z{Score: float64(now), Member: h.NodeID})
-	pipe.Expire(ctx, nodesKey(h.Service), 5*time.Minute)
-	pipe.HSet(ctx, nodeKey(h.Service, h.NodeID), fields)
-	pipe.Expire(ctx, nodeKey(h.Service, h.NodeID), 30*time.Second)
-	_, err := pipe.Exec(ctx)
-	if err != nil {
-		return fmt.Errorf("registry: heartbeat exec: %w", err)
-	}
-	return nil
-}
-
-// Deregister removes the node from the ZSET and deletes its detail hash.
-// Called on graceful shutdown so the dashboard reflects intentional stops
-// immediately rather than waiting for TTL.
-func Deregister(ctx context.Context, rdb *redis.Client, service, nodeID string) error {
-	pipe := rdb.Pipeline()
-	pipe.ZRem(ctx, nodesKey(service), nodeID)
-	pipe.Del(ctx, nodeKey(service, nodeID))
-	_, err := pipe.Exec(ctx)
-	return err
-}
-
-// Loop runs Publish on a ticker until ctx is done. It is the typical caller.
-func Loop(ctx context.Context, rdb *redis.Client, h Heartbeat, interval time.Duration) {
-	// Publish once immediately so the dashboard sees us right away.
-	_ = Publish(ctx, rdb, h)
-	t := time.NewTicker(interval)
-	defer t.Stop()
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-t.C:
-			_ = Publish(ctx, rdb, h)
-		}
-	}
-}
@@ -1,9 +0,0 @@
-package services
-
-import "time"
-
-// nowStamp returns a sortable timestamp used to suffix moved/garbage maildirs
-// so repeated cleanups don't collide.
-func nowStamp() string {
-	return time.Now().UTC().Format("20060102T150405Z")
-}
@@ -1,294 +0,0 @@
-package services
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"os"
-	"path/filepath"
-	"strings"
-	"syscall"
-	"time"
-
-	"github.com/mailcow/mailcow-dockerized/agent/internal/commands"
-	"github.com/mailcow/mailcow-dockerized/agent/internal/proc"
-)
-
-func init() { Register("dovecot", buildDovecot) }
-
-const vmailRoot = "/var/vmail"
-
-func dovecotHealthProbe(ctx context.Context) error {
-	// IMAP greeting on :143 — must be "* OK ..."
-	conn, err := net.DialTimeout("tcp", "127.0.0.1:143", 3*time.Second)
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-	buf := make([]byte, 64)
-	_ = conn.SetReadDeadline(time.Now().Add(3 * time.Second))
-	n, err := conn.Read(buf)
-	if err != nil {
-		return fmt.Errorf("read greeting: %w", err)
-	}
-	greeting := string(buf[:n])
-	if !strings.HasPrefix(greeting, "* OK") {
-		return fmt.Errorf("unexpected greeting: %s", strings.TrimSpace(greeting))
-	}
-	return nil
-}
-
-func buildDovecot(sup *proc.Supervisor) *commands.Table {
-	t := commands.New("dovecot")
-	t.HealthProbe = dovecotHealthProbe
-
-	// `dovecot reload` re-reads config without restarting the master process.
-	t.Register("reload", func(ctx context.Context, _ map[string]any) (any, error) {
-		r, err := commands.Run(ctx, commands.RunOptions{}, "dovecot", "reload")
-		return nil, asError(r, err)
-	})
-	addLifecycleExceptReload(t, sup)
-
-	t.Register("exec.fts-rescan", func(ctx context.Context, args map[string]any) (any, error) {
-		user := commands.ArgStringOpt(args, "user", "")
-		argv := []string{"doveadm", "fts", "rescan"}
-		if user != "" {
-			argv = append(argv, "-u", user)
-		} else {
-			argv = append(argv, "-A")
-		}
-		r, err := commands.Run(ctx, commands.RunOptions{}, argv...)
-		return nil, asError(r, err)
-	})
-
-	t.Register("exec.sieve-list", func(ctx context.Context, args map[string]any) (any, error) {
-		user, err := commands.ArgString(args, "user")
-		if err != nil {
-			return nil, err
-		}
-		r, err := commands.Run(ctx, commands.RunOptions{}, "doveadm", "sieve", "list", "-u", user)
-		if err != nil {
-			return nil, err
-		}
-		if r.ExitCode != 0 {
-			return nil, &runError{msg: strings.TrimSpace(r.Stderr)}
-		}
-		scripts := splitNonEmpty(r.Stdout)
-		return map[string]any{"scripts": scripts}, nil
-	})
-
-	t.Register("exec.sieve-print", func(ctx context.Context, args map[string]any) (any, error) {
-		user, err := commands.ArgString(args, "user")
-		if err != nil {
-			return nil, err
-		}
-		script, err := commands.ArgString(args, "script")
-		if err != nil {
-			return nil, err
-		}
-		r, err := commands.Run(ctx, commands.RunOptions{OutputCap: 1 << 20}, "doveadm", "sieve", "get", "-u", user, script)
-		if err != nil {
-			return nil, err
-		}
-		if r.ExitCode != 0 {
-			return nil, &runError{msg: strings.TrimSpace(r.Stderr)}
-		}
-		return map[string]any{"body": r.Stdout}, nil
-	})
-
-	t.Register("exec.acl-get", func(ctx context.Context, args map[string]any) (any, error) {
-		user, err := commands.ArgString(args, "user")
-		if err != nil {
-			return nil, err
-		}
-		// First enumerate mailboxes, then collect ACLs per mailbox.
-		boxes, err := commands.Run(ctx, commands.RunOptions{}, "doveadm", "mailbox", "list", "-u", user)
-		if err != nil {
-			return nil, err
-		}
-		if boxes.ExitCode != 0 {
-			return nil, &runError{msg: strings.TrimSpace(boxes.Stderr)}
-		}
-		out := []map[string]any{}
-		for _, mbx := range splitNonEmpty(boxes.Stdout) {
-			r, err := commands.Run(ctx, commands.RunOptions{}, "doveadm", "acl", "get", "-u", user, mbx)
-			if err != nil || r.ExitCode != 0 {
-				continue
-			}
-			for _, line := range strings.Split(strings.TrimSpace(r.Stdout), "\n") {
-				line = strings.TrimSpace(line)
-				if line == "" || strings.HasPrefix(line, "ID") {
-					continue
-				}
-				fields := strings.Fields(line)
-				if len(fields) >= 2 {
-					out = append(out, map[string]any{
-						"mailbox":    mbx,
-						"identifier": fields[0],
-						"rights":     strings.Join(fields[1:], " "),
-					})
-				}
-			}
-		}
-		return map[string]any{"acls": out}, nil
-	})
-
-	t.Register("exec.acl-set", func(ctx context.Context, args map[string]any) (any, error) {
-		user, err := commands.ArgString(args, "user")
-		if err != nil {
-			return nil, err
-		}
-		mailbox, err := commands.ArgString(args, "mailbox")
-		if err != nil {
-			return nil, err
-		}
-		identifier, err := commands.ArgString(args, "identifier")
-		if err != nil {
-			return nil, err
-		}
-		rights, err := commands.ArgString(args, "rights")
-		if err != nil {
-			return nil, err
-		}
-		r, err := commands.Run(ctx, commands.RunOptions{}, "doveadm", "acl", "set", "-u", user, mailbox, identifier, rights)
-		return nil, asError(r, err)
-	})
-
-	t.Register("exec.acl-delete", func(ctx context.Context, args map[string]any) (any, error) {
-		user, err := commands.ArgString(args, "user")
-		if err != nil {
-			return nil, err
-		}
-		mailbox, err := commands.ArgString(args, "mailbox")
-		if err != nil {
-			return nil, err
-		}
-		identifier, err := commands.ArgString(args, "identifier")
-		if err != nil {
-			return nil, err
-		}
-		r, err := commands.Run(ctx, commands.RunOptions{}, "doveadm", "acl", "delete", "-u", user, mailbox, identifier)
-		return nil, asError(r, err)
-	})
-
-	t.Register("exec.maildir-cleanup", func(ctx context.Context, args map[string]any) (any, error) {
-		maildir, err := commands.ArgString(args, "maildir")
-		if err != nil {
-			return nil, err
-		}
-		if err := assertSafeMaildirPath(maildir); err != nil {
-			return nil, err
-		}
-		src := filepath.Join(vmailRoot, maildir)
-		dst := filepath.Join(vmailRoot, "_garbage", maildir+"_"+nowStamp())
-		if _, err := os.Stat(src); os.IsNotExist(err) {
-			return nil, commands.ErrNotFound
-		}
-		if err := os.MkdirAll(filepath.Dir(dst), 0o770); err != nil {
-			return nil, err
-		}
-		return nil, os.Rename(src, dst)
-	})
-
-	t.Register("exec.df", func(ctx context.Context, args map[string]any) (any, error) {
-		dir := commands.ArgStringOpt(args, "dir", "/var/vmail")
-		var st syscall.Statfs_t
-		if err := syscall.Statfs(dir, &st); err != nil {
-			return nil, err
-		}
-		size := uint64(st.Blocks) * uint64(st.Bsize)
-		free := uint64(st.Bavail) * uint64(st.Bsize)
-		used := size - free
-		pct := 0
-		if size > 0 {
-			pct = int(float64(used) / float64(size) * 100)
-		}
-		// Format: Filesystem,Size,Used,Avail,Use%,Mounted-on
-		return fmt.Sprintf("%s,%s,%s,%s,%d%%,%s",
-			"local", humanBytes(size), humanBytes(used), humanBytes(free), pct, dir), nil
-	})
-
-	t.Register("exec.maildir-move", func(ctx context.Context, args map[string]any) (any, error) {
-		from, err := commands.ArgString(args, "from")
-		if err != nil {
-			return nil, err
-		}
-		to, err := commands.ArgString(args, "to")
-		if err != nil {
-			return nil, err
-		}
-		if err := assertSafeMaildirPath(from); err != nil {
-			return nil, err
-		}
-		if err := assertSafeMaildirPath(to); err != nil {
-			return nil, err
-		}
-		src := filepath.Join(vmailRoot, from)
-		dst := filepath.Join(vmailRoot, to)
-		if _, err := os.Stat(src); os.IsNotExist(err) {
-			return nil, commands.ErrNotFound
-		}
-		if err := os.MkdirAll(filepath.Dir(dst), 0o770); err != nil {
-			return nil, err
-		}
-		return nil, os.Rename(src, dst)
-	})
-
-	return t
-}
-
-// addLifecycleExceptReload wires restart/stop/start without overriding reload,
-// which postfix/dovecot define themselves (canonical CLI command).
-func addLifecycleExceptReload(t *commands.Table, sup *proc.Supervisor) {
-	if sup == nil {
-		return
-	}
-	t.Register("restart", func(ctx context.Context, _ map[string]any) (any, error) {
-		return nil, sup.Restart(ctx)
-	})
-	t.Register("stop", func(ctx context.Context, _ map[string]any) (any, error) {
-		return nil, sup.Stop(ctx)
-	})
-	t.Register("start", func(ctx context.Context, _ map[string]any) (any, error) {
-		return nil, sup.Start()
-	})
-}
-
-func splitNonEmpty(s string) []string {
-	out := []string{}
-	for _, line := range strings.Split(strings.TrimSpace(s), "\n") {
-		line = strings.TrimSpace(line)
-		if line != "" {
-			out = append(out, line)
-		}
-	}
-	return out
-}
-
-// assertSafeMaildirPath blocks path traversal and absolute paths — relative
-// names under /var/vmail only.
-func assertSafeMaildirPath(p string) error {
-	if p == "" || strings.HasPrefix(p, "/") || strings.Contains(p, "..") {
-		return &validationErr{msg: "unsafe maildir path"}
-	}
-	return nil
-}
-
-type validationErr struct{ msg string }
-
-func (e *validationErr) Error() string        { return e.msg }
-func (e *validationErr) Is(target error) bool { return target == commands.ErrValidation }
-
-// humanBytes renders a byte count in `df -H` style (1000-based units).
-func humanBytes(n uint64) string {
-	const unit = 1000
-	if n < unit {
-		return fmt.Sprintf("%dB", n)
-	}
-	div, exp := uint64(unit), 0
-	for x := n / unit; x >= unit; x /= unit {
-		div *= unit
-		exp++
-	}
-	return fmt.Sprintf("%.1f%c", float64(n)/float64(div), "KMGTPE"[exp])
-}
@@ -1,37 +0,0 @@
-package services
-
-import (
-	"context"
-	"time"
-
-	"github.com/mailcow/mailcow-dockerized/agent/internal/commands"
-	"github.com/mailcow/mailcow-dockerized/agent/internal/proc"
-)
-
-// Services without any exec.* commands of their own — lifecycle only.
-func init() {
-	Register("clamd", genericBuilder("clamd", tcpProbe("127.0.0.1:3310", 2*time.Second)))
-	Register("olefy", genericBuilder("olefy", tcpProbe("127.0.0.1:10055", 2*time.Second)))
-	Register("postfix-tlspol", genericBuilder("postfix-tlspol", tcpProbe("127.0.0.1:8642", 2*time.Second)))
-	Register("php-fpm", genericBuilder("php-fpm", tcpProbe("127.0.0.1:9001", 2*time.Second)))
-	Register("acme", genericBuilder("acme", nil))
-	Register("watchdog", genericBuilder("watchdog", nil))
-	Register("netfilter", genericBuilder("netfilter", nil))
-	Register("ofelia", genericBuilder("ofelia", nil))
-	Register("dovecot-fts", genericBuilder("dovecot-fts", nil))
-}
-
-func genericBuilder(name string, probe commands.HealthProbe) Builder {
-	return func(sup *proc.Supervisor) *commands.Table {
-		t := commands.New(name)
-		t.HealthProbe = probe
-		addLifecycle(t, sup)
-		return t
-	}
-}
-
-func tcpProbe(addr string, timeout time.Duration) commands.HealthProbe {
-	return func(ctx context.Context) error {
-		return probeTCP(addr, timeout)
-	}
-}
@@ -1,79 +0,0 @@
-package services
-
-import (
-	"strings"
-
-	"github.com/mailcow/mailcow-dockerized/agent/internal/commands"
-)
-
-// runError is what we return when a shell command exited non-zero but the
-// failure is not a "target not found" case. The bus maps it to
-// ErrCodeInternal.
-type runError struct{ msg string }
-
-func (e *runError) Error() string { return e.msg }
-
-// asError converts a (RunResult, err) pair from commands.Run into a single
-// error: pre-exec error → return as-is; non-zero exit → wrap stderr.
-func asError(r *commands.RunResult, err error) error {
-	if err != nil {
-		return err
-	}
-	if r.ExitCode != 0 {
-		msg := strings.TrimSpace(r.Stderr)
-		if msg == "" {
-			msg = "command exited " + itoa(r.ExitCode)
-		}
-		return &runError{msg: msg}
-	}
-	return nil
-}
-
-// asNotFoundOrError is the variant for queue/mailbox operations that may fail
-// because the target doesn't live on this node. Maps known stderr fragments
-// to commands.ErrNotFound so broadcast aggregation works.
-func asNotFoundOrError(r *commands.RunResult, err error) error {
-	if err != nil {
-		return err
-	}
-	if r.ExitCode == 0 {
-		return nil
-	}
-	if matchesAny(r.Stderr, notFoundFragments) {
-		return commands.ErrNotFound
-	}
-	return &runError{msg: strings.TrimSpace(r.Stderr)}
-}
-
-func matchesAny(haystack string, fragments []string) bool {
-	for _, f := range fragments {
-		if strings.Contains(haystack, f) {
-			return true
-		}
-	}
-	return false
-}
-
-func itoa(i int) string {
-	// avoid strconv import for a one-shot; small ints only
-	if i == 0 {
-		return "0"
-	}
-	neg := false
-	if i < 0 {
-		neg = true
-		i = -i
-	}
-	var b [20]byte
-	n := len(b)
-	for i > 0 {
-		n--
-		b[n] = byte('0' + i%10)
-		i /= 10
-	}
-	if neg {
-		n--
-		b[n] = '-'
-	}
-	return string(b[n:])
-}
@@ -1,236 +0,0 @@
-package services
-
-import (
-	"bufio"
-	"context"
-	"fmt"
-	"os"
-	"strconv"
-	"strings"
-	"syscall"
-	"time"
-
-	"github.com/mailcow/mailcow-dockerized/agent/internal/commands"
-	"github.com/mailcow/mailcow-dockerized/agent/internal/proc"
-)
-
-func init() { Register("host", buildHost) }
-
-// hostProcRoot is where the host-agent container mounts /proc. If we're not
-// running as host-agent, falling back to /proc still produces sensible numbers
-// (the container's own view) so dashboards don't blank out in unit tests.
-var hostProcRoot = "/host/proc"
-
-func resolveProc(p string) string {
-	if _, err := os.Stat(hostProcRoot); err == nil {
-		return hostProcRoot + p
-	}
-	return "/proc" + p
-}
-
-func buildHost(_ *proc.Supervisor) *commands.Table {
-	t := commands.New("host")
-	// No lifecycle — the host-agent container has no main process to manage.
-
-	t.Register("exec.df", func(ctx context.Context, args map[string]any) (any, error) {
-		path := commands.ArgStringOpt(args, "path", "/")
-		var stat syscall.Statfs_t
-		if err := syscall.Statfs(path, &stat); err != nil {
-			return nil, fmt.Errorf("statfs %s: %w", path, err)
-		}
-		size := int64(stat.Blocks) * int64(stat.Bsize)
-		free := int64(stat.Bavail) * int64(stat.Bsize)
-		used := size - free
-		return map[string]any{
-			"path":      path,
-			"size":      size,
-			"used":      used,
-			"available": free,
-		}, nil
-	})
-
-	t.Register("exec.host-stats", func(ctx context.Context, _ map[string]any) (any, error) {
-		return readHostStats()
-	})
-
-	return t
-}
-
-func readHostStats() (map[string]any, error) {
-	out := map[string]any{
-		"system_time":  time.Now().Format("2006-01-02 15:04:05"),
-		"architecture": readArchitecture(),
-	}
-
-	if uptime, err := readUptime(); err == nil {
-		out["uptime"] = int64(uptime)
-	} else {
-		out["uptime"] = int64(0)
-	}
-
-	cores := readCPUCores()
-	cpuUsage, _ := sampleHostCPU(500 * time.Millisecond)
-	out["cpu"] = map[string]any{
-		"cores": cores,
-		"usage": cpuUsage,
-	}
-
-	memTotal, memUsage := readMemoryTotalAndUsagePct()
-	out["memory"] = map[string]any{
-		"total": memTotal, // bytes
-		"usage": memUsage, // percent 0..100
-	}
-
-	return out, nil
-}
-
-// readArchitecture returns the host's machine architecture (e.g. "x86_64",
-// "aarch64"). Falls back to a single dash if syscall.Uname fails.
-func readArchitecture() string {
-	var u syscall.Utsname
-	if err := syscall.Uname(&u); err != nil {
-		return "-"
-	}
-	return charsToString(u.Machine[:])
-}
-
-func charsToString(b []int8) string {
-	out := make([]byte, 0, len(b))
-	for _, c := range b {
-		if c == 0 {
-			break
-		}
-		out = append(out, byte(c))
-	}
-	return string(out)
-}
-
-// readCPUCores counts `^processor` lines in /proc/cpuinfo. On a container
-// with /host/proc bind-mounted this gives the host's logical CPU count,
-// not the container's cgroup limits.
-func readCPUCores() int {
-	f, err := os.Open(resolveProc("/cpuinfo"))
-	if err != nil {
-		return 0
-	}
-	defer f.Close()
-	n := 0
-	sc := bufio.NewScanner(f)
-	for sc.Scan() {
-		if strings.HasPrefix(sc.Text(), "processor") {
-			n++
-		}
-	}
-	return n
-}
-
-// readMemoryTotalAndUsagePct reads /proc/meminfo and returns (total_bytes,
-// usage_pct_0_100). "Usage" is computed as (Total - Available)/Total which
-// matches what tools like `free` show as "used".
-func readMemoryTotalAndUsagePct() (int64, int) {
-	f, err := os.Open(resolveProc("/meminfo"))
-	if err != nil {
-		return 0, 0
-	}
-	defer f.Close()
-
-	var total, available int64
-	sc := bufio.NewScanner(f)
-	for sc.Scan() {
-		fields := strings.Fields(sc.Text())
-		if len(fields) < 2 {
-			continue
-		}
-		switch fields[0] {
-		case "MemTotal:":
-			total = parseInt64(fields[1]) * 1024
-		case "MemAvailable:":
-			available = parseInt64(fields[1]) * 1024
-		}
-	}
-	if total <= 0 {
-		return 0, 0
-	}
-	used := total - available
-	if available <= 0 {
-		used = total
-	}
-	pct := int(float64(used) / float64(total) * 100.0)
-	if pct < 0 {
-		pct = 0
-	}
-	if pct > 100 {
-		pct = 100
-	}
-	return total, pct
-}
-
-func readUptime() (float64, error) {
-	b, err := os.ReadFile(resolveProc("/uptime"))
-	if err != nil {
-		return 0, err
-	}
-	fields := strings.Fields(string(b))
-	if len(fields) < 1 {
-		return 0, fmt.Errorf("malformed uptime")
-	}
-	return strconv.ParseFloat(fields[0], 64)
-}
-
-// sampleHostCPU returns CPU utilization (0..100) sampled over `window`.
-func sampleHostCPU(window time.Duration) (float64, error) {
-	a, err := readCPULine()
-	if err != nil {
-		return 0, err
-	}
-	time.Sleep(window)
-	b, err := readCPULine()
-	if err != nil {
-		return 0, err
-	}
-	totalA, totalB := sum(a), sum(b)
-	idleA, idleB := a[3], b[3]
-	dTotal, dIdle := totalB-totalA, idleB-idleA
-	if dTotal == 0 {
-		return 0, nil
-	}
-	return 100.0 * float64(dTotal-dIdle) / float64(dTotal), nil
-}
-
-func readCPULine() ([]int64, error) {
-	f, err := os.Open(resolveProc("/stat"))
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-	sc := bufio.NewScanner(f)
-	if !sc.Scan() {
-		return nil, fmt.Errorf("empty /proc/stat")
-	}
-	fields := strings.Fields(sc.Text())
-	if len(fields) < 5 || fields[0] != "cpu" {
-		return nil, fmt.Errorf("unexpected /proc/stat first line")
-	}
-	out := make([]int64, 0, len(fields)-1)
-	for _, f := range fields[1:] {
-		n, err := strconv.ParseInt(f, 10, 64)
-		if err != nil {
-			return nil, err
-		}
-		out = append(out, n)
-	}
-	return out, nil
-}
-
-func sum(xs []int64) int64 {
-	var s int64
-	for _, x := range xs {
-		s += x
-	}
-	return s
-}
-
-func parseInt64(s string) int64 {
-	n, _ := strconv.ParseInt(s, 10, 64)
-	return n
-}
@@ -1,39 +0,0 @@
-package services
-
-import (
-	"context"
-	"time"
-
-	"github.com/mailcow/mailcow-dockerized/agent/internal/commands"
-	"github.com/mailcow/mailcow-dockerized/agent/internal/proc"
-)
-
-func init() { Register("nginx", buildNginx) }
-
-func nginxHealthProbe(ctx context.Context) error {
-	if err := probeShell(ctx, 3*time.Second, "nginx", "-t"); err != nil {
-		return err
-	}
-	return probeTCP("127.0.0.1:8081", 2*time.Second)
-}
-
-func buildNginx(sup *proc.Supervisor) *commands.Table {
-	t := commands.New("nginx")
-	t.HealthProbe = nginxHealthProbe
-	t.Register("reload", func(ctx context.Context, _ map[string]any) (any, error) {
-		r, err := commands.Run(ctx, commands.RunOptions{}, "nginx", "-s", "reload")
-		return nil, asError(r, err)
-	})
-	addLifecycleExceptReload(t, sup)
-	t.Register("exec.test-config", func(ctx context.Context, _ map[string]any) (any, error) {
-		r, err := commands.Run(ctx, commands.RunOptions{}, "nginx", "-t")
-		if err != nil {
-			return nil, err
-		}
-		return map[string]any{
-			"ok":     r.ExitCode == 0,
-			"output": r.Stderr + r.Stdout,
-		}, nil
-	})
-	return t
-}
@@ -1,142 +0,0 @@
-package services
-
-import (
-	"context"
-	"encoding/json"
-	"strings"
-	"time"
-
-	"github.com/mailcow/mailcow-dockerized/agent/internal/commands"
-	"github.com/mailcow/mailcow-dockerized/agent/internal/proc"
-)
-
-func init() { Register("postfix", buildPostfix) }
-
-// notFoundFragments are substrings emitted by postsuper/postqueue when the
-// requested queue id doesn't live on this node. Broadcast handlers map them
-// to commands.ErrNotFound so the backend can count partial success.
-var notFoundFragments = []string{
-	"No such file or directory",
-	"no such file",
-	"unknown",
-}
-
-func postfixHealthProbe(ctx context.Context) error {
-	if err := probeSMTPGreeting("127.0.0.1:25", 3*time.Second); err != nil {
-		return err
-	}
-	return probeShell(ctx, 5*time.Second, "postfix", "status")
-}
-
-func buildPostfix(sup *proc.Supervisor) *commands.Table {
-	t := commands.New("postfix")
-	t.HealthProbe = postfixHealthProbe
-
-	// Override generic reload — `postfix reload` is the canonical operation,
-	// not SIGHUP-to-supervisord (which would just rotate logs).
-	t.Register("reload", func(ctx context.Context, _ map[string]any) (any, error) {
-		r, err := commands.Run(ctx, commands.RunOptions{}, "postfix", "reload")
-		return nil, asError(r, err)
-	})
-	// Lifecycle: stop/start/restart still go through the supervisor.
-	if sup != nil {
-		t.Register("restart", func(ctx context.Context, _ map[string]any) (any, error) {
-			return nil, sup.Restart(ctx)
-		})
-		t.Register("stop", func(ctx context.Context, _ map[string]any) (any, error) {
-			return nil, sup.Stop(ctx)
-		})
-		t.Register("start", func(ctx context.Context, _ map[string]any) (any, error) {
-			return nil, sup.Start()
-		})
-	}
-
-	t.Register("exec.mailq", func(ctx context.Context, _ map[string]any) (any, error) {
-		r, err := commands.Run(ctx, commands.RunOptions{OutputCap: 8 << 20}, "postqueue", "-j")
-		if err != nil {
-			return nil, err
-		}
-		if r.ExitCode != 0 {
-			return nil, &runError{msg: "postqueue failed: " + r.Stderr}
-		}
-		// postqueue -j prints one JSON object per line.
-		entries := make([]map[string]any, 0)
-		for _, line := range strings.Split(strings.TrimSpace(r.Stdout), "\n") {
-			line = strings.TrimSpace(line)
-			if line == "" {
-				continue
-			}
-			var obj map[string]any
-			if err := json.Unmarshal([]byte(line), &obj); err == nil {
-				entries = append(entries, obj)
-			}
-		}
-		return map[string]any{"queue": entries}, nil
-	})
-
-	t.Register("exec.flush-queue", func(ctx context.Context, _ map[string]any) (any, error) {
-		r, err := commands.Run(ctx, commands.RunOptions{}, "postqueue", "-f")
-		return nil, asError(r, err)
-	})
-
-	t.Register("exec.delete-from-queue", func(ctx context.Context, args map[string]any) (any, error) {
-		qid, err := commands.ArgString(args, "queue_id")
-		if err != nil {
-			return nil, err
-		}
-		r, err := commands.Run(ctx, commands.RunOptions{}, "postsuper", "-d", qid)
-		return nil, asNotFoundOrError(r, err)
-	})
-
-	t.Register("exec.hold-queue", func(ctx context.Context, args map[string]any) (any, error) {
-		qid, err := commands.ArgString(args, "queue_id")
-		if err != nil {
-			return nil, err
-		}
-		r, err := commands.Run(ctx, commands.RunOptions{}, "postsuper", "-h", qid)
-		return nil, asNotFoundOrError(r, err)
-	})
-
-	t.Register("exec.unhold-queue", func(ctx context.Context, args map[string]any) (any, error) {
-		qid, err := commands.ArgString(args, "queue_id")
-		if err != nil {
-			return nil, err
-		}
-		r, err := commands.Run(ctx, commands.RunOptions{}, "postsuper", "-H", qid)
-		return nil, asNotFoundOrError(r, err)
-	})
-
-	t.Register("exec.deliver-now", func(ctx context.Context, args map[string]any) (any, error) {
-		qid, err := commands.ArgString(args, "queue_id")
-		if err != nil {
-			return nil, err
-		}
-		r, err := commands.Run(ctx, commands.RunOptions{}, "postqueue", "-i", qid)
-		return nil, asNotFoundOrError(r, err)
-	})
-
-	t.Register("exec.cat-queue", func(ctx context.Context, args map[string]any) (any, error) {
-		qid, err := commands.ArgString(args, "queue_id")
-		if err != nil {
-			return nil, err
-		}
-		r, err := commands.Run(ctx, commands.RunOptions{OutputCap: 2 << 20}, "postcat", "-q", qid)
-		if err != nil {
-			return nil, err
-		}
-		if r.ExitCode != 0 {
-			if matchesAny(r.Stderr, notFoundFragments) {
-				return nil, commands.ErrNotFound
-			}
-			return nil, &runError{msg: "postcat failed: " + r.Stderr}
-		}
-		return map[string]any{"body": r.Stdout}, nil
-	})
-
-	t.Register("exec.super-delete", func(ctx context.Context, _ map[string]any) (any, error) {
-		r, err := commands.Run(ctx, commands.RunOptions{}, "postsuper", "-d", "ALL")
-		return nil, asError(r, err)
-	})
-
-	return t
-}
@@ -1,81 +0,0 @@
-package services
-
-import (
-	"bufio"
-	"context"
-	"errors"
-	"fmt"
-	"net"
-	"net/http"
-	"strings"
-	"time"
-
-	"github.com/mailcow/mailcow-dockerized/agent/internal/commands"
-)
-
-// probeTCP opens a TCP connection to addr within timeout. Returns nil if the
-// port accepts a connection, otherwise the dial error.
-func probeTCP(addr string, timeout time.Duration) error {
-	conn, err := net.DialTimeout("tcp", addr, timeout)
-	if err != nil {
-		return err
-	}
-	_ = conn.Close()
-	return nil
-}
-
-// probeSMTPGreeting connects to addr and reads the SMTP greeting line. The
-// service is considered healthy if the line starts with "220".
-func probeSMTPGreeting(addr string, timeout time.Duration) error {
-	conn, err := net.DialTimeout("tcp", addr, timeout)
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-	_ = conn.SetReadDeadline(time.Now().Add(timeout))
-	line, err := bufio.NewReader(conn).ReadString('\n')
-	if err != nil {
-		return fmt.Errorf("read greeting: %w", err)
-	}
-	if !strings.HasPrefix(line, "220") {
-		return fmt.Errorf("unexpected greeting: %s", strings.TrimSpace(line))
-	}
-	return nil
-}
-
-// probeHTTP issues a GET to url, checks for a 2xx status.
-func probeHTTP(ctx context.Context, url string, timeout time.Duration) error {
-	cctx, cancel := context.WithTimeout(ctx, timeout)
-	defer cancel()
-	req, err := http.NewRequestWithContext(cctx, http.MethodGet, url, nil)
-	if err != nil {
-		return err
-	}
-	resp, err := http.DefaultClient.Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-		return fmt.Errorf("http %s", resp.Status)
-	}
-	return nil
-}
-
-// probeShell runs argv with a timeout and returns nil if exit code is 0.
-func probeShell(ctx context.Context, timeout time.Duration, argv ...string) error {
-	cctx, cancel := context.WithTimeout(ctx, timeout)
-	defer cancel()
-	r, err := commands.Run(cctx, commands.RunOptions{}, argv...)
-	if err != nil {
-		return err
-	}
-	if r.ExitCode != 0 {
-		msg := strings.TrimSpace(r.Stderr)
-		if msg == "" {
-			msg = fmt.Sprintf("exit %d", r.ExitCode)
-		}
-		return errors.New(msg)
-	}
-	return nil
-}
@@ -1,86 +0,0 @@
-package services
-
-import (
-	"context"
-	"os"
-	"path/filepath"
-	"strings"
-	"time"
-
-	"github.com/mailcow/mailcow-dockerized/agent/internal/commands"
-	"github.com/mailcow/mailcow-dockerized/agent/internal/proc"
-)
-
-func init() { Register("rspamd", buildRspamd) }
-
-func rspamdHealthProbe(ctx context.Context) error {
-	return probeHTTP(ctx, "http://127.0.0.1:11334/ping", 3*time.Second)
-}
-
-// Override file rspamd reads on startup for the controller's enable_password.
-const rspamdWorkerPasswordPath = "/etc/rspamd/override.d/worker-controller-password.inc"
-
-func buildRspamd(sup *proc.Supervisor) *commands.Table {
-	t := commands.New("rspamd")
-	t.HealthProbe = rspamdHealthProbe
-	addLifecycle(t, sup)
-
-	t.Register("exec.set-worker-password", func(ctx context.Context, args map[string]any) (any, error) {
-		password, err := commands.ArgString(args, "password")
-		if err != nil {
-			return nil, err
-		}
-		// rspamadm pw -e -p <pw> writes the hashed value to stdout.
-		r, err := commands.Run(ctx, commands.RunOptions{}, "rspamadm", "pw", "-e", "-p", password)
-		if err != nil {
-			return nil, err
-		}
-		if r.ExitCode != 0 {
-			return nil, &runError{msg: "rspamadm pw failed: " + strings.TrimSpace(r.Stderr)}
-		}
-		hash := strings.TrimSpace(r.Stdout)
-		// rspamd distinguishes `password` (read-only access to the controller)
-		// from `enable_password` (write access — restart, settings, learn).
-		content := "enable_password = \"" + hash + "\";\n"
-		if err := os.MkdirAll(filepath.Dir(rspamdWorkerPasswordPath), 0o755); err != nil {
-			return nil, err
-		}
-		if err := os.WriteFile(rspamdWorkerPasswordPath, []byte(content), 0o644); err != nil {
-			return nil, err
-		}
-		// Must do a full re-fork of workers (SIGHUP to rspamd master), not
-		// `rspamadm control reload`
-		if sup != nil {
-			return nil, sup.Reload()
-		}
-		return nil, nil
-	})
-
-	t.Register("exec.relearn-spam", func(ctx context.Context, args map[string]any) (any, error) {
-		path, err := commands.ArgString(args, "file")
-		if err != nil {
-			return nil, err
-		}
-		data, err := os.ReadFile(path)
-		if err != nil {
-			return nil, err
-		}
-		r, err := commands.Run(ctx, commands.RunOptions{Stdin: data}, "rspamc", "learn_spam")
-		return nil, asError(r, err)
-	})
-
-	t.Register("exec.relearn-ham", func(ctx context.Context, args map[string]any) (any, error) {
-		path, err := commands.ArgString(args, "file")
-		if err != nil {
-			return nil, err
-		}
-		data, err := os.ReadFile(path)
-		if err != nil {
-			return nil, err
-		}
-		r, err := commands.Run(ctx, commands.RunOptions{Stdin: data}, "rspamc", "learn_ham")
-		return nil, asError(r, err)
-	})
-
-	return t
-}
@@ -1,87 +0,0 @@
-// Package services registers per-service command tables. The agent selects
-// the right table at startup via MAILCOW_AGENT_SERVICE.
-//
-// A service "builder" receives a Supervisor for lifecycle commands; services
-// that don't supervise a main process (currently just "host") pass nil and
-// the generic lifecycle commands are skipped.
-package services
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	"github.com/mailcow/mailcow-dockerized/agent/internal/commands"
-	"github.com/mailcow/mailcow-dockerized/agent/internal/proc"
-)
-
-// Builder constructs a command table for a service. sup may be nil for
-// services without a supervised main process.
-type Builder func(sup *proc.Supervisor) *commands.Table
-
-var registry = map[string]Builder{}
-
-// Register installs a builder for a service name. Called from init() in each
-// per-service file.
-func Register(service string, b Builder) {
-	if _, dup := registry[service]; dup {
-		panic("services: duplicate registration for " + service)
-	}
-	registry[service] = b
-}
-
-// Build returns the table for service, or an error if no builder exists.
-func Build(service string, sup *proc.Supervisor) (*commands.Table, error) {
-	b, ok := registry[service]
-	if !ok {
-		return nil, fmt.Errorf("services: unknown service %q (set MAILCOW_AGENT_SERVICE correctly)", service)
-	}
-	return b(sup), nil
-}
-
-// Known returns the list of registered service names (sorted-ish, depends on
-// map iteration — for help output only).
-func Known() []string {
-	out := make([]string, 0, len(registry))
-	for k := range registry {
-		out = append(out, k)
-	}
-	return out
-}
-
-// restartSettle is how long we wait after a Start to verify the new child
-// didn't immediately crash. Gives the operator real "did the service come
-// back up?" feedback instead of an instant OK that hides flapping services.
-const restartSettle = 3 * time.Second
-
-// addLifecycle wires reload/restart/stop/start onto t backed by sup. Services
-// override these (e.g. postfix overrides reload to run `postfix reload`).
-func addLifecycle(t *commands.Table, sup *proc.Supervisor) {
-	if sup == nil {
-		return
-	}
-	t.Register("reload", func(ctx context.Context, _ map[string]any) (any, error) {
-		return nil, sup.Reload()
-	})
-	t.Register("restart", func(ctx context.Context, _ map[string]any) (any, error) {
-		if err := sup.Restart(ctx); err != nil {
-			return nil, err
-		}
-		if err := sup.WaitStable(ctx, restartSettle); err != nil {
-			return nil, err
-		}
-		return map[string]any{"status": "restarted", "settled_ms": int(restartSettle / time.Millisecond)}, nil
-	})
-	t.Register("stop", func(ctx context.Context, _ map[string]any) (any, error) {
-		return nil, sup.Stop(ctx)
-	})
-	t.Register("start", func(ctx context.Context, _ map[string]any) (any, error) {
-		if err := sup.Start(); err != nil {
-			return nil, err
-		}
-		if err := sup.WaitStable(ctx, restartSettle); err != nil {
-			return nil, err
-		}
-		return map[string]any{"status": "started", "settled_ms": int(restartSettle / time.Millisecond)}, nil
-	})
-}
@@ -1,36 +0,0 @@
-package services
-
-import (
-	"context"
-	"time"
-
-	"github.com/mailcow/mailcow-dockerized/agent/internal/commands"
-	"github.com/mailcow/mailcow-dockerized/agent/internal/proc"
-)
-
-func init() { Register("sogo", buildSogo) }
-
-func sogoHealthProbe(ctx context.Context) error {
-	return probeHTTP(ctx, "http://127.0.0.1:20000/SOGo.index/", 3*time.Second)
-}
-
-func buildSogo(sup *proc.Supervisor) *commands.Table {
-	t := commands.New("sogo")
-	t.HealthProbe = sogoHealthProbe
-	addLifecycle(t, sup)
-
-	t.Register("exec.rename-user", func(ctx context.Context, args map[string]any) (any, error) {
-		oldName, err := commands.ArgString(args, "old")
-		if err != nil {
-			return nil, err
-		}
-		newName, err := commands.ArgString(args, "new")
-		if err != nil {
-			return nil, err
-		}
-		r, err := commands.Run(ctx, commands.RunOptions{}, "sogo-tool", "rename-user", oldName, newName)
-		return nil, asError(r, err)
-	})
-
-	return t
-}
@@ -1,26 +0,0 @@
-package services
-
-import (
-	"context"
-	"time"
-
-	"github.com/mailcow/mailcow-dockerized/agent/internal/commands"
-	"github.com/mailcow/mailcow-dockerized/agent/internal/proc"
-)
-
-func init() { Register("unbound", buildUnbound) }
-
-func unboundHealthProbe(ctx context.Context) error {
-	return probeShell(ctx, 3*time.Second, "dig", "+time=2", "+tries=1", "@127.0.0.1", "mailcow.email", "A")
-}
-
-func buildUnbound(sup *proc.Supervisor) *commands.Table {
-	t := commands.New("unbound")
-	t.HealthProbe = unboundHealthProbe
-	addLifecycle(t, sup)
-	t.Register("exec.flush-cache", func(ctx context.Context, _ map[string]any) (any, error) {
-		r, err := commands.Run(ctx, commands.RunOptions{}, "unbound-control", "flush_zone", ".")
-		return nil, asError(r, err)
-	})
-	return t
-}
@@ -1,155 +0,0 @@
-// Package stats reads cgroup CPU + memory usage and publishes them to
-//
-//	HASH  mailcow.stats.<service>.<node_id>
-//
-// with a 30s TTL. Supports both cgroup v1 and v2. The numbers are intentionally
-// approximate — they replace what dockerapi exposed via /containers/<id>/stats.
-package stats
-
-import (
-	"context"
-	"os"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/redis/go-redis/v9"
-)
-
-// Sample is one observation. CPUPercent is the share of one host CPU consumed
-// since the previous sample (range 0..100*numCPU).
-type Sample struct {
-	CPUPercent  float64
-	MemoryBytes int64
-	MemoryLimit int64
-	Timestamp   time.Time
-}
-
-func statsKey(service, node string) string { return "mailcow.stats." + service + "." + node }
-
-// Publisher reads cgroup metrics and pushes them to Redis on a ticker.
-type Publisher struct {
-	rdb     *redis.Client
-	service string
-	node    string
-
-	// previous CPU sample to derive a delta-based percent
-	prevCPUNanos int64
-	prevAt       time.Time
-}
-
-// NewPublisher constructs a publisher. Caller drives it via Run.
-func NewPublisher(rdb *redis.Client, service, node string) *Publisher {
-	return &Publisher{rdb: rdb, service: service, node: node}
-}
-
-// Run blocks on a ticker until ctx is done.
-func (p *Publisher) Run(ctx context.Context, interval time.Duration) {
-	t := time.NewTicker(interval)
-	defer t.Stop()
-	// Prime the CPU sample so the first publish has a real delta.
-	if cpu, ok := readCPUNanos(); ok {
-		p.prevCPUNanos = cpu
-		p.prevAt = time.Now()
-	}
-	// Immediate first publish so the dashboard never sees a node without a
-	// stats hash. CPU is 0 in this first sample (no prev delta yet); memory
-	// is already accurate.
-	_ = p.publish(ctx, p.sample())
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-t.C:
-			_ = p.publish(ctx, p.sample())
-		}
-	}
-}
-
-func (p *Publisher) sample() Sample {
-	s := Sample{Timestamp: time.Now()}
-	if cpu, ok := readCPUNanos(); ok {
-		if !p.prevAt.IsZero() {
-			dCPU := cpu - p.prevCPUNanos
-			dT := s.Timestamp.Sub(p.prevAt).Nanoseconds()
-			if dT > 0 && dCPU >= 0 {
-				s.CPUPercent = (float64(dCPU) / float64(dT)) * 100.0
-			}
-		}
-		p.prevCPUNanos = cpu
-		p.prevAt = s.Timestamp
-	}
-	if mem, limit, ok := readMemory(); ok {
-		s.MemoryBytes = mem
-		s.MemoryLimit = limit
-	}
-	return s
-}
-
-func (p *Publisher) publish(ctx context.Context, s Sample) error {
-	pipe := p.rdb.Pipeline()
-	pipe.HSet(ctx, statsKey(p.service, p.node), map[string]any{
-		"cpu_percent":  strconv.FormatFloat(s.CPUPercent, 'f', 2, 64),
-		"memory_bytes": s.MemoryBytes,
-		"memory_limit": s.MemoryLimit,
-		"timestamp":    s.Timestamp.Unix(),
-		"node_id":      p.node,
-		"service":      p.service,
-	})
-	pipe.Expire(ctx, statsKey(p.service, p.node), 30*time.Second)
-	_, err := pipe.Exec(ctx)
-	return err
-}
-
-// --- cgroup readers --------------------------------------------------------
-
-// readCPUNanos returns total CPU-nanoseconds consumed by the current cgroup,
-// summed across all CPUs. Works for both cgroup v2 (cpu.stat) and v1
-// (cpuacct.usage).
-func readCPUNanos() (int64, bool) {
-	if data, err := os.ReadFile("/sys/fs/cgroup/cpu.stat"); err == nil {
-		// v2: lines like "usage_usec 12345"
-		for _, line := range strings.Split(string(data), "\n") {
-			if strings.HasPrefix(line, "usage_usec ") {
-				n, err := strconv.ParseInt(strings.TrimPrefix(line, "usage_usec "), 10, 64)
-				if err == nil {
-					return n * 1000, true // µs → ns
-				}
-			}
-		}
-	}
-	if data, err := os.ReadFile("/sys/fs/cgroup/cpuacct/cpuacct.usage"); err == nil {
-		n, err := strconv.ParseInt(strings.TrimSpace(string(data)), 10, 64)
-		if err == nil {
-			return n, true
-		}
-	}
-	return 0, false
-}
-
-// readMemory returns current usage and limit in bytes.
-func readMemory() (int64, int64, bool) {
-	// v2
-	if cur, err := readInt("/sys/fs/cgroup/memory.current"); err == nil {
-		limit, _ := readInt("/sys/fs/cgroup/memory.max")
-		return cur, limit, true
-	}
-	// v1
-	if cur, err := readInt("/sys/fs/cgroup/memory/memory.usage_in_bytes"); err == nil {
-		limit, _ := readInt("/sys/fs/cgroup/memory/memory.limit_in_bytes")
-		return cur, limit, true
-	}
-	return 0, 0, false
-}
-
-func readInt(path string) (int64, error) {
-	b, err := os.ReadFile(path)
-	if err != nil {
-		return 0, err
-	}
-	s := strings.TrimSpace(string(b))
-	if s == "max" {
-		return -1, nil
-	}
-	return strconv.ParseInt(s, 10, 64)
-}
@@ -1,58 +0,0 @@
-#!/bin/sh
-# mailcow-agent-cli — publish a control-bus command from inside a service
-# container, optionally collecting one reply. Same wire protocol as the Go
-# agent (see internal/envelope/envelope.go).
-#
-# Usage:
-#   mailcow-agent-cli send <service> <cmd> [json-args]
-#       Fire-and-forget. Prints the number of subscribers reached.
-#   mailcow-agent-cli call <service> <cmd> [json-args] [timeout-seconds]
-#       Publish + wait for one reply on its private reply list. Prints the
-#       reply envelope JSON on stdout.
-#
-# Requires the `redis-cli` binary to be present in the calling container.
-
-set -e
-
-op="${1:-}"
-svc="${2:-}"
-cmd="${3:-}"
-args="${4:-{\}}"
-tmo="${5:-10}"
-
-if [ -z "$op" ] || [ -z "$svc" ] || [ -z "$cmd" ]; then
-  echo "usage: $0 send|call <service> <cmd> [json-args] [timeout-seconds]" >&2
-  exit 2
-fi
-
-redis_host="${REDIS_SLAVEOF_IP:-redis-mailcow}"
-redis_port="${REDIS_SLAVEOF_PORT:-6379}"
-
-rcli() {
-  if [ -n "${REDISPASS:-}" ]; then
-    redis-cli -h "$redis_host" -p "$redis_port" -a "$REDISPASS" --no-auth-warning "$@"
-  else
-    redis-cli -h "$redis_host" -p "$redis_port" "$@"
-  fi
-}
-
-rid="$(date +%s%N)$$"
-issued_by="$(hostname 2>/dev/null || echo unknown)"
-
-case "$op" in
-  send)
-    payload="{\"cmd\":\"${cmd}\",\"request_id\":\"${rid}\",\"args\":${args},\"issued_by\":\"${issued_by}\"}"
-    rcli PUBLISH "mailcow.control.${svc}" "$payload"
-    ;;
-  call)
-    reply="mailcow.reply.${rid}"
-    payload="{\"cmd\":\"${cmd}\",\"request_id\":\"${rid}\",\"args\":${args},\"reply_to\":\"${reply}\",\"issued_by\":\"${issued_by}\"}"
-    rcli PUBLISH "mailcow.control.${svc}" "$payload" >/dev/null
-    # BLPOP returns two lines: the list name then the value. Print only the value.
-    rcli BLPOP "$reply" "$tmo" 2>/dev/null | tail -n1
-    ;;
-  *)
-    echo "usage: $0 send|call <service> <cmd> [json-args] [timeout-seconds]" >&2
-    exit 2
-    ;;
-esac
@@ -1,3 +1,3 @@
-FROM debian:trixie-slim
+FROM debian:bookworm-slim

-RUN apt update && apt install pigz zstd -y --no-install-recommends
+RUN apt update && apt install pigz -y --no-install-recommends
@@ -1,7 +1,3 @@
-ARG AGENT_IMAGE=ghcr.io/mailcow/agent:1.00
-
-FROM ${AGENT_IMAGE} AS mailcow-agent-src
-
 FROM alpine:3.21 AS builder

 WORKDIR /src
@@ -45,7 +41,7 @@ RUN wget -P /src https://www.clamav.net/downloads/production/clamav-${CLAMD_VERS
  -D ENABLE_MILTER=ON                                                                 \
  -D ENABLE_MAN_PAGES=OFF                                                             \
  -D ENABLE_STATIC_LIB=OFF                                                            \
-  -D ENABLE_JSON_SHARED=ON                                                            \
+  -D ENABLE_JSON_SHARED=ON                                                            \ 
  && cmake --build . \
  && make DESTDIR="/clamav" -j$(($(nproc) - 1)) install \
  && rm -r "/clamav/usr/lib/pkgconfig/" \
@@ -108,15 +104,7 @@ COPY healthcheck.sh /healthcheck.sh
 COPY clamdcheck.sh /usr/local/bin
 RUN chmod +x /healthcheck.sh
 RUN chmod +x /usr/local/bin/clamdcheck.sh
+HEALTHCHECK --start-period=6m CMD "/healthcheck.sh"

-COPY --from=mailcow-agent-src /out/mailcow-agent /usr/local/bin/mailcow-agent
-COPY --from=mailcow-agent-src /out/mailcow-agent-cli /usr/local/bin/mailcow-agent-cli
-
-ENV MAILCOW_AGENT_SERVICE=clamd \
-    MAILCOW_AGENT_MAIN_CMD="/sbin/tini -g -- /clamd.sh"
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
-  CMD ["/usr/local/bin/mailcow-agent", "healthcheck"]
-
-ENTRYPOINT ["/usr/local/bin/mailcow-agent"]
-CMD []
+ENTRYPOINT []
+CMD ["/sbin/tini", "-g", "--", "/clamd.sh"]
@@ -0,0 +1,27 @@
+FROM alpine:3.21
+
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
+
+ARG PIP_BREAK_SYSTEM_PACKAGES=1
+WORKDIR /app
+
+RUN apk add --update --no-cache python3 \
+  py3-pip \
+  openssl \
+  tzdata \
+  py3-psutil \
+  py3-redis \
+  py3-async-timeout \
+&& pip3 install --upgrade pip \
+  fastapi \
+  uvicorn \
+  aiodocker \
+  docker
+RUN mkdir /app/modules
+
+COPY docker-entrypoint.sh /app/
+COPY main.py /app/main.py
+COPY modules/ /app/modules/
+
+ENTRYPOINT ["/bin/sh", "/app/docker-entrypoint.sh"]
+CMD ["python", "main.py"]
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+`openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
+  -keyout /app/dockerapi_key.pem \
+  -out /app/dockerapi_cert.pem \
+  -subj /CN=dockerapi/O=mailcow \
+  -addext subjectAltName=DNS:dockerapi`
+
+exec "$@"
@@ -0,0 +1,261 @@
+import os
+import sys
+import uvicorn
+import json
+import uuid
+import async_timeout
+import asyncio
+import aiodocker
+import docker
+import logging
+from logging.config import dictConfig
+from fastapi import FastAPI, Response, Request
+from modules.DockerApi import DockerApi
+from redis import asyncio as aioredis
+from contextlib import asynccontextmanager
+
+dockerapi = None
+
+@asynccontextmanager
+async def lifespan(app: FastAPI):
+  global dockerapi
+
+  # Initialize a custom logger
+  logger = logging.getLogger("dockerapi")
+  logger.setLevel(logging.INFO)
+  # Configure the logger to output logs to the terminal
+  handler = logging.StreamHandler()
+  handler.setLevel(logging.INFO)
+  formatter = logging.Formatter("%(levelname)s:     %(message)s")
+  handler.setFormatter(formatter)
+  logger.addHandler(handler)
+
+  logger.info("Init APP")
+
+  # Init valkey client
+  if os.environ['VALKEY_SLAVEOF_IP'] != "":
+    valkey_client = valkey = await aioredis.from_url(f"redis://{os.environ['VALKEY_SLAVEOF_IP']}:{os.environ['VALKEY_SLAVEOF_PORT']}/0", password=os.environ['VALKEYPASS'])
+  else:
+    valkey_client = valkey = await aioredis.from_url("redis://valkey-mailcow:6379/0", password=os.environ['VALKEYPASS'])
+
+  # Init docker clients
+  sync_docker_client = docker.DockerClient(base_url='unix://var/run/docker.sock', version='auto')
+  async_docker_client = aiodocker.Docker(url='unix:///var/run/docker.sock')
+
+  dockerapi = DockerApi(valkey_client, sync_docker_client, async_docker_client, logger)
+
+  logger.info("Subscribe to valkey channel")
+  # Subscribe to valkey channel
+  dockerapi.pubsub = valkey.pubsub()
+  await dockerapi.pubsub.subscribe("MC_CHANNEL")
+  asyncio.create_task(handle_pubsub_messages(dockerapi.pubsub))
+
+
+  yield
+
+  # Close docker connections
+  dockerapi.sync_docker_client.close()
+  await dockerapi.async_docker_client.close()
+
+  # Close valkey
+  await dockerapi.pubsub.unsubscribe("MC_CHANNEL")
+  await dockerapi.valkey_client.close()
+
+app = FastAPI(lifespan=lifespan)
+
+# Define Routes
+@app.get("/host/stats")
+async def get_host_update_stats():
+  global dockerapi
+
+  if dockerapi.host_stats_isUpdating == False:
+    asyncio.create_task(dockerapi.get_host_stats())
+    dockerapi.host_stats_isUpdating = True
+
+  while True:
+    if await dockerapi.valkey_client.exists('host_stats'):
+      break
+    await asyncio.sleep(1.5)
+
+  stats = json.loads(await dockerapi.valkey_client.get('host_stats'))
+  return Response(content=json.dumps(stats, indent=4), media_type="application/json")
+
+@app.get("/containers/{container_id}/json")
+async def get_container(container_id : str):
+  global dockerapi
+
+  if container_id and container_id.isalnum():
+    try:
+      for container in (await dockerapi.async_docker_client.containers.list()):
+        if container._id == container_id:
+          container_info = await container.show()
+          return Response(content=json.dumps(container_info, indent=4), media_type="application/json")
+
+      res = {
+        "type": "danger",
+        "msg": "no container found"
+      }
+      return Response(content=json.dumps(res, indent=4), media_type="application/json")
+    except Exception as e:
+      res = {
+        "type": "danger",
+        "msg": str(e)
+      }
+      return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  else:
+    res = {
+      "type": "danger",
+      "msg": "no or invalid id defined"
+    }
+    return Response(content=json.dumps(res, indent=4), media_type="application/json")
+
+@app.get("/containers/json")
+async def get_containers():
+  global dockerapi
+
+  containers = {}
+  try:
+    for container in (await dockerapi.async_docker_client.containers.list()):
+      container_info = await container.show()
+      containers.update({container_info['Id']: container_info})
+    return Response(content=json.dumps(containers, indent=4), media_type="application/json")
+  except Exception as e:
+    res = {
+      "type": "danger",
+      "msg": str(e)
+    }
+    return Response(content=json.dumps(res, indent=4), media_type="application/json")
+
+@app.post("/containers/{container_id}/{post_action}")
+async def post_containers(container_id : str, post_action : str, request: Request):
+  global dockerapi
+
+  try:
+    request_json = await request.json()
+  except Exception as err:
+    request_json = {}
+
+  if container_id and container_id.isalnum() and post_action:
+    try:
+      """Dispatch container_post api call"""
+      if post_action == 'exec':
+        if not request_json or not 'cmd' in request_json:
+          res = {
+            "type": "danger",
+            "msg": "cmd is missing"
+          }
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+        if not request_json or not 'task' in request_json:
+          res = {
+            "type": "danger",
+            "msg": "task is missing"
+          }
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+
+        api_call_method_name = '__'.join(['container_post', str(post_action), str(request_json['cmd']), str(request_json['task']) ])
+      else:
+        api_call_method_name = '__'.join(['container_post', str(post_action) ])
+
+      api_call_method = getattr(dockerapi, api_call_method_name, lambda container_id: Response(content=json.dumps({'type': 'danger', 'msg':'container_post - unknown api call' }, indent=4), media_type="application/json"))
+
+      dockerapi.logger.info("api call: %s, container_id: %s" % (api_call_method_name, container_id))
+      return api_call_method(request_json, container_id=container_id)
+    except Exception as e:
+      dockerapi.logger.error("error - container_post: %s" % str(e))
+      res = {
+        "type": "danger",
+        "msg": str(e)
+      }
+      return Response(content=json.dumps(res, indent=4), media_type="application/json")
+
+  else:
+    res = {
+      "type": "danger",
+      "msg": "invalid container id or missing action"
+    }
+    return Response(content=json.dumps(res, indent=4), media_type="application/json")
+
+@app.post("/container/{container_id}/stats/update")
+async def post_container_update_stats(container_id : str):
+  global dockerapi
+
+  # start update task for container if no task is running
+  if container_id not in dockerapi.containerIds_to_update:
+    asyncio.create_task(dockerapi.get_container_stats(container_id))
+    dockerapi.containerIds_to_update.append(container_id)
+
+  while True:
+    if await dockerapi.valkey_client.exists(container_id + '_stats'):
+      break
+    await asyncio.sleep(1.5)
+
+  stats = json.loads(await dockerapi.valkey_client.get(container_id + '_stats'))
+  return Response(content=json.dumps(stats, indent=4), media_type="application/json")
+
+
+# PubSub Handler
+async def handle_pubsub_messages(channel: aioredis.client.PubSub):
+  global dockerapi
+
+  while True:
+    try:
+      async with async_timeout.timeout(60):
+        message = await channel.get_message(ignore_subscribe_messages=True, timeout=30)
+        if message is not None:
+          # Parse message
+          data_json = json.loads(message['data'].decode('utf-8'))
+          dockerapi.logger.info(f"PubSub Received - {json.dumps(data_json)}")
+
+          # Handle api_call
+          if 'api_call' in data_json:
+            # api_call: container_post
+            if data_json['api_call'] == "container_post":
+              if 'post_action' in data_json and 'container_name' in data_json:
+                try:
+                  """Dispatch container_post api call"""
+                  request_json = {}
+                  if data_json['post_action'] == 'exec':
+                    if 'request' in data_json:
+                      request_json = data_json['request']
+                      if 'cmd' in request_json:
+                        if 'task' in request_json:
+                          api_call_method_name = '__'.join(['container_post', str(data_json['post_action']), str(request_json['cmd']), str(request_json['task']) ])
+                        else:
+                          dockerapi.logger.error("api call: task missing")
+                      else:
+                        dockerapi.logger.error("api call: cmd missing")
+                    else:
+                      dockerapi.logger.error("api call: request missing")
+                  else:
+                    api_call_method_name = '__'.join(['container_post', str(data_json['post_action'])])
+
+                  if api_call_method_name:
+                    api_call_method = getattr(dockerapi, api_call_method_name)
+                    if api_call_method:
+                      dockerapi.logger.info("api call: %s, container_name: %s" % (api_call_method_name, data_json['container_name']))
+                      api_call_method(request_json, container_name=data_json['container_name'])
+                    else:
+                      dockerapi.logger.error("api call not found: %s, container_name: %s" % (api_call_method_name, data_json['container_name']))
+                except Exception as e:
+                  dockerapi.logger.error("container_post: %s" % str(e))
+              else:
+                dockerapi.logger.error("api call: missing container_name, post_action or request")
+            else:
+              dockerapi.logger.error("Unknown PubSub received - %s" % json.dumps(data_json))
+          else:
+            dockerapi.logger.error("Unknown PubSub received - %s" % json.dumps(data_json))
+
+        await asyncio.sleep(0.0)
+    except asyncio.TimeoutError:
+      pass
+
+if __name__ == '__main__':
+  uvicorn.run(
+    app,
+    host="0.0.0.0",
+    port=443,
+    ssl_certfile="/app/dockerapi_cert.pem",
+    ssl_keyfile="/app/dockerapi_key.pem",
+    log_level="info",
+    loop="none"
+  )
@@ -0,0 +1,626 @@
+import psutil
+import sys
+import os
+import re
+import time
+import json
+import asyncio
+import platform
+from datetime import datetime
+from fastapi import FastAPI, Response, Request
+
+class DockerApi:
+  def __init__(self, valkey_client, sync_docker_client, async_docker_client, logger):
+    self.valkey_client = valkey_client
+    self.sync_docker_client = sync_docker_client
+    self.async_docker_client = async_docker_client
+    self.logger = logger
+
+    self.host_stats_isUpdating = False
+    self.containerIds_to_update = []
+
+  # api call: container_post - post_action: stop
+  def container_post__stop(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(all=True, filters=filters):
+      container.stop()
+
+    res = { 'type': 'success', 'msg': 'command completed successfully'}
+    return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: start
+  def container_post__start(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(all=True, filters=filters):
+      container.start()
+
+    res = { 'type': 'success', 'msg': 'command completed successfully'}
+    return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: restart
+  def container_post__restart(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(all=True, filters=filters):
+      container.restart()
+
+    res = { 'type': 'success', 'msg': 'command completed successfully'}
+    return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: top
+  def container_post__top(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(all=True, filters=filters):
+      res = { 'type': 'success', 'msg': container.top()}
+      return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: stats
+  def container_post__stats(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(all=True, filters=filters):
+      for stat in container.stats(decode=True, stream=True):
+        res = { 'type': 'success', 'msg': stat}
+        return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: exec - cmd: mailq - task: delete
+  def container_post__exec__mailq__delete(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'items' in request_json:
+      r = re.compile("^[0-9a-fA-F]+$")
+      filtered_qids = filter(r.match, request_json['items'])
+      if filtered_qids:
+        flagged_qids = ['-d %s' % i for i in filtered_qids]
+        sanitized_string = str(' '.join(flagged_qids))
+        for container in self.sync_docker_client.containers.list(filters=filters):
+          postsuper_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postsuper " + sanitized_string])
+          return self.exec_run_handler('generic', postsuper_r)
+  # api call: container_post - post_action: exec - cmd: mailq - task: hold
+  def container_post__exec__mailq__hold(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'items' in request_json:
+      r = re.compile("^[0-9a-fA-F]+$")
+      filtered_qids = filter(r.match, request_json['items'])
+      if filtered_qids:
+        flagged_qids = ['-h %s' % i for i in filtered_qids]
+        sanitized_string = str(' '.join(flagged_qids))
+        for container in self.sync_docker_client.containers.list(filters=filters):
+          postsuper_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postsuper " + sanitized_string])
+          return self.exec_run_handler('generic', postsuper_r)
+  # api call: container_post - post_action: exec - cmd: mailq - task: cat
+  def container_post__exec__mailq__cat(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'items' in request_json:
+      r = re.compile("^[0-9a-fA-F]+$")
+      filtered_qids = filter(r.match, request_json['items'])
+      if filtered_qids:
+        sanitized_string = str(' '.join(filtered_qids))
+
+        for container in self.sync_docker_client.containers.list(filters=filters):
+          postcat_return = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postcat -q " + sanitized_string], user='postfix')
+        if not postcat_return:
+          postcat_return = 'err: invalid'
+        return self.exec_run_handler('utf8_text_only', postcat_return)
+  # api call: container_post - post_action: exec - cmd: mailq - task: unhold
+  def container_post__exec__mailq__unhold(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'items' in request_json:
+      r = re.compile("^[0-9a-fA-F]+$")
+      filtered_qids = filter(r.match, request_json['items'])
+      if filtered_qids:
+        flagged_qids = ['-H %s' % i for i in filtered_qids]
+        sanitized_string = str(' '.join(flagged_qids))
+        for container in self.sync_docker_client.containers.list(filters=filters):
+          postsuper_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postsuper " + sanitized_string])
+          return self.exec_run_handler('generic', postsuper_r)
+  # api call: container_post - post_action: exec - cmd: mailq - task: deliver
+  def container_post__exec__mailq__deliver(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'items' in request_json:
+      r = re.compile("^[0-9a-fA-F]+$")
+      filtered_qids = filter(r.match, request_json['items'])
+      if filtered_qids:
+        flagged_qids = ['-i %s' % i for i in filtered_qids]
+        for container in self.sync_docker_client.containers.list(filters=filters):
+          for i in flagged_qids:
+            postqueue_r = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postqueue " + i], user='postfix')
+            # todo: check each exit code
+          res = { 'type': 'success', 'msg': 'Scheduled immediate delivery'}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: exec - cmd: mailq - task: list
+  def container_post__exec__mailq__list(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      mailq_return = container.exec_run(["/usr/sbin/postqueue", "-j"], user='postfix')
+      return self.exec_run_handler('utf8_text_only', mailq_return)
+  # api call: container_post - post_action: exec - cmd: mailq - task: flush
+  def container_post__exec__mailq__flush(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      postqueue_r = container.exec_run(["/usr/sbin/postqueue", "-f"], user='postfix')
+      return self.exec_run_handler('generic', postqueue_r)
+  # api call: container_post - post_action: exec - cmd: mailq - task: super_delete
+  def container_post__exec__mailq__super_delete(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      postsuper_r = container.exec_run(["/usr/sbin/postsuper", "-d", "ALL"])
+      return self.exec_run_handler('generic', postsuper_r)
+  # api call: container_post - post_action: exec - cmd: system - task: fts_rescan
+  def container_post__exec__system__fts_rescan(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'username' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        rescan_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/doveadm fts rescan -u '" + request_json['username'].replace("'", "'\\''") + "'"], user='vmail')
+        if rescan_return.exit_code == 0:
+          res = { 'type': 'success', 'msg': 'fts_rescan: rescan triggered'}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+        else:
+          res = { 'type': 'warning', 'msg': 'fts_rescan error'}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+    if 'all' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        rescan_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/doveadm fts rescan -A"], user='vmail')
+        if rescan_return.exit_code == 0:
+          res = { 'type': 'success', 'msg': 'fts_rescan: rescan triggered'}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+        else:
+          res = { 'type': 'warning', 'msg': 'fts_rescan error'}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: exec - cmd: system - task: df
+  def container_post__exec__system__df(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'dir' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        df_return = container.exec_run(["/bin/bash", "-c", "/bin/df -H '" + request_json['dir'].replace("'", "'\\''") + "' | /usr/bin/tail -n1 | /usr/bin/tr -s [:blank:] | /usr/bin/tr ' ' ','"], user='nobody')
+        if df_return.exit_code == 0:
+          return df_return.output.decode('utf-8').rstrip()
+        else:
+          return "0,0,0,0,0,0"
+  # api call: container_post - post_action: exec - cmd: system - task: mysql_upgrade
+  def container_post__exec__system__mysql_upgrade(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      sql_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/mysql_upgrade -uroot -p'" + os.environ['DBROOT'].replace("'", "'\\''") + "'\n"], user='mysql')
+      if sql_return.exit_code == 0:
+        matched = False
+        for line in sql_return.output.decode('utf-8').split("\n"):
+          if 'is already upgraded to' in line:
+            matched = True
+        if matched:
+          res = { 'type': 'success', 'msg':'mysql_upgrade: already upgraded', 'text': sql_return.output.decode('utf-8')}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+        else:
+          container.restart()
+          res = { 'type': 'warning', 'msg':'mysql_upgrade: upgrade was applied', 'text': sql_return.output.decode('utf-8')}
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+      else:
+        res = { 'type': 'error', 'msg': 'mysql_upgrade: error running command', 'text': sql_return.output.decode('utf-8')}
+        return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: exec - cmd: system - task: mysql_tzinfo_to_sql
+  def container_post__exec__system__mysql_tzinfo_to_sql(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      sql_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/mysql_tzinfo_to_sql /usr/share/zoneinfo | /bin/sed 's/Local time zone must be set--see zic manual page/FCTY/' | /usr/bin/mysql -uroot -p'" + os.environ['DBROOT'].replace("'", "'\\''") + "' mysql \n"], user='mysql')
+      if sql_return.exit_code == 0:
+        res = { 'type': 'info', 'msg': 'mysql_tzinfo_to_sql: command completed successfully', 'text': sql_return.output.decode('utf-8')}
+        return Response(content=json.dumps(res, indent=4), media_type="application/json")
+      else:
+        res = { 'type': 'error', 'msg': 'mysql_tzinfo_to_sql: error running command', 'text': sql_return.output.decode('utf-8')}
+        return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: exec - cmd: reload - task: dovecot
+  def container_post__exec__reload__dovecot(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      reload_return = container.exec_run(["/bin/bash", "-c", "/usr/sbin/dovecot reload"])
+      return self.exec_run_handler('generic', reload_return)
+  # api call: container_post - post_action: exec - cmd: reload - task: postfix
+  def container_post__exec__reload__postfix(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      reload_return = container.exec_run(["/bin/bash", "-c", "/usr/sbin/postfix reload"])
+      return self.exec_run_handler('generic', reload_return)
+  # api call: container_post - post_action: exec - cmd: reload - task: nginx
+  def container_post__exec__reload__nginx(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      reload_return = container.exec_run(["/bin/sh", "-c", "/usr/sbin/nginx -s reload"])
+      return self.exec_run_handler('generic', reload_return)
+  # api call: container_post - post_action: exec - cmd: sieve - task: list
+  def container_post__exec__sieve__list(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'username' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        sieve_return = container.exec_run(["/bin/bash", "-c", "/usr/bin/doveadm sieve list -u '" + request_json['username'].replace("'", "'\\''") + "'"])
+        return self.exec_run_handler('utf8_text_only', sieve_return)
+  # api call: container_post - post_action: exec - cmd: sieve - task: print
+  def container_post__exec__sieve__print(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'username' in request_json and 'script_name' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        cmd = ["/bin/bash", "-c", "/usr/bin/doveadm sieve get -u '" + request_json['username'].replace("'", "'\\''") + "' '" + request_json['script_name'].replace("'", "'\\''") + "'"]
+        sieve_return = container.exec_run(cmd)
+        return self.exec_run_handler('utf8_text_only', sieve_return)
+  # api call: container_post - post_action: exec - cmd: maildir - task: cleanup
+  def container_post__exec__maildir__cleanup(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'maildir' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        sane_name = re.sub(r'\W+', '', request_json['maildir'])
+        vmail_name = request_json['maildir'].replace("'", "'\\''")
+        cmd_vmail = "if [[ -d '/var/vmail/" + vmail_name + "' ]]; then /bin/mv '/var/vmail/" + vmail_name + "' '/var/vmail/_garbage/" + str(int(time.time())) + "_" + sane_name + "'; fi"
+        index_name = request_json['maildir'].split("/")
+        if len(index_name) > 1:
+          index_name = index_name[1].replace("'", "'\\''") + "@" + index_name[0].replace("'", "'\\''")
+          cmd_vmail_index = "if [[ -d '/var/vmail_index/" + index_name + "' ]]; then /bin/mv '/var/vmail_index/" + index_name + "' '/var/vmail/_garbage/" + str(int(time.time())) + "_" + sane_name + "_index'; fi"
+          cmd = ["/bin/bash", "-c", cmd_vmail + " && " + cmd_vmail_index]
+        else:
+          cmd = ["/bin/bash", "-c", cmd_vmail]
+        maildir_cleanup = container.exec_run(cmd, user='vmail')
+        return self.exec_run_handler('generic', maildir_cleanup)
+  # api call: container_post - post_action: exec - cmd: maildir - task: move
+  def container_post__exec__maildir__move(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'old_maildir' in request_json and 'new_maildir' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        vmail_name = request_json['old_maildir'].replace("'", "'\\''")
+        new_vmail_name = request_json['new_maildir'].replace("'", "'\\''")
+        cmd_vmail = f"if [[ -d '/var/vmail/{vmail_name}' ]]; then /bin/mv '/var/vmail/{vmail_name}' '/var/vmail/{new_vmail_name}'; fi"
+
+        index_name = request_json['old_maildir'].split("/")
+        new_index_name = request_json['new_maildir'].split("/")
+        if len(index_name) > 1 and len(new_index_name) > 1:
+          index_name = index_name[1].replace("'", "'\\''") + "@" + index_name[0].replace("'", "'\\''")
+          new_index_name = new_index_name[1].replace("'", "'\\''") + "@" + new_index_name[0].replace("'", "'\\''")
+          cmd_vmail_index = f"if [[ -d '/var/vmail_index/{index_name}' ]]; then /bin/mv '/var/vmail_index/{index_name}' '/var/vmail_index/{new_index_name}_index'; fi"
+          cmd = ["/bin/bash", "-c", cmd_vmail + " && " + cmd_vmail_index]
+        else:
+          cmd = ["/bin/bash", "-c", cmd_vmail]
+        maildir_move = container.exec_run(cmd, user='vmail')
+        return self.exec_run_handler('generic', maildir_move)
+  # api call: container_post - post_action: exec - cmd: rspamd - task: worker_password
+  def container_post__exec__rspamd__worker_password(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'raw' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        cmd = "/usr/bin/rspamadm pw -e -p '" + request_json['raw'].replace("'", "'\\''") + "' 2> /dev/null"
+        cmd_response = self.exec_cmd_container(container, cmd, user="_rspamd")
+
+        matched = False
+        for line in cmd_response.split("\n"):
+          if '$2$' in line:
+            hash = line.strip()
+            hash_out = re.search(r'\$2\$.+$', hash).group(0)
+            rspamd_passphrase_hash = re.sub(r'[^0-9a-zA-Z\$]+', '', hash_out.rstrip())
+            rspamd_password_filename = "/etc/rspamd/override.d/worker-controller-password.inc"
+            cmd = '''/bin/echo 'enable_password = "%s";' > %s && cat %s''' % (rspamd_passphrase_hash, rspamd_password_filename, rspamd_password_filename)
+            cmd_response = self.exec_cmd_container(container, cmd, user="_rspamd")
+            if rspamd_passphrase_hash.startswith("$2$") and rspamd_passphrase_hash in cmd_response:
+              container.restart()
+              matched = True
+        if matched:
+          res = { 'type': 'success', 'msg': 'command completed successfully' }
+          self.logger.info('success changing Rspamd password')
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+        else:
+          self.logger.error('failed changing Rspamd password')
+          res = { 'type': 'danger', 'msg': 'command did not complete' }
+          return Response(content=json.dumps(res, indent=4), media_type="application/json")
+  # api call: container_post - post_action: exec - cmd: sogo - task: rename
+  def container_post__exec__sogo__rename_user(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    if 'old_username' in request_json and 'new_username' in request_json:
+      for container in self.sync_docker_client.containers.list(filters=filters):
+        old_username = request_json['old_username'].replace("'", "'\\''")
+        new_username = request_json['new_username'].replace("'", "'\\''")
+
+        sogo_return = container.exec_run(["/bin/bash", "-c", f"sogo-tool rename-user '{old_username}' '{new_username}'"], user='sogo')
+        return self.exec_run_handler('generic', sogo_return)
+  # api call: container_post - post_action: exec - cmd: doveadm - task: get_acl
+  def container_post__exec__doveadm__get_acl(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      id = request_json['id'].replace("'", "'\\''")
+
+      shared_folders = container.exec_run(["/bin/bash", "-c", f"doveadm mailbox list -u '{id}'"])
+      shared_folders = shared_folders.output.decode('utf-8')
+      shared_folders = shared_folders.splitlines()
+
+      formatted_acls = []
+      mailbox_seen = []
+      for shared_folder in shared_folders:
+        if "Shared" not in shared_folder:
+          mailbox = shared_folder.replace("'", "'\\''")
+          if mailbox in mailbox_seen:
+            continue
+
+          acls = container.exec_run(["/bin/bash", "-c", f"doveadm acl get -u '{id}' '{mailbox}'"])
+          acls = acls.output.decode('utf-8').strip().splitlines()
+          if len(acls) >= 2:
+            for acl in acls[1:]:
+              user_id, rights = acl.split(maxsplit=1)
+              user_id = user_id.split('=')[1]
+              mailbox_seen.append(mailbox)
+              formatted_acls.append({ 'user': id, 'id': user_id, 'mailbox': mailbox, 'rights': rights.split() })
+        elif "Shared" in shared_folder and "/" in shared_folder:
+          shared_folder = shared_folder.split("/")
+          if len(shared_folder) < 3:
+            continue
+
+          user = shared_folder[1].replace("'", "'\\''")
+          mailbox = '/'.join(shared_folder[2:]).replace("'", "'\\''")
+          if mailbox in mailbox_seen:
+            continue
+
+          acls = container.exec_run(["/bin/bash", "-c", f"doveadm acl get -u '{user}' '{mailbox}'"])
+          acls = acls.output.decode('utf-8').strip().splitlines()
+          if len(acls) >= 2:
+            for acl in acls[1:]:
+              user_id, rights = acl.split(maxsplit=1)
+              user_id = user_id.split('=')[1].replace("'", "'\\''")
+              if user_id == id and mailbox not in mailbox_seen:
+                mailbox_seen.append(mailbox)
+                formatted_acls.append({ 'user': user, 'id': id, 'mailbox': mailbox, 'rights': rights.split() })
+
+      return Response(content=json.dumps(formatted_acls, indent=4), media_type="application/json")
+  # api call: container_post - post_action: exec - cmd: doveadm - task: delete_acl
+  def container_post__exec__doveadm__delete_acl(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      user = request_json['user'].replace("'", "'\\''")
+      mailbox = request_json['mailbox'].replace("'", "'\\''")
+      id = request_json['id'].replace("'", "'\\''")
+
+      if user and mailbox and id:
+        acl_delete_return = container.exec_run(["/bin/bash", "-c", f"doveadm acl delete -u '{user}' '{mailbox}' 'user={id}'"])
+        return self.exec_run_handler('generic', acl_delete_return)
+  # api call: container_post - post_action: exec - cmd: doveadm - task: set_acl
+  def container_post__exec__doveadm__set_acl(self, request_json, **kwargs):
+    if 'container_id' in kwargs:
+      filters = {"id": kwargs['container_id']}
+    elif 'container_name' in kwargs:
+      filters = {"name": kwargs['container_name']}
+
+    for container in self.sync_docker_client.containers.list(filters=filters):
+      user = request_json['user'].replace("'", "'\\''")
+      mailbox = request_json['mailbox'].replace("'", "'\\''")
+      id = request_json['id'].replace("'", "'\\''")
+      rights = ""
+
+      available_rights = [
+        "admin",
+        "create",
+        "delete",
+        "expunge",
+        "insert",
+        "lookup",
+        "post",
+        "read",
+        "write",
+        "write-deleted",
+        "write-seen"
+      ]
+      for right in request_json['rights']:
+        right = right.replace("'", "'\\''").lower()
+        if right in available_rights:
+          rights += right + " "
+
+      if user and mailbox and id and rights:
+        acl_set_return = container.exec_run(["/bin/bash", "-c", f"doveadm acl set -u '{user}' '{mailbox}' 'user={id}' {rights}"])
+        return self.exec_run_handler('generic', acl_set_return)
+
+
+  # Collect host stats
+  async def get_host_stats(self, wait=5):
+    try:
+      system_time = datetime.now()
+      host_stats = {
+        "cpu": {
+          "cores": psutil.cpu_count(),
+          "usage": psutil.cpu_percent()
+        },
+        "memory": {
+          "total": psutil.virtual_memory().total,
+          "usage": psutil.virtual_memory().percent,
+          "swap": psutil.swap_memory()
+        },
+        "uptime": time.time() - psutil.boot_time(),
+        "system_time": system_time.strftime("%d.%m.%Y %H:%M:%S"),
+        "architecture": platform.machine()
+      }
+
+      await self.valkey_client.set('host_stats', json.dumps(host_stats), ex=10)
+    except Exception as e:
+      res = {
+        "type": "danger",
+        "msg": str(e)
+      }
+
+    await asyncio.sleep(wait)
+    self.host_stats_isUpdating = False
+  # Collect container stats
+  async def get_container_stats(self, container_id, wait=5, stop=False):
+    if container_id and container_id.isalnum():
+      try:
+        for container in (await self.async_docker_client.containers.list()):
+          if container._id == container_id:
+            res = await container.stats(stream=False)
+
+            if await self.valkey_client.exists(container_id + '_stats'):
+              stats = json.loads(await self.valkey_client.get(container_id + '_stats'))
+            else:
+              stats = []
+            stats.append(res[0])
+            if len(stats) > 3:
+              del stats[0]
+            await self.valkey_client.set(container_id + '_stats', json.dumps(stats), ex=60)
+      except Exception as e:
+        res = {
+          "type": "danger",
+          "msg": str(e)
+        }
+    else:
+      res = {
+        "type": "danger",
+        "msg": "no or invalid id defined"
+      }
+
+    await asyncio.sleep(wait)
+    if stop == True:
+      # update task was called second time, stop
+      self.containerIds_to_update.remove(container_id)
+    else:
+      # call update task a second time
+      await self.get_container_stats(container_id, wait=0, stop=True)
+
+  def exec_cmd_container(self, container, cmd, user, timeout=2, shell_cmd="/bin/bash"):
+    def recv_socket_data(c_socket, timeout):
+      c_socket.setblocking(0)
+      total_data=[]
+      data=''
+      begin=time.time()
+      while True:
+        if total_data and time.time()-begin > timeout:
+          break
+        elif time.time()-begin > timeout*2:
+          break
+        try:
+          data = c_socket.recv(8192)
+          if data:
+            total_data.append(data.decode('utf-8'))
+            #change the beginning time for measurement
+            begin=time.time()
+          else:
+            #sleep for sometime to indicate a gap
+            time.sleep(0.1)
+            break
+        except:
+          pass
+      return ''.join(total_data)
+
+    try :
+      socket = container.exec_run([shell_cmd], stdin=True, socket=True, user=user).output._sock
+      if not cmd.endswith("\n"):
+        cmd = cmd + "\n"
+      socket.send(cmd.encode('utf-8'))
+      data = recv_socket_data(socket, timeout)
+      socket.close()
+      return data
+    except Exception as e:
+      self.logger.error("error - exec_cmd_container: %s" % str(e))
+      traceback.print_exc(file=sys.stdout)
+
+  def exec_run_handler(self, type, output):
+    if type == 'generic':
+      if output.exit_code == 0:
+        res = { 'type': 'success', 'msg': 'command completed successfully' }
+        return Response(content=json.dumps(res, indent=4), media_type="application/json")
+      else:
+        res = { 'type': 'danger', 'msg': 'command failed: ' + output.output.decode('utf-8') }
+        return Response(content=json.dumps(res, indent=4), media_type="application/json")
+    if type == 'utf8_text_only':
+      return Response(content=output.output.decode('utf-8'), media_type="text/plain")
@@ -1,13 +1,9 @@
-ARG AGENT_IMAGE=ghcr.io/mailcow/agent:1.00
-
-FROM ${AGENT_IMAGE} AS mailcow-agent-src
-
 FROM alpine:3.21

 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"

 # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
-ARG GOSU_VERSION=1.19
+ARG GOSU_VERSION=1.17

 ENV LANG=C.UTF-8
 ENV LC_ALL=C.UTF-8
@@ -122,7 +118,7 @@ RUN addgroup -g 5000 vmail \
 COPY trim_logs.sh /usr/local/bin/trim_logs.sh
 COPY clean_q_aged.sh /usr/local/bin/clean_q_aged.sh
 COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
-COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
+COPY syslog-ng-valkey_slave.conf /etc/syslog-ng/syslog-ng-valkey_slave.conf
 COPY imapsync /usr/local/bin/imapsync
 COPY imapsync_runner.pl /usr/local/bin/imapsync_runner.pl
 COPY report-spam.sieve /usr/lib/dovecot/sieve/report-spam.sieve
@@ -139,14 +135,5 @@ COPY quota_notify.py /usr/local/bin/quota_notify.py
 COPY repl_health.sh /usr/local/bin/repl_health.sh
 COPY optimize-fts.sh /usr/local/bin/optimize-fts.sh

-COPY --from=mailcow-agent-src /out/mailcow-agent /usr/local/bin/mailcow-agent
-COPY --from=mailcow-agent-src /out/mailcow-agent-cli /usr/local/bin/mailcow-agent-cli
-
-ENV MAILCOW_AGENT_SERVICE=dovecot \
-    MAILCOW_AGENT_MAIN_CMD="/docker-entrypoint.sh /usr/bin/supervisord -c /etc/supervisor/supervisord.conf"
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
-  CMD ["/usr/local/bin/mailcow-agent", "healthcheck"]
-
-ENTRYPOINT ["/usr/local/bin/mailcow-agent"]
-CMD []
+ENTRYPOINT ["/docker-entrypoint.sh"]
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
@@ -2,7 +2,7 @@

 source /source_env.sh

-MAX_AGE=$(redis-cli --raw -h redis-mailcow -a ${REDISPASS} --no-auth-warning GET Q_MAX_AGE)
+MAX_AGE=$(redis-cli --raw -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning GET Q_MAX_AGE)

 if [[ -z ${MAX_AGE} ]]; then
  echo "Max age for quarantine items not defined"
@@ -13,18 +13,18 @@ until dig +short mailcow.email > /dev/null; do
 done

 # Do not attempt to write to slave
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  VALKEY_CMDLINE="redis-cli -h ${VALKEY_SLAVEOF_IP} -p ${VALKEY_SLAVEOF_PORT} -a ${VALKEYPASS} --no-auth-warning"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
+  VALKEY_CMDLINE="redis-cli -h valkey-mailcow -p 6379 -a ${VALKEYPASS} --no-auth-warning"
 fi

-until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
-  echo "Waiting for Redis..."
+until [[ $(${VALKEY_CMDLINE} PING) == "PONG" ]]; do
+  echo "Waiting for Valkey..."
  sleep 2
 done

-${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
+${VALKEY_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null

 # Create missing directories
 [[ ! -d /etc/dovecot/sql/ ]] && mkdir -p /etc/dovecot/sql/
@@ -204,17 +204,16 @@ EOF
 # Create random master Password for SOGo SSO
 RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
 echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass
+# Creating additional creds file for SOGo notify crons (calendars, etc)
+echo -n ${RAND_USER}@mailcow.local:${RAND_PASS} > /etc/sogo/cron.creds
 cat <<EOF > /etc/dovecot/sogo-sso.conf
 # Autogenerated by mailcow
 passdb {
  driver = static
-  args = allow_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS}
+  args = allow_real_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS}
 }
 EOF

-# Creating additional creds file for SOGo notify crons (calendars, etc) (dummy user, sso password)
-echo -n ${RAND_USER}@mailcow.local:${RAND_PASS} > /etc/sogo/cron.creds
-
 if [[ "${MASTER}" =~ ^([nN][oO]|[nN])+$ ]]; then
  # Toggling MASTER will result in a rebuild of containers, so the quota script will be recreated
  cat <<'EOF' > /usr/local/bin/quota_notify.py
@@ -342,8 +341,8 @@ done
 # May be related to something inside Docker, I seriously don't know
 touch /etc/dovecot/auth/passwd-verify.lua

-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  cp /etc/syslog-ng/syslog-ng-valkey_slave.conf /etc/syslog-ng/syslog-ng.conf
 fi

 exec "$@"
@@ -32,7 +32,7 @@ try:

  while True:
    try:
-      r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0, password=os.environ['REDISPASS'])
+      r = redis.StrictRedis(host='valkey-mailcow', decode_responses=True, port=6379, db=0, password=os.environ['VALKEYPASS'])
      r.ping()
    except Exception as ex:
      print('%s - trying again...'  % (ex))
@@ -47,7 +47,7 @@ try:
  if max_score == "":
    max_score = 9999.0

-  def query_mysql(query, params = None, headers = True, update = False):
+  def query_mysql(query, headers = True, update = False):
    while True:
      try:
        cnx = MySQLdb.connect(user=os.environ.get('DBUSER'), password=os.environ.get('DBPASS'), database=os.environ.get('DBNAME'), charset="utf8mb4", collation="utf8mb4_general_ci")
@@ -57,10 +57,7 @@ try:
      else:
        break
    cur = cnx.cursor()
-    if params:
-      cur.execute(query, params)
-    else:
-      cur.execute(query)
+    cur.execute(query)
    if not update:
      result = []
      columns = tuple( [d[0] for d in cur.description] )
@@ -79,7 +76,7 @@ try:

  def notify_rcpt(rcpt, msg_count, quarantine_acl, category):
    if category == "add_header": category = "add header"
-    meta_query = query_mysql('SELECT `qhash`, id, subject, score, sender, created, action FROM quarantine WHERE notified = 0 AND rcpt = %s AND score < %s AND (action = %s OR "all" = %s)', (rcpt, max_score, category, category))
+    meta_query = query_mysql('SELECT `qhash`, id, subject, score, sender, created, action FROM quarantine WHERE notified = 0 AND rcpt = "%s" AND score < %f AND (action = "%s" OR "all" = "%s")' % (rcpt, max_score, category, category))
    print("%s: %d of %d messages qualify for notification" % (rcpt, len(meta_query), msg_count))
    if len(meta_query) == 0:
      return
@@ -133,7 +130,7 @@ try:
            server.sendmail(msg['From'], [str(redirect)] + [str(bcc)], text)
        server.quit()
        for res in meta_query:
-         query_mysql('UPDATE quarantine SET notified = 1 WHERE id = %s', (res['id'],), update = True)
+         query_mysql('UPDATE quarantine SET notified = 1 WHERE id = "%d"' % (res['id']), update = True)
        r.hset('Q_LAST_NOTIFIED', record['rcpt'], time_now)
        break
      except Exception as ex:
@@ -141,7 +138,7 @@ try:
        print('%s'  % (ex))
        time.sleep(3)

-  records = query_mysql('SELECT IFNULL(user_acl.quarantine, 0) AS quarantine_acl, count(id) AS counter, rcpt FROM quarantine LEFT OUTER JOIN user_acl ON user_acl.username = rcpt WHERE notified = 0 AND score < %s AND rcpt in (SELECT username FROM mailbox) GROUP BY rcpt', (max_score,))
+  records = query_mysql('SELECT IFNULL(user_acl.quarantine, 0) AS quarantine_acl, count(id) AS counter, rcpt FROM quarantine LEFT OUTER JOIN user_acl ON user_acl.username = rcpt WHERE notified = 0 AND score < %f AND rcpt in (SELECT username FROM mailbox) GROUP BY rcpt' % (max_score))

  for record in records:
    attrs = ''
@@ -159,7 +156,7 @@ try:
    except Exception as ex:
      print('Could not determine last notification for %s, assuming never' % (record['rcpt']))
      last_notification = 0
-    attrs_json = query_mysql('SELECT attributes FROM mailbox WHERE username = %s', (record['rcpt'],))
+    attrs_json = query_mysql('SELECT attributes FROM mailbox WHERE username = "%s"' % (record['rcpt']))
    attrs = attrs_json[0]['attributes']
    if isinstance(attrs, str):
      # if attr is str then just load it
@@ -23,7 +23,7 @@ else:

 while True:
  try:
-    r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0, username='quota_notify', password='')
+    r = redis.StrictRedis(host='valkey-mailcow', decode_responses=True, port=6379, db=0, username='quota_notify', password='')
    r.ping()
  except Exception as ex:
    print('%s - trying again...'  % (ex))
@@ -3,16 +3,16 @@
 source /source_env.sh

 # Do not attempt to write to slave
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  VALKEY_CMDLINE="redis-cli -h ${VALKEY_SLAVEOF_IP} -p ${VALKEY_SLAVEOF_PORT} -a ${VALKEYPASS} --no-auth-warning"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
+  VALKEY_CMDLINE="redis-cli -h valkey-mailcow -p 6379 -a ${VALKEYPASS} --no-auth-warning"
 fi

 # Is replication active?
 # grep on file is less expensive than doveconf
 if [ -n ${MAILCOW_REPLICA_IP} ]; then
-  ${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
+  ${VALKEY_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
  exit
 fi

@@ -22,7 +22,7 @@ FAILED_SYNCS=$(doveadm replicator status | grep "Waiting 'failed' requests" | gr
 # 1 failed job for mailcow.local is expected and healthy
 if [[ "${FAILED_SYNCS}" != 0 ]] && [[ "${FAILED_SYNCS}" != 1 ]]; then
  printf "Dovecot replicator has %d failed jobs\n" "${FAILED_SYNCS}"
-  ${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH "${FAILED_SYNCS}" > /dev/null
+  ${VALKEY_CMDLINE} SET DOVECOT_REPL_HEALTH "${FAILED_SYNCS}" > /dev/null
 else
-  ${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
+  ${VALKEY_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
 fi
@@ -24,12 +24,13 @@ fi
 sed -i -e 's/\([^\\]\)\$\([^\/]\)/\1\\$\2/g' /etc/rspamd/custom/sa-rules

 if [[ "$(cat /etc/rspamd/custom/sa-rules | md5sum | cut -d' ' -f1)" != "${HASH_SA_RULES}" ]]; then
-  REDIS_HOST="${REDIS_SLAVEOF_IP:-redis-mailcow}"
-  REDIS_PORT="${REDIS_SLAVEOF_PORT:-6379}"
-  REQ_ID="$(date +%s%N)"
-  PAYLOAD="{\"cmd\":\"restart\",\"request_id\":\"${REQ_ID}\",\"issued_by\":\"dovecot-sa-rules\"}"
-  redis-cli -h "${REDIS_HOST}" -p "${REDIS_PORT}" -a "${REDISPASS}" --no-auth-warning \
-    PUBLISH mailcow.control.rspamd "${PAYLOAD}" >/dev/null 2>&1 || true
+  CONTAINER_NAME=rspamd-mailcow
+  CONTAINER_ID=$(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | \
+    jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | \
+    jq -rc "select( .name | tostring | contains(\"${CONTAINER_NAME}\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id")
+  if [[ ! -z ${CONTAINER_ID} ]]; then
+    curl --silent --insecure -XPOST --connect-timeout 15 --max-time 120 https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/restart
+  fi
 fi

 # Cleanup
@@ -15,21 +15,21 @@ source s_dgram {
  internal();
 };
 destination d_stdout { pipe("/dev/stdout"); };
-destination d_redis_ui_log {
+destination d_valkey_ui_log {
  redis(
-    host("`REDIS_SLAVEOF_IP`")
-    persist-name("redis1")
-    port(`REDIS_SLAVEOF_PORT`)
-    auth("`REDISPASS`")
-    command("LPUSH" "DOVECOT_MAILLOG" "$(format-json node=\"$HOST\" time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
+    host("`VALKEY_SLAVEOF_IP`")
+    persist-name("valkey1")
+    port(`VALKEY_SLAVEOF_PORT`)
+    auth("`VALKEYPASS`")
+    command("LPUSH" "DOVECOT_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
-destination d_redis_f2b_channel {
+destination d_valkey_f2b_channel {
  redis(
-    host("`REDIS_SLAVEOF_IP`")
-    persist-name("redis2")
-    port(`REDIS_SLAVEOF_PORT`)
-    auth("`REDISPASS`")
+    host("`VALKEY_SLAVEOF_IP`")
+    persist-name("valkey2")
+    port(`VALKEY_SLAVEOF_PORT`)
+    auth("`VALKEYPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
@@ -48,6 +48,6 @@ log {
  filter(f_replica);
  destination(d_stdout);
  filter(f_mail);
-  destination(d_redis_ui_log);
-  destination(d_redis_f2b_channel);
+  destination(d_valkey_ui_log);
+  destination(d_valkey_f2b_channel);
 };
@@ -15,21 +15,21 @@ source s_dgram {
  internal();
 };
 destination d_stdout { pipe("/dev/stdout"); };
-destination d_redis_ui_log {
+destination d_valkey_ui_log {
  redis(
-    host("redis-mailcow")
-    persist-name("redis1")
+    host("valkey-mailcow")
+    persist-name("valkey1")
    port(6379)
-    auth("`REDISPASS`")
-    command("LPUSH" "DOVECOT_MAILLOG" "$(format-json node=\"$HOST\" time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
+    auth("`VALKEYPASS`")
+    command("LPUSH" "DOVECOT_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
-destination d_redis_f2b_channel {
+destination d_valkey_f2b_channel {
  redis(
-    host("redis-mailcow")
-    persist-name("redis2")
+    host("valkey-mailcow")
+    persist-name("valkey2")
    port(6379)
-    auth("`REDISPASS`")
+    auth("`VALKEYPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
@@ -48,6 +48,6 @@ log {
  filter(f_replica);
  destination(d_stdout);
  filter(f_mail);
-  destination(d_redis_ui_log);
-  destination(d_redis_f2b_channel);
+  destination(d_valkey_ui_log);
+  destination(d_valkey_f2b_channel);
 };
@@ -9,18 +9,17 @@ catch_non_zero() {
 }
 source /source_env.sh
 # Do not attempt to write to slave
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  VALKEY_CMDLINE="redis-cli -h ${VALKEY_SLAVEOF_IP} -p ${VALKEY_SLAVEOF_PORT} -a ${VALKEYPASS} --no-auth-warning"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
+  VALKEY_CMDLINE="redis-cli -h valkey-mailcow -p 6379 -a ${VALKEYPASS} --no-auth-warning"
 fi
-catch_non_zero "${REDIS_CMDLINE} LTRIM ACME_LOG 0 ${LOG_LINES}"
-catch_non_zero "${REDIS_CMDLINE} LTRIM POSTFIX_MAILLOG 0 ${LOG_LINES}"
-catch_non_zero "${REDIS_CMDLINE} LTRIM DOVECOT_MAILLOG 0 ${LOG_LINES}"
-catch_non_zero "${REDIS_CMDLINE} LTRIM SOGO_LOG 0 ${LOG_LINES}"
-catch_non_zero "${REDIS_CMDLINE} LTRIM NETFILTER_LOG 0 ${LOG_LINES}"
-catch_non_zero "${REDIS_CMDLINE} LTRIM AUTODISCOVER_LOG 0 ${LOG_LINES}"
-catch_non_zero "${REDIS_CMDLINE} LTRIM API_LOG 0 ${LOG_LINES}"
-catch_non_zero "${REDIS_CMDLINE} LTRIM RL_LOG 0 ${LOG_LINES}"
-catch_non_zero "${REDIS_CMDLINE} LTRIM WATCHDOG_LOG 0 ${LOG_LINES}"
-catch_non_zero "${REDIS_CMDLINE} LTRIM CRON_LOG 0 ${LOG_LINES}"
+catch_non_zero "${VALKEY_CMDLINE} LTRIM ACME_LOG 0 ${LOG_LINES}"
+catch_non_zero "${VALKEY_CMDLINE} LTRIM POSTFIX_MAILLOG 0 ${LOG_LINES}"
+catch_non_zero "${VALKEY_CMDLINE} LTRIM DOVECOT_MAILLOG 0 ${LOG_LINES}"
+catch_non_zero "${VALKEY_CMDLINE} LTRIM SOGO_LOG 0 ${LOG_LINES}"
+catch_non_zero "${VALKEY_CMDLINE} LTRIM NETFILTER_LOG 0 ${LOG_LINES}"
+catch_non_zero "${VALKEY_CMDLINE} LTRIM AUTODISCOVER_LOG 0 ${LOG_LINES}"
+catch_non_zero "${VALKEY_CMDLINE} LTRIM API_LOG 0 ${LOG_LINES}"
+catch_non_zero "${VALKEY_CMDLINE} LTRIM RL_LOG 0 ${LOG_LINES}"
+catch_non_zero "${VALKEY_CMDLINE} LTRIM WATCHDOG_LOG 0 ${LOG_LINES}"
@@ -1,21 +0,0 @@
-# host-agent: dedicated container that reads /host/proc to publish host-level
-# stats and answer exec.df / exec.host-stats commands. Reuses the same agent
-# binary; behaviour selected via MAILCOW_AGENT_SERVICE=host.
-#
-# Requires:
-#   volumes:
-#     - /proc:/host/proc:ro
-#     - /:/host/rootfs:ro
-
-ARG AGENT_IMAGE=ghcr.io/mailcow/agent:1.0
-
-FROM ${AGENT_IMAGE} AS agent
-
-FROM alpine:3.20
-RUN apk add --no-cache ca-certificates tzdata
-COPY --from=agent /out/mailcow-agent /usr/local/bin/mailcow-agent
-COPY --from=agent /out/mailcow-agent-cli /usr/local/bin/mailcow-agent-cli
-
-ENV MAILCOW_AGENT_SERVICE=host
-
-ENTRYPOINT ["/usr/local/bin/mailcow-agent"]
@@ -1,8 +1,4 @@
-ARG AGENT_IMAGE=ghcr.io/mailcow/agent:1.00
-
-FROM ${AGENT_IMAGE} AS mailcow-agent-src
-
-FROM alpine:3.23
+FROM alpine:3.21

 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"

@@ -44,14 +40,4 @@ COPY ./docker-entrypoint.sh /app/

 RUN chmod +x /app/docker-entrypoint.sh

-COPY --from=mailcow-agent-src /out/mailcow-agent /usr/local/bin/mailcow-agent
-COPY --from=mailcow-agent-src /out/mailcow-agent-cli /usr/local/bin/mailcow-agent-cli
-
-ENV MAILCOW_AGENT_SERVICE=netfilter \
-    MAILCOW_AGENT_MAIN_CMD="/app/docker-entrypoint.sh"
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
-  CMD ["/usr/local/bin/mailcow-agent", "healthcheck"]
-
-ENTRYPOINT ["/usr/local/bin/mailcow-agent"]
-CMD []
+CMD ["/bin/sh", "-c", "/app/docker-entrypoint.sh"]
@@ -44,25 +44,24 @@ def refreshF2boptions():
  global exit_code
  f2boptions = {}

-  if not r.get('F2B_OPTIONS'):
-    f2boptions['ban_time'] = r.get('F2B_BAN_TIME')
-    f2boptions['max_ban_time'] = r.get('F2B_MAX_BAN_TIME')
-    f2boptions['ban_time_increment'] = r.get('F2B_BAN_TIME_INCREMENT')
-    f2boptions['max_attempts'] = r.get('F2B_MAX_ATTEMPTS')
-    f2boptions['retry_window'] = r.get('F2B_RETRY_WINDOW')
-    f2boptions['netban_ipv4'] = r.get('F2B_NETBAN_IPV4')
-    f2boptions['netban_ipv6'] = r.get('F2B_NETBAN_IPV6')
+  if not valkey.get('F2B_OPTIONS'):
+    f2boptions['ban_time'] = valkey.get('F2B_BAN_TIME')
+    f2boptions['max_ban_time'] = valkey.get('F2B_MAX_BAN_TIME')
+    f2boptions['ban_time_increment'] = valkey.get('F2B_BAN_TIME_INCREMENT')
+    f2boptions['max_attempts'] = valkey.get('F2B_MAX_ATTEMPTS')
+    f2boptions['retry_window'] = valkey.get('F2B_RETRY_WINDOW')
+    f2boptions['netban_ipv4'] = valkey.get('F2B_NETBAN_IPV4')
+    f2boptions['netban_ipv6'] = valkey.get('F2B_NETBAN_IPV6')
  else:
    try:
-      f2boptions = json.loads(r.get('F2B_OPTIONS'))
-    except ValueError as e:
-      logger.logCrit(
-        'Error loading F2B options: F2B_OPTIONS is not json. Exception: %s' % e)
+      f2boptions = json.loads(valkey.get('F2B_OPTIONS'))
+    except ValueError:
+      logger.logCrit('Error loading F2B options: F2B_OPTIONS is not json')
      quit_now = True
      exit_code = 2

  verifyF2boptions(f2boptions)
-  r.set('F2B_OPTIONS', json.dumps(f2boptions, ensure_ascii=False))
+  valkey.set('F2B_OPTIONS', json.dumps(f2boptions, ensure_ascii=False))

 def verifyF2boptions(f2boptions):
  verifyF2boption(f2boptions, 'ban_time', 1800)
@@ -82,7 +81,7 @@ def refreshF2bregex():
  global f2bregex
  global quit_now
  global exit_code
-  if not r.get('F2B_REGEX'):
+  if not valkey.get('F2B_REGEX'):
    f2bregex = {}
    f2bregex[1] = r'mailcow UI: Invalid password for .+ by ([0-9a-f\.:]+)'
    f2bregex[2] = r'Rspamd UI: Invalid password by ([0-9a-f\.:]+)'
@@ -93,11 +92,11 @@ def refreshF2bregex():
    f2bregex[7] = r'\w+\([^,]+,([0-9a-f\.:]+),<[^>]+>\): unknown user \(SHA1 of given password: [a-f0-9]+\)'
    f2bregex[8] = r'SOGo.+ Login from \'([0-9a-f\.:]+)\' for user .+ might not have worked'
    f2bregex[9] = r'([0-9a-f\.:]+) \"GET \/SOGo\/.* HTTP.+\" 403 .+'
-    r.set('F2B_REGEX', json.dumps(f2bregex, ensure_ascii=False))
+    valkey.set('F2B_REGEX', json.dumps(f2bregex, ensure_ascii=False))
  else:
    try:
      f2bregex = {}
-      f2bregex = json.loads(r.get('F2B_REGEX'))
+      f2bregex = json.loads(valkey.get('F2B_REGEX'))
    except ValueError:
      logger.logCrit('Error loading F2B options: F2B_REGEX is not json')
      quit_now = True
@@ -176,7 +175,7 @@ def ban(address):

    logdebug("Updating F2B_ACTIVE_BANS[%s]=%d" %
              (net, cur_time + NET_BAN_TIME))
-    r.hset('F2B_ACTIVE_BANS', '%s' % net, cur_time + NET_BAN_TIME)
+    valkey.hset('F2B_ACTIVE_BANS', '%s' % net, cur_time + NET_BAN_TIME)
  else:
    logger.logWarn('%d more attempts in the next %d seconds until %s is banned' % (
      MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net))
@@ -187,7 +186,7 @@ def unban(net):
  if not net in bans:
    logger.logInfo(
      '%s is not banned, skipping unban and deleting from queue (if any)' % net)
-    r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
+    valkey.hdel('F2B_QUEUE_UNBAN', '%s' % net)
    return
  logger.logInfo('Unbanning %s' % net)
  if type(ipaddress.ip_network(net)) is ipaddress.IPv4Network:
@@ -198,8 +197,8 @@ def unban(net):
    with lock:
      logdebug("Calling tables.unbanIPv6(%s)" % net)
      tables.unbanIPv6(net)
-  r.hdel('F2B_ACTIVE_BANS', '%s' % net)
-  r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
+  valkey.hdel('F2B_ACTIVE_BANS', '%s' % net)
+  valkey.hdel('F2B_QUEUE_UNBAN', '%s' % net)
  if net in bans:
    logdebug("Unban for %s, setting attempts=0, ban_counter+=1" % net)
    bans[net]['attempts'] = 0
@@ -226,10 +225,10 @@ def permBan(net, unban=False):


  if is_unbanned:
-    r.hdel('F2B_PERM_BANS', '%s' % net)
+    valkey.hdel('F2B_PERM_BANS', '%s' % net)
    logger.logCrit('Removed host/network %s from denylist' % net)
  elif is_banned:
-    r.hset('F2B_PERM_BANS', '%s' % net, int(round(time.time())))
+    valkey.hset('F2B_PERM_BANS', '%s' % net, int(round(time.time())))
    logger.logCrit('Added host/network %s to denylist' % net)

 def clear():
@@ -244,17 +243,17 @@ def clear():
    tables.clearIPv6Table()
    try:
      if r is not None:
-        r.delete('F2B_ACTIVE_BANS')
-        r.delete('F2B_PERM_BANS')
+        valkey.delete('F2B_ACTIVE_BANS')
+        valkey.delete('F2B_PERM_BANS')
    except Exception as ex:
-      logger.logWarn('Error clearing redis keys F2B_ACTIVE_BANS and F2B_PERM_BANS: %s' % ex)
+      logger.logWarn('Error clearing valkey keys F2B_ACTIVE_BANS and F2B_PERM_BANS: %s' % ex)

 def watch():
  global pubsub
  global quit_now
  global exit_code

-  logger.logInfo('Watching Redis channel F2B_CHANNEL')
+  logger.logInfo('Watching Valkey channel F2B_CHANNEL')
  pubsub.subscribe('F2B_CHANNEL')

  while not quit_now:
@@ -306,7 +305,7 @@ def autopurge():
    time.sleep(10)
    refreshF2boptions()
    MAX_ATTEMPTS = int(f2boptions['max_attempts'])
-    QUEUE_UNBAN = r.hgetall('F2B_QUEUE_UNBAN')
+    QUEUE_UNBAN = valkey.hgetall('F2B_QUEUE_UNBAN')
    logdebug("QUEUE_UNBAN: %s" % QUEUE_UNBAN)
    if QUEUE_UNBAN:
      for net in QUEUE_UNBAN:
@@ -391,7 +390,7 @@ def whitelistUpdate():
  global WHITELIST
  while not quit_now:
    start_time = time.time()
-    list = r.hgetall('F2B_WHITELIST')
+    list = valkey.hgetall('F2B_WHITELIST')
    new_whitelist = []
    if list:
      new_whitelist = genNetworkList(list)
@@ -406,7 +405,7 @@ def blacklistUpdate():
  global BLACKLIST
  while not quit_now:
    start_time = time.time()
-    list = r.hgetall('F2B_BLACKLIST')
+    list = valkey.hgetall('F2B_BLACKLIST')
    new_blacklist = []
    if list:
      new_blacklist = genNetworkList(list)
@@ -467,35 +466,35 @@ if __name__ == '__main__':
    logger.logInfo(f"Setting {chain_name} isolation")
    tables.create_mailcow_isolation_rule("br-mailcow", [3306, 6379, 8983, 12345], os.getenv("MAILCOW_REPLICA_IP"))

-  # connect to redis
+  # connect to valkey
  while True:
    try:
-      redis_slaveof_ip = os.getenv('REDIS_SLAVEOF_IP', '')
-      redis_slaveof_port = os.getenv('REDIS_SLAVEOF_PORT', '')
+      valkey_slaveof_ip = os.getenv('VALKEY_SLAVEOF_IP', '')
+      valkey_slaveof_port = os.getenv('VALKEY_SLAVEOF_PORT', '')
      logdebug(
-        "Connecting redis (SLAVEOF_IP:%s, PORT:%s)" % (redis_slaveof_ip, redis_slaveof_port))
-      if "".__eq__(redis_slaveof_ip):
-        r = redis.StrictRedis(
-          host=os.getenv('IPV4_NETWORK', '172.22.1') + '.249', decode_responses=True, port=6379, db=0, password=os.environ['REDISPASS'])
+        "Connecting valkey (SLAVEOF_IP:%s, PORT:%s)" % (valkey_slaveof_ip, valkey_slaveof_port))
+      if "".__eq__(valkey_slaveof_ip):
+        valkey = redis.StrictRedis(
+          host=os.getenv('IPV4_NETWORK', '172.22.1') + '.249', decode_responses=True, port=6379, db=0, password=os.environ['VALKEYPASS'])
      else:
-        r = redis.StrictRedis(
-          host=redis_slaveof_ip, decode_responses=True, port=redis_slaveof_port, db=0, password=os.environ['REDISPASS'])
-      r.ping()
-      pubsub = r.pubsub()
+        valkey = redis.StrictRedis(
+          host=valkey_slaveof_ip, decode_responses=True, port=valkey_slaveof_port, db=0, password=os.environ['VALKEYPASS'])
+      valkey.ping()
+      pubsub = valkey.pubsub()
    except Exception as ex:
      logdebug(
        'Redis connection failed: %s - trying again in 3 seconds' % (ex))
      time.sleep(3)
    else:
      break
-  logger.set_redis(r)
-  logdebug("Redis connection established, setting up F2B keys")
+  logger.set_valkey(valkey)
+  logdebug("Valkey connection established, setting up F2B keys")

-  if r.exists('F2B_LOG'):
+  if valkey.exists('F2B_LOG'):
    logdebug("Renaming F2B_LOG to NETFILTER_LOG")
-    r.rename('F2B_LOG', 'NETFILTER_LOG')
-  r.delete('F2B_ACTIVE_BANS')
-  r.delete('F2B_PERM_BANS')
+    valkey.rename('F2B_LOG', 'NETFILTER_LOG')
+  valkey.delete('F2B_ACTIVE_BANS')
+  valkey.delete('F2B_PERM_BANS')

  refreshF2boptions()

@@ -4,19 +4,19 @@ import datetime

 class Logger:
  def __init__(self):
-    self.r = None
+    self.valkey = None

-  def set_redis(self, redis):
-    self.r = redis
+  def set_valkey(self, valkey):
+    self.valkey = valkey

  def _format_timestamp(self):
    # Local time with milliseconds
    return datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")

  def log(self, priority, message):
-    # build redis-friendly dict
+    # build valkey-friendly dict
    tolog = {
-      'time': int(round(time.time())),  # keep raw timestamp for Redis
+      'time': int(round(time.time())),  # keep raw timestamp for Valkey
      'priority': priority,
      'message': message
    }
@@ -26,11 +26,11 @@ class Logger:
    print(f"{ts} {priority.upper()}: {message}", flush=True)

    # also push JSON to Redis if connected
-    if self.r is not None:
+    if self.valkey is not None:
      try:
-        self.r.lpush('NETFILTER_LOG', json.dumps(tolog, ensure_ascii=False))
+        self.valkey.lpush('NETFILTER_LOG', json.dumps(tolog, ensure_ascii=False))
      except Exception as ex:
-        print(f'{ts} WARN: Failed logging to redis: {ex}', flush=True)
+        print(f'{ts} WARN: Failed logging to valkey: {ex}', flush=True)

  def logWarn(self, message):
    self.log('warn', message)
@@ -1,7 +1,3 @@
-ARG AGENT_IMAGE=ghcr.io/mailcow/agent:1.00
-
-FROM ${AGENT_IMAGE} AS mailcow-agent-src
-
 FROM nginx:alpine
 LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"

@@ -18,14 +14,5 @@ RUN mkdir -p /etc/nginx/includes
 COPY ./bootstrap.py /
 COPY ./docker-entrypoint.sh /

-COPY --from=mailcow-agent-src /out/mailcow-agent /usr/local/bin/mailcow-agent
-COPY --from=mailcow-agent-src /out/mailcow-agent-cli /usr/local/bin/mailcow-agent-cli
-
-ENV MAILCOW_AGENT_SERVICE=nginx \
-    MAILCOW_AGENT_MAIN_CMD="/docker-entrypoint.sh nginx -g 'daemon off;'"
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
-  CMD ["/usr/local/bin/mailcow-agent", "healthcheck"]
-
-ENTRYPOINT ["/usr/local/bin/mailcow-agent"]
-CMD []
+ENTRYPOINT ["/docker-entrypoint.sh"]
+CMD ["nginx", "-g", "daemon off;"]
@@ -1,7 +1,3 @@
-ARG AGENT_IMAGE=ghcr.io/mailcow/agent:1.00
-
-FROM ${AGENT_IMAGE} AS mailcow-agent-src
-
 FROM alpine:3.21

 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
@@ -22,16 +18,6 @@ ADD olefy.py /app/

 RUN chown -R nobody:nobody /app /tmp

-COPY --from=mailcow-agent-src /out/mailcow-agent /usr/local/bin/mailcow-agent
-COPY --from=mailcow-agent-src /out/mailcow-agent-cli /usr/local/bin/mailcow-agent-cli
-
 USER nobody

-ENV MAILCOW_AGENT_SERVICE=olefy \
-    MAILCOW_AGENT_MAIN_CMD="python3 -u /app/olefy.py"
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
-  CMD ["/usr/local/bin/mailcow-agent", "healthcheck"]
-
-ENTRYPOINT ["/usr/local/bin/mailcow-agent"]
-CMD []
+CMD ["python3", "-u", "/app/olefy.py"]
@@ -1,23 +1,19 @@
-ARG AGENT_IMAGE=ghcr.io/mailcow/agent:1.00
-
-FROM ${AGENT_IMAGE} AS mailcow-agent-src
-
 FROM php:8.2-fpm-alpine3.21

 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"

 # renovate: datasource=github-tags depName=krakjoe/apcu versioning=semver-coerced extractVersion=^v(?<version>.*)$
-ARG APCU_PECL_VERSION=5.1.28
+ARG APCU_PECL_VERSION=5.1.26
 # renovate: datasource=github-tags depName=Imagick/imagick versioning=semver-coerced extractVersion=(?<version>.*)$
-ARG IMAGICK_PECL_VERSION=3.8.1
+ARG IMAGICK_PECL_VERSION=3.8.0
 # renovate: datasource=github-tags depName=php/pecl-mail-mailparse versioning=semver-coerced extractVersion=^v(?<version>.*)$
-ARG MAILPARSE_PECL_VERSION=3.1.9
+ARG MAILPARSE_PECL_VERSION=3.1.8
 # renovate: datasource=github-tags depName=php-memcached-dev/php-memcached versioning=semver-coerced extractVersion=^v(?<version>.*)$
-ARG MEMCACHED_PECL_VERSION=3.4.0
+ARG MEMCACHED_PECL_VERSION=3.3.0
 # renovate: datasource=github-tags depName=phpredis/phpredis versioning=semver-coerced extractVersion=(?<version>.*)$
-ARG REDIS_PECL_VERSION=6.3.0
+ARG REDIS_PECL_VERSION=6.2.0
 # renovate: datasource=github-tags depName=composer/composer versioning=semver-coerced extractVersion=(?<version>.*)$
-ARG COMPOSER_VERSION=2.9.5
+ARG COMPOSER_VERSION=2.8.6

 RUN apk add -U --no-cache autoconf \
  aspell-dev \
@@ -76,7 +72,7 @@ RUN apk add -U --no-cache autoconf \
  && pecl clear-cache \
  && docker-php-ext-configure intl \
  && docker-php-ext-configure exif \
-  && docker-php-ext-configure gd --with-freetype=/usr/include/ \
+  && docker-php-ext-configure gd --with-freetype=/usr/include/ \  
    --with-jpeg=/usr/include/ \
    --with-webp \
    --with-xpm \
@@ -113,14 +109,6 @@ RUN apk add -U --no-cache autoconf \

 COPY ./docker-entrypoint.sh /

-COPY --from=mailcow-agent-src /out/mailcow-agent /usr/local/bin/mailcow-agent
-COPY --from=mailcow-agent-src /out/mailcow-agent-cli /usr/local/bin/mailcow-agent-cli
+ENTRYPOINT ["/docker-entrypoint.sh"]

-ENV MAILCOW_AGENT_SERVICE=php-fpm \
-    MAILCOW_AGENT_MAIN_CMD="/docker-entrypoint.sh php-fpm"
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
-  CMD ["/usr/local/bin/mailcow-agent", "healthcheck"]
-
-ENTRYPOINT ["/usr/local/bin/mailcow-agent"]
-CMD []
+CMD ["php-fpm"]
@@ -9,76 +9,104 @@ while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u
 done

 # Do not attempt to write to slave
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_HOST=$REDIS_SLAVEOF_IP
-  REDIS_PORT=$REDIS_SLAVEOF_PORT
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  VALKEY_HOST=$VALKEY_SLAVEOF_IP
+  VALKEY_PORT=$VALKEY_SLAVEOF_PORT
 else
-  REDIS_HOST="redis"
-  REDIS_PORT="6379"
+  VALKEY_HOST="valkey-mailcow"
+  VALKEY_PORT="6379"
 fi
-REDIS_CMDLINE="redis-cli -h ${REDIS_HOST} -p ${REDIS_PORT} -a ${REDISPASS} --no-auth-warning"
+VALKEY_CMDLINE="redis-cli -h ${VALKEY_HOST} -p ${VALKEY_PORT} -a ${VALKEYPASS} --no-auth-warning"

-until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
-  echo "Waiting for Redis..."
+until [[ $(${VALKEY_CMDLINE} PING) == "PONG" ]]; do
+  echo "Waiting for Valkey..."
  sleep 2
 done

-# Set redis session store
+# Set valkey session store
 echo -n '
 session.save_handler = redis
-session.save_path = "tcp://'${REDIS_HOST}':'${REDIS_PORT}'?auth='${REDISPASS}'"
+session.save_path = "tcp://'${VALKEY_HOST}':'${VALKEY_PORT}'?auth='${VALKEYPASS}'"
 ' > /usr/local/etc/php/conf.d/session_store.ini

-# Wait for MariaDB. The upstream mariadb image already runs mariadb-upgrade
-# itself on startup when needed
-echo "Waiting for MariaDB socket at /var/run/mysqld/mysqld.sock..."
-WAIT_C=0
-until mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} -e "SELECT 1" >/dev/null 2>&1; do
-  WAIT_C=$((WAIT_C+1))
-  if [ ${WAIT_C} -gt 60 ]; then
-    echo "MariaDB did not respond after 60s — continuing anyway."
+# Check mysql_upgrade (master and slave)
+CONTAINER_ID=
+until [[ ! -z "${CONTAINER_ID}" ]] && [[ "${CONTAINER_ID}" =~ ^[[:alnum:]]*$ ]]; do
+  CONTAINER_ID=$(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" 2> /dev/null | jq -rc "select( .name | tostring | contains(\"mysql-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" 2> /dev/null)
+  echo "Could not get mysql-mailcow container id... trying again"
+  sleep 2
+done
+echo "MySQL @ ${CONTAINER_ID}"
+SQL_LOOP_C=0
+SQL_CHANGED=0
+until [[ ${SQL_UPGRADE_STATUS} == 'success' ]]; do
+  if [ ${SQL_LOOP_C} -gt 4 ]; then
+    echo "Tried to upgrade MySQL and failed, giving up after ${SQL_LOOP_C} retries and starting container (oops, not good)"
    break
  fi
-  sleep 1
+  SQL_FULL_UPGRADE_RETURN=$(curl --silent --insecure -XPOST https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/exec -d '{"cmd":"system", "task":"mysql_upgrade"}' --silent -H 'Content-type: application/json')
+  SQL_UPGRADE_STATUS=$(echo ${SQL_FULL_UPGRADE_RETURN} | jq -r .type)
+  SQL_LOOP_C=$((SQL_LOOP_C+1))
+  echo "SQL upgrade iteration #${SQL_LOOP_C}"
+  if [[ ${SQL_UPGRADE_STATUS} == 'warning' ]]; then
+    SQL_CHANGED=1
+    echo "MySQL applied an upgrade, debug output:"
+    echo ${SQL_FULL_UPGRADE_RETURN}
+    sleep 3
+    while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
+      echo "Waiting for SQL to return, please wait"
+      sleep 2
+    done
+    continue
+  elif [[ ${SQL_UPGRADE_STATUS} == 'success' ]]; then
+    echo "MySQL is up-to-date - debug output:"
+    echo ${SQL_FULL_UPGRADE_RETURN}
+  else
+    echo "No valid reponse for mysql_upgrade was received, debug output:"
+    echo ${SQL_FULL_UPGRADE_RETURN}
+  fi
 done
-echo "MariaDB is ready."

-# Timezone tables — check if CONVERT_TZ works, import if it returns NULL.
-# Some Alpine builds drop mariadb-tzinfo-to-sql; fall back to a Python
-# emitter that produces the same INSERT statements from /usr/share/zoneinfo.
+# doing post-installation stuff, if SQL was upgraded (master and slave)
+if [ ${SQL_CHANGED} -eq 1 ]; then
+  POSTFIX=$(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" 2> /dev/null | jq -rc "select( .name | tostring | contains(\"postfix-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" 2> /dev/null)
+  if [[ -z "${POSTFIX}" ]] || ! [[ "${POSTFIX}" =~ ^[[:alnum:]]*$ ]]; then
+    echo "Could not determine Postfix container ID, skipping Postfix restart."
+  else
+    echo "Restarting Postfix"
+    curl -X POST --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${POSTFIX}/restart | jq -r '.msg'
+    echo "Sleeping 5 seconds..."
+    sleep 5
+  fi
+fi
+
+# Check mysql tz import (master and slave)
 TZ_CHECK=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT CONVERT_TZ('2019-11-02 23:33:00','Europe/Berlin','UTC') AS time;" -BN 2> /dev/null)
 if [[ -z ${TZ_CHECK} ]] || [[ "${TZ_CHECK}" == "NULL" ]]; then
-  echo "Importing timezone data into mysql.time_zone_* …"
-  if command -v mariadb-tzinfo-to-sql >/dev/null 2>&1; then
-    mariadb-tzinfo-to-sql /usr/share/zoneinfo 2>/dev/null \
-      | mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -uroot -p${DBROOT} mysql
-  elif command -v mysql_tzinfo_to_sql >/dev/null 2>&1; then
-    mysql_tzinfo_to_sql /usr/share/zoneinfo 2>/dev/null \
-      | mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -uroot -p${DBROOT} mysql
-  else
-    echo "No tzinfo-to-sql tool available — skipping timezone import."
-  fi
+  SQL_FULL_TZINFO_IMPORT_RETURN=$(curl --silent --insecure -XPOST https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/exec -d '{"cmd":"system", "task":"mysql_tzinfo_to_sql"}' --silent -H 'Content-type: application/json')
+  echo "MySQL mysql_tzinfo_to_sql - debug output:"
+  echo ${SQL_FULL_TZINFO_IMPORT_RETURN}
 fi

 if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
  echo "We are master, preparing..."
  # Set a default release format
-  if [[ -z $(${REDIS_CMDLINE} --raw GET Q_RELEASE_FORMAT) ]]; then
-    ${REDIS_CMDLINE} --raw SET Q_RELEASE_FORMAT raw
+  if [[ -z $(${VALKEY_CMDLINE} --raw GET Q_RELEASE_FORMAT) ]]; then
+    ${VALKEY_CMDLINE} --raw SET Q_RELEASE_FORMAT raw
  fi

  # Set max age of q items - if unset
-  if [[ -z $(${REDIS_CMDLINE} --raw GET Q_MAX_AGE) ]]; then
-    ${REDIS_CMDLINE} --raw SET Q_MAX_AGE 365
+  if [[ -z $(${VALKEY_CMDLINE} --raw GET Q_MAX_AGE) ]]; then
+    ${VALKEY_CMDLINE} --raw SET Q_MAX_AGE 365
  fi

  # Set default password policy - if unset
-  if [[ -z $(${REDIS_CMDLINE} --raw HGET PASSWD_POLICY length) ]]; then
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY length 6
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY chars 0
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY special_chars 0
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY lowerupper 0
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY numbers 0
+  if [[ -z $(${VALKEY_CMDLINE} --raw HGET PASSWD_POLICY length) ]]; then
+    ${VALKEY_CMDLINE} --raw HSET PASSWD_POLICY length 6
+    ${VALKEY_CMDLINE} --raw HSET PASSWD_POLICY chars 0
+    ${VALKEY_CMDLINE} --raw HSET PASSWD_POLICY special_chars 0
+    ${VALKEY_CMDLINE} --raw HSET PASSWD_POLICY lowerupper 0
+    ${VALKEY_CMDLINE} --raw HSET PASSWD_POLICY numbers 0
  fi

  # Trigger db init
@@ -86,9 +114,9 @@ if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
  php -c /usr/local/etc/php -f /web/inc/init_db.inc.php

  # Recreating domain map
-  echo "Rebuilding domain map in Redis..."
+  echo "Rebuilding domain map in Valkey..."
  declare -a DOMAIN_ARR
-    ${REDIS_CMDLINE} DEL DOMAIN_MAP > /dev/null
+    ${VALKEY_CMDLINE} DEL DOMAIN_MAP > /dev/null
  while read line
  do
    DOMAIN_ARR+=("$line")
@@ -100,7 +128,7 @@ if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then

  if [[ ! -z ${DOMAIN_ARR} ]]; then
  for domain in "${DOMAIN_ARR[@]}"; do
-    ${REDIS_CMDLINE} HSET DOMAIN_MAP ${domain} 1 > /dev/null
+    ${VALKEY_CMDLINE} HSET DOMAIN_MAP ${domain} 1 > /dev/null
  done
  fi

@@ -139,7 +167,7 @@ DELIMITER //
 CREATE EVENT clean_spamalias
 ON SCHEDULE EVERY 1 DAY DO
 BEGIN
-  DELETE FROM spamalias WHERE validity < UNIX_TIMESTAMP() AND permanent = 0;
+  DELETE FROM spamalias WHERE validity < UNIX_TIMESTAMP();
 END;
 //
 DELIMITER ;
@@ -1,14 +1,10 @@
-ARG AGENT_IMAGE=ghcr.io/mailcow/agent:1.00
-
-FROM ${AGENT_IMAGE} AS mailcow-agent-src
-
 FROM golang:1.25-bookworm AS builder
 WORKDIR /src

 ENV CGO_ENABLED=0 \
    GO111MODULE=on \
 		NOOPT=1 \
-    VERSION=1.8.22
+    VERSION=1.8.14

 RUN git clone --branch v${VERSION} https://github.com/Zuplu/postfix-tlspol && \
    cd /src/postfix-tlspol && \
@@ -38,7 +34,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \

 COPY supervisord.conf /etc/supervisor/supervisord.conf
 COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
-COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
+COPY syslog-ng-valkey_slave.conf /etc/syslog-ng/syslog-ng-valkey_slave.conf
 COPY postfix-tlspol.sh /opt/postfix-tlspol.sh
 COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
 COPY docker-entrypoint.sh /docker-entrypoint.sh
@@ -49,14 +45,6 @@ RUN chmod +x /opt/postfix-tlspol.sh \
  /docker-entrypoint.sh
 RUN rm -rf /tmp/* /var/tmp/*

-COPY --from=mailcow-agent-src /out/mailcow-agent /usr/local/bin/mailcow-agent
-COPY --from=mailcow-agent-src /out/mailcow-agent-cli /usr/local/bin/mailcow-agent-cli
+ENTRYPOINT ["/docker-entrypoint.sh"]

-ENV MAILCOW_AGENT_SERVICE=postfix-tlspol \
-    MAILCOW_AGENT_MAIN_CMD="/docker-entrypoint.sh /usr/bin/supervisord -c /etc/supervisor/supervisord.conf"
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
-  CMD ["/usr/local/bin/mailcow-agent", "healthcheck"]
-
-ENTRYPOINT ["/usr/local/bin/mailcow-agent"]
-CMD []
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
@@ -1,7 +1,7 @@
 #!/bin/bash

-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  cp /etc/syslog-ng/syslog-ng-valkey_slave.conf /etc/syslog-ng/syslog-ng.conf
 fi

 exec "$@"
@@ -17,14 +17,14 @@ until dig +short mailcow.email > /dev/null; do
 done

 # Do not attempt to write to slave
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  export REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  export VALKEY_CMDLINE="redis-cli -h ${VALKEY_SLAVEOF_IP} -p ${VALKEY_SLAVEOF_PORT} -a ${VALKEYPASS} --no-auth-warning"
 else
-  export REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
+  export VALKEY_CMDLINE="redis-cli -h valkey -p 6379 -a ${VALKEYPASS} --no-auth-warning"
 fi

-until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
-  echo "Waiting for Redis..."
+until [[ $(${VALKEY_CMDLINE} PING) == "PONG" ]]; do
+  echo "Waiting for Valkey..."
  sleep 2
 done

@@ -15,13 +15,13 @@ source s_src {
  internal();
 };
 destination d_stdout { pipe("/dev/stdout"); };
-destination d_redis_ui_log {
+destination d_valkey_ui_log {
  redis(
-    host("`REDIS_SLAVEOF_IP`")
-    persist-name("redis1")
-    port(`REDIS_SLAVEOF_PORT`)
-    auth("`REDISPASS`")
-    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json node=\"$HOST\" time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
+    host("`VALKEY_SLAVEOF_IP`")
+    persist-name("valkey1")
+    port(`VALKEY_SLAVEOF_PORT`)
+    auth("`VALKEYPASS`")
+    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
 filter f_mail { facility(mail); };
@@ -41,5 +41,5 @@ log {
  filter(f_ignore);
  destination(d_stdout);
  filter(f_mail);
-  destination(d_redis_ui_log);
+  destination(d_valkey_ui_log);
 };
@@ -15,13 +15,13 @@ source s_src {
  internal();
 };
 destination d_stdout { pipe("/dev/stdout"); };
-destination d_redis_ui_log {
+destination d_valkey_ui_log {
  redis(
-    host("redis-mailcow")
-    persist-name("redis1")
+    host("valkey-mailcow")
+    persist-name("valkey1")
    port(6379)
-    auth("`REDISPASS`")
-    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json node=\"$HOST\" time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
+    auth("`VALKEYPASS`")
+    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
 filter f_mail { facility(mail); };
@@ -41,5 +41,5 @@ log {
  filter(f_ignore);
  destination(d_stdout);
  filter(f_mail);
-  destination(d_redis_ui_log);
+  destination(d_valkey_ui_log);
 };
@@ -1,7 +1,3 @@
-ARG AGENT_IMAGE=ghcr.io/mailcow/agent:1.00
-
-FROM ${AGENT_IMAGE} AS mailcow-agent-src
-
 FROM debian:bookworm-slim

 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
@@ -45,7 +41,7 @@ RUN groupadd -g 102 postfix \

 COPY supervisord.conf /etc/supervisor/supervisord.conf
 COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
-COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
+COPY syslog-ng-valkey_slave.conf /etc/syslog-ng/syslog-ng-valkey_slave.conf
 COPY postfix.sh /opt/postfix.sh
 COPY rspamd-pipe-ham /usr/local/bin/rspamd-pipe-ham
 COPY rspamd-pipe-spam /usr/local/bin/rspamd-pipe-spam
@@ -62,14 +58,6 @@ RUN rm -rf /tmp/* /var/tmp/*

 EXPOSE 588

-COPY --from=mailcow-agent-src /out/mailcow-agent /usr/local/bin/mailcow-agent
-COPY --from=mailcow-agent-src /out/mailcow-agent-cli /usr/local/bin/mailcow-agent-cli
+ENTRYPOINT ["/docker-entrypoint.sh"]

-ENV MAILCOW_AGENT_SERVICE=postfix \
-    MAILCOW_AGENT_MAIN_CMD="/docker-entrypoint.sh /usr/bin/supervisord -c /etc/supervisor/supervisord.conf"
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
-  CMD ["/usr/local/bin/mailcow-agent", "healthcheck"]
-
-ENTRYPOINT ["/usr/local/bin/mailcow-agent"]
-CMD []
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
@@ -8,8 +8,8 @@ for file in /hooks/*; do
  fi
 done

-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  cp /etc/syslog-ng/syslog-ng-valkey_slave.conf /etc/syslog-ng/syslog-ng.conf
 fi

 # Fix OpenSSL 3.X TLS1.0, 1.1 support (https://community.mailcow.email/d/4062-hi-all/20)
@@ -21,6 +21,6 @@ if grep -qE '\!SSLv2|\!SSLv3|>=TLSv1(\.[0-1])?$' /opt/postfix/conf/main.cf /opt/
    echo "[tls_system_default]" >> /etc/ssl/openssl.cnf
    echo "MinProtocol = TLSv1" >> /etc/ssl/openssl.cnf
    echo "CipherString = DEFAULT@SECLEVEL=0" >> /etc/ssl/openssl.cnf
-fi  
+fi

 exec "$@"
@@ -329,17 +329,14 @@ query = SELECT goto FROM alias
          SELECT id FROM alias
            WHERE address='%s'
            AND (active='1' OR active='2')
-            AND sender_allowed='1'
        ), (
          SELECT id FROM alias
            WHERE address='@%d'
            AND (active='1' OR active='2')
-            AND sender_allowed='1'
        )
      )
    )
    AND active='1'
-    AND sender_allowed='1'
    AND (domain IN
      (SELECT domain FROM domain
        WHERE domain='%d'
@@ -393,7 +390,7 @@ hosts = unix:/var/run/mysqld/mysqld.sock
 dbname = ${DBNAME}
 query = SELECT goto FROM spamalias
  WHERE address='%s'
-    AND (validity >= UNIX_TIMESTAMP() OR permanent != 0)
+    AND validity >= UNIX_TIMESTAMP()
 EOF

 if [ ! -f /opt/postfix/conf/dns_blocklists.cf ]; then
@@ -527,4 +524,4 @@ if [[ $? != 0 ]]; then
 else
  postfix -c /opt/postfix/conf start
  sleep 126144000
-fi
+fi
@@ -15,21 +15,21 @@ source s_src {
  internal();
 };
 destination d_stdout { pipe("/dev/stdout"); };
-destination d_redis_ui_log {
+destination d_valkey_ui_log {
  redis(
-    host("`REDIS_SLAVEOF_IP`")
-    persist-name("redis1")
-    port(`REDIS_SLAVEOF_PORT`)
-    auth("`REDISPASS`")
-    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json node=\"$HOST\" time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
+    host("`VALKEY_SLAVEOF_IP`")
+    persist-name("valkey1")
+    port(`VALKEY_SLAVEOF_PORT`)
+    auth("`VALKEYPASS`")
+    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
-destination d_redis_f2b_channel {
+destination d_valkey_f2b_channel {
  redis(
-    host("`REDIS_SLAVEOF_IP`")
-    persist-name("redis2")
-    port(`REDIS_SLAVEOF_PORT`)
-    auth("`REDISPASS`")
+    host("`VALKEY_SLAVEOF_IP`")
+    persist-name("valkey2")
+    port(`VALKEY_SLAVEOF_PORT`)
+    auth("`VALKEYPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
@@ -50,6 +50,6 @@ log {
  filter(f_ignore);
  destination(d_stdout);
  filter(f_mail);
-  destination(d_redis_ui_log);
-  destination(d_redis_f2b_channel);
+  destination(d_valkey_ui_log);
+  destination(d_valkey_f2b_channel);
 };
@@ -15,21 +15,21 @@ source s_src {
  internal();
 };
 destination d_stdout { pipe("/dev/stdout"); };
-destination d_redis_ui_log {
+destination d_valkey_ui_log {
  redis(
-    host("redis-mailcow")
-    persist-name("redis1")
+    host("valkey-mailcow")
+    persist-name("valkey1")
    port(6379)
-    auth("`REDISPASS`")
-    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json node=\"$HOST\" time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
+    auth("`VALKEYPASS`")
+    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
-destination d_redis_f2b_channel {
+destination d_valkey_f2b_channel {
  redis(
-    host("redis-mailcow")
-    persist-name("redis2")
+    host("valkey-mailcow")
+    persist-name("valkey2")
    port(6379)
-    auth("`REDISPASS`")
+    auth("`VALKEYPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
@@ -50,6 +50,6 @@ log {
  filter(f_ignore);
  destination(d_stdout);
  filter(f_mail);
-  destination(d_redis_ui_log);
-  destination(d_redis_f2b_channel);
+  destination(d_valkey_ui_log);
+  destination(d_valkey_f2b_channel);
 };
@@ -1,13 +1,9 @@
-ARG AGENT_IMAGE=ghcr.io/mailcow/agent:1.00
-
-FROM ${AGENT_IMAGE} AS mailcow-agent-src
-
-FROM debian:trixie-slim
+FROM debian:bookworm-slim
 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"

 ARG DEBIAN_FRONTEND=noninteractive
-ARG RSPAMD_VER=rspamd_3.14.3-1~236eb65
-ARG CODENAME=trixie
+ARG RSPAMD_VER=rspamd_3.12.1-1~6dbfca2fa
+ARG CODENAME=bookworm
 ENV LC_ALL=C

 RUN apt-get update && apt-get install -y --no-install-recommends \
@@ -18,8 +14,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
  dnsutils \
  netcat-traditional \
  wget \
-  redis-tools \
-  procps \
+  redis-tools \ 
+  procps \ 
  nano \
  lua-cjson \
  && arch=$(arch | sed s/aarch64/arm64/ | sed s/x86_64/amd64/) \
@@ -37,16 +33,8 @@ COPY settings.conf /etc/rspamd/settings.conf
 COPY set_worker_password.sh /set_worker_password.sh
 COPY docker-entrypoint.sh /docker-entrypoint.sh

+ENTRYPOINT ["/docker-entrypoint.sh"]
+
 STOPSIGNAL SIGTERM

-COPY --from=mailcow-agent-src /out/mailcow-agent /usr/local/bin/mailcow-agent
-COPY --from=mailcow-agent-src /out/mailcow-agent-cli /usr/local/bin/mailcow-agent-cli
-
-ENV MAILCOW_AGENT_SERVICE=rspamd \
-    MAILCOW_AGENT_MAIN_CMD="/docker-entrypoint.sh /usr/bin/rspamd -f -u _rspamd -g _rspamd"
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
-  CMD ["/usr/local/bin/mailcow-agent", "healthcheck"]
-
-ENTRYPOINT ["/usr/local/bin/mailcow-agent"]
-CMD []
+CMD ["/usr/bin/rspamd", "-f", "-u", "_rspamd", "-g", "_rspamd"]
@@ -52,33 +52,33 @@ if [[ ! -z ${RSPAMD_V6} ]]; then
  echo ${RSPAMD_V6}/128 >> /etc/rspamd/custom/rspamd_trusted.map
 fi

-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
  cat <<EOF > /etc/rspamd/local.d/redis.conf
-read_servers = "redis:6379";
-write_servers = "${REDIS_SLAVEOF_IP}:${REDIS_SLAVEOF_PORT}";
-password = "${REDISPASS}";
+read_servers = "valkey-mailcow:6379";
+write_servers = "${VALKEY_SLAVEOF_IP}:${VALKEY_SLAVEOF_PORT}";
+password = "${VALKEYPASS}";
 timeout = 10;
 EOF
-  until [[ $(redis-cli -h redis-mailcow -a ${REDISPASS} --no-auth-warning PING) == "PONG" ]]; do
-    echo "Waiting for Redis @redis-mailcow..."
+  until [[ $(redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning PING) == "PONG" ]]; do
+    echo "Waiting for Valkey @valkey-mailcow..."
    sleep 2
  done
-  until [[ $(redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning PING) == "PONG" ]]; do
-    echo "Waiting for Redis @${REDIS_SLAVEOF_IP}..."
+  until [[ $(redis-cli -h ${VALKEY_SLAVEOF_IP} -p ${VALKEY_SLAVEOF_PORT} -a ${VALKEYPASS} --no-auth-warning PING) == "PONG" ]]; do
+    echo "Waiting for Valkey @${VALKEY_SLAVEOF_IP}..."
    sleep 2
  done
-  redis-cli -h redis-mailcow -a ${REDISPASS} --no-auth-warning SLAVEOF ${REDIS_SLAVEOF_IP} ${REDIS_SLAVEOF_PORT}
+  redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning SLAVEOF ${VALKEY_SLAVEOF_IP} ${VALKEY_SLAVEOF_PORT}
 else
  cat <<EOF > /etc/rspamd/local.d/redis.conf
-servers = "redis:6379";
-password = "${REDISPASS}";
+servers = "valkey-mailcow:6379";
+password = "${VALKEYPASS}";
 timeout = 10;
 EOF
-  until [[ $(redis-cli -h redis-mailcow -a ${REDISPASS} --no-auth-warning PING) == "PONG" ]]; do
-    echo "Waiting for Redis slave..."
+  until [[ $(redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning PING) == "PONG" ]]; do
+    echo "Waiting for Valkey slave..."
    sleep 2
  done
-  redis-cli -h redis-mailcow -a ${REDISPASS} --no-auth-warning SLAVEOF NO ONE
+  redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning SLAVEOF NO ONE
 fi

 if [[ "${SKIP_OLEFY}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
@@ -1,174 +1,50 @@
-# SOGo built from source to enable security patch application
-# Repository: https://github.com/Alinto/sogo
-# Version: SOGo-5.12.8
-#
-# Applied security patches:
-# -
-#
-# To add new patches, modify SOGO_SECURITY_PATCHES ARG below with space-separated commit hashes
-
-ARG AGENT_IMAGE=ghcr.io/mailcow/agent:1.00
-
-FROM ${AGENT_IMAGE} AS mailcow-agent-src
-
-FROM debian:bookworm
+FROM debian:bookworm-slim

 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"

 ARG DEBIAN_FRONTEND=noninteractive
-ARG SOGO_VERSION=SOGo-5.12.8
-ARG SOPE_VERSION=SOPE-5.12.8
-# Security patches to apply (space-separated commit hashes)
-ARG SOGO_SECURITY_PATCHES=""
+ARG DEBIAN_VERSION=bookworm
+ARG SOGO_DEBIAN_REPOSITORY=https://packagingv2.sogo.nu/sogo-nightly-debian/
 # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
-ARG GOSU_VERSION=1.19
+ARG GOSU_VERSION=1.17
 ENV LC_ALL=C

-# Install dependencies, build SOPE and SOGo, then clean up (all in one layer to minimize image size)
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    # Build dependencies
-    git \
-    build-essential \
-    gobjc \
-    pkg-config \
-    gnustep-make \
-    gnustep-base-runtime \
-    libgnustep-base-dev \
-    libxml2-dev \
-    libldap2-dev \
-    libssl-dev \
-    zlib1g-dev \
-    libpq-dev \
-    libmariadb-dev-compat \
-    libmemcached-dev \
-    libsodium-dev \
-    libcurl4-openssl-dev \
-    libzip-dev \
-    libytnef0-dev \
-    libwbxml2-dev \
-    curl \
-    ca-certificates \
-    # Runtime dependencies
-    apt-transport-https \
-    gettext \
-    gnupg \
-    mariadb-client \
-    rsync \
-    supervisor \
-    syslog-ng \
-    syslog-ng-core \
-    syslog-ng-mod-redis \
-    dirmngr \
-    netcat-traditional \
-    psmisc \
-    wget \
-    patch \
-    libobjc4 \
-    libxml2 \
-    libldap-2.5-0 \
-    libssl3 \
-    zlib1g \
-    libmariadb3 \
-    libmemcached11 \
-    libsodium23 \
-    libcurl4 \
-    libzip4 \
-    libytnef0 \
-    libwbxml2-1 \
-  # Download gosu
+# Prerequisites
+RUN echo "Building from repository $SOGO_DEBIAN_REPOSITORY" \
+  && apt-get update && apt-get install -y --no-install-recommends \
+  apt-transport-https \
+  ca-certificates \
+  gettext \
+  gnupg \
+  mariadb-client \
+  rsync \
+  supervisor \
+  syslog-ng \
+  syslog-ng-core \
+  syslog-ng-mod-redis \
+  dirmngr \
+  netcat-traditional \
+  psmisc \
+  wget \
+  patch \
  && dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
  && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
  && chmod +x /usr/local/bin/gosu \
  && gosu nobody true \
-  # Build SOPE
-  && git clone --depth 1 --branch ${SOPE_VERSION} https://github.com/Alinto/sope.git /tmp/sope \
-  && cd /tmp/sope \
-  && rm -rf .git \
-  && . /usr/share/GNUstep/Makefiles/GNUstep.sh \
-  && ./configure --prefix=/usr --disable-debug --disable-strip \
-  && make -j$(nproc) \
-  && make install \
-  && cd / \
-  && rm -rf /tmp/sope \
-  # Build SOGo with security patches
-  && git clone --depth 1 --branch ${SOGO_VERSION} https://github.com/Alinto/sogo.git /tmp/sogo \
-  && cd /tmp/sogo \
-  && git config user.email "builder@mailcow.local" \
-  && git config user.name "SOGo Builder" \
-  && for patch in ${SOGO_SECURITY_PATCHES}; do \
-       echo "Applying security patch: ${patch}"; \
-       git fetch origin ${patch} && git cherry-pick ${patch}; \
-     done \
-  && rm -rf .git \
-  && . /usr/share/GNUstep/Makefiles/GNUstep.sh \
-  && ./configure --disable-debug --disable-strip \
-  && make -j$(nproc) \
-  && make install \
-  && cd /tmp/sogo/ActiveSync \
-  && . /usr/share/GNUstep/Makefiles/GNUstep.sh \
-  && make -j$(nproc) install \
-  && cd / \
-  && rm -rf /tmp/sogo \
-  # Strip binaries
-  && strip --strip-unneeded /usr/local/sbin/sogod 2>/dev/null || true \
-  && strip --strip-unneeded /usr/local/sbin/sogo-tool 2>/dev/null || true \
-  && strip --strip-unneeded /usr/local/sbin/sogo-ealarms-notify 2>/dev/null || true \
-  && strip --strip-unneeded /usr/local/sbin/sogo-slapd-sockd 2>/dev/null || true \
-  # Remove build dependencies and clean up
-  && apt-get purge -y --auto-remove \
-    git \
-    build-essential \
-    gobjc \
-    gnustep-make \
-    libgnustep-base-dev \
-    libxml2-dev \
-    libldap2-dev \
-    libssl-dev \
-    zlib1g-dev \
-    libpq-dev \
-    libmariadb-dev-compat \
-    libmemcached-dev \
-    libsodium-dev \
-    libcurl4-openssl-dev \
-    libzip-dev \
-    libytnef0-dev \
-    curl \
-  && apt-get autoremove -y \
-  && apt-get clean \
-  && rm -rf /var/lib/apt/lists/* \
-  && rm -rf /usr/share/doc/* \
-  && rm -rf /usr/share/man/* \
-  && rm -rf /var/cache/debconf/* \
-  && rm -rf /tmp/* \
-  && rm -rf /root/.cache \
-  && find /usr/local/lib -name '*.a' -delete \
-  && find /usr/lib -name '*.a' -delete \
-  && mkdir -p /usr/share/doc/sogo \
+  && mkdir /usr/share/doc/sogo \
  && touch /usr/share/doc/sogo/empty.sh \
+  && wget -O- https://keys.openpgp.org/vks/v1/by-fingerprint/74FFC6D72B925A34B5D356BDF8A27B36A6E2EAE9 | gpg --dearmor | apt-key add - \
+  && echo "deb [trusted=yes] ${SOGO_DEBIAN_REPOSITORY} ${DEBIAN_VERSION} main" > /etc/apt/sources.list.d/sogo.list \
+  && apt-get update && apt-get install -y --no-install-recommends \
+    sogo \
+    sogo-activesync \
+  && apt-get autoclean \
+  && rm -rf /var/lib/apt/lists/* \
  && touch /etc/default/locale

-# Configure library paths
-RUN echo "/usr/lib64" > /etc/ld.so.conf.d/sogo.conf \
-  && echo "/usr/local/lib/sogo" >> /etc/ld.so.conf.d/sogo.conf \
-  && echo "/usr/local/lib/GNUstep/Frameworks/SOGo.framework/Versions/5/sogo" >> /etc/ld.so.conf.d/sogo.conf \
-  && ldconfig
-
-# Create sogo user and group
-RUN groupadd -r -g 999 sogo \
-  && useradd -r -u 999 -g sogo -d /var/lib/sogo -s /bin/bash -c "SOGo Daemon" sogo \
-  && mkdir -p /var/lib/sogo /var/run/sogo /var/log/sogo /var/spool/sogo \
-  && chown -R sogo:sogo /var/lib/sogo /var/run/sogo /var/log/sogo /var/spool/sogo
-
-# Create symlinks for SOGo binaries
-RUN ln -s /usr/local/sbin/sogod /usr/sbin/sogod \
-  && ln -s /usr/local/sbin/sogo-tool /usr/sbin/sogo-tool \
-  && ln -s /usr/local/sbin/sogo-ealarms-notify /usr/sbin/sogo-ealarms-notify \
-  && ln -s /usr/local/sbin/sogo-slapd-sockd /usr/sbin/sogo-slapd-sockd
-
-# Copy configuration files and scripts
 COPY ./bootstrap-sogo.sh /bootstrap-sogo.sh
 COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
-COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
+COPY syslog-ng-valkey_slave.conf /etc/syslog-ng/syslog-ng-valkey_slave.conf
 COPY supervisord.conf /etc/supervisor/supervisord.conf
 COPY acl.diff /acl.diff
 COPY navMailcowBtns.diff /navMailcowBtns.diff
@@ -178,14 +54,6 @@ COPY docker-entrypoint.sh /
 RUN chmod +x /bootstrap-sogo.sh \
  /usr/local/sbin/stop-supervisor.sh

-COPY --from=mailcow-agent-src /out/mailcow-agent /usr/local/bin/mailcow-agent
-COPY --from=mailcow-agent-src /out/mailcow-agent-cli /usr/local/bin/mailcow-agent-cli
+ENTRYPOINT ["/docker-entrypoint.sh"]

-ENV MAILCOW_AGENT_SERVICE=sogo \
-    MAILCOW_AGENT_MAIN_CMD="/docker-entrypoint.sh /usr/bin/supervisord -c /etc/supervisor/supervisord.conf"
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
-  CMD ["/usr/local/bin/mailcow-agent", "healthcheck"]
-
-ENTRYPOINT ["/usr/local/bin/mailcow-agent"]
-CMD []
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
@@ -1,5 +1,5 @@
--- /usr/local/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox    2018-08-17 18:29:57.987504204 +0200
-+++ /usr/local/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox    2018-08-17 18:29:35.918291298 +0200
+--- /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox    2018-08-17 18:29:57.987504204 +0200
+++ /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox    2018-08-17 18:29:35.918291298 +0200
@@ -46,7 +46,7 @@
           </md-item-template>
         </md-autocomplete>
@@ -50,6 +50,10 @@ cat <<EOF > /var/lib/sogo/GNUstep/Defaults/sogod.plist
    <string>YES</string>
    <key>SOGoEncryptionKey</key>
    <string>${RAND_PASS}</string>
+    <key>SOGoURLEncryptionEnabled</key>
+    <string>YES</string>
+    <key>SOGoURLEncryptionPassphrase</key>
+    <string>${SOGO_URL_ENCRYPTION_KEY}</string>
    <key>OCSAdminURL</key>
    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_admin</string>
    <key>OCSCacheFolderURL</key>
@@ -130,22 +134,18 @@ chmod 600 /var/lib/sogo/GNUstep/Defaults/sogod.plist
 # Patch ACLs
 #if [[ ${ACL_ANYONE} == 'allow' ]]; then
 #  #enable any or authenticated targets for ACL
-#  if patch -R -sfN --dry-run /usr/local/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff > /dev/null; then
-#    patch -R /usr/local/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff;
+#  if patch -R -sfN --dry-run /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff > /dev/null; then
+#    patch -R /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff;
 #  fi
 #else
 #  #disable any or authenticated targets for ACL
-#  if patch -sfN --dry-run /usr/local/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff > /dev/null; then
-#    patch /usr/local/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff;
+#  if patch -sfN --dry-run /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff > /dev/null; then
+#    patch /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff;
 #  fi
 #fi

-# Apply custom UI patch (reverse patch to ADD buttons)
-if patch -R -sfN --dry-run /usr/local/lib/GNUstep/SOGo/Templates/UIxTopnavToolbar.wox < /navMailcowBtns.diff > /dev/null; then
-  echo "Applying navMailcowBtns patch (reverse to add buttons)..."
-  patch -R /usr/local/lib/GNUstep/SOGo/Templates/UIxTopnavToolbar.wox < /navMailcowBtns.diff;
-else
-  echo "navMailcowBtns patch already applied or cannot be applied"
+if patch -R -sfN --dry-run /usr/lib/GNUstep/SOGo/Templates/UIxTopnavToolbar.wox < /navMailcowBtns.diff > /dev/null; then
+  patch -R /usr/lib/GNUstep/SOGo/Templates/UIxTopnavToolbar.wox < /navMailcowBtns.diff;
 fi

 # Rename custom logo, if any
@@ -153,7 +153,7 @@ fi

 # Rsync web content
 echo "Syncing web content with named volume"
-rsync -a /usr/local/lib/GNUstep/SOGo/. /sogo_web/
+rsync -a /usr/lib/GNUstep/SOGo/. /sogo_web/

 # Chown backup path
 chown -R sogo:sogo /sogo_backup
@@ -6,8 +6,8 @@ if [[ "${SKIP_SOGO}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
  exit 0
 fi

-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  cp /etc/syslog-ng/syslog-ng-valkey_slave.conf /etc/syslog-ng/syslog-ng.conf
 fi

 echo "$TZ" > /etc/timezone
@@ -17,28 +17,28 @@ source s_sogo {
  pipe("/dev/sogo_log" owner(sogo) group(sogo));
 };
 destination d_stdout { pipe("/dev/stdout"); };
-destination d_redis_ui_log {
+destination d_valkey_ui_log {
  redis(
-    host("`REDIS_SLAVEOF_IP`")
-    persist-name("redis1")
-    port(`REDIS_SLAVEOF_PORT`)
-    auth("`REDISPASS`")
-    command("LPUSH" "SOGO_LOG" "$(format-json node=\"$HOST\" time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
+    host("`VALKEY_SLAVEOF_IP`")
+    persist-name("valkey1")
+    port(`VALKEY_SLAVEOF_PORT`)
+    auth("`VALKEYPASS`")
+    command("LPUSH" "SOGO_LOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
-destination d_redis_f2b_channel {
+destination d_valkey_f2b_channel {
  redis(
-    host("`REDIS_SLAVEOF_IP`")
-    persist-name("redis2")
-    port(`REDIS_SLAVEOF_PORT`)
-    auth("`REDISPASS`")
+    host("`VALKEY_SLAVEOF_IP`")
+    persist-name("valkey2")
+    port(`VALKEY_SLAVEOF_PORT`)
+    auth("`VALKEYPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
 log {
  source(s_sogo);
-  destination(d_redis_ui_log);
-  destination(d_redis_f2b_channel);
+  destination(d_valkey_ui_log);
+  destination(d_valkey_f2b_channel);
 };
 log {
  source(s_sogo);
@@ -17,28 +17,28 @@ source s_sogo {
  pipe("/dev/sogo_log" owner(sogo) group(sogo));
 };
 destination d_stdout { pipe("/dev/stdout"); };
-destination d_redis_ui_log {
+destination d_valkey_ui_log {
  redis(
-    host("redis-mailcow")
-    persist-name("redis1")
+    host("valkey-mailcow")
+    persist-name("valkey1")
    port(6379)
-    auth("`REDISPASS`")
-    command("LPUSH" "SOGO_LOG" "$(format-json node=\"$HOST\" time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
+    auth("`VALKEYPASS`")
+    command("LPUSH" "SOGO_LOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
-destination d_redis_f2b_channel {
+destination d_valkey_f2b_channel {
  redis(
-    host("redis-mailcow")
-    persist-name("redis2")
+    host("valkey-mailcow")
+    persist-name("valkey2")
    port(6379)
-    auth("`REDISPASS`")
+    auth("`VALKEYPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
 log {
  source(s_sogo);
-  destination(d_redis_ui_log);
-  destination(d_redis_f2b_channel);
+  destination(d_valkey_ui_log);
+  destination(d_valkey_f2b_channel);
 };
 log {
  source(s_sogo);
@@ -1,8 +1,4 @@
-ARG AGENT_IMAGE=ghcr.io/mailcow/agent:1.00
-
-FROM ${AGENT_IMAGE} AS mailcow-agent-src
-
-FROM alpine:3.23
+FROM alpine:3.21

 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"

@@ -33,15 +29,8 @@ COPY supervisord.conf /etc/supervisor/supervisord.conf
 COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh

 RUN chmod +x /healthcheck.sh
+HEALTHCHECK --interval=30s --timeout=10s \
+  CMD sh -c '[ -f /tmp/healthcheck_status ] && [ "$(cat /tmp/healthcheck_status)" -eq 0 ] || exit 1'

-COPY --from=mailcow-agent-src /out/mailcow-agent /usr/local/bin/mailcow-agent
-COPY --from=mailcow-agent-src /out/mailcow-agent-cli /usr/local/bin/mailcow-agent-cli
-
-ENV MAILCOW_AGENT_SERVICE=unbound \
-    MAILCOW_AGENT_MAIN_CMD="/docker-entrypoint.sh /usr/bin/supervisord -c /etc/supervisor/supervisord.conf"
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
-  CMD ["/usr/local/bin/mailcow-agent", "healthcheck"]
-
-ENTRYPOINT ["/usr/local/bin/mailcow-agent"]
-CMD []
+ENTRYPOINT ["/docker-entrypoint.sh"]
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
@@ -0,0 +1,8 @@
+FROM python:3.13.2-alpine3.21
+
+WORKDIR /app
+
+COPY migrate.py /app/migrate.py
+RUN pip install --no-cache-dir redis
+
+CMD ["python", "/app/migrate.py"]
@@ -0,0 +1,78 @@
+import subprocess
+import redis
+import time
+import os
+
+# Container names
+SOURCE_CONTAINER = "redis-old-mailcow"
+DEST_CONTAINER = "valkey-mailcow"
+VALKEYPASS = os.getenv("VALKEYPASS")
+
+
+def migrate_redis():
+    src_redis = redis.StrictRedis(host=SOURCE_CONTAINER, port=6379, db=0, password=VALKEYPASS, decode_responses=False)
+    dest_redis = redis.StrictRedis(host=DEST_CONTAINER, port=6379, db=0, password=VALKEYPASS, decode_responses=False)
+
+    cursor = 0
+    batch_size = 100
+    migrated_count = 0
+
+    print("Starting migration...")
+
+    while True:
+        cursor, keys = src_redis.scan(cursor=cursor, match="*", count=batch_size)
+        keys_to_migrate = [key for key in keys if not key.startswith(b"PHPREDIS_SESSION:")]
+
+        for key in keys_to_migrate:
+            key_type = src_redis.type(key)
+            print(f"Import {key} of type {key_type}")
+
+            if key_type == b"string":
+                value = src_redis.get(key)
+                dest_redis.set(key, value)
+
+            elif key_type == b"hash":
+                value = src_redis.hgetall(key)
+                dest_redis.hset(key, mapping=value)
+
+            elif key_type == b"list":
+                value = src_redis.lrange(key, 0, -1)
+                for v in value:
+                    dest_redis.rpush(key, v)
+
+            elif key_type == b"set":
+                value = src_redis.smembers(key)
+                for v in value:
+                    dest_redis.sadd(key, v)
+
+            elif key_type == b"zset":
+                value = src_redis.zrange(key, 0, -1, withscores=True)
+                for v, score in value:
+                    dest_redis.zadd(key, {v: score})
+
+            # Preserve TTL if exists
+            ttl = src_redis.ttl(key)
+            if ttl > 0:
+                dest_redis.expire(key, ttl)
+
+            migrated_count += 1
+
+        if cursor == 0:
+            break  # No more keys to scan
+
+    print(f"Migration completed! {migrated_count} keys migrated.")
+
+    print("Forcing Valkey to save data...")
+    try:
+        dest_redis.save()  # Immediate RDB save (blocking)
+        dest_redis.bgrewriteaof()  # Rewrites the AOF file in the background
+        print("Data successfully saved to disk.")
+    except Exception as e:
+        print(f"Failed to save data: {e}")
+
+# Main script execution
+if __name__ == "__main__":
+    try:
+        migrate_redis()
+    finally:
+        pass
@@ -1,8 +1,4 @@
-ARG AGENT_IMAGE=ghcr.io/mailcow/agent:1.00
-
-FROM ${AGENT_IMAGE} AS mailcow-agent-src
-
-FROM alpine:3.23
+FROM alpine:3.21

 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"

@@ -41,16 +37,5 @@ RUN apk add --update \
 COPY watchdog.sh /watchdog.sh
 COPY check_mysql_slavestatus.sh /usr/lib/nagios/plugins/check_mysql_slavestatus.sh
 COPY check_dns.sh /usr/lib/mailcow/check_dns.sh
-COPY client.cnf /etc/my.cnf.d/client.cnf

-COPY --from=mailcow-agent-src /out/mailcow-agent /usr/local/bin/mailcow-agent
-COPY --from=mailcow-agent-src /out/mailcow-agent-cli /usr/local/bin/mailcow-agent-cli
-
-ENV MAILCOW_AGENT_SERVICE=watchdog \
-    MAILCOW_AGENT_MAIN_CMD="/watchdog.sh"
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
-  CMD ["/usr/local/bin/mailcow-agent", "healthcheck"]
-
-ENTRYPOINT ["/usr/local/bin/mailcow-agent"]
-CMD []
+CMD ["/watchdog.sh"]
@@ -19,19 +19,19 @@ if [ -z "$HOST" ]; then
 fi

 # run dig and measure the time it takes to run
-START_TIME=$(perl -MTime::HiRes -e 'print Time::HiRes::time')
+START_TIME=$(date +%s%3N)
 dig_output=$(dig +short +timeout=2 +tries=1 "$HOST" @"$SERVER" 2>/dev/null)
 dig_rc=$?
-END_TIME=$(perl -MTime::HiRes -e 'print Time::HiRes::time')
 dig_output_ips=$(echo "$dig_output" | grep -E '^[0-9.]+$' | sort | paste -sd ',' -)
-ELAPSED_TIME=$(perl -e "printf('%.3f', $END_TIME - $START_TIME)")
+END_TIME=$(date +%s%3N)
+ELAPSED_TIME=$((END_TIME - START_TIME))

 # validate and perform nagios like output and exit codes
 if [ $dig_rc -ne 0 ] || [ -z "$dig_output" ]; then
  echo "Domain $HOST was not found by the server"
  exit 2
 elif [ $dig_rc -eq 0 ]; then
-  echo "DNS OK: $ELAPSED_TIME seconds response time. $HOST returns $dig_output_ips"
+  echo "DNS OK: $ELAPSED_TIME ms response time. $HOST returns $dig_output_ips"
  exit 0
 else
  echo "Unknown error"
@@ -1,3 +0,0 @@
-[client]
-ssl = false
-ssl-verify-server-cert = false
@@ -38,24 +38,24 @@ if [[ ! -p /tmp/com_pipe ]]; then
 fi

 # Wait for containers
-while ! mariadb-admin status --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
+while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
  echo "Waiting for SQL..."
  sleep 2
 done

 # Do not attempt to write to slave
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
+if [[ ! -z ${VALKEY_SLAVEOF_IP} ]]; then
+  VALKEY_CMDLINE="redis-cli -h ${VALKEY_SLAVEOF_IP} -p ${VALKEY_SLAVEOF_PORT} -a ${VALKEYPASS} --no-auth-warning"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
+  VALKEY_CMDLINE="redis-cli -h valkey-mailcow -p 6379 -a ${VALKEYPASS} --no-auth-warning"
 fi

-until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
-  echo "Waiting for Redis..."
+until [[ $(${VALKEY_CMDLINE} PING) == "PONG" ]]; do
+  echo "Waiting for Valkey..."
  sleep 2
 done

-${REDIS_CMDLINE} DEL F2B_RES > /dev/null
+${VALKEY_CMDLINE} DEL F2B_RES > /dev/null

 # Common functions
 get_ipv6(){
@@ -90,15 +90,15 @@ progress() {
  [[ ${CURRENT} -gt ${TOTAL} ]] && return
  [[ ${CURRENT} -lt 0 ]] && CURRENT=0
  PERCENT=$(( 200 * ${CURRENT} / ${TOTAL} % 2 + 100 * ${CURRENT} / ${TOTAL} ))
-  ${REDIS_CMDLINE} LPUSH WATCHDOG_LOG "{\"time\":\"$(date +%s)\",\"service\":\"${SERVICE}\",\"lvl\":\"${PERCENT}\",\"hpnow\":\"${CURRENT}\",\"hptotal\":\"${TOTAL}\",\"hpdiff\":\"${DIFF}\"}" > /dev/null
-  log_msg "${SERVICE} health level: ${PERCENT}% (${CURRENT}/${TOTAL}), health trend: ${DIFF}" no_redis
+  ${VALKEY_CMDLINE} LPUSH WATCHDOG_LOG "{\"time\":\"$(date +%s)\",\"service\":\"${SERVICE}\",\"lvl\":\"${PERCENT}\",\"hpnow\":\"${CURRENT}\",\"hptotal\":\"${TOTAL}\",\"hpdiff\":\"${DIFF}\"}" > /dev/null
+  log_msg "${SERVICE} health level: ${PERCENT}% (${CURRENT}/${TOTAL}), health trend: ${DIFF}" no_valkey
  # Return 10 to indicate a dead service
  [ ${CURRENT} -le 0 ] && return 10
 }

 log_msg() {
-  if [[ ${2} != "no_redis" ]]; then
-    ${REDIS_CMDLINE} LPUSH WATCHDOG_LOG "{\"time\":\"$(date +%s)\",\"message\":\"$(printf '%s' "${1}" | \
+  if [[ ${2} != "no_valkey" ]]; then
+    ${VALKEY_CMDLINE} LPUSH WATCHDOG_LOG "{\"time\":\"$(date +%s)\",\"message\":\"$(printf '%s' "${1}" | \
      tr '\r\n%&;$"_[]{}-' ' ')\"}" > /dev/null
  fi
  echo $(date) $(printf '%s\n' "${1}")
@@ -114,10 +114,10 @@ function notify_error() {
  # If exists, mail will be throttled by argument in seconds
  [[ ! -z ${3} ]] && THROTTLE=${3}
  if [[ ! -z ${THROTTLE} ]]; then
-    TTL_LEFT="$(${REDIS_CMDLINE} TTL THROTTLE_${1} 2> /dev/null)"
+    TTL_LEFT="$(${VALKEY_CMDLINE} TTL THROTTLE_${1} 2> /dev/null)"
    if [[ "${TTL_LEFT}" == "-2" ]]; then
      # Delay key not found, setting a delay key now
-      ${REDIS_CMDLINE} SET THROTTLE_${1} 1 EX ${THROTTLE}
+      ${VALKEY_CMDLINE} SET THROTTLE_${1} 1 EX ${THROTTLE}
    else
      log_msg "Not sending notification email now, blocked for ${TTL_LEFT} seconds..."
      return 1
@@ -188,6 +188,44 @@ function notify_error() {
  fi
 }

+get_container_ip() {
+  # ${1} is container
+  CONTAINER_ID=()
+  CONTAINER_IPS=()
+  CONTAINER_IP=
+  LOOP_C=1
+  until [[ ${CONTAINER_IP} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || [[ ${LOOP_C} -gt 5 ]]; do
+    if [ ${IP_BY_DOCKER_API} -eq 0 ]; then
+      CONTAINER_IP=$(dig a "${1}" +short)
+    else
+      sleep 0.5
+      # get long container id for exact match
+      CONTAINER_ID=($(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring == \"${1}\") | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id"))
+      # returned id can have multiple elements (if scaled), shuffle for random test
+      CONTAINER_ID=($(printf "%s\n" "${CONTAINER_ID[@]}" | shuf))
+      if [[ ! -z ${CONTAINER_ID} ]]; then
+        for matched_container in "${CONTAINER_ID[@]}"; do
+          CONTAINER_IPS=($(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${matched_container}/json | jq -r '.NetworkSettings.Networks[].IPAddress'))
+          for ip_match in "${CONTAINER_IPS[@]}"; do
+            # grep will do nothing if one of these vars is empty
+            [[ -z ${ip_match} ]] && continue
+            [[ -z ${IPV4_NETWORK} ]] && continue
+            # only return ips that are part of our network
+            if ! grep -q ${IPV4_NETWORK} <(echo ${ip_match}); then
+              continue
+            else
+              CONTAINER_IP=${ip_match}
+              break
+            fi
+          done
+          [[ ! -z ${CONTAINER_IP} ]] && break
+        done
+      fi
+    fi
+    LOOP_C=$((LOOP_C + 1))
+  done
+  [[ ${LOOP_C} -gt 5 ]] && echo 240.0.0.0 || echo ${CONTAINER_IP}
+}

 # One-time check
 if grep -qi "$(echo ${IPV6_NETWORK} | cut -d: -f1-3)" <<< "$(ip a s)"; then
@@ -229,6 +267,295 @@ external_checks() {
  return 1
 }

+nginx_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=${NGINX_THRESHOLD}
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    touch /tmp/nginx-mailcow; echo "$(tail -50 /tmp/nginx-mailcow)" > /tmp/nginx-mailcow
+    host_ip=$(get_container_ip nginx-mailcow)
+    err_c_cur=${err_count}
+    /usr/lib/nagios/plugins/check_http -4 -H ${host_ip} -u / -p 8081 2>> /tmp/nginx-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "Nginx" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    if [[ $? == 10 ]]; then
+      diff_c=0
+      sleep 1
+    else
+      diff_c=0
+      sleep $(( ( RANDOM % 60 ) + 20 ))
+    fi
+  done
+  return 1
+}
+
+unbound_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=${UNBOUND_THRESHOLD}
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    touch /tmp/unbound-mailcow; echo "$(tail -50 /tmp/unbound-mailcow)" > /tmp/unbound-mailcow
+    host_ip=$(get_container_ip unbound-mailcow)
+    err_c_cur=${err_count}
+    /usr/lib/mailcow/check_dns.sh -s ${host_ip} -H stackoverflow.com 2>> /tmp/unbound-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    DNSSEC=$(dig com +dnssec | egrep 'flags:.+ad')
+    if [[ -z ${DNSSEC} ]]; then
+      echo "DNSSEC failure" 2>> /tmp/unbound-mailcow 1>&2
+      err_count=$(( ${err_count} + 1))
+    else
+      echo "DNSSEC check succeeded" 2>> /tmp/unbound-mailcow 1>&2
+    fi
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "Unbound" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    if [[ $? == 10 ]]; then
+      diff_c=0
+      sleep 1
+    else
+      diff_c=0
+      sleep $(( ( RANDOM % 60 ) + 20 ))
+    fi
+  done
+  return 1
+}
+
+valkey_checks() {
+  # A check for the local valkey container
+  err_count=0
+  diff_c=0
+  THRESHOLD=${VALKEY_THRESHOLD}
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    touch /tmp/valkey-mailcow; echo "$(tail -50 /tmp/valkey-mailcow)" > /tmp/valkey-mailcow
+    host_ip=$(get_container_ip valkey-mailcow)
+    err_c_cur=${err_count}
+    /usr/lib/nagios/plugins/check_tcp -4 -H valkey-mailcow -p 6379 -E -s "AUTH ${VALKEYPASS}\nPING\n" -q "QUIT" -e "PONG" 2>> /tmp/valkey-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "Valkey" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    if [[ $? == 10 ]]; then
+      diff_c=0
+      sleep 1
+    else
+      diff_c=0
+      sleep $(( ( RANDOM % 60 ) + 20 ))
+    fi
+  done
+  return 1
+}
+
+mysql_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=${MYSQL_THRESHOLD}
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    touch /tmp/mysql-mailcow; echo "$(tail -50 /tmp/mysql-mailcow)" > /tmp/mysql-mailcow
+    err_c_cur=${err_count}
+    /usr/lib/nagios/plugins/check_mysql -s /var/run/mysqld/mysqld.sock -u ${DBUSER} -p ${DBPASS} -d ${DBNAME} 2>> /tmp/mysql-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_mysql_query -s /var/run/mysqld/mysqld.sock -u ${DBUSER} -p ${DBPASS} -d ${DBNAME} -q "SELECT COUNT(*) FROM information_schema.tables" 2>> /tmp/mysql-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "MySQL/MariaDB" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    if [[ $? == 10 ]]; then
+      diff_c=0
+      sleep 1
+    else
+      diff_c=0
+      sleep $(( ( RANDOM % 60 ) + 20 ))
+    fi
+  done
+  return 1
+}
+
+mysql_repl_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=${MYSQL_REPLICATION_THRESHOLD}
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    touch /tmp/mysql_repl_checks; echo "$(tail -50 /tmp/mysql_repl_checks)" > /tmp/mysql_repl_checks
+    err_c_cur=${err_count}
+    /usr/lib/nagios/plugins/check_mysql_slavestatus.sh -S /var/run/mysqld/mysqld.sock -u root -p ${DBROOT} 2>> /tmp/mysql_repl_checks 1>&2; err_count=$(( ${err_count} + $? ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "MySQL/MariaDB replication" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    if [[ $? == 10 ]]; then
+      diff_c=0
+      sleep 60
+    else
+      diff_c=0
+      sleep $(( ( RANDOM % 60 ) + 20 ))
+    fi
+  done
+  return 1
+}
+
+sogo_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=${SOGO_THRESHOLD}
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    touch /tmp/sogo-mailcow; echo "$(tail -50 /tmp/sogo-mailcow)" > /tmp/sogo-mailcow
+    host_ip=$(get_container_ip sogo-mailcow)
+    err_c_cur=${err_count}
+    /usr/lib/nagios/plugins/check_http -4 -H ${host_ip} -u /SOGo.index/ -p 20000 2>> /tmp/sogo-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "SOGo" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    if [[ $? == 10 ]]; then
+      diff_c=0
+      sleep 1
+    else
+      diff_c=0
+      sleep $(( ( RANDOM % 60 ) + 20 ))
+    fi
+  done
+  return 1
+}
+
+postfix_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=${POSTFIX_THRESHOLD}
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    touch /tmp/postfix-mailcow; echo "$(tail -50 /tmp/postfix-mailcow)" > /tmp/postfix-mailcow
+    host_ip=$(get_container_ip postfix-mailcow)
+    err_c_cur=${err_count}
+    /usr/lib/nagios/plugins/check_smtp -4 -H ${host_ip} -p 589 -f "watchdog@invalid" -C "RCPT TO:watchdog@localhost" -C DATA -C . -R 250 2>> /tmp/postfix-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_smtp -4 -H ${host_ip} -p 589 -S 2>> /tmp/postfix-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "Postfix" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    if [[ $? == 10 ]]; then
+      diff_c=0
+      sleep 1
+    else
+      diff_c=0
+      sleep $(( ( RANDOM % 60 ) + 20 ))
+    fi
+  done
+  return 1
+}
+
+postfix-tlspol_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=${POSTFIX_TLSPOL_THRESHOLD}
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    touch /tmp/postfix-tlspol-mailcow; echo "$(tail -50 /tmp/postfix-tlspol-mailcow)" > /tmp/postfix-tlspol-mailcow
+    host_ip=$(get_container_ip postfix-tlspol-mailcow)
+    err_c_cur=${err_count}
+    /usr/lib/nagios/plugins/check_tcp -4 -H ${host_ip} -p 8642 2>> /tmp/postfix-tlspol-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "Postfix TLS Policy companion" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    if [[ $? == 10 ]]; then
+      diff_c=0
+      sleep 1
+    else
+      diff_c=0
+      sleep $(( ( RANDOM % 60 ) + 20 ))
+    fi
+  done
+  return 1
+}
+
+clamd_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=${CLAMD_THRESHOLD}
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    touch /tmp/clamd-mailcow; echo "$(tail -50 /tmp/clamd-mailcow)" > /tmp/clamd-mailcow
+    host_ip=$(get_container_ip clamd-mailcow)
+    err_c_cur=${err_count}
+    /usr/lib/nagios/plugins/check_clamd -4 -H ${host_ip} 2>> /tmp/clamd-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "Clamd" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    if [[ $? == 10 ]]; then
+      diff_c=0
+      sleep 1
+    else
+      diff_c=0
+      sleep $(( ( RANDOM % 120 ) + 20 ))
+    fi
+  done
+  return 1
+}
+
+dovecot_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=${DOVECOT_THRESHOLD}
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    touch /tmp/dovecot-mailcow; echo "$(tail -50 /tmp/dovecot-mailcow)" > /tmp/dovecot-mailcow
+    host_ip=$(get_container_ip dovecot-mailcow)
+    err_c_cur=${err_count}
+    /usr/lib/nagios/plugins/check_smtp -4 -H ${host_ip} -p 24 -f "watchdog@invalid" -C "RCPT TO:<watchdog@invalid>" -L -R "User doesn't exist" 2>> /tmp/dovecot-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_imap -4 -H ${host_ip} -p 993 -S -e "OK " 2>> /tmp/dovecot-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_imap -4 -H ${host_ip} -p 143 -e "OK " 2>> /tmp/dovecot-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_tcp -4 -H ${host_ip} -p 10001 -e "VERSION" 2>> /tmp/dovecot-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_tcp -4 -H ${host_ip} -p 4190 -e "Dovecot ready" 2>> /tmp/dovecot-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "Dovecot" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    if [[ $? == 10 ]]; then
+      diff_c=0
+      sleep 1
+    else
+      diff_c=0
+      sleep $(( ( RANDOM % 60 ) + 20 ))
+    fi
+  done
+  return 1
+}
+
+dovecot_repl_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=${DOVECOT_REPL_THRESHOLD}
+  D_REPL_STATUS=$(redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning -r GET DOVECOT_REPL_HEALTH)
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    err_c_cur=${err_count}
+    D_REPL_STATUS=$(redis-cli --raw -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning GET DOVECOT_REPL_HEALTH)
+    if [[ "${D_REPL_STATUS}" != "1" ]]; then
+      err_count=$(( ${err_count} + 1 ))
+    fi
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "Dovecot replication" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    if [[ $? == 10 ]]; then
+      diff_c=0
+      sleep 60
+    else
+      diff_c=0
+      sleep $(( ( RANDOM % 60 ) + 20 ))
+    fi
+  done
+  return 1
+}
+
 cert_checks() {
  err_count=0
  diff_c=0
@@ -237,9 +564,11 @@ cert_checks() {
  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
  while [ ${err_count} -lt ${THRESHOLD} ]; do
    touch /tmp/certcheck; echo "$(tail -50 /tmp/certcheck)" > /tmp/certcheck
+    host_ip_postfix=$(get_container_ip postfix)
+    host_ip_dovecot=$(get_container_ip dovecot)
    err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_smtp -H postfix -p 589 -4 -S -D 7 2>> /tmp/certcheck 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_imap -H dovecot -p 993 -4 -S -D 7 2>> /tmp/certcheck 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_smtp -H ${host_ip_postfix} -p 589 -4 -S -D 7 2>> /tmp/certcheck 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_imap -H ${host_ip_dovecot} -p 993 -4 -S -D 7 2>> /tmp/certcheck 1>&2; err_count=$(( ${err_count} + $? ))
    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
    progress "Primary certificate expiry check" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
@@ -249,24 +578,49 @@ cert_checks() {
  return 1
 }

+phpfpm_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=${PHPFPM_THRESHOLD}
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    touch /tmp/php-fpm-mailcow; echo "$(tail -50 /tmp/php-fpm-mailcow)" > /tmp/php-fpm-mailcow
+    host_ip=$(get_container_ip php-fpm-mailcow)
+    err_c_cur=${err_count}
+    /usr/lib/nagios/plugins/check_tcp -H ${host_ip} -p 9001 2>> /tmp/php-fpm-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_tcp -H ${host_ip} -p 9002 2>> /tmp/php-fpm-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "PHP-FPM" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    if [[ $? == 10 ]]; then
+      diff_c=0
+      sleep 1
+    else
+      diff_c=0
+      sleep $(( ( RANDOM % 60 ) + 20 ))
+    fi
+  done
+  return 1
+}

 ratelimit_checks() {
  err_count=0
  diff_c=0
  THRESHOLD=${RATELIMIT_THRESHOLD}
-  RL_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} --no-auth-warning LRANGE RL_LOG 0 0 | jq .qid)
+  RL_LOG_STATUS=$(redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning LRANGE RL_LOG 0 0 | jq .qid)
  # Reduce error count by 2 after restarting an unhealthy container
  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
  while [ ${err_count} -lt ${THRESHOLD} ]; do
    err_c_cur=${err_count}
    RL_LOG_STATUS_PREV=${RL_LOG_STATUS}
-    RL_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} --no-auth-warning LRANGE RL_LOG 0 0 | jq .qid)
+    RL_LOG_STATUS=$(redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning LRANGE RL_LOG 0 0 | jq .qid)
    if [[ ${RL_LOG_STATUS_PREV} != ${RL_LOG_STATUS} ]]; then
      err_count=$(( ${err_count} + 1 ))
      echo 'Last 10 applied ratelimits (may overlap with previous reports).' > /tmp/ratelimit
      echo 'Full ratelimit buckets can be emptied by deleting the ratelimit hash from within mailcow UI (see /debug -> Protocols -> Ratelimit):' >> /tmp/ratelimit
      echo >> /tmp/ratelimit
-      redis-cli --raw -h redis -a ${REDISPASS} --no-auth-warning LRANGE RL_LOG 0 10 | jq . >> /tmp/ratelimit
+      redis-cli --raw -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning LRANGE RL_LOG 0 10 | jq . >> /tmp/ratelimit
    fi
    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
@@ -315,20 +669,20 @@ fail2ban_checks() {
  err_count=0
  diff_c=0
  THRESHOLD=${FAIL2BAN_THRESHOLD}
-  F2B_LOG_STATUS=($(${REDIS_CMDLINE} --raw HKEYS F2B_ACTIVE_BANS))
+  F2B_LOG_STATUS=($(${VALKEY_CMDLINE} --raw HKEYS F2B_ACTIVE_BANS))
  F2B_RES=
  # Reduce error count by 2 after restarting an unhealthy container
  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
  while [ ${err_count} -lt ${THRESHOLD} ]; do
    err_c_cur=${err_count}
    F2B_LOG_STATUS_PREV=(${F2B_LOG_STATUS[@]})
-    F2B_LOG_STATUS=($(${REDIS_CMDLINE} --raw HKEYS F2B_ACTIVE_BANS))
+    F2B_LOG_STATUS=($(${VALKEY_CMDLINE} --raw HKEYS F2B_ACTIVE_BANS))
    array_diff F2B_RES F2B_LOG_STATUS F2B_LOG_STATUS_PREV
    if [[ ! -z "${F2B_RES}" ]]; then
      err_count=$(( ${err_count} + 1 ))
-      echo -n "${F2B_RES[@]}" | tr -cd "[a-fA-F0-9.:/] " | timeout 3s ${REDIS_CMDLINE} -x SET F2B_RES > /dev/null
+      echo -n "${F2B_RES[@]}" | tr -cd "[a-fA-F0-9.:/] " | timeout 3s ${VALKEY_CMDLINE} -x SET F2B_RES > /dev/null
      if [ $? -ne 0 ]; then
-         ${REDIS_CMDLINE} -x DEL F2B_RES
+         ${VALKEY_CMDLINE} -x DEL F2B_RES
      fi
    fi
    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
@@ -349,9 +703,9 @@ acme_checks() {
  err_count=0
  diff_c=0
  THRESHOLD=${ACME_THRESHOLD}
-  ACME_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} --no-auth-warning GET ACME_FAIL_TIME)
+  ACME_LOG_STATUS=$(redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning GET ACME_FAIL_TIME)
  if [[ -z "${ACME_LOG_STATUS}" ]]; then
-    ${REDIS_CMDLINE} SET ACME_FAIL_TIME 0
+    ${VALKEY_CMDLINE} SET ACME_FAIL_TIME 0
    ACME_LOG_STATUS=0
  fi
  # Reduce error count by 2 after restarting an unhealthy container
@@ -361,7 +715,7 @@ acme_checks() {
    ACME_LOG_STATUS_PREV=${ACME_LOG_STATUS}
    ACME_LC=0
    until [[ ! -z ${ACME_LOG_STATUS} ]] || [ ${ACME_LC} -ge 3 ]; do
-      ACME_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} --no-auth-warning GET ACME_FAIL_TIME 2> /dev/null)
+      ACME_LOG_STATUS=$(redis-cli -h valkey-mailcow -a ${VALKEYPASS} --no-auth-warning GET ACME_FAIL_TIME 2> /dev/null)
      sleep 3
      ACME_LC=$((ACME_LC+1))
    done
@@ -382,63 +736,90 @@ acme_checks() {
  return 1
 }

+rspamd_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=${RSPAMD_THRESHOLD}
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    touch /tmp/rspamd-mailcow; echo "$(tail -50 /tmp/rspamd-mailcow)" > /tmp/rspamd-mailcow
+    host_ip=$(get_container_ip rspamd-mailcow)
+    err_c_cur=${err_count}
+    SCORE=$(echo 'To: null@localhost
+From: watchdog@localhost

+Empty
+' | usr/bin/curl --max-time 10 -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/scan | jq -rc .default.required_score | sed 's/\..*//' )
+    if [[ ${SCORE} -ne 9999 ]]; then
+      echo "Rspamd settings check failed, score returned: ${SCORE}" 2>> /tmp/rspamd-mailcow 1>&2
+      err_count=$(( ${err_count} + 1))
+    else
+      echo "Rspamd settings check succeeded, score returned: ${SCORE}" 2>> /tmp/rspamd-mailcow 1>&2
+    fi
+    # A dirty hack until a PING PONG event is implemented to worker proxy
+    # We expect an empty response, not a timeout
+    if [ "$(curl -s --max-time 10 ${host_ip}:9900 2> /dev/null ; echo $?)" == "28" ]; then
+      echo "Milter check failed" 2>> /tmp/rspamd-mailcow 1>&2; err_count=$(( ${err_count} + 1 ));
+    else
+      echo "Milter check succeeded" 2>> /tmp/rspamd-mailcow 1>&2
+    fi
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "Rspamd" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    if [[ $? == 10 ]]; then
+      diff_c=0
+      sleep 1
+    else
+      diff_c=0
+      sleep $(( ( RANDOM % 60 ) + 20 ))
+    fi
+  done
+  return 1
+}
+
+olefy_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=${OLEFY_THRESHOLD}
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    touch /tmp/olefy-mailcow; echo "$(tail -50 /tmp/olefy-mailcow)" > /tmp/olefy-mailcow
+    host_ip=$(get_container_ip olefy-mailcow)
+    err_c_cur=${err_count}
+    /usr/lib/nagios/plugins/check_tcp -4 -H ${host_ip} -p 10055 -s "PING\n" 2>> /tmp/olefy-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "Olefy" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    if [[ $? == 10 ]]; then
+      diff_c=0
+      sleep 1
+    else
+      diff_c=0
+      sleep $(( ( RANDOM % 60 ) + 20 ))
+    fi
+  done
+  return 1
+}

 # Notify about start
 if [[ ${WATCHDOG_NOTIFY_START} =~ ^([yY][eE][sS]|[yY])+$ ]]; then
  notify_error "watchdog-mailcow" "Watchdog started monitoring mailcow."
 fi

-# Health checks run inside each container (mailcow-agent healthcheck + heartbeat).
-# We just read the per-node health field from Redis and restart on N consecutive fails.
-REDIS_HOST="${REDIS_SLAVEOF_IP:-redis-mailcow}"
-REDIS_PORT="${REDIS_SLAVEOF_PORT:-6379}"
-REDIS_CMDLINE_FULL="redis-cli -h ${REDIS_HOST} -p ${REDIS_PORT} -a ${REDISPASS} --no-auth-warning"
-
-HEALTH_WATCHED_SERVICES=(
-  postfix dovecot sogo rspamd nginx
-  clamd unbound olefy phpfpm postfix-tlspol
-)
-
-declare -A HEALTH_FAIL_COUNT
-HEALTH_FAIL_THRESHOLD=3
-
-[[ "${SKIP_SOGO}" =~ ^([yY][eE][sS]|[yY])+$ ]] && HEALTH_WATCHED_SERVICES=("${HEALTH_WATCHED_SERVICES[@]/sogo}")
-[[ "${SKIP_CLAMD}" =~ ^([yY][eE][sS]|[yY])+$ ]] && HEALTH_WATCHED_SERVICES=("${HEALTH_WATCHED_SERVICES[@]/clamd}")
-[[ "${SKIP_OLEFY}" =~ ^([yY][eE][sS]|[yY])+$ ]] && HEALTH_WATCHED_SERVICES=("${HEALTH_WATCHED_SERVICES[@]/olefy}")
+# Create watchdog agents

 (
-# Counters are per-node in an associative array reset on restart, so absorb USR1
-# instead of dying (other tasks trap it to decrement their own err_count).
-trap '' USR1
-declare -A HEALTH_FAIL_COUNT
 while true; do
-  for svc in "${HEALTH_WATCHED_SERVICES[@]}"; do
-    [[ -z "$svc" ]] && continue
-    nodes=$(${REDIS_CMDLINE_FULL} ZRANGEBYSCORE "mailcow.nodes.${svc}" "$(( $(date +%s) - 30 ))" "+inf" 2>/dev/null)
-    [[ -z "${nodes}" ]] && continue
-    while IFS= read -r node; do
-      [[ -z "${node}" ]] && continue
-      health=$(${REDIS_CMDLINE_FULL} HGET "mailcow.node.${svc}.${node}" health 2>/dev/null)
-      key="${svc}|${node}"
-      if [[ "${health}" == "fail" ]]; then
-        HEALTH_FAIL_COUNT[$key]=$(( ${HEALTH_FAIL_COUNT[$key]:-0} + 1 ))
-        if [[ ${HEALTH_FAIL_COUNT[$key]} -ge ${HEALTH_FAIL_THRESHOLD} ]]; then
-          detail=$(${REDIS_CMDLINE_FULL} HGET "mailcow.node.${svc}.${node}" health_detail 2>/dev/null)
-          log_msg "Service ${svc} node ${node} unhealthy (${detail:-no detail}) — sending restart"
-          echo "${svc}-mailcow|${node}" > /tmp/com_pipe
-          HEALTH_FAIL_COUNT[$key]=0
-        fi
-      else
-        HEALTH_FAIL_COUNT[$key]=0
-      fi
-    done <<< "${nodes}"
-  done
-  sleep 15
+  if ! nginx_checks; then
+    log_msg "Nginx hit error limit"
+    echo nginx-mailcow > /tmp/com_pipe
+  fi
 done
 ) &
 PID=$!
-echo "Spawned registry-based health monitor with PID ${PID}"
+echo "Spawned nginx_checks with PID ${PID}"
 BACKGROUND_TASKS+=(${PID})

 if [[ ${WATCHDOG_EXTERNAL_CHECKS} =~ ^([yY][eE][sS]|[yY])+$ ]]; then
@@ -455,6 +836,110 @@ echo "Spawned external_checks with PID ${PID}"
 BACKGROUND_TASKS+=(${PID})
 fi

+if [[ ${WATCHDOG_MYSQL_REPLICATION_CHECKS} =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+(
+while true; do
+  if ! mysql_repl_checks; then
+    log_msg "MySQL replication check hit error limit"
+    echo mysql_repl_checks > /tmp/com_pipe
+  fi
+done
+) &
+PID=$!
+echo "Spawned mysql_repl_checks with PID ${PID}"
+BACKGROUND_TASKS+=(${PID})
+fi
+
+(
+while true; do
+  if ! mysql_checks; then
+    log_msg "MySQL hit error limit"
+    echo mysql-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+PID=$!
+echo "Spawned mysql_checks with PID ${PID}"
+BACKGROUND_TASKS+=(${PID})
+
+(
+while true; do
+  if ! valkey_checks; then
+    log_msg "Local Valkey hit error limit"
+    echo valkey-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+PID=$!
+echo "Spawned valkey_checks with PID ${PID}"
+BACKGROUND_TASKS+=(${PID})
+
+(
+while true; do
+  if ! phpfpm_checks; then
+    log_msg "PHP-FPM hit error limit"
+    echo php-fpm-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+PID=$!
+echo "Spawned phpfpm_checks with PID ${PID}"
+BACKGROUND_TASKS+=(${PID})
+
+if [[ "${SKIP_SOGO}" =~ ^([nN][oO]|[nN])+$ ]]; then
+(
+while true; do
+  if ! sogo_checks; then
+    log_msg "SOGo hit error limit"
+    echo sogo-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+PID=$!
+echo "Spawned sogo_checks with PID ${PID}"
+BACKGROUND_TASKS+=(${PID})
+fi
+
+if [ ${CHECK_UNBOUND} -eq 1 ]; then
+(
+while true; do
+  if ! unbound_checks; then
+    log_msg "Unbound hit error limit"
+    echo unbound-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+PID=$!
+echo "Spawned unbound_checks with PID ${PID}"
+BACKGROUND_TASKS+=(${PID})
+fi
+
+if [[ "${SKIP_CLAMD}" =~ ^([nN][oO]|[nN])+$ ]]; then
+(
+while true; do
+  if ! clamd_checks; then
+    log_msg "Clamd hit error limit"
+    echo clamd-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+PID=$!
+echo "Spawned clamd_checks with PID ${PID}"
+BACKGROUND_TASKS+=(${PID})
+fi
+
+(
+while true; do
+  if ! postfix_checks; then
+    log_msg "Postfix hit error limit"
+    echo postfix-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+PID=$!
+echo "Spawned postfix_checks with PID ${PID}"
+BACKGROUND_TASKS+=(${PID})
+
 (
 while true; do
  if ! mailq_checks; then
@@ -467,6 +952,54 @@ PID=$!
 echo "Spawned mailq_checks with PID ${PID}"
 BACKGROUND_TASKS+=(${PID})

+(
+while true; do
+  if ! postfix-tlspol_checks; then
+    log_msg "Postfix TLS Policy hit error limit"
+    echo postfix-tlspol-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+PID=$!
+echo "Spawned postfix-tlspol_checks with PID ${PID}"
+BACKGROUND_TASKS+=(${PID})
+
+(
+while true; do
+  if ! dovecot_checks; then
+    log_msg "Dovecot hit error limit"
+    echo dovecot-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+PID=$!
+echo "Spawned dovecot_checks with PID ${PID}"
+BACKGROUND_TASKS+=(${PID})
+
+(
+while true; do
+  if ! dovecot_repl_checks; then
+    log_msg "Dovecot hit error limit"
+    echo dovecot_repl_checks > /tmp/com_pipe
+  fi
+done
+) &
+PID=$!
+echo "Spawned dovecot_repl_checks with PID ${PID}"
+BACKGROUND_TASKS+=(${PID})
+
+(
+while true; do
+  if ! rspamd_checks; then
+    log_msg "Rspamd hit error limit"
+    echo rspamd-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+PID=$!
+echo "Spawned rspamd_checks with PID ${PID}"
+BACKGROUND_TASKS+=(${PID})
+
 (
 while true; do
  if ! ratelimit_checks; then
@@ -503,6 +1036,20 @@ PID=$!
 echo "Spawned cert_checks with PID ${PID}"
 BACKGROUND_TASKS+=(${PID})

+if [[ "${SKIP_OLEFY}" =~ ^([nN][oO]|[nN])+$ ]]; then
+(
+while true; do
+  if ! olefy_checks; then
+    log_msg "Olefy hit error limit"
+    echo olefy-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+PID=$!
+echo "Spawned olefy_checks with PID ${PID}"
+BACKGROUND_TASKS+=(${PID})
+fi
+
 (
 while true; do
  if ! acme_checks; then
@@ -528,19 +1075,15 @@ while true; do
 done
 ) &

-# Pause background checks while Redis (the control bus) is unreachable, otherwise
-# we'd flag every service as unhealthy at once.
+# Monitor dockerapi
 (
-REDIS_HOST="${REDIS_SLAVEOF_IP:-redis-mailcow}"
-REDIS_PORT="${REDIS_SLAVEOF_PORT:-6379}"
-ping_bus() { redis-cli -h "${REDIS_HOST}" -p "${REDIS_PORT}" -a "${REDISPASS}" --no-auth-warning ping > /dev/null 2>&1; }
 while true; do
-  while ping_bus; do
+  while nc -z dockerapi 443; do
    sleep 3
  done
-  log_msg "Cannot reach redis-mailcow (control bus), waiting to recover..."
+  log_msg "Cannot find dockerapi-mailcow, waiting to recover..."
  kill -STOP ${BACKGROUND_TASKS[*]}
-  until ping_bus; do
+  until nc -z dockerapi 443; do
    sleep 3
  done
  kill -CONT ${BACKGROUND_TASKS[*]}
@@ -586,9 +1129,9 @@ while true; do
    # Define $2 to override message text, else print service was restarted at ...
    notify_error "${com_pipe_answer}" "Please check acme-mailcow for further information."
  elif [[ ${com_pipe_answer} == "fail2ban" ]]; then
-    F2B_RES=($(timeout 4s ${REDIS_CMDLINE} --raw GET F2B_RES 2> /dev/null))
+    F2B_RES=($(timeout 4s ${VALKEY_CMDLINE} --raw GET F2B_RES 2> /dev/null))
    if [[ ! -z "${F2B_RES}" ]]; then
-      ${REDIS_CMDLINE} DEL F2B_RES > /dev/null
+      ${VALKEY_CMDLINE} DEL F2B_RES > /dev/null
      host=
      for host in "${F2B_RES[@]}"; do
        log_msg "Banned ${host}"
@@ -600,33 +1143,24 @@ while true; do
  elif [[ ${com_pipe_answer} =~ .+-mailcow ]]; then
    kill -STOP ${BACKGROUND_TASKS[*]}
    sleep 10
-    # "<service>-mailcow|<node>" restarts a single replica; bare "<service>-mailcow"
-    # broadcasts the restart to every replica of the service.
-    AGENT_NODE=""
-    AGENT_SVC="${com_pipe_answer%-mailcow}"
-    if [[ "${com_pipe_answer}" == *"|"* ]]; then
-      AGENT_NODE="${com_pipe_answer#*|}"
-      AGENT_SVC="${com_pipe_answer%|*}"
-      AGENT_SVC="${AGENT_SVC%-mailcow}"
-    fi
-    STARTED_AT_RAW=$(redis-cli -h "${REDIS_SLAVEOF_IP:-redis-mailcow}" -p "${REDIS_SLAVEOF_PORT:-6379}" -a "${REDISPASS}" --no-auth-warning HGET "mailcow.node.${AGENT_SVC}.${AGENT_NODE:-$(hostname)}" started_at 2>/dev/null)
-    S_RUNNING=999
-    if [[ -n "${STARTED_AT_RAW}" ]]; then
-      S_RUNNING=$(( $(date +%s) - $(date -d "${STARTED_AT_RAW}" +%s 2>/dev/null || echo 0) ))
-    fi
-    if [ ${S_RUNNING} -lt 360 ]; then
-      log_msg "Container is running for less than 360 seconds, skipping action..."
-    else
-      if [[ -n "${AGENT_NODE}" ]]; then
-        log_msg "Sending restart to ${AGENT_SVC} node ${AGENT_NODE} via control bus..."
-        mailcow-agent-cli send "${AGENT_SVC}" restart "{\"target_node\":\"${AGENT_NODE}\"}" >/dev/null || true
-      else
-        log_msg "Sending restart broadcast to ${AGENT_SVC} via control bus..."
-        mailcow-agent-cli send "${AGENT_SVC}" restart >/dev/null || true
+    CONTAINER_ID=$(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"${com_pipe_answer}\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id")
+    if [[ ! -z ${CONTAINER_ID} ]]; then
+      if [[ "${com_pipe_answer}" == "php-fpm-mailcow" ]]; then
+        HAS_INITDB=$(curl --silent --insecure -XPOST https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/top | jq '.msg.Processes[] | contains(["php -c /usr/local/etc/php -f /web/inc/init_db.inc.php"])' | grep true)
+      fi
+      S_RUNNING=$(($(date +%s) - $(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/json | jq .State.StartedAt | xargs -n1 date +%s -d)))
+      if [ ${S_RUNNING} -lt 360 ]; then
+        log_msg "Container is running for less than 360 seconds, skipping action..."
+      elif [[ ! -z ${HAS_INITDB} ]]; then
+        log_msg "Database is being initialized by php-fpm-mailcow, not restarting but delaying checks for a minute..."
+        sleep 60
+      else
+        log_msg "Sending restart command to ${CONTAINER_ID}..."
+        curl --silent --insecure -XPOST https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/restart
+        notify_error "${com_pipe_answer}"
+        log_msg "Wait for restarted container to settle and continue watching..."
+        sleep 35
      fi
-      notify_error "${com_pipe_answer}"
-      log_msg "Wait for restarted container to settle and continue watching..."
-      sleep 35
    fi
    kill -CONT ${BACKGROUND_TASKS[*]}
    sleep 1
@@ -23,16 +23,16 @@ if (file_exists('../../../web/inc/vars.local.inc.php')) {
 require_once '../../../web/inc/lib/vendor/autoload.php';


-// Init Redis
-$redis = new Redis();
+// Init Valkey
+$valkey = new Redis();
 try {
-  if (!empty(getenv('REDIS_SLAVEOF_IP'))) {
-    $redis->connect(getenv('REDIS_SLAVEOF_IP'), getenv('REDIS_SLAVEOF_PORT'));
+  if (!empty(getenv('VALKEY_SLAVEOF_IP'))) {
+    $valkey->connect(getenv('VALKEY_SLAVEOF_IP'), getenv('VALKEY_SLAVEOF_PORT'));
  }
  else {
-    $redis->connect('redis-mailcow', 6379);
+    $valkey->connect('valkey-mailcow', 6379);
  }
-  $redis->auth(getenv("REDISPASS"));
+  $valkey->auth(getenv("VALKEYPASS"));
 }
 catch (Exception $e) {
  error_log("MAILCOWAUTH: " . $e . PHP_EOL);
@@ -80,21 +80,14 @@ if ($isSOGoRequest) {
 }
 if ($result === false){
  // If it's a SOGo Request, don't check for protocol access
-  if ($isSOGoRequest) {
-    $service = 'SOGO';
-    $post['service'] = 'NONE';
-  } else {
-    $service = $post['service'];
-  }
-
-  $result = apppass_login($post['username'], $post['password'], array(
-    'service' => $post['service'],
+  $service = ($isSOGoRequest) ? false : array($post['service'] => true);
+  $result = apppass_login($post['username'], $post['password'], $service, array(
    'is_internal' => true,
    'remote_addr' => $post['real_rip']
  ));
  if ($result) {
-    error_log('MAILCOWAUTH: App auth for user ' . $post['username'] . " with service " . $service . " from IP " . $post['real_rip']);
-    set_sasl_log($post['username'], $post['real_rip'], $service);
+    error_log('MAILCOWAUTH: App auth for user ' . $post['username'] . " with service " . $post['service'] . " from IP " . $post['real_rip']);
+    set_sasl_log($post['username'], $post['real_rip'], $post['service']);
  }
 }
 if ($result === false){
@@ -13,7 +13,6 @@ events {
 http {
    include /etc/nginx/mime.types;
    default_type  application/octet-stream;
-    server_tokens off;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
@@ -14,6 +14,7 @@ ssl_session_tickets off;

 add_header Strict-Transport-Security "max-age=15768000;";
 add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
 add_header X-Robots-Tag none;
 add_header X-Download-Options noopen;
 add_header X-Frame-Options "SAMEORIGIN" always;
@@ -261,19 +262,19 @@ location ~* /sogo$ {
 }

 location /SOGo.woa/WebServerResources/ {
-    alias /usr/local/lib/GNUstep/SOGo/WebServerResources/;
+    alias /usr/lib/GNUstep/SOGo/WebServerResources/;
 }

 location /.woa/WebServerResources/ {
-    alias /usr/local/lib/GNUstep/SOGo/WebServerResources/;
+    alias /usr/lib/GNUstep/SOGo/WebServerResources/;
 }

 location /SOGo/WebServerResources/ {
-    alias /usr/local/lib/GNUstep/SOGo/WebServerResources/;
+    alias /usr/lib/GNUstep/SOGo/WebServerResources/;
 }

 location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
-    alias /usr/local/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
+    alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
 }
 {% endif %}

@@ -23,16 +23,16 @@ catch (PDOException $e) {
  exit;
 }

-// Init Redis
-$redis = new Redis();
+// Init Valkey
+$valkey = new Redis();
 try {
-  if (!empty(getenv('REDIS_SLAVEOF_IP'))) {
-    $redis->connect(getenv('REDIS_SLAVEOF_IP'), getenv('REDIS_SLAVEOF_PORT'));
+  if (!empty(getenv('VALKEY_SLAVEOF_IP'))) {
+    $valkey->connect(getenv('VALKEY_SLAVEOF_IP'), getenv('VALKEY_SLAVEOF_PORT'));
  }
  else {
-    $redis->connect('redis-mailcow', 6379);
+    $valkey->connect('valkey-mailcow', 6379);
  }
-  $redis->auth(getenv("REDISPASS"));
+  $valkey->auth(getenv("VALKEYPASS"));
 }
 catch (Exception $e) {
  echo "Exiting: " . $e->getMessage();
@@ -41,7 +41,7 @@ catch (Exception $e) {
 }

 function logMsg($priority, $message, $task = "Keycloak Sync") {
-  global $redis;
+  global $valkey;

  $finalMsg = array(
    "time" => time(),
@@ -49,7 +49,7 @@ function logMsg($priority, $message, $task = "Keycloak Sync") {
    "task" => $task,
    "message" => $message
  );
-  $redis->lPush('CRON_LOG', json_encode($finalMsg));
+  $valkey->lPush('CRON_LOG', json_encode($finalMsg));
 }

 // Load core functions first
@@ -23,16 +23,16 @@ catch (PDOException $e) {
  exit;
 }

-// Init Redis
-$redis = new Redis();
+// Init Valkey
+$valkey = new Redis();
 try {
-  if (!empty(getenv('REDIS_SLAVEOF_IP'))) {
-    $redis->connect(getenv('REDIS_SLAVEOF_IP'), getenv('REDIS_SLAVEOF_PORT'));
+  if (!empty(getenv('VALKEY_SLAVEOF_IP'))) {
+    $valkey->connect(getenv('VALKEY_SLAVEOF_IP'), getenv('VALKEY_SLAVEOF_PORT'));
  }
  else {
-    $redis->connect('redis-mailcow', 6379);
+    $valkey->connect('valkey-mailcow', 6379);
  }
-  $redis->auth(getenv("REDISPASS"));
+  $valkey->auth(getenv("VALKEYPASS"));
 }
 catch (Exception $e) {
  echo "Exiting: " . $e->getMessage();
@@ -41,7 +41,7 @@ catch (Exception $e) {
 }

 function logMsg($priority, $message, $task = "LDAP Sync") {
-  global $redis;
+  global $valkey;

  $finalMsg = array(
    "time" => time(),
@@ -49,7 +49,7 @@ function logMsg($priority, $message, $task = "LDAP Sync") {
    "task" => $task,
    "message" => $message
  );
-  $redis->lPush('CRON_LOG', json_encode($finalMsg));
+  $valkey->lPush('CRON_LOG', json_encode($finalMsg));
 }

 // Load core functions first
@@ -1,16 +1,7 @@
-; NOTE: Restart phpfpm on ANY manual changes to PHP files!
-
-; opcache
 opcache.enable=1
 opcache.enable_cli=1
 opcache.interned_strings_buffer=16
 opcache.max_accelerated_files=10000
 opcache.memory_consumption=128
 opcache.save_comments=1
-opcache.validate_timestamps=0
-
-; JIT
-; Disabled for now due to some PHP segmentation faults observed
-; in certain environments. Possibly some PHP or PHP extension bug.
-opcache.jit=disable
-opcache.jit_buffer_size=0
+opcache.revalidate_freq=1
@@ -1,8 +1,7 @@
-# Whitelist generated by Postwhite v3.4 on Fri May  1 00:43:37 UTC 2026
+# Whitelist generated by Postwhite v3.4 on Wed Oct  1 00:21:33 UTC 2025
 # https://github.com/stevejenkins/postwhite/
-# 2249 total rules
+# 2216 total rules
 2a00:1450:4000::/36	permit
-2a00:1450:4864::/56	permit
 2a01:111:f400::/48	permit
 2a01:111:f403:2800::/53	permit
 2a01:111:f403:8000::/51	permit
@@ -30,13 +29,8 @@
 2a01:b747:3005:200::/56	permit
 2a01:b747:3006:200::/56	permit
 2a02:a60:0:5::/64	permit
-2a0f:f640::/56	permit
 2c0f:fb50:4000::/36	permit
-2c0f:fb50:4864::/56	permit
-2.207.151.32/27	permit
-2.207.151.53	permit
 2.207.217.30	permit
-2.207.223.160/27	permit
 3.64.237.68	permit
 3.65.3.180	permit
 3.70.123.177	permit
@@ -62,9 +56,8 @@
 8.40.222.0/23	permit
 8.40.222.250/31	permit
 12.130.86.238	permit
-13.107.213.40	permit
-13.107.246.40	permit
-13.108.16.0/20	permit
+13.107.213.41	permit
+13.107.246.41	permit
 13.110.208.0/21	permit
 13.110.209.0/24	permit
 13.110.216.0/22	permit
@@ -73,7 +66,6 @@
 13.111.191.0/24	permit
 13.216.7.111	permit
 13.216.54.180	permit
-13.247.164.219	permit
 15.200.21.50	permit
 15.200.44.248	permit
 15.200.201.185	permit
@@ -281,7 +273,6 @@
 50.56.130.221	permit
 50.56.130.222	permit
 50.112.246.219	permit
-51.83.17.38	permit
 52.1.14.157	permit
 52.5.230.59	permit
 52.6.74.205	permit
@@ -308,6 +299,15 @@
 52.94.124.0/28	permit
 52.95.48.152/29	permit
 52.95.49.88/29	permit
+52.96.91.34	permit
+52.96.111.82	permit
+52.96.172.98	permit
+52.96.214.50	permit
+52.96.222.194	permit
+52.96.222.226	permit
+52.96.223.2	permit
+52.96.228.130	permit
+52.96.229.242	permit
 52.100.0.0/15	permit
 52.102.0.0/16	permit
 52.103.0.0/17	permit
@@ -373,7 +373,6 @@
 64.132.88.0/23	permit
 64.132.92.0/24	permit
 64.181.194.190	permit
-64.181.213.254	permit
 64.207.219.7	permit
 64.207.219.8	permit
 64.207.219.9	permit
@@ -403,8 +402,27 @@
 64.207.219.143	permit
 64.233.160.0/19	permit
 65.52.80.137	permit
+65.54.51.64/26	permit
+65.54.61.64/26	permit
+65.54.121.120/29	permit
+65.54.190.0/24	permit
+65.54.241.0/24	permit
 65.55.29.77	permit
+65.55.33.64/28	permit
+65.55.34.0/24	permit
 65.55.42.224/28	permit
+65.55.52.224/27	permit
+65.55.78.128/25	permit
+65.55.81.48/28	permit
+65.55.90.0/24	permit
+65.55.94.0/25	permit
+65.55.111.0/24	permit
+65.55.113.64/26	permit
+65.55.116.0/25	permit
+65.55.126.0/25	permit
+65.55.174.0/25	permit
+65.55.178.128/27	permit
+65.55.234.192/26	permit
 65.110.161.77	permit
 65.123.29.213	permit
 65.123.29.220	permit
@@ -459,11 +477,7 @@
 66.218.75.252/31	permit
 66.218.75.254	permit
 66.220.144.128/25	permit
-66.220.144.178	permit
-66.220.144.179	permit
 66.220.155.0/24	permit
-66.220.155.178	permit
-66.220.155.179	permit
 66.220.157.0/25	permit
 66.231.80.0/20	permit
 66.240.227.0/24	permit
@@ -528,9 +542,8 @@
 69.162.98.0/24	permit
 69.169.224.0/20	permit
 69.171.232.0/24	permit
-69.171.232.180	permit
-69.171.232.181	permit
 69.171.244.0/23	permit
+70.37.151.128/25	permit
 70.42.149.35	permit
 72.3.185.0/24	permit
 72.14.192.0/18	permit
@@ -627,6 +640,7 @@
 74.208.4.220	permit
 74.208.4.221	permit
 74.209.250.0/24	permit
+75.2.70.75	permit
 76.223.128.0/19	permit
 76.223.176.0/20	permit
 77.238.176.0/24	permit
@@ -651,7 +665,6 @@
 77.238.189.148/30	permit
 79.135.106.0/24	permit
 79.135.107.0/24	permit
-80.225.160.128/25	permit
 81.169.146.243	permit
 81.169.146.245	permit
 81.169.146.246	permit
@@ -670,9 +683,6 @@
 82.165.159.45	permit
 82.165.159.130	permit
 82.165.159.131	permit
-84.8.68.0/25	permit
-84.8.192.128/25	permit
-84.8.224.128/25	permit
 85.9.206.169	permit
 85.9.210.45	permit
 85.158.136.0/21	permit
@@ -723,11 +733,11 @@
 87.248.117.205	permit
 87.253.232.0/21	permit
 89.22.108.0/24	permit
-91.198.2.177	permit
-91.198.2.217	permit
-91.198.2.222	permit
+91.198.2.0/24	permit
 91.211.240.0/22	permit
 94.236.119.0/26	permit
+94.245.112.0/27	permit
+94.245.112.10/31	permit
 95.131.104.0/21	permit
 95.217.114.154	permit
 96.43.144.0/20	permit
@@ -1220,9 +1230,9 @@
 98.139.245.208/30	permit
 98.139.245.212/31	permit
 99.78.197.208/28	permit
+99.83.190.102	permit
 103.9.96.0/22	permit
 103.28.42.0/24	permit
-103.84.217.15	permit
 103.84.217.238	permit
 103.89.75.238	permit
 103.151.192.0/23	permit
@@ -1368,6 +1378,11 @@
 108.179.144.0/20	permit
 109.224.244.0/24	permit
 109.237.142.0/24	permit
+111.221.23.128/25	permit
+111.221.26.0/27	permit
+111.221.66.0/25	permit
+111.221.69.128/25	permit
+111.221.112.0/21	permit
 112.19.199.64/29	permit
 112.19.242.64/29	permit
 116.214.12.47	permit
@@ -1415,7 +1430,6 @@
 128.245.248.0/21	permit
 129.41.77.70	permit
 129.41.169.249	permit
-129.77.16.0/20	permit
 129.80.5.164	permit
 129.80.64.36	permit
 129.80.67.121	permit
@@ -1424,20 +1438,6 @@
 129.146.88.28	permit
 129.146.147.105	permit
 129.146.236.58	permit
-129.148.135.0/25	permit
-129.148.148.0/25	permit
-129.148.164.0/25	permit
-129.148.180.0/25	permit
-129.148.215.0/25	permit
-129.149.6.0/25	permit
-129.149.22.0/25	permit
-129.149.38.0/25	permit
-129.149.52.0/25	permit
-129.149.68.0/25	permit
-129.149.84.0/25	permit
-129.149.100.0/25	permit
-129.149.118.0/25	permit
-129.149.126.0/25	permit
 129.151.67.221	permit
 129.153.62.216	permit
 129.153.104.71	permit
@@ -1446,23 +1446,19 @@
 129.153.194.228	permit
 129.154.255.129	permit
 129.158.56.255	permit
-129.158.62.153	permit
 129.159.22.159	permit
 129.159.87.137	permit
 129.213.195.191	permit
-130.35.116.0/25	permit
 130.61.9.72	permit
 130.162.39.83	permit
 130.248.172.0/24	permit
 130.248.173.0/24	permit
-131.186.12.0/25	permit
 131.253.30.0/24	permit
 131.253.121.0/26	permit
 132.145.13.209	permit
 132.226.26.225	permit
 132.226.49.32	permit
 132.226.56.24	permit
-134.98.248.128/25	permit
 134.128.64.0/19	permit
 134.128.96.0/19	permit
 134.170.27.8	permit
@@ -1485,7 +1481,6 @@
 136.143.184.0/24	permit
 136.143.188.0/24	permit
 136.143.190.0/23	permit
-136.146.128.0/20	permit
 136.147.128.0/20	permit
 136.147.135.0/24	permit
 136.147.176.0/20	permit
@@ -1493,10 +1488,6 @@
 136.147.182.0/24	permit
 136.147.224.0/20	permit
 136.179.50.206	permit
-136.248.224.128/25	permit
-136.248.232.128/25	permit
-138.1.108.0/25	permit
-138.1.170.0/24	permit
 139.60.152.0/22	permit
 139.138.35.44	permit
 139.138.46.121	permit
@@ -1505,11 +1496,8 @@
 139.138.57.55	permit
 139.138.58.119	permit
 139.167.79.86	permit
-139.177.108.0/25	permit
 139.180.17.0/24	permit
 140.238.148.191	permit
-141.148.55.217	permit
-141.148.91.244	permit
 141.148.159.229	permit
 141.193.32.0/23	permit
 141.193.184.32/27	permit
@@ -1544,9 +1532,6 @@
 146.88.28.0/24	permit
 146.148.116.76	permit
 147.154.32.0/25	permit
-147.154.63.0/24	permit
-147.154.126.0/24	permit
-147.154.191.0/24	permit
 147.243.1.47	permit
 147.243.1.48	permit
 147.243.1.153	permit
@@ -1558,32 +1543,36 @@
 149.72.234.184	permit
 149.72.248.236	permit
 149.97.173.180	permit
-149.118.160.128/25	permit
-150.136.21.199	permit
 150.230.98.160	permit
 151.145.38.14	permit
 152.67.105.195	permit
 152.69.200.236	permit
 152.70.155.126	permit
-155.248.135.128/25	permit
-155.248.140.0/25	permit
-155.248.148.0/25	permit
 155.248.208.51	permit
 155.248.220.138	permit
 155.248.234.149	permit
 155.248.237.141	permit
+157.55.0.192/26	permit
+157.55.1.128/26	permit
+157.55.2.0/25	permit
+157.55.9.128/25	permit
+157.55.11.0/25	permit
+157.55.49.0/25	permit
+157.55.61.0/24	permit
+157.55.157.128/25	permit
+157.55.225.0/25	permit
+157.56.24.0/25	permit
 157.56.120.128/26	permit
+157.56.232.0/21	permit
+157.56.240.0/20	permit
+157.56.248.0/21	permit
 157.58.30.128/25	permit
 157.58.196.96/29	permit
 157.58.249.3	permit
-157.137.32.128/25	permit
-157.137.96.128/25	permit
 157.151.208.65	permit
 157.255.1.64/29	permit
 158.101.211.207	permit
 158.247.16.0/20	permit
-158.247.100.0/25	permit
-159.13.4.0/25	permit
 159.92.154.0/24	permit
 159.92.155.0/24	permit
 159.92.157.0/24	permit
@@ -1605,10 +1594,8 @@
 159.135.224.0/20	permit
 159.135.228.10	permit
 159.183.0.0/16	permit
-159.183.14.233	permit
 159.183.68.71	permit
 159.183.79.38	permit
-159.183.121.182	permit
 159.183.129.172	permit
 160.1.62.192	permit
 161.38.192.0/20	permit
@@ -1617,7 +1604,6 @@
 161.71.64.0/20	permit
 162.88.4.0/23	permit
 162.88.8.0/24	permit
-162.88.24.0/23	permit
 162.88.24.0/24	permit
 162.88.25.0/24	permit
 162.88.36.0/24	permit
@@ -1629,18 +1615,12 @@
 163.114.135.16	permit
 163.116.128.0/17	permit
 163.192.116.87	permit
-163.192.125.176	permit
-163.192.196.146	permit
-163.192.204.161	permit
 164.152.23.32	permit
 164.152.25.241	permit
 164.177.132.168/30	permit
-165.1.100.0/25	permit
 165.173.128.0/24	permit
-165.173.180.1	permit
 165.173.180.250/31	permit
 165.173.182.250/31	permit
-165.173.189.205	permit
 166.78.68.0/22	permit
 166.78.68.221	permit
 166.78.69.169	permit
@@ -1659,12 +1639,9 @@
 167.89.75.126	permit
 167.89.75.136	permit
 167.89.75.164	permit
+167.89.101.2	permit
+167.89.101.192/28	permit
 167.220.67.232/29	permit
-168.107.248.128/25	permit
-168.110.160.128/25	permit
-168.110.248.128/25	permit
-168.129.184.128/25	permit
-168.129.248.128/25	permit
 168.138.5.36	permit
 168.138.73.51	permit
 168.138.77.31	permit
@@ -1681,17 +1658,17 @@
 169.148.144.0/25	permit
 169.148.144.10	permit
 169.148.146.0/23	permit
-169.148.174.10	permit
 169.148.175.3	permit
-169.148.179.3	permit
 169.148.188.0/24	permit
 169.148.188.182	permit
-170.9.232.254	permit
 170.10.128.0/24	permit
 170.10.129.0/24	permit
 170.10.132.56/29	permit
 170.10.132.64/29	permit
 170.10.133.0/24	permit
+172.217.32.0/20	permit
+172.253.56.0/21	permit
+172.253.112.0/20	permit
 173.0.84.0/29	permit
 173.0.84.224/27	permit
 173.0.94.244/30	permit
@@ -1719,7 +1696,8 @@
 182.50.78.64/28	permit
 183.240.219.64/29	permit
 185.4.120.0/22	permit
-185.11.255.144	permit
+185.11.253.128/27	permit
+185.11.255.0/24	permit
 185.12.80.0/22	permit
 185.28.196.0/22	permit
 185.58.84.93	permit
@@ -1733,16 +1711,8 @@
 185.138.56.128/25	permit
 185.189.236.0/22	permit
 185.211.120.0/22	permit
-185.233.188.68	permit
-185.233.188.75	permit
-185.233.188.84	permit
-185.233.188.160	permit
-185.233.188.176	permit
-185.233.188.247	permit
-185.233.189.44	permit
-185.233.189.98	permit
-185.233.189.122	permit
-185.233.189.228	permit
+185.233.188.0/23	permit
+185.233.190.0/23	permit
 185.250.236.0/22	permit
 185.250.239.148	permit
 185.250.239.168	permit
@@ -1801,24 +1771,8 @@
 192.18.139.154	permit
 192.18.145.36	permit
 192.18.152.58	permit
-192.22.32.128/25	permit
-192.22.96.128/25	permit
-192.22.160.128/25	permit
-192.22.224.128/25	permit
 192.28.128.0/18	permit
-192.29.24.0/25	permit
-192.29.44.0/25	permit
-192.29.72.0/25	permit
-192.29.88.0/25	permit
 192.29.103.128/25	permit
-192.29.134.0/25	permit
-192.29.151.128/25	permit
-192.29.172.0/25	permit
-192.29.178.0/25	permit
-192.29.200.0/25	permit
-192.29.216.0/25	permit
-192.29.232.0/25	permit
-192.29.248.0/25	permit
 192.30.252.0/22	permit
 192.161.144.0/20	permit
 192.162.87.0/24	permit
@@ -1826,12 +1780,15 @@
 192.237.159.42	permit
 192.237.159.43	permit
 192.254.112.0/20	permit
+192.254.112.60	permit
+192.254.112.98/31	permit
+192.254.113.10	permit
+192.254.113.101	permit
+192.254.114.176	permit
 193.109.254.0/23	permit
 193.122.128.100	permit
 193.123.56.63	permit
-193.142.157.15	permit
-193.142.157.125	permit
-193.142.157.158	permit
+193.142.157.0/24	permit
 193.142.157.191	permit
 193.142.157.198	permit
 194.19.134.0/25	permit
@@ -1855,7 +1812,6 @@
 194.97.212.12	permit
 194.106.220.0/23	permit
 194.113.24.0/22	permit
-194.113.42.0/26	permit
 194.154.193.192/27	permit
 195.4.92.0/23	permit
 195.54.172.0/23	permit
@@ -1869,7 +1825,6 @@
 198.61.254.21	permit
 198.61.254.231	permit
 198.178.234.57	permit
-198.202.211.1	permit
 198.244.48.0/20	permit
 198.244.56.107	permit
 198.244.56.108	permit
@@ -1953,6 +1908,7 @@
 204.14.232.64/28	permit
 204.14.234.64/28	permit
 204.75.142.0/24	permit
+204.79.197.212	permit
 204.92.114.187	permit
 204.92.114.203	permit
 204.92.114.204/31	permit
@@ -1980,13 +1936,24 @@
 206.165.246.80/29	permit
 206.191.224.0/19	permit
 206.246.157.1	permit
+207.46.4.128/25	permit
 207.46.22.35	permit
 207.46.50.72	permit
 207.46.50.82	permit
+207.46.50.192/26	permit
+207.46.50.224	permit
 207.46.52.71	permit
 207.46.52.79	permit
+207.46.58.128/25	permit
+207.46.116.128/29	permit
+207.46.117.0/24	permit
+207.46.132.128/27	permit
+207.46.198.0/25	permit
+207.46.200.0/27	permit
 207.67.38.0/24	permit
 207.67.98.192/27	permit
+207.68.176.0/26	permit
+207.68.176.96/27	permit
 207.97.204.96/29	permit
 207.126.144.0/20	permit
 207.171.160.0/19	permit
@@ -1994,7 +1961,6 @@
 207.211.30.128/25	permit
 207.211.31.0/25	permit
 207.211.41.113	permit
-207.211.132.0/25	permit
 207.218.90.0/24	permit
 207.218.90.122	permit
 207.250.68.0/24	permit
@@ -2002,8 +1968,6 @@
 208.43.21.28/30	permit
 208.43.21.64/29	permit
 208.43.21.72/30	permit
-208.56.9.224	permit
-208.56.13.196	permit
 208.64.132.0/22	permit
 208.71.40.63	permit
 208.71.40.64/31	permit
@@ -2030,7 +1994,6 @@
 208.71.42.214	permit
 208.72.249.240/29	permit
 208.75.120.0/22	permit
-208.76.62.0/23	permit
 208.76.62.0/24	permit
 208.76.63.0/24	permit
 208.82.237.96/29	permit
@@ -2139,10 +2102,14 @@
 212.227.126.225	permit
 212.227.126.226	permit
 212.227.126.227	permit
+213.95.19.64/27	permit
+213.95.135.4	permit
 213.199.128.139	permit
 213.199.128.145	permit
 213.199.138.181	permit
 213.199.138.191	permit
+213.199.161.128/27	permit
+213.199.177.0/26	permit
 216.17.150.242	permit
 216.17.150.251	permit
 216.24.224.0/20	permit
@@ -2170,6 +2137,7 @@
 216.39.62.60/31	permit
 216.39.62.136/29	permit
 216.39.62.144/31	permit
+216.58.192.0/19	permit
 216.66.217.240/29	permit
 216.71.138.33	permit
 216.71.152.207	permit
@@ -2191,7 +2159,6 @@
 216.136.168.80/28	permit
 216.139.64.0/19	permit
 216.145.221.0/24	permit
-216.146.32.0/23	permit
 216.146.32.0/24	permit
 216.146.33.0/24	permit
 216.198.0.0/18	permit
@@ -2212,7 +2179,6 @@
 223.165.120.0/23	permit
 2001:0868:0100:0600::/64	permit
 2001:4860:4000::/36	permit
-2001:4860:4864::/56	permit
 2001:748:100:40::2:0/112	permit
 2001:748:400:1300::3	permit
 2001:748:400:1300::4	permit
@@ -2230,13 +2196,15 @@
 2001:748:400:3301::3	permit
 2001:748:400:3301::4	permit
 2404:6800:4000::/36	permit
-2404:6800:4864::/56	permit
-2603:1061:14:72::1	permit
+2603:1010:3:3::5b	permit
+2603:1020:201:10::10f	permit
+2603:1030:20e:3::23c	permit
+2603:1030:b:3::152	permit
+2603:1030:c02:8::14	permit
 2607:13c0:0001:0000:0000:0000:0000:7000/116	permit
 2607:13c0:0002:0000:0000:0000:0000:1000/116	permit
 2607:13c0:0004:0000:0000:0000:0000:0000/116	permit
 2607:f8b0:4000::/36	permit
-2607:f8b0:4864::/56	permit
 2620:109:c003:104::/64	permit
 2620:109:c003:104::215	permit
 2620:109:c006:104::/64	permit
@@ -2249,6 +2217,5 @@
 2620:119:50c0:207::/64	permit
 2620:119:50c0:207::215	permit
 2800:3f0:4000::/36	permit
-2800:3f0:4864::/56	permit
 49.12.4.251 permit # checks.mailcow.email
 2a01:4f8:c17:7906::10 permit # checks.mailcow.email
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
FreddleSpl0it	c0f06bfc52	Merge branch 'staging' into feat/valkey	2025-10-10 12:40:41 +02:00
FreddleSpl0it	0698159f07	Add redis-to-valkey migratior	2025-02-28 15:49:28 +01:00
FreddleSpl0it	c27000215e	migrate from redis to valkey	2025-02-28 15:36:19 +01:00