declare better sieve script paths per user (for after and before)

dovecot: fix smaller config changes
dovecot: rechanged id type from uuid to string
2026-06-15 11:00:29 +00:00 · 2026-03-04 15:19:44 +01:00 · 2026-03-04 15:19:44 +01:00 · 2026-03-04 15:19:43 +01:00 · 2026-03-04 15:19:43 +01:00 · 2026-03-04 15:19:43 +01:00
85 changed files with 1024 additions and 2752 deletions
@@ -14,7 +14,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Mark/Close Stale Issues and Pull Requests 🗑️
-        uses: actions/stale@v10.3.0
+        uses: actions/stale@v10.2.0
        with:
          repo-token: ${{ secrets.STALE_ACTION_PAT }}
          days-before-stale: 60
@@ -12,7 +12,7 @@ jobs:
        with:
          fetch-depth: 0
      - name: Run the Action
-        uses: devops-infra/action-pull-request@v1.3.0
+        uses: devops-infra/action-pull-request@v1.0.2
        with:
          github_token: ${{ secrets.PRTONIGHTLY_ACTION_PAT }}
          title: Automatic PR to nightly from ${{ github.event.repository.updated_at}}
@@ -19,7 +19,7 @@ jobs:
        uses: docker/setup-qemu-action@v4

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@v3

      - name: Login to GHCR
        if: github.event_name != 'pull_request'
@@ -30,7 +30,7 @@ jobs:
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64
@@ -64,7 +64,7 @@ adapt_new_options() {

  sed -i --follow-symlinks '$a\' mailcow.conf
  for option in ${CONFIG_ARRAY[@]}; do
-    if grep -q "^#\?${option}=" mailcow.conf; then
+    if grep -q "${option}" mailcow.conf; then
      continue
    fi

@@ -302,7 +302,7 @@ adapt_new_options() {
            ;;
        ACME_DNS_PROVIDER)
            echo '# DNS provider for DNS-01 challenge (e.g. dns_cf, dns_azure, dns_gd, etc.)' >> mailcow.conf
-            echo '# See the dns-01 provider documentation for more information.' >> mailcow.conf
+            echo '# See the dns-101 provider documentation for more information.' >> mailcow.conf
            echo 'ACME_DNS_PROVIDER=dns_xxx' >> mailcow.conf
            ;;
        ACME_ACCOUNT_EMAIL)
@@ -253,20 +253,10 @@ while true; do
    unset VALIDATED_CONFIG_DOMAINS_SUBDOMAINS
    declare -a VALIDATED_CONFIG_DOMAINS_SUBDOMAINS
    for SUBDOMAIN in "${ADDITIONAL_WC_ARR[@]}"; do
-      FULL_SUBDOMAIN="${SUBDOMAIN}.${SQL_DOMAIN}"
-
-      # Skip if subdomain matches MAILCOW_HOSTNAME
-      if [[ "${FULL_SUBDOMAIN}" == "${MAILCOW_HOSTNAME}" ]]; then
-        continue
-      fi
-      # Skip if subdomain is covered by a wildcard in ADDITIONAL_SAN
-      if is_covered_by_wildcard "${FULL_SUBDOMAIN}"; then
-        log_f "Subdomain '${FULL_SUBDOMAIN}' is covered by wildcard - skipping explicit subdomain"
-        continue
-      fi
-      # Validate and add subdomain
-      if check_domain "${FULL_SUBDOMAIN}"; then
-        VALIDATED_CONFIG_DOMAINS_SUBDOMAINS+=("${FULL_SUBDOMAIN}")
+      if [[  "${SUBDOMAIN}.${SQL_DOMAIN}" != "${MAILCOW_HOSTNAME}" ]]; then
+        if check_domain "${SUBDOMAIN}.${SQL_DOMAIN}"; then
+          VALIDATED_CONFIG_DOMAINS_SUBDOMAINS+=("${SUBDOMAIN}.${SQL_DOMAIN}")
+        fi
      fi
    done
    VALIDATED_CONFIG_DOMAINS+=("${VALIDATED_CONFIG_DOMAINS_SUBDOMAINS[*]}")
@@ -283,10 +273,7 @@ while true; do
        fi
        # Only add mta-sts subdomain for alias domains
        if [[ "mta-sts.${alias_domain}" != "${MAILCOW_HOSTNAME}" ]]; then
-          # Skip if mta-sts subdomain is covered by a wildcard
-          if is_covered_by_wildcard "mta-sts.${alias_domain}"; then
-            log_f "Alias domain mta-sts subdomain 'mta-sts.${alias_domain}' is covered by wildcard - skipping"
-          elif check_domain "mta-sts.${alias_domain}"; then
+          if check_domain "mta-sts.${alias_domain}"; then
            VALIDATED_CONFIG_DOMAINS+=("mta-sts.${alias_domain}")
          fi
        fi
@@ -321,31 +308,13 @@ while true; do
  done
  fi

-  # Check if MAILCOW_HOSTNAME is covered by a wildcard in ADDITIONAL_SAN
-  MAILCOW_HOSTNAME_COVERED=0
-  if [[ ! -z ${VALIDATED_MAILCOW_HOSTNAME} ]]; then
-    if is_covered_by_wildcard "${VALIDATED_MAILCOW_HOSTNAME}"; then
-      MAILCOW_PARENT_DOMAIN=$(echo ${VALIDATED_MAILCOW_HOSTNAME} | cut -d. -f2-)
-      log_f "MAILCOW_HOSTNAME '${VALIDATED_MAILCOW_HOSTNAME}' is covered by wildcard '*.${MAILCOW_PARENT_DOMAIN}' - skipping explicit hostname"
-      MAILCOW_HOSTNAME_COVERED=1
-    fi
-  fi
-
  # Unique domains for server certificate
  if [[ ${ENABLE_SSL_SNI} == "y" ]]; then
    # create certificate for server name and fqdn SANs only
-    if [[ ${MAILCOW_HOSTNAME_COVERED} == "1" ]]; then
-      SERVER_SAN_VALIDATED=($(echo ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
-    else
-      SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
-    fi
+    SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
  else
    # create certificate for all domains, including all subdomains from other domains [*]
-    if [[ ${MAILCOW_HOSTNAME_COVERED} == "1" ]]; then
-      SERVER_SAN_VALIDATED=($(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
-    else
-      SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
-    fi
+    SERVER_SAN_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
  fi
  if [[ ! -z ${SERVER_SAN_VALIDATED[*]} ]]; then
    CERT_NAME=${SERVER_SAN_VALIDATED[0]}
@@ -135,32 +135,3 @@ verify_challenge_path(){
    return 1
  fi
 }
-
-# Check if a domain is covered by a wildcard (*.example.com) in ADDITIONAL_SAN
-# Usage: is_covered_by_wildcard "subdomain.example.com"
-# Returns: 0 if covered, 1 if not covered
-# Note: Only returns 0 (covered) when DNS-01 challenge is enabled,
-#       as wildcards cannot be validated with HTTP-01 challenge
-is_covered_by_wildcard() {
-  local DOMAIN=$1
-
-  # Only skip if DNS challenge is enabled (wildcards require DNS-01)
-  if [[ ${ACME_DNS_CHALLENGE} != "y" ]]; then
-    return 1
-  fi
-
-  # Return early if no ADDITIONAL_SAN is set
-  if [[ -z ${ADDITIONAL_SAN} ]]; then
-    return 1
-  fi
-
-  # Extract parent domain (e.g., mail.example.com -> example.com)
-  local PARENT_DOMAIN=$(echo ${DOMAIN} | cut -d. -f2-)
-
-  # Check if ADDITIONAL_SAN contains a wildcard for this parent domain
-  if [[ "${ADDITIONAL_SAN}" == *"*.${PARENT_DOMAIN}"* ]]; then
-    return 0  # Covered by wildcard
-  fi
-
-  return 1  # Not covered
-}
@@ -7,7 +7,7 @@ else
  __dns_loader_standalone=0
 fi

-CONFIG_PATH="${ACME_DNS_CONFIG_FILE:-/etc/acme/dns-01.conf}"
+CONFIG_PATH="${ACME_DNS_CONFIG_FILE:-/etc/acme/dns-101.conf}"

 if [[ ! -f "${CONFIG_PATH}" ]]; then
  if [[ $__dns_loader_standalone -eq 1 ]]; then
@@ -12,7 +12,7 @@ CERT_DOMAINS=(${DOMAINS[@]})
 CERT_DOMAIN=${CERT_DOMAINS[0]}
 ACME_BASE=/var/lib/acme

-# Load optional DNS provider secrets from /etc/acme/dns-01.conf
+# Load optional DNS provider secrets from /etc/acme/dns-101.conf
 if [[ -f /srv/load-dns-config.sh ]]; then
  source /srv/load-dns-config.sh
  if declare -F log_f >/dev/null; then
@@ -1,4 +1,4 @@
-FROM alpine:3.21
+FROM alpine:3.22

 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"

@@ -44,90 +44,109 @@ if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
 else
  QUOTA_TABLE=quota2replica
 fi
+
+cat <<EOF > /etc/dovecot/conf.d/12-mysql.conf
+# Autogenerated by mailcow - DO NOT TOUCH!
+mysql /var/run/mysqld/mysqld.sock {
+  dbname=${DBNAME}
+  user=${DBUSER}
+  password=${DBPASS}
+
+  ssl = no
+}
+EOF
+
+
 cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-quota.conf
 # Autogenerated by mailcow
-connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
-map {
-  pattern = priv/quota/storage
-  table = ${QUOTA_TABLE}
+dict_map priv/quota/storage {
+  sql_table = ${QUOTA_TABLE}
  username_field = username
-  value_field = bytes
+  value_field bytes {
+  }
 }
-map {
-  pattern = priv/quota/messages
-  table = ${QUOTA_TABLE}
+
+dict_map priv/quota/messages {
+  sql_table = ${QUOTA_TABLE}
  username_field = username
-  value_field = messages
+  value_field messages {
+  }
 }
 EOF

 # Create dict used for sieve pre and postfilters
 cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-sieve_before.conf
 # Autogenerated by mailcow
-connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
-map {
-  pattern = priv/sieve/name/\$script_name
-  table = sieve_before
+
+dict_map priv/sieve/name/\$script_name {
+  sql_table = sieve_before
  username_field = username
-  value_field = id
-  fields {
-    script_name = \$script_name
+  value_field id {
+  }
+
+  # The script name field in the table to query
+  key_field script_name {
+    value = \$script_name
  }
 }
-map {
-  pattern = priv/sieve/data/\$id
-  table = sieve_before
+
+dict_map priv/sieve/data/\$id {
+  sql_table = sieve_before
  username_field = username
-  value_field = script_data
-  fields {
-    id = \$id
+  value_field script_data {
+  }
+  key_field id {
+    value = \$id
  }
 }
 EOF

 cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-sieve_after.conf
 # Autogenerated by mailcow
-connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
-map {
-  pattern = priv/sieve/name/\$script_name
-  table = sieve_after
+
+dict_map priv/sieve/name/\$script_name {
+  sql_table = sieve_after
  username_field = username
-  value_field = id
-  fields {
-    script_name = \$script_name
+  value_field id {
+  }
+  key_field script_name {
+    value = \$script_name
  }
 }
-map {
-  pattern = priv/sieve/data/\$id
-  table = sieve_after
+
+dict_map priv/sieve/data/\$id {
+  sql_table = sieve_after
  username_field = username
-  value_field = script_data
-  fields {
-    id = \$id
+  value_field script_data {
+  }
+  key_field id {
+    value = \$id
  }
 }
 EOF

-echo -n ${ACL_ANYONE} > /etc/dovecot/acl_anyone
+if [[ "${ACL_ANYONE}" == "allow" ]]; then
+  echo -n "yes" > /etc/dovecot/acl_anyone
+else
+  echo -n "no" > /etc/dovecot/acl_anyone
+fi

 if [[ "${SKIP_FTS}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
 echo -e "\e[33mDetecting SKIP_FTS=y... not enabling Flatcurve (FTS) then...\e[0m"
-echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify listescape replication lazy_expunge' > /etc/dovecot/mail_plugins
-echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify listescape replication mail_log' > /etc/dovecot/mail_plugins_imap
-echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
+echo -n 'quota quota_clone acl mail_crypt mail_crypt_acl mail_log mail_compress notify lazy_expunge' > /etc/dovecot/mail_plugins
+echo -n 'quota quota_clone imap_quota imap_acl acl imap_sieve mail_crypt mail_crypt_acl mail_compress notify mail_log' > /etc/dovecot/mail_plugins_imap
+echo -n 'quota quota_clone sieve acl mail_crypt mail_crypt_acl mail_compress notify' > /etc/dovecot/mail_plugins_lmtp
 else
 echo -e "\e[32mDetecting SKIP_FTS=n... enabling Flatcurve (FTS)\e[0m"
-echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify fts fts_flatcurve listescape replication lazy_expunge' > /etc/dovecot/mail_plugins
-echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify mail_log fts fts_flatcurve listescape replication' > /etc/dovecot/mail_plugins_imap
-echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl fts fts_flatcurve notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
+echo -n 'quota quota_clone acl mail_crypt mail_crypt_acl mail_log mail_compress notify fts fts_flatcurve lazy_expunge' > /etc/dovecot/mail_plugins
+echo -n 'quota quota_clone imap_quota imap_acl acl imap_sieve mail_crypt mail_crypt_acl mail_compress notify mail_log fts fts_flatcurve' > /etc/dovecot/mail_plugins_imap
+echo -n 'quota quota_clone sieve acl mail_crypt mail_crypt_acl mail_compress fts fts_flatcurve notify' > /etc/dovecot/mail_plugins_lmtp
 fi
 chmod 644 /etc/dovecot/mail_plugins /etc/dovecot/mail_plugins_imap /etc/dovecot/mail_plugins_lmtp /templates/quarantine.tpl

 cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-userdb.conf
 # Autogenerated by mailcow
-driver = mysql
-connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
-user_query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format')), mailbox_path_prefix, '%d/%n/${MAILDIR_SUB}:VOLATILEDIR=/var/volatile/%u:INDEX=/var/vmail_index/%u') AS mail, '%s' AS protocol, 5000 AS uid, 5000 AS gid, concat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND (active = '1' OR active = '2')
+query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format')), mailbox_path_prefix, '%{user | domain }}/%{user | username }/Maildir:VOLATILEDIR=/var/volatile/%{user}:INDEX=/var/vmail_index/%{user}') AS mail, '%{protocol}' AS protocol, 5000 AS uid, 5000 AS gid, concat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%{user}' AND (active = '1' OR active = '2')
 iterate_query = SELECT username FROM mailbox WHERE active = '1' OR active = '2';
 EOF

@@ -158,8 +177,8 @@ for cert_dir in /etc/ssl/mail/*/ ; do
  domains=($(cat ${cert_dir}domains))
  for domain in ${domains[@]}; do
    echo 'local_name '${domain}' {' >> /etc/dovecot/sni.conf;
-    echo '  ssl_cert = <'${cert_dir}'cert.pem' >> /etc/dovecot/sni.conf;
-    echo '  ssl_key = <'${cert_dir}'key.pem' >> /etc/dovecot/sni.conf;
+    echo '  ssl_server_cert_file = '${cert_dir}'cert.pem' >> /etc/dovecot/sni.conf;
+    echo '  ssl_server_key_file = '${cert_dir}'key.pem' >> /etc/dovecot/sni.conf;
    echo '}' >> /etc/dovecot/sni.conf;
  done
 done
@@ -183,11 +202,13 @@ else
 fi
 cat <<EOF > /etc/dovecot/shared_namespace.conf
 # Autogenerated by mailcow
-namespace {
+namespace shared {
    type = shared
    separator = /
-    prefix = Shared/%%u/
-    location = maildir:%%h${MAILDIR_SUB_SHARED}:INDEX=~${MAILDIR_SUB_SHARED}/Shared/%%u
+    prefix = Shared/\$user/
+    mail_driver = maildir
+    mail_path = %{owner_home}${MAILDIR_SUB_SHARED}
+    mail_index_private_path = ~${MAILDIR_SUB_SHARED}/Shared/%{owner_user}
    subscriptions = no
    list = children
 }
@@ -197,7 +218,7 @@ EOF
 cat <<EOF > /etc/dovecot/sogo_trusted_ip.conf
 # Autogenerated by mailcow
 remote ${IPV4_NETWORK}.248 {
-  disable_plaintext_auth = no
+  auth_allow_cleartext = yes
 }
 EOF

@@ -206,9 +227,13 @@ RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
 echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass
 cat <<EOF > /etc/dovecot/sogo-sso.conf
 # Autogenerated by mailcow
-passdb {
-  driver = static
-  args = allow_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS}
+passdb static {
+  fields {
+    allow_real_nets=${IPV4_NETWORK}.248/32
+  }
+
+  password={plain}${RAND_PASS}
+  
 }
 EOF

@@ -236,9 +261,9 @@ fi
 if [[ "${SKIP_FTS}" =~ ^([nN][oO]|[nN])+$ ]]; then
  echo -e "\e[94mConfiguring FTS Settings...\e[0m"
  echo -e "\e[94mSetting FTS Memory Limit (per process) to ${FTS_HEAP} MB\e[0m"
-  sed -i "s/vsz_limit\s*=\s*[0-9]*\s*MB*/vsz_limit=${FTS_HEAP} MB/" /etc/dovecot/conf.d/fts.conf
+  sed -i "s/vsz_limit\s*=\s*[0-9]*\s*MB*/vsz_limit=${FTS_HEAP} MB/" /etc/dovecot/conf.d/35-fts.conf
  echo -e "\e[94mSetting FTS Process Limit to ${FTS_PROCS}\e[0m"
-  sed -i "s/process_limit\s*=\s*[0-9]*/process_limit=${FTS_PROCS}/" /etc/dovecot/conf.d/fts.conf
+  sed -i "s/process_limit\s*=\s*[0-9]*/process_limit=${FTS_PROCS}/" /etc/dovecot/conf.d/35-fts.conf
 fi

 # 401 is user dovecot
@@ -250,16 +275,16 @@ else
 	chown 401 /mail_crypt/ecprivkey.pem /mail_crypt/ecpubkey.pem
 fi

-# Fix OpenSSL 3.X TLS1.0, 1.1 support (https://community.mailcow.email/d/4062-hi-all/20)
-if grep -qE 'ssl_min_protocol\s*=\s*(TLSv1|TLSv1\.1)\s*$' /etc/dovecot/dovecot.conf /etc/dovecot/extra.conf; then
-    sed -i '/\[openssl_init\]/a ssl_conf = ssl_configuration' /etc/ssl/openssl.cnf
+# # Fix OpenSSL 3.X TLS1.0, 1.1 support (https://community.mailcow.email/d/4062-hi-all/20)
+# if grep -qE 'ssl_min_protocol\s*=\s*(TLSv1|TLSv1\.1)\s*$' /etc/dovecot/dovecot.conf /etc/dovecot/extra.conf; then
+#     sed -i '/\[openssl_init\]/a ssl_conf = ssl_configuration' /etc/ssl/openssl.cnf

-    echo "[ssl_configuration]" >> /etc/ssl/openssl.cnf
-    echo "system_default = tls_system_default" >> /etc/ssl/openssl.cnf
-    echo "[tls_system_default]" >> /etc/ssl/openssl.cnf
-    echo "MinProtocol = TLSv1" >> /etc/ssl/openssl.cnf
-    echo "CipherString = DEFAULT@SECLEVEL=0" >> /etc/ssl/openssl.cnf
-fi
+#     echo "[ssl_configuration]" >> /etc/ssl/openssl.cnf
+#     echo "system_default = tls_system_default" >> /etc/ssl/openssl.cnf
+#     echo "[tls_system_default]" >> /etc/ssl/openssl.cnf
+#     echo "MinProtocol = TLSv1" >> /etc/ssl/openssl.cnf
+#     echo "CipherString = DEFAULT@SECLEVEL=0" >> /etc/ssl/openssl.cnf
+# fi

 # Compile sieve scripts
 sievec /var/vmail/sieve/global_sieve_before.sieve
@@ -47,7 +47,7 @@ try:
  if max_score == "":
    max_score = 9999.0

-  def query_mysql(query, params = None, headers = True, update = False):
+  def query_mysql(query, headers = True, update = False):
    while True:
      try:
        cnx = MySQLdb.connect(user=os.environ.get('DBUSER'), password=os.environ.get('DBPASS'), database=os.environ.get('DBNAME'), charset="utf8mb4", collation="utf8mb4_general_ci")
@@ -57,10 +57,7 @@ try:
      else:
        break
    cur = cnx.cursor()
-    if params:
-      cur.execute(query, params)
-    else:
-      cur.execute(query)
+    cur.execute(query)
    if not update:
      result = []
      columns = tuple( [d[0] for d in cur.description] )
@@ -79,7 +76,7 @@ try:

  def notify_rcpt(rcpt, msg_count, quarantine_acl, category):
    if category == "add_header": category = "add header"
-    meta_query = query_mysql('SELECT `qhash`, id, subject, score, sender, created, action FROM quarantine WHERE notified = 0 AND rcpt = %s AND score < %s AND (action = %s OR "all" = %s)', (rcpt, max_score, category, category))
+    meta_query = query_mysql('SELECT `qhash`, id, subject, score, sender, created, action FROM quarantine WHERE notified = 0 AND rcpt = "%s" AND score < %f AND (action = "%s" OR "all" = "%s")' % (rcpt, max_score, category, category))
    print("%s: %d of %d messages qualify for notification" % (rcpt, len(meta_query), msg_count))
    if len(meta_query) == 0:
      return
@@ -133,7 +130,7 @@ try:
            server.sendmail(msg['From'], [str(redirect)] + [str(bcc)], text)
        server.quit()
        for res in meta_query:
-         query_mysql('UPDATE quarantine SET notified = 1 WHERE id = %s', (res['id'],), update = True)
+         query_mysql('UPDATE quarantine SET notified = 1 WHERE id = "%d"' % (res['id']), update = True)
        r.hset('Q_LAST_NOTIFIED', record['rcpt'], time_now)
        break
      except Exception as ex:
@@ -141,7 +138,7 @@ try:
        print('%s'  % (ex))
        time.sleep(3)

-  records = query_mysql('SELECT IFNULL(user_acl.quarantine, 0) AS quarantine_acl, count(id) AS counter, rcpt FROM quarantine LEFT OUTER JOIN user_acl ON user_acl.username = rcpt WHERE notified = 0 AND score < %s AND rcpt in (SELECT username FROM mailbox) GROUP BY rcpt', (max_score,))
+  records = query_mysql('SELECT IFNULL(user_acl.quarantine, 0) AS quarantine_acl, count(id) AS counter, rcpt FROM quarantine LEFT OUTER JOIN user_acl ON user_acl.username = rcpt WHERE notified = 0 AND score < %f AND rcpt in (SELECT username FROM mailbox) GROUP BY rcpt' % (max_score))

  for record in records:
    attrs = ''
@@ -159,7 +156,7 @@ try:
    except Exception as ex:
      print('Could not determine last notification for %s, assuming never' % (record['rcpt']))
      last_notification = 0
-    attrs_json = query_mysql('SELECT attributes FROM mailbox WHERE username = %s', (record['rcpt'],))
+    attrs_json = query_mysql('SELECT attributes FROM mailbox WHERE username = "%s"' % (record['rcpt']))
    attrs = attrs_json[0]['attributes']
    if isinstance(attrs, str):
      # if attr is str then just load it
@@ -1,4 +1,4 @@
-FROM nginx:1.30.2-alpine
+FROM nginx:alpine
 LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"

 ENV PIP_BREAK_SYSTEM_PACKAGES=1
@@ -7,13 +7,13 @@ ARG APCU_PECL_VERSION=5.1.28
 # renovate: datasource=github-tags depName=Imagick/imagick versioning=semver-coerced extractVersion=(?<version>.*)$
 ARG IMAGICK_PECL_VERSION=3.8.1
 # renovate: datasource=github-tags depName=php/pecl-mail-mailparse versioning=semver-coerced extractVersion=^v(?<version>.*)$
-ARG MAILPARSE_PECL_VERSION=3.2.0
+ARG MAILPARSE_PECL_VERSION=3.1.9
 # renovate: datasource=github-tags depName=php-memcached-dev/php-memcached versioning=semver-coerced extractVersion=^v(?<version>.*)$
 ARG MEMCACHED_PECL_VERSION=3.4.0
 # renovate: datasource=github-tags depName=phpredis/phpredis versioning=semver-coerced extractVersion=(?<version>.*)$
 ARG REDIS_PECL_VERSION=6.3.0
 # renovate: datasource=github-tags depName=composer/composer versioning=semver-coerced extractVersion=(?<version>.*)$
-ARG COMPOSER_VERSION=2.10.1
+ARG COMPOSER_VERSION=2.9.5

 RUN apk add -U --no-cache autoconf \
  aspell-dev \
@@ -2,7 +2,7 @@ FROM debian:trixie-slim
 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"

 ARG DEBIAN_FRONTEND=noninteractive
-ARG RSPAMD_VER=rspamd_4.1.0-1~e2b0b18
+ARG RSPAMD_VER=rspamd_3.14.2-82~90302bc
 ARG CODENAME=trixie
 ENV LC_ALL=C

@@ -1,9 +1,9 @@
 # SOGo built from source to enable security patch application
 # Repository: https://github.com/Alinto/sogo
-# Version: SOGo-5.12.9
+# Version: SOGo-5.12.4
 #
 # Applied security patches:
-# -
+# - 16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb: XSS vulnerability in theme parameter
 #
 # To add new patches, modify SOGO_SECURITY_PATCHES ARG below with space-separated commit hashes

@@ -12,10 +12,10 @@ FROM debian:bookworm
 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"

 ARG DEBIAN_FRONTEND=noninteractive
-ARG SOGO_VERSION=SOGo-5.12.9
-ARG SOPE_VERSION=SOPE-5.12.9
+ARG SOGO_VERSION=SOGo-5.12.4
+ARG SOPE_VERSION=SOPE-5.12.4
 # Security patches to apply (space-separated commit hashes)
-ARG SOGO_SECURITY_PATCHES=""
+ARG SOGO_SECURITY_PATCHES="16ab99e7cf8db2c30b211f0d5e338d7f9e3a9efb"
 # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
 ARG GOSU_VERSION=1.19
 ENV LC_ALL=C
@@ -26,7 +26,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    git \
    build-essential \
    gobjc \
-    pkg-config \
    gnustep-make \
    gnustep-base-runtime \
    libgnustep-base-dev \
@@ -41,7 +40,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    libcurl4-openssl-dev \
    libzip-dev \
    libytnef0-dev \
-    libwbxml2-dev \
    curl \
    ca-certificates \
    # Runtime dependencies
@@ -70,7 +68,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    libcurl4 \
    libzip4 \
    libytnef0 \
-    libwbxml2-1 \
  # Download gosu
  && dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
  && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
@@ -100,9 +97,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
  && ./configure --disable-debug --disable-strip \
  && make -j$(nproc) \
  && make install \
-  && cd /tmp/sogo/ActiveSync \
-  && . /usr/share/GNUstep/Makefiles/GNUstep.sh \
-  && make -j$(nproc) install \
  && cd / \
  && rm -rf /tmp/sogo \
  # Strip binaries
@@ -152,8 +146,8 @@ RUN echo "/usr/lib64" > /etc/ld.so.conf.d/sogo.conf \
 # Create sogo user and group
 RUN groupadd -r -g 999 sogo \
  && useradd -r -u 999 -g sogo -d /var/lib/sogo -s /bin/bash -c "SOGo Daemon" sogo \
-  && mkdir -p /var/lib/sogo /var/run/sogo /var/log/sogo /var/spool/sogo \
-  && chown -R sogo:sogo /var/lib/sogo /var/run/sogo /var/log/sogo /var/spool/sogo
+  && mkdir -p /var/lib/sogo /var/run/sogo /var/log/sogo \
+  && chown -R sogo:sogo /var/lib/sogo /var/run/sogo /var/log/sogo

 # Create symlinks for SOGo binaries
 RUN ln -s /usr/local/sbin/sogod /usr/sbin/sogod \
@@ -1,5 +1,5 @@
--- /usr/local/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox    2018-08-17 18:29:57.987504204 +0200
-+++ /usr/local/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox    2018-08-17 18:29:35.918291298 +0200
+--- /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox    2018-08-17 18:29:57.987504204 +0200
+++ /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox    2018-08-17 18:29:35.918291298 +0200
@@ -46,7 +46,7 @@
           </md-item-template>
         </md-autocomplete>
@@ -130,22 +130,18 @@ chmod 600 /var/lib/sogo/GNUstep/Defaults/sogod.plist
 # Patch ACLs
 #if [[ ${ACL_ANYONE} == 'allow' ]]; then
 #  #enable any or authenticated targets for ACL
-#  if patch -R -sfN --dry-run /usr/local/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff > /dev/null; then
-#    patch -R /usr/local/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff;
+#  if patch -R -sfN --dry-run /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff > /dev/null; then
+#    patch -R /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff;
 #  fi
 #else
 #  #disable any or authenticated targets for ACL
-#  if patch -sfN --dry-run /usr/local/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff > /dev/null; then
-#    patch /usr/local/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff;
+#  if patch -sfN --dry-run /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff > /dev/null; then
+#    patch /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff;
 #  fi
 #fi

-# Apply custom UI patch (reverse patch to ADD buttons)
-if patch -R -sfN --dry-run /usr/local/lib/GNUstep/SOGo/Templates/UIxTopnavToolbar.wox < /navMailcowBtns.diff > /dev/null; then
-  echo "Applying navMailcowBtns patch (reverse to add buttons)..."
-  patch -R /usr/local/lib/GNUstep/SOGo/Templates/UIxTopnavToolbar.wox < /navMailcowBtns.diff;
-else
-  echo "navMailcowBtns patch already applied or cannot be applied"
+if patch -R -sfN --dry-run /usr/lib/GNUstep/SOGo/Templates/UIxTopnavToolbar.wox < /navMailcowBtns.diff > /dev/null; then
+  patch -R /usr/lib/GNUstep/SOGo/Templates/UIxTopnavToolbar.wox < /navMailcowBtns.diff;
 fi

 # Rename custom logo, if any
@@ -153,7 +149,7 @@ fi

 # Rsync web content
 echo "Syncing web content with named volume"
-rsync -a /usr/local/lib/GNUstep/SOGo/. /sogo_web/
+rsync -a /usr/lib/GNUstep/SOGo/. /sogo_web/

 # Chown backup path
 chown -R sogo:sogo /sogo_backup
@@ -2,14 +2,11 @@ FROM alpine:3.23

 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"

-# install unbound from alpine:edge to get security patches
-RUN apk add --no-cache --repository=https://dl-cdn.alpinelinux.org/alpine/edge/main unbound
-
-# install other packages from regular alpine stable repo
 RUN apk add --update --no-cache \
 	curl \
 	bind-tools \
 	coreutils \
+	unbound \
 	bash \
 	openssl \
 	drill \
@@ -37,6 +37,5 @@ RUN apk add --update \
 COPY watchdog.sh /watchdog.sh
 COPY check_mysql_slavestatus.sh /usr/lib/nagios/plugins/check_mysql_slavestatus.sh
 COPY check_dns.sh /usr/lib/mailcow/check_dns.sh
-COPY client.cnf /etc/my.cnf.d/client.cnf

 CMD ["/watchdog.sh"]
@@ -1,3 +0,0 @@
-[client]
-ssl = false
-ssl-verify-server-cert = false
@@ -38,7 +38,7 @@ if [[ ! -p /tmp/com_pipe ]]; then
 fi

 # Wait for containers
-while ! mariadb-admin status --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
+while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
  echo "Waiting for SQL..."
  sleep 2
 done
@@ -359,8 +359,8 @@ mysql_checks() {
  while [ ${err_count} -lt ${THRESHOLD} ]; do
    touch /tmp/mysql-mailcow; echo "$(tail -50 /tmp/mysql-mailcow)" > /tmp/mysql-mailcow
    err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_mysql -f /etc/my.cnf.d/client.cnf -s /var/run/mysqld/mysqld.sock -u ${DBUSER} -p ${DBPASS} -d ${DBNAME} 2>> /tmp/mysql-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_mysql_query -f /etc/my.cnf.d/client.cnf -s /var/run/mysqld/mysqld.sock -u ${DBUSER} -p ${DBPASS} -d ${DBNAME} -q "SELECT COUNT(*) FROM information_schema.tables" 2>> /tmp/mysql-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_mysql -s /var/run/mysqld/mysqld.sock -u ${DBUSER} -p ${DBPASS} -d ${DBNAME} 2>> /tmp/mysql-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_mysql_query -s /var/run/mysqld/mysqld.sock -u ${DBUSER} -p ${DBPASS} -d ${DBNAME} -q "SELECT COUNT(*) FROM information_schema.tables" 2>> /tmp/mysql-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
    progress "MySQL/MariaDB" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
@@ -384,7 +384,7 @@ mysql_repl_checks() {
  while [ ${err_count} -lt ${THRESHOLD} ]; do
    touch /tmp/mysql_repl_checks; echo "$(tail -50 /tmp/mysql_repl_checks)" > /tmp/mysql_repl_checks
    err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_mysql_slavestatus.sh -o /etc/my.cnf.d/client.cnf -S /var/run/mysqld/mysqld.sock -u root -p ${DBROOT} 2>> /tmp/mysql_repl_checks 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_mysql_slavestatus.sh -S /var/run/mysqld/mysqld.sock -u root -p ${DBROOT} 2>> /tmp/mysql_repl_checks 1>&2; err_count=$(( ${err_count} + $? ))
    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
    progress "MySQL/MariaDB replication" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
@@ -1,4 +1,5 @@
 function auth_password_verify(request, password)
+  request.domain = request.auth_user:match("@(.+)") or nil
  if request.domain == nil then
    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
  end
@@ -9,10 +10,10 @@ function auth_password_verify(request, password)
  https.TIMEOUT = 30

  local req = {
-    username = request.user,
+    username = request.auth_user,
    password = password,
-    real_rip = request.real_rip,
-    service = request.service
+    real_rip = request.remote_ip,
+    service = request.protocol
  }
  local req_json = json.encode(req)
  local res = {}
@@ -33,7 +34,6 @@ function auth_password_verify(request, password)
  -- Returning PASSDB_RESULT_INTERNAL_FAILURE keeps the existing cache entry,
  -- even if the TTL has expired. Useful to avoid cache eviction during backend issues.
  if c ~= 200 and c ~= 401 then
-    dovecot.i_info("HTTP request failed with " .. c .. " for user " .. request.user)
    return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Upstream error"
  end

@@ -46,7 +46,7 @@ function auth_password_verify(request, password)
  end

  if response_json.success == true then
-    return dovecot.auth.PASSDB_RESULT_OK, ""
+    return dovecot.auth.PASSDB_RESULT_OK, { msg = "" }
  end

  return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate"
@@ -55,3 +55,7 @@ end
 function auth_passdb_lookup(req)
   return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
 end
+
+function auth_passdb_get_cache_key()
+  return "%{protocol}:%{user | username}\t:%{password}"
+end
@@ -0,0 +1,3 @@
+# /etc/dovecot/conf.d/05-core.conf
+# Core, single-line settings that don't fit elsewhere.
+recipient_delimiter = +
@@ -0,0 +1,13 @@
+# /etc/dovecot/conf.d/10-logging.conf
+# Logging and debug.
+#mail_debug = yes
+#auth_debug = yes
+#log_debug = category=fts-flatcurve
+log_path = syslog
+log_timestamp = "%Y-%m-%d %H:%M:%S "
+login_log_format_elements = "user=<%{user}> method=%{mechanism} rip=%{remote_ip} lip=%{local_ip} mpid=%{mail_pid} %{secured} session=<%{session}>"
+
+# Mail event logging.
+mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
+mail_log_fields = uid box msgid size
+mail_log_cached_only = yes
@@ -0,0 +1,10 @@
+# /etc/dovecot/conf.d/10-mail.conf
+# Mail storage paths and core mail settings.
+mail_home = /var/vmail/%{user | domain }/%{user | username }
+mail_driver = maildir
+mail_path = ~/Maildir
+mail_index_path = /var/vmail_index/%{user}
+mail_plugins = </etc/dovecot/mail_plugins
+mail_shared_explicit_inbox = yes
+mailbox_list_storage_escape_char = "\\"
+mail_prefetch_count = 30
@@ -0,0 +1,13 @@
+# /etc/dovecot/conf.d/10-ssl.conf
+# TLS/SSL settings.
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:!eNULL:!3DES:!MD5:!PSK:!DSS:!RC4:!SEED:!IDEA:+HIGH:+MEDIUM
+ssl_options = no_ticket
+#ssl_dh_parameters_length = 2048
+
+ssl_server {
+  prefer_ciphers = server
+  dh_file = /etc/ssl/mail/dhparams.pem
+  cert_file = /etc/ssl/mail/cert.pem
+  key_file = /etc/ssl/mail/key.pem
+}
@@ -0,0 +1,3 @@
+# /etc/dovecot/conf.d/11-sql.conf
+# Default SQL driver used by SQL-based dicts/userdb.
+sql_driver = mysql
@@ -0,0 +1,8 @@
+# Autogenerated by mailcow - DO NOT TOUCH!
+mysql /var/run/mysqld/mysqld.sock {
+  dbname=mailcow
+  user=mailcow
+  password=D8O9BIivJc7Pb2VCfpAeLbAzUOZ0
+
+  ssl = no
+}
@@ -0,0 +1,7 @@
+# /etc/dovecot/conf.d/12-storage-attachments.conf
+# External attachment storage.
+fs mail_ext_attachment {
+  fs_driver = posix
+  mail_ext_attachment_path = /var/attachments
+  mail_ext_attachment_min_size = 128k
+}
@@ -0,0 +1,10 @@
+# /etc/dovecot/conf.d/15-performance.conf
+# Performance and mailbox tuning.
+# Enable only when you do not manually touch cur/.
+maildir_very_dirty_syncs = yes
+
+# NFS examples | Only modify if using NFS!:
+#mm ap_disable = yes
+#mail_fsync = always
+#mail_nfs_index = yes
+#mail_nfs_storage = yes
@@ -0,0 +1,40 @@
+# /etc/dovecot/conf.d/20-auth.conf
+# Authentication mechanisms, master/user separation, passdb chain, auth cache.
+auth_mechanisms = plain login
+auth_allow_cleartext = yes
+auth_master_user_separator = *
+
+auth_cache_verify_password_with_worker = yes
+auth_cache_negative_ttl = 60s
+auth_cache_ttl = 300s
+auth_cache_size = 10M
+auth_verbose_passwords = sha1:6
+
+# 1) Lua password verification (blocking, return mapping).
+passdb lua {
+  driver = lua
+  lua_file = /etc/dovecot/auth/passwd-verify.lua
+  lua_settings {
+    blocking=yes
+    result_success = return-ok
+    result_failure = continue
+    result_internalfail = continue
+  }
+}
+
+# 2) Master password for master user logins.
+passdb master {
+  driver = passwd-file
+  passwd_file_path = /etc/dovecot/dovecot-master.passwd 
+  master = yes
+  skip = authenticated
+}
+
+# 3) Mandatory return layer: empty Lua (e.g. for forced reset).
+passdb empty-lua {
+  driver = lua
+  lua_file = /etc/dovecot/auth/passwd-verify.lua
+  lua_settings {
+    blocking = yes
+  }
+}
@@ -0,0 +1,11 @@
+# /etc/dovecot/conf.d/20-userdb.conf
+# User database chain.
+userdb passwd {
+  driver = passwd-file
+  passwd_file_path = /etc/dovecot/dovecot-master.userdb
+}
+
+userdb sql {
+  !include /etc/dovecot/sql/dovecot-dict-sql-userdb.conf
+  skip = found
+}
@@ -0,0 +1,144 @@
+# /etc/dovecot/conf.d/25-services.conf
+# All service listeners and workers.
+
+# doveadm remote admin
+# Set doveadm_password in extra.conf.
+service doveadm {
+  inet_listener doveadm {
+    port = 12345
+  }
+  vsz_limit = 2048 MB
+}
+
+# dict
+service dict {
+  unix_listener dict {
+    mode = 0660
+    user = vmail
+    group = vmail
+  }
+}
+
+# log
+service log {
+  user = dovenull
+}
+
+# config socket
+service config {
+  unix_listener config {
+    user = root
+    group = vmail
+    mode = 0660
+  }
+}
+
+# anvil socket
+service anvil {
+  unix_listener anvil {
+    user = vmail
+    group = vmail
+    mode = 0660
+  }
+}
+
+# auth sockets and inet
+service auth {
+  inet_listener auth-inet {
+    port = 10001
+  }
+  unix_listener auth-master {
+    mode = 0600
+    user = vmail
+  }
+  unix_listener auth-userdb {
+    mode = 0600
+    user = vmail
+  }
+  vsz_limit = 2G
+}
+
+# managesieve login
+service managesieve-login {
+  inet_listener sieve {
+    port = 4190
+  }
+  inet_listener sieve_haproxy {
+    port = 14190
+    haproxy = yes
+  }
+  service_restart_request_count = 1
+  process_min_avail = 2
+  vsz_limit = 1G
+}
+
+# imap login
+service imap-login {
+  service_restart_request_count = 1
+  process_min_avail = 2
+  process_limit = 10000
+  vsz_limit = 1G
+  user = dovenull
+  inet_listener imap_haproxy {
+    port = 10143
+    haproxy = yes
+  }
+  inet_listener imaps_haproxy {
+    port = 10993
+    ssl = yes
+    haproxy = yes
+  }
+}
+
+# pop3 login
+service pop3-login {
+  service_restart_request_count = 1
+  process_min_avail = 1
+  vsz_limit = 1G
+  inet_listener pop3_haproxy {
+    port = 10110
+    haproxy = yes
+  }
+  inet_listener pop3s_haproxy {
+    port = 10995
+    ssl = yes
+    haproxy = yes
+  }
+}
+
+# imap worker
+service imap {
+  executable = imap
+  user = vmail
+  vsz_limit = 1G
+}
+
+# managesieve worker
+service managesieve {
+  process_limit = 256
+}
+
+# lmtp
+service lmtp {
+  inet_listener lmtp-inet {
+    port = 24
+  }
+  user = vmail
+}
+
+# quota warning hook
+service quota-warning {
+  executable = script /usr/local/bin/quota_notify.py
+  user = vmail
+  unix_listener quota-warning {
+    user = vmail
+  }
+}
+
+# stats
+service stats {
+  unix_listener stats-writer {
+    mode = 0660
+    user = vmail
+  }
+}
@@ -0,0 +1,17 @@
+# /etc/dovecot/conf.d/30-protocols.conf
+# IMAP protocol specifics.
+protocol imap {
+  mail_plugins = </etc/dovecot/mail_plugins_imap
+  imap_metadata = yes
+}
+
+# LMTP protocol specifics.
+protocol lmtp {
+  mail_plugins = </etc/dovecot/mail_plugins_lmtp
+  auth_socket_path = /var/run/dovecot/auth-master
+}
+
+# ManageSieve protocol specifics.
+protocol sieve {
+  managesieve_logout_format = bytes=%i/%o
+}
@@ -0,0 +1,45 @@
+# mailcow FTS Flatcurve Settings, change them as you like.
+
+# Maximum term length can be set via the 'maxlen' argument (maxlen is
+# specified in bytes, not number of UTF-8 characters)
+language_tokenizer_address_token_maxlen = 100
+language_tokenizer_generic_algorithm = simple
+language_tokenizer_generic_token_maxlen = 30
+
+# These are not flatcurve settings, but required for Dovecot FTS. See
+# Dovecot FTS Configuration link above for further information.
+language en {
+  default = yes
+  language_filters = lowercase snowball english-possessive stopwords
+}
+
+language de {
+  language_filters = lowercase snowball stopwords
+}
+
+language es {
+  language_filters = lowercase snowball stopwords
+}
+
+language_tokenizers = generic email-address
+
+fts_search_timeout = 300s
+
+fts_autoindex = yes
+# Tweak this setting if you only want to ensure big and frequent folders are indexed, not all.
+fts_autoindex_max_recent_msgs = 20
+fts flatcurve {
+  substring_search = no
+}
+
+### THIS PART WILL BE CHANGED BY MODIFYING mailcow.conf AUTOMATICALLY DURING RUNTIME! ###
+
+service indexer-worker {
+  # Max amount of simultaniously running indexer jobs.
+  process_limit=1
+
+  # Max amount of RAM used by EACH indexer process.
+  vsz_limit=128 MB
+}
+
+### THIS PART WILL BE CHANGED BY MODIFYING mailcow.conf AUTOMATICALLY DURING RUNTIME! ###
@@ -0,0 +1,12 @@
+# /etc/dovecot/conf.d/40-acl.conf
+# ACL and shared mailboxes.
+imap_acl_allow_anyone = </etc/dovecot/acl_anyone
+
+acl_sharing_map {
+  dict file {
+    path = /var/vmail/shared-mailboxes.db
+  }
+}
+
+acl_driver = vfile
+acl_user = %{user}
@@ -0,0 +1,7 @@
+# /etc/dovecot/conf.d/40-attributes.conf
+# User/mail attributes.
+mail_attribute {
+  dict file {
+    path = /etc/dovecot/dovecot-attributes
+  }
+}
@@ -0,0 +1,25 @@
+# /etc/dovecot/conf.d/50-quota.conf
+# Quota configuration and notifications.
+quota "User quota" {
+  driver = count
+
+  warning warn-95 {
+    quota_storage_percentage = 95
+    execute quota-warning {
+      args = 95 %{user}
+    }
+  }
+
+  warning warn-80 {
+    quota_storage_percentage = 80
+    execute quota-warning {
+      args = 80 %{user}
+    }
+  }
+}
+
+quota_clone {
+  dict proxy {
+    name = mysql_quota
+  }
+}
@@ -0,0 +1,97 @@
+# /etc/dovecot/conf.d/60-sieve-pipeline.conf
+# Complete Sieve pipeline: personal/global scripts, plugins, limits, training.
+
+# Global before/after (file and dict)
+sieve_script before {
+  type = before
+  driver = file
+  path = /var/vmail/sieve/global_sieve_before.sieve
+}
+
+sieve_script before2 {
+  type = before
+  driver = dict
+  name = active
+  dict proxy {
+    name = sieve_before
+  }
+  bin_path = /var/vmail/sieve_before_bindir/%{user}
+}
+
+sieve_script after {
+  type = after
+  driver = file
+  path = /var/vmail/sieve/global_sieve_after.sieve
+}
+
+sieve_script after2 {
+  type = after
+  driver = dict
+  name = active
+  dict proxy {
+    name = sieve_after
+  }
+  bin_path = /var/vmail/sieve_after_bindir/%{user}
+}
+
+# Personal scripts
+sieve_script personal {
+  type = personal
+  driver = file
+  path = ~/sieve
+  active_path = ~/.dovecot.sieve
+}
+
+# Plugins and behavior
+sieve_plugins = sieve_imapsieve sieve_extprograms
+sieve_vacation_send_from_recipient = yes
+sieve_redirect_envelope_from = recipient
+
+# IMAPSieve training
+imapsieve_from Junk {
+  sieve_script ham {
+    type = before
+    cause = copy
+    path = /usr/lib/dovecot/sieve/report-ham.sieve
+  }
+}
+mailbox Junk {
+  sieve_script spam {
+    type = before
+    cause = copy
+    path = /usr/lib/dovecot/sieve/report-spam.sieve
+  }
+}
+
+# Extprograms and extensions
+sieve_pipe_bin_dir = /usr/lib/dovecot/sieve
+sieve_plugins {
+  sieve_extprograms = yes
+}
+sieve_global_extensions {
+  vnd.dovecot.pipe = yes
+  vnd.dovecot.execute = yes
+}
+
+# Limits and duplicate handling
+sieve_max_script_size = 1M
+sieve_max_redirects = 100
+sieve_max_actions = 101
+sieve_quota_script_count = 0
+sieve_quota_storage_size = 0
+sieve_vacation_min_period = 5s
+sieve_vacation_max_period = 365d
+sieve_vacation_default_period = 60s
+sieve_duplicate_default_period = 1m
+sieve_duplicate_max_period = 7d
+
+sieve_extensions {
+    vacation-seconds = yes
+    editheader = yes
+}
+
+# pipe sockets in /var/run/dovecot/sieve-pipe
+sieve_pipe_socket_dir = sieve-pipe
+
+# execute sockets in /var/run/dovecot/sieve-execute
+sieve_execute_socket_dir = sieve-execute
@@ -0,0 +1,6 @@
+# /etc/dovecot/conf.d/70-crypto.conf
+# Global mail-crypt keys.
+crypt_global_private_key global {
+  crypt_private_key_file = /mail_crypt/ecprivkey.pem
+}
+crypt_global_public_key_file = /mail_crypt/ecpubkey.pem
@@ -0,0 +1,3 @@
+# /etc/dovecot/conf.d/80-compress.conf
+# Compression settings.
+mail_compress_write_method = lz4
@@ -0,0 +1,18 @@
+# /etc/dovecot/conf.d/90-dict.conf
+# Dict declarations and SQL bindings.
+dict_server {
+  dict sieve_after {
+    driver = sql
+    !include /etc/dovecot/sql/dovecot-dict-sql-sieve_after.conf
+  }
+
+  dict sieve_before {
+    driver = sql
+    !include /etc/dovecot/sql/dovecot-dict-sql-sieve_before.conf
+  }
+
+  dict mysql_quota {
+    driver = sql
+    !include /etc/dovecot/sql/dovecot-dict-sql-quota.conf
+  }
+}
@@ -0,0 +1,7 @@
+# /etc/dovecot/conf.d/90-limits.conf
+# Connection and memory limits; doveadm port.
+mail_max_userip_connections = 500
+imap_max_line_length = 2 M
+default_client_limit = 10400
+default_vsz_limit = 1024 M
+doveadm_port = 12345
@@ -0,0 +1,22 @@
+# /etc/dovecot/conf.d/99-includes.conf
+# Late includes and site-specific bits.
+
+# Mailbox layout includes (if used)
+!include /etc/dovecot/dovecot.folders.conf
+
+# Optional replication
+!include_try /etc/dovecot/mail_replica.conf
+
+# Existing includes you already had
+!include_try /etc/dovecot/sni.conf
+!include_try /etc/dovecot/sogo_trusted_ip.conf
+!include_try /etc/dovecot/shared_namespace.conf
+!include_try /etc/dovecot/conf.d/fts.conf
+
+# Remote auth override
+remote 127.0.0.1 {
+  auth_allow_cleartext = yes
+}
+
+# Outbound submission target
+submission_host = postfix:588
@@ -1,37 +0,0 @@
-# mailcow FTS Flatcurve Settings, change them as you like.
-plugin {
-    fts_autoindex = yes
-    fts_autoindex_exclude = \Junk
-    fts_autoindex_exclude2 = \Trash
-    # Tweak this setting if you only want to ensure big and frequent folders are indexed, not all.
-    fts_autoindex_max_recent_msgs = 20
-    fts = flatcurve
-
-    # Maximum term length can be set via the 'maxlen' argument (maxlen is
-    # specified in bytes, not number of UTF-8 characters)
-    fts_tokenizer_email_address = maxlen=100
-    fts_tokenizer_generic = algorithm=simple maxlen=30
-
-    # These are not flatcurve settings, but required for Dovecot FTS. See
-    # Dovecot FTS Configuration link above for further information.
-    fts_languages = en es de
-    fts_tokenizers = generic email-address
-
-    # OPTIONAL: Recommended default FTS core configuration
-    fts_filters = normalizer-icu snowball stopwords
-    fts_filters_en = lowercase snowball english-possessive stopwords
-
-    fts_index_timeout = 300s
-}
-
-### THIS PART WILL BE CHANGED BY MODIFYING mailcow.conf AUTOMATICALLY DURING RUNTIME! ###
-
-service indexer-worker {
-  # Max amount of simultaniously running indexer jobs.
-  process_limit=1
-
-  # Max amount of RAM used by EACH indexer process.
-  vsz_limit=128 MB
-}
-
-### THIS PART WILL BE CHANGED BY MODIFYING mailcow.conf AUTOMATICALLY DURING RUNTIME! ###
@@ -1,311 +1,34 @@
-# --------------------------------------------------------------------------
-# Please create a file "extra.conf" for persistent overrides to dovecot.conf
-# --------------------------------------------------------------------------
-# LDAP example:
-#passdb {
-#  args = /etc/dovecot/ldap/passdb.conf
-#  driver = ldap
-#}
+# /etc/dovecot/dovecot.conf
+# Base file kept minimal. All real config lives under conf.d/.
+dovecot_config_version = 2.4.0
+dovecot_storage_version = 2.4.0

-auth_mechanisms = plain login
-#mail_debug = yes
-#auth_debug = yes
-#log_debug = category=fts-flatcurve # Activate Logging for Flatcurve FTS Searchings
-log_path = syslog
-disable_plaintext_auth = yes
-# Uncomment on NFS share
-#mmap_disable = yes
-#mail_fsync = always
-#mail_nfs_index = yes
-#mail_nfs_storage = yes
-login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"
-mail_home = /var/vmail/%d/%n
-mail_location = maildir:~/
-mail_plugins = </etc/dovecot/mail_plugins
-mail_attachment_fs = crypt:set_prefix=mail_crypt_global:posix:
-mail_attachment_dir = /var/attachments
-mail_attachment_min_size = 128k
-# Significantly speeds up very large mailboxes, but is only safe to enable if
-# you do not manually modify the files in the `cur` directories in
-# mailcowdockerized_vmail-vol-1.
-# https://docs.mailcow.email/manual-guides/Dovecot/u_e-dovecot-performance/
-maildir_very_dirty_syncs = yes
-
-# Dovecot 2.2
-#ssl_protocols = !SSLv3
-# Dovecot 2.3
-ssl_min_protocol = TLSv1.2
-
-ssl_prefer_server_ciphers = yes
-ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:!eNULL:!3DES:!MD5:!PSK:!DSS:!RC4:!SEED:!IDEA:+HIGH:+MEDIUM
-
-# Default in Dovecot 2.3
-ssl_options = no_compression no_ticket
-
-# New in Dovecot 2.3
-ssl_dh = </etc/ssl/mail/dhparams.pem
-# Dovecot 2.2
-#ssl_dh_parameters_length = 2048
-log_timestamp = "%Y-%m-%d %H:%M:%S "
-recipient_delimiter = +
-auth_master_user_separator = *
-mail_shared_explicit_inbox = yes
-mail_prefetch_count = 30
-passdb {
-  driver = lua
-  args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes cache_key=%s:%u:%w
-  result_success = return-ok
-  result_failure = continue
-  result_internalfail = continue
-}
-# try a master passwd
-passdb {
-  driver = passwd-file
-  args = /etc/dovecot/dovecot-master.passwd
-  master = yes
-  skip = authenticated
-}
-# check for regular password - if empty (e.g. force-passwd-reset), previous pass=yes passdbs also fail
-# a return of the following passdb is mandatory
-passdb {
-  driver = lua
-  args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes
-}
-# Set doveadm_password=your-secret-password in data/conf/dovecot/extra.conf (create if missing)
-service doveadm {
-  inet_listener {
-    port = 12345
-  }
-  vsz_limit=2048 MB
-}
-!include /etc/dovecot/dovecot.folders.conf
-protocols = imap sieve lmtp pop3
-service dict {
-  unix_listener dict {
-    mode = 0660
-    user = vmail
-    group = vmail
-  }
-}
-service log {
-  user = dovenull
-}
-service config {
-  unix_listener config {
-    user = root
-    group = vmail
-    mode = 0660
-  }
-}
-service auth {
-  inet_listener auth-inet {
-    port = 10001
-  }
-  unix_listener auth-master {
-    mode = 0600
-    user = vmail
-  }
-  unix_listener auth-userdb {
-    mode = 0600
-    user = vmail
-  }
-  vsz_limit = 2G
-}
-service managesieve-login {
-  inet_listener sieve {
-    port = 4190
-  }
-  inet_listener sieve_haproxy {
-    port = 14190
-    haproxy = yes
-  }
-  service_count = 1
-  process_min_avail = 2
-  vsz_limit = 1G
-}
-service imap-login {
-  service_count = 1
-  process_min_avail = 2
-  process_limit = 10000
-  vsz_limit = 1G
-  user = dovenull
-  inet_listener imap_haproxy {
-    port = 10143
-    haproxy = yes
-  }
-  inet_listener imaps_haproxy {
-    port = 10993
-    ssl = yes
-    haproxy = yes
-  }
-}
-service pop3-login {
-  service_count = 1
-  process_min_avail = 1
-  vsz_limit = 1G
-  inet_listener pop3_haproxy {
-    port = 10110
-    haproxy = yes
-  }
-  inet_listener pop3s_haproxy {
-    port = 10995
-    ssl = yes
-    haproxy = yes
-  }
-}
-service imap {
-  executable = imap
-  user = vmail
-  vsz_limit = 1G
-}
-service managesieve {
-  process_limit = 256
-}
-service lmtp {
-  inet_listener lmtp-inet {
-    port = 24
-  }
-  user = vmail
-}
 listen = *,[::]
-ssl_cert = </etc/ssl/mail/cert.pem
-ssl_key = </etc/ssl/mail/key.pem
-userdb {
-  driver = passwd-file
-  args = /etc/dovecot/dovecot-master.userdb
-}
-userdb {
-  args = /etc/dovecot/sql/dovecot-dict-sql-userdb.conf
-  driver = sql
-  skip = found
-}
-protocol imap {
-  mail_plugins = </etc/dovecot/mail_plugins_imap
-  imap_metadata = yes
-}
-mail_attribute_dict = file:%h/dovecot-attributes
-protocol lmtp {
-  mail_plugins = </etc/dovecot/mail_plugins_lmtp
-  auth_socket_path = /var/run/dovecot/auth-master
-}
-protocol sieve {
-  managesieve_logout_format = bytes=%i/%o
-}
-plugin {
-  # Allow "any" or "authenticated" to be used in ACLs
-  acl_anyone = </etc/dovecot/acl_anyone
-  acl_shared_dict = file:/var/vmail/shared-mailboxes.db
-  acl = vfile
-  acl_user = %u
-  quota = dict:Userquota::proxy::sqlquota
-  quota_rule2 = Trash:storage=+100%%
-  sieve = /var/vmail/sieve/%u.sieve
-  sieve_plugins = sieve_imapsieve sieve_extprograms
-  sieve_vacation_send_from_recipient = yes
-  sieve_redirect_envelope_from = recipient
-  # From elsewhere to Spam folder
-  imapsieve_mailbox1_name = Junk
-  imapsieve_mailbox1_causes = COPY
-  imapsieve_mailbox1_before = file:/usr/lib/dovecot/sieve/report-spam.sieve
-  # END
-  # From Spam folder to elsewhere
-  imapsieve_mailbox2_name = *
-  imapsieve_mailbox2_from = Junk
-  imapsieve_mailbox2_causes = COPY
-  imapsieve_mailbox2_before = file:/usr/lib/dovecot/sieve/report-ham.sieve
-  # END
-  master_user = %u
-  quota_warning = storage=95%% quota-warning 95 %u
-  quota_warning2 = storage=80%% quota-warning 80 %u
-  sieve_pipe_bin_dir = /usr/lib/dovecot/sieve
-  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
-  sieve_extensions = +notify +imapflags +vacation-seconds +editheader
-  sieve_max_script_size = 1M
-  sieve_max_redirects = 100
-  sieve_max_actions = 101
-  sieve_quota_max_scripts = 0
-  sieve_quota_max_storage = 0
-  listescape_char = "\\"
-  sieve_vacation_min_period = 5s
-  sieve_vacation_max_period = 0
-  sieve_vacation_default_period = 60s
-  sieve_before = /var/vmail/sieve/global_sieve_before.sieve
-  sieve_before2 = dict:proxy::sieve_before;name=active;bindir=/var/vmail/sieve_before_bindir
-  sieve_after = dict:proxy::sieve_after;name=active;bindir=/var/vmail/sieve_after_bindir
-  sieve_after2 = /var/vmail/sieve/global_sieve_after.sieve
-  sieve_duplicate_default_period = 1m
-  sieve_duplicate_max_period = 7d
+protocols = imap sieve lmtp pop3

-  # -- Global keys
-  mail_crypt_global_private_key = </mail_crypt/ecprivkey.pem
-  mail_crypt_global_public_key = </mail_crypt/ecpubkey.pem
-  mail_crypt_save_version = 2
+!include_try /etc/dovecot/conf.d/05-core.conf
+!include_try /etc/dovecot/conf.d/10-logging.conf
+!include_try /etc/dovecot/conf.d/10-mail.conf
+!include_try /etc/dovecot/conf.d/10-ssl.conf
+!include_try /etc/dovecot/conf.d/11-sql.conf
+!include_try /etc/dovecot/conf.d/12-mysql.conf
+!include_try /etc/dovecot/conf.d/12-storage-attachments.conf
+!include_try /etc/dovecot/conf.d/15-performance.conf
+!include_try /etc/dovecot/conf.d/20-auth.conf
+!include_try /etc/dovecot/conf.d/20-userdb.conf
+!include_try /etc/dovecot/conf.d/25-services.conf
+!include_try /etc/dovecot/conf.d/30-protocols.conf
+!include_try /etc/dovecot/conf.d/35-fts.conf
+!include_try /etc/dovecot/conf.d/40-acl.conf
+!include_try /etc/dovecot/conf.d/40-attributes.conf
+!include_try /etc/dovecot/conf.d/50-quota.conf
+!include_try /etc/dovecot/conf.d/60-sieve-pipeline.conf
+!include_try /etc/dovecot/conf.d/70-crypto.conf
+!include_try /etc/dovecot/conf.d/80-compress.conf
+!include_try /etc/dovecot/conf.d/80-mail-logging.conf
+!include_try /etc/dovecot/conf.d/90-limits.conf
+!include_try /etc/dovecot/conf.d/90-dict.conf
+!include_try /etc/dovecot/conf.d/99-includes.conf

-  # Enable compression while saving, lz4 Dovecot v2.3.17+
-  zlib_save = lz4
-
-  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
-  mail_log_fields = uid box msgid size
-  mail_log_cached_only = yes
-
-  # Try set mail_replica
-  !include_try /etc/dovecot/mail_replica.conf
-}
-service quota-warning {
-  executable = script /usr/local/bin/quota_notify.py
-  # use some unprivileged user for executing the quota warnings
-  user = vmail
-  unix_listener quota-warning {
-    user = vmail
-  }
-}
-dict {
-  sqlquota = mysql:/etc/dovecot/sql/dovecot-dict-sql-quota.conf
-  sieve_after = mysql:/etc/dovecot/sql/dovecot-dict-sql-sieve_after.conf
-  sieve_before = mysql:/etc/dovecot/sql/dovecot-dict-sql-sieve_before.conf
-}
-remote 127.0.0.1 {
-  disable_plaintext_auth = no
-}
-submission_host = postfix:588
-mail_max_userip_connections = 500
-service stats {
-  unix_listener stats-writer {
-    mode = 0660
-    user = vmail
-  }
-}
-imap_max_line_length = 2 M
-auth_cache_verify_password_with_worker = yes
-auth_cache_negative_ttl = 60s
-auth_cache_ttl = 300s
-auth_cache_size = 10M
-auth_verbose_passwords = sha1:6
-service replicator {
-  process_min_avail = 1
-}
-service aggregator {
-  fifo_listener replication-notify-fifo {
-    user = vmail
-  }
-  unix_listener replication-notify {
-    user = vmail
-  }
-}
-service replicator {
-  unix_listener replicator-doveadm {
-    mode = 0666
-  }
-}
-replication_max_conns = 10
-doveadm_port = 12345
-replication_dsync_parameters = -d -l 30 -U -n INBOX
-# <Includes>
-!include_try /etc/dovecot/sni.conf
-!include_try /etc/dovecot/sogo_trusted_ip.conf
-!include_try /etc/dovecot/extra.conf
-!include_try /etc/dovecot/shared_namespace.conf
-!include_try /etc/dovecot/conf.d/fts.conf
-# </Includes>
-default_client_limit = 10400
-default_vsz_limit = 1024 M
+# Last: local overrides
+!include_try /etc/dovecot/extra.conf
@@ -1,10 +1,14 @@
 namespace inbox {
  inbox = yes
-  location =
  separator = /
+  mailbox storage/* {
+    quota_storage_extra = 100M
+  }
  mailbox "Trash" {
    auto = subscribe
    special_use = \Trash
+    quota_storage_percentage = 100
+    fts_autoindex = no
  }
  mailbox "Deleted Messages" {
    special_use = \Trash
@@ -195,6 +199,7 @@ namespace inbox {
  mailbox "Junk" {
    auto = subscribe
    special_use = \Junk
+    fts_autoindex = no
  }
  mailbox "Junk-E-Mail" {
    special_use = \Junk
@@ -261,19 +261,19 @@ location ~* /sogo$ {
 }

 location /SOGo.woa/WebServerResources/ {
-    alias /usr/local/lib/GNUstep/SOGo/WebServerResources/;
+    alias /usr/lib/GNUstep/SOGo/WebServerResources/;
 }

 location /.woa/WebServerResources/ {
-    alias /usr/local/lib/GNUstep/SOGo/WebServerResources/;
+    alias /usr/lib/GNUstep/SOGo/WebServerResources/;
 }

 location /SOGo/WebServerResources/ {
-    alias /usr/local/lib/GNUstep/SOGo/WebServerResources/;
+    alias /usr/lib/GNUstep/SOGo/WebServerResources/;
 }

 location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
-    alias /usr/local/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
+    alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
 }
 {% endif %}

@@ -1,8 +1,7 @@
-# Whitelist generated by Postwhite v3.4 on Mon Jun  1 00:52:17 UTC 2026
+# Whitelist generated by Postwhite v3.4 on Sun Mar  1 00:29:01 UTC 2026
 # https://github.com/stevejenkins/postwhite/
-# 2186 total rules
+# 2174 total rules
 2a00:1450:4000::/36	permit
-2a00:1450:4864::/56	permit
 2a01:111:f400::/48	permit
 2a01:111:f403:2800::/53	permit
 2a01:111:f403:8000::/51	permit
@@ -32,11 +31,8 @@
 2a02:a60:0:5::/64	permit
 2a0f:f640::/56	permit
 2c0f:fb50:4000::/36	permit
-2c0f:fb50:4864::/56	permit
-2.207.151.32/27	permit
 2.207.151.53	permit
 2.207.217.30	permit
-2.207.223.160/27	permit
 3.64.237.68	permit
 3.65.3.180	permit
 3.70.123.177	permit
@@ -56,8 +52,14 @@
 8.25.194.0/23	permit
 8.25.196.0/23	permit
 8.36.116.0/24	permit
+8.39.54.0/23	permit
+8.39.54.250/31	permit
 8.39.144.0/24	permit
+8.40.222.0/23	permit
+8.40.222.250/31	permit
 12.130.86.238	permit
+13.107.213.51	permit
+13.107.246.51	permit
 13.108.16.0/20	permit
 13.110.208.0/21	permit
 13.110.209.0/24	permit
@@ -67,6 +69,7 @@
 13.111.191.0/24	permit
 13.216.7.111	permit
 13.216.54.180	permit
+13.247.164.219	permit
 15.200.21.50	permit
 15.200.44.248	permit
 15.200.201.185	permit
@@ -170,6 +173,7 @@
 34.215.104.144	permit
 34.218.115.239	permit
 34.225.212.172	permit
+34.241.242.183	permit
 35.83.148.184	permit
 35.155.198.111	permit
 35.158.23.94	permit
@@ -193,6 +197,7 @@
 40.233.64.216	permit
 40.233.83.78	permit
 40.233.88.28	permit
+43.239.212.33	permit
 44.206.138.57	permit
 44.210.169.44	permit
 44.217.45.156	permit
@@ -272,9 +277,9 @@
 50.56.130.221	permit
 50.56.130.222	permit
 50.112.246.219	permit
-51.83.17.38	permit
 52.1.14.157	permit
 52.5.230.59	permit
+52.6.74.205	permit
 52.12.53.23	permit
 52.13.214.179	permit
 52.26.1.71	permit
@@ -331,6 +336,7 @@
 54.244.54.130	permit
 54.244.242.0/24	permit
 54.255.61.23	permit
+56.124.6.228	permit
 57.103.64.0/18	permit
 57.129.93.249	permit
 62.13.128.0/24	permit
@@ -362,7 +368,6 @@
 64.132.88.0/23	permit
 64.132.92.0/24	permit
 64.181.194.190	permit
-64.181.213.254	permit
 64.207.219.7	permit
 64.207.219.8	permit
 64.207.219.9	permit
@@ -397,6 +402,7 @@
 65.110.161.77	permit
 65.123.29.213	permit
 65.123.29.220	permit
+65.154.166.0/24	permit
 65.212.180.36	permit
 66.102.0.0/20	permit
 66.119.150.192/26	permit
@@ -447,11 +453,7 @@
 66.218.75.252/31	permit
 66.218.75.254	permit
 66.220.144.128/25	permit
-66.220.144.178	permit
-66.220.144.179	permit
 66.220.155.0/24	permit
-66.220.155.178	permit
-66.220.155.179	permit
 66.220.157.0/25	permit
 66.231.80.0/20	permit
 66.240.227.0/24	permit
@@ -516,8 +518,6 @@
 69.162.98.0/24	permit
 69.169.224.0/20	permit
 69.171.232.0/24	permit
-69.171.232.180	permit
-69.171.232.181	permit
 69.171.244.0/23	permit
 70.42.149.35	permit
 72.3.185.0/24	permit
@@ -639,7 +639,6 @@
 77.238.189.148/30	permit
 79.135.106.0/24	permit
 79.135.107.0/24	permit
-80.225.160.128/25	permit
 81.169.146.243	permit
 81.169.146.245	permit
 81.169.146.246	permit
@@ -658,9 +657,6 @@
 82.165.159.45	permit
 82.165.159.130	permit
 82.165.159.131	permit
-84.8.68.0/25	permit
-84.8.192.128/25	permit
-84.8.224.128/25	permit
 85.9.206.169	permit
 85.9.210.45	permit
 85.158.136.0/21	permit
@@ -1210,6 +1206,9 @@
 99.78.197.208/28	permit
 103.9.96.0/22	permit
 103.28.42.0/24	permit
+103.84.217.15	permit
+103.84.217.238	permit
+103.89.75.238	permit
 103.151.192.0/23	permit
 103.168.172.128/27	permit
 103.237.104.0/22	permit
@@ -1370,6 +1369,9 @@
 117.120.16.0/21	permit
 119.42.242.52/31	permit
 119.42.242.156	permit
+121.244.91.48	permit
+121.244.91.52	permit
+122.15.156.182	permit
 123.126.78.64/29	permit
 124.108.96.24/31	permit
 124.108.96.28/31	permit
@@ -1406,20 +1408,6 @@
 129.146.88.28	permit
 129.146.147.105	permit
 129.146.236.58	permit
-129.148.135.0/25	permit
-129.148.148.0/25	permit
-129.148.164.0/25	permit
-129.148.180.0/25	permit
-129.148.215.0/25	permit
-129.149.6.0/25	permit
-129.149.22.0/25	permit
-129.149.38.0/25	permit
-129.149.52.0/25	permit
-129.149.68.0/25	permit
-129.149.84.0/25	permit
-129.149.100.0/25	permit
-129.149.118.0/25	permit
-129.149.126.0/25	permit
 129.151.67.221	permit
 129.153.62.216	permit
 129.153.104.71	permit
@@ -1432,19 +1420,16 @@
 129.159.22.159	permit
 129.159.87.137	permit
 129.213.195.191	permit
-130.35.116.0/25	permit
 130.61.9.72	permit
 130.162.39.83	permit
 130.248.172.0/24	permit
 130.248.173.0/24	permit
-131.186.12.0/25	permit
 131.253.30.0/24	permit
 131.253.121.0/26	permit
 132.145.13.209	permit
 132.226.26.225	permit
 132.226.49.32	permit
 132.226.56.24	permit
-134.98.248.128/25	permit
 134.128.64.0/19	permit
 134.128.96.0/19	permit
 134.170.27.8	permit
@@ -1452,7 +1437,21 @@
 134.170.141.64/26	permit
 134.170.143.0/24	permit
 134.170.174.0/24	permit
+135.84.80.0/24	permit
+135.84.81.0/24	permit
+135.84.82.0/24	permit
+135.84.83.0/24	permit
 135.84.216.0/22	permit
+136.143.160.0/24	permit
+136.143.161.0/24	permit
+136.143.162.0/24	permit
+136.143.176.0/24	permit
+136.143.177.0/24	permit
+136.143.178.49	permit
+136.143.182.0/23	permit
+136.143.184.0/24	permit
+136.143.188.0/24	permit
+136.143.190.0/23	permit
 136.146.128.0/20	permit
 136.147.128.0/20	permit
 136.147.135.0/24	permit
@@ -1461,10 +1460,6 @@
 136.147.182.0/24	permit
 136.147.224.0/20	permit
 136.179.50.206	permit
-136.248.224.128/25	permit
-136.248.232.128/25	permit
-138.1.108.0/25	permit
-138.1.170.0/24	permit
 139.60.152.0/22	permit
 139.138.35.44	permit
 139.138.46.121	permit
@@ -1472,7 +1467,7 @@
 139.138.46.219	permit
 139.138.57.55	permit
 139.138.58.119	permit
-139.177.108.0/25	permit
+139.167.79.86	permit
 139.180.17.0/24	permit
 140.238.148.191	permit
 141.148.55.217	permit
@@ -1511,9 +1506,6 @@
 146.88.28.0/24	permit
 146.148.116.76	permit
 147.154.32.0/25	permit
-147.154.63.0/24	permit
-147.154.126.0/24	permit
-147.154.191.0/24	permit
 147.243.1.47	permit
 147.243.1.48	permit
 147.243.1.153	permit
@@ -1521,22 +1513,16 @@
 147.243.128.26	permit
 148.105.0.0/16	permit
 148.105.8.0/21	permit
-148.116.32.128/25	permit
 149.72.0.0/16	permit
 149.72.234.184	permit
 149.72.248.236	permit
 149.97.173.180	permit
-149.118.160.128/25	permit
 150.136.21.199	permit
-150.171.109.118	permit
 150.230.98.160	permit
 151.145.38.14	permit
 152.67.105.195	permit
 152.69.200.236	permit
 152.70.155.126	permit
-155.248.135.128/25	permit
-155.248.140.0/25	permit
-155.248.148.0/25	permit
 155.248.208.51	permit
 155.248.220.138	permit
 155.248.234.149	permit
@@ -1545,14 +1531,10 @@
 157.58.30.128/25	permit
 157.58.196.96/29	permit
 157.58.249.3	permit
-157.137.32.128/25	permit
-157.137.96.128/25	permit
 157.151.208.65	permit
 157.255.1.64/29	permit
 158.101.211.207	permit
 158.247.16.0/20	permit
-158.247.100.0/25	permit
-159.13.4.0/25	permit
 159.92.154.0/24	permit
 159.92.155.0/24	permit
 159.92.157.0/24	permit
@@ -1586,7 +1568,6 @@
 161.71.64.0/20	permit
 162.88.4.0/23	permit
 162.88.8.0/24	permit
-162.88.24.0/23	permit
 162.88.24.0/24	permit
 162.88.25.0/24	permit
 162.88.36.0/24	permit
@@ -1604,7 +1585,10 @@
 164.152.23.32	permit
 164.152.25.241	permit
 164.177.132.168/30	permit
-165.1.100.0/25	permit
+165.173.128.0/24	permit
+165.173.180.1	permit
+165.173.180.250/31	permit
+165.173.182.250/31	permit
 166.78.68.0/22	permit
 166.78.68.221	permit
 166.78.69.169	permit
@@ -1623,12 +1607,9 @@
 167.89.75.126	permit
 167.89.75.136	permit
 167.89.75.164	permit
+167.89.101.2	permit
+167.89.101.192/28	permit
 167.220.67.232/29	permit
-168.107.248.128/25	permit
-168.110.160.128/25	permit
-168.110.248.128/25	permit
-168.129.184.128/25	permit
-168.129.248.128/25	permit
 168.138.5.36	permit
 168.138.73.51	permit
 168.138.77.31	permit
@@ -1637,6 +1618,18 @@
 168.245.12.252	permit
 168.245.46.9	permit
 168.245.127.231	permit
+169.148.129.0/24	permit
+169.148.131.0/24	permit
+169.148.138.0/24	permit
+169.148.142.10	permit
+169.148.142.33	permit
+169.148.144.0/25	permit
+169.148.144.10	permit
+169.148.146.0/23	permit
+169.148.175.3	permit
+169.148.179.3	permit
+169.148.188.0/24	permit
+169.148.188.182	permit
 170.9.232.254	permit
 170.10.128.0/24	permit
 170.10.129.0/24	permit
@@ -1752,24 +1745,8 @@
 192.18.139.154	permit
 192.18.145.36	permit
 192.18.152.58	permit
-192.22.32.128/25	permit
-192.22.96.128/25	permit
-192.22.160.128/25	permit
-192.22.224.128/25	permit
 192.28.128.0/18	permit
-192.29.24.0/25	permit
-192.29.44.0/25	permit
-192.29.72.0/25	permit
-192.29.88.0/25	permit
 192.29.103.128/25	permit
-192.29.134.0/25	permit
-192.29.151.128/25	permit
-192.29.172.0/25	permit
-192.29.178.0/25	permit
-192.29.200.0/25	permit
-192.29.216.0/25	permit
-192.29.232.0/25	permit
-192.29.248.0/25	permit
 192.30.252.0/22	permit
 192.161.144.0/20	permit
 192.162.87.0/24	permit
@@ -1777,6 +1754,11 @@
 192.237.159.42	permit
 192.237.159.43	permit
 192.254.112.0/20	permit
+192.254.112.60	permit
+192.254.112.98/31	permit
+192.254.113.10	permit
+192.254.113.101	permit
+192.254.114.176	permit
 193.109.254.0/23	permit
 193.122.128.100	permit
 193.123.56.63	permit
@@ -1842,7 +1824,16 @@
 199.16.156.0/22	permit
 199.33.145.1	permit
 199.33.145.32	permit
+199.34.22.36	permit
 199.59.148.0/22	permit
+199.67.80.2	permit
+199.67.80.20	permit
+199.67.82.2	permit
+199.67.82.20	permit
+199.67.84.0/24	permit
+199.67.86.0/24	permit
+199.67.88.0/24	permit
+199.67.90.0/24	permit
 199.101.161.130	permit
 199.101.162.0/25	permit
 199.122.120.0/21	permit
@@ -1898,6 +1889,8 @@
 204.92.114.187	permit
 204.92.114.203	permit
 204.92.114.204/31	permit
+204.141.32.0/23	permit
+204.141.42.0/23	permit
 204.216.164.202	permit
 204.220.160.0/21	permit
 204.220.168.0/21	permit
@@ -1934,7 +1927,6 @@
 207.211.30.128/25	permit
 207.211.31.0/25	permit
 207.211.41.113	permit
-207.211.132.0/25	permit
 207.218.90.0/24	permit
 207.218.90.122	permit
 207.250.68.0/24	permit
@@ -1942,8 +1934,6 @@
 208.43.21.28/30	permit
 208.43.21.64/29	permit
 208.43.21.72/30	permit
-208.56.9.224	permit
-208.56.13.196	permit
 208.64.132.0/22	permit
 208.71.40.63	permit
 208.71.40.64/31	permit
@@ -1970,7 +1960,6 @@
 208.71.42.214	permit
 208.72.249.240/29	permit
 208.75.120.0/22	permit
-208.76.62.0/23	permit
 208.76.62.0/24	permit
 208.76.63.0/24	permit
 208.82.237.96/29	permit
@@ -2131,7 +2120,6 @@
 216.136.168.80/28	permit
 216.139.64.0/19	permit
 216.145.221.0/24	permit
-216.146.32.0/23	permit
 216.146.32.0/24	permit
 216.146.33.0/24	permit
 216.198.0.0/18	permit
@@ -2152,7 +2140,6 @@
 223.165.120.0/23	permit
 2001:0868:0100:0600::/64	permit
 2001:4860:4000::/36	permit
-2001:4860:4864::/56	permit
 2001:748:100:40::2:0/112	permit
 2001:748:400:1300::3	permit
 2001:748:400:1300::4	permit
@@ -2170,10 +2157,10 @@
 2001:748:400:3301::3	permit
 2001:748:400:3301::4	permit
 2404:6800:4000::/36	permit
-2404:6800:4864::/56	permit
-2603:1061:14:40::1	permit
+2607:13c0:0001:0000:0000:0000:0000:7000/116	permit
+2607:13c0:0002:0000:0000:0000:0000:1000/116	permit
+2607:13c0:0004:0000:0000:0000:0000:0000/116	permit
 2607:f8b0:4000::/36	permit
-2607:f8b0:4864::/56	permit
 2620:109:c003:104::/64	permit
 2620:109:c003:104::215	permit
 2620:109:c006:104::/64	permit
@@ -2185,7 +2172,8 @@
 2620:10d:c09c:400::8:1	permit
 2620:119:50c0:207::/64	permit
 2620:119:50c0:207::215	permit
+2620:1ec:46::51	permit
+2620:1ec:bdf::51	permit
 2800:3f0:4000::/36	permit
-2800:3f0:4864::/56	permit
 49.12.4.251 permit # checks.mailcow.email
 2a01:4f8:c17:7906::10 permit # checks.mailcow.email
@@ -3,7 +3,8 @@ rules {
    backend = "http";
    url = "http://nginx:9081/pipe.php";
    selector = "reject_no_global_bl";
-    formatter = "multipart";
+    formatter = "default";
+    meta_headers = true;
  }
 	RLINFO {
 		backend = "http";
@@ -15,7 +16,8 @@ rules {
    backend = "http";
    url = "http://nginx:9081/pushover.php";
    selector = "mailcow_rcpt";
-    formatter = "multipart";
+    formatter = "json";
+    meta_headers = true;
  }
 }

@@ -32,42 +32,47 @@ function parse_email($email) {
  $a = strrpos($email, '@');
  return array('local' => substr($email, 0, $a), 'domain' => substr(substr($email, $a), 1));
 }
-// rspamd metadata_exporter (multipart formatter):
-//   - $_POST['metadata']        JSON with the rspamd metadata
-//   - $_FILES['message']        raw RFC822 message
-if (empty($_POST['metadata']) || !isset($_FILES['message']) || $_FILES['message']['error'] !== UPLOAD_ERR_OK) {
-  error_log("QUARANTINE: missing multipart parts from rspamd" . PHP_EOL);
-  http_response_code(400);
-  exit;
+if (!function_exists('getallheaders'))  {
+  function getallheaders() {
+    if (!is_array($_SERVER)) {
+      return array();
+    }
+    $headers = array();
+    foreach ($_SERVER as $name => $value) {
+      if (substr($name, 0, 5) == 'HTTP_') {
+        $headers[str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5)))))] = $value;
+      }
+    }
+    return $headers;
+  }
 }

-$meta = json_decode($_POST['metadata'], true);
-if (!is_array($meta)) {
-  error_log("QUARANTINE: cannot decode metadata JSON" . PHP_EOL);
-  http_response_code(400);
-  exit;
-}
-
-$raw_data_content = file_get_contents($_FILES['message']['tmp_name']);
+$raw_data_content = file_get_contents('php://input');
 $raw_data = mb_convert_encoding($raw_data_content, 'HTML-ENTITIES', "UTF-8");
-$raw_size = (int)$_FILES['message']['size'];
+$headers = getallheaders();

-$qid      = $meta['qid']     ?? 'unknown';
-$subject  = iconv_mime_decode($meta['subject'] ?? '');
-$score    = $meta['score']   ?? 0;
-$rcpts    = $meta['rcpt']    ?? array();
-$user     = $meta['user']    ?? 'unknown';
-$ip       = $meta['ip']      ?? 'unknown';
-$action   = $meta['action']  ?? 'no action';
-$sender   = $meta['from']    ?? '';
-$symbols  = json_encode($meta['symbols'] ?? array());
-$fuzzy    = json_encode(is_array($meta['fuzzy'] ?? null) ? $meta['fuzzy'] : array());
+$qid      = $headers['X-Rspamd-Qid'];
+$fuzzy    = $headers['X-Rspamd-Fuzzy'];
+$subject  = iconv_mime_decode($headers['X-Rspamd-Subject']);
+$score    = $headers['X-Rspamd-Score'];
+$rcpts    = $headers['X-Rspamd-Rcpt'];
+$user     = $headers['X-Rspamd-User'];
+$ip       = $headers['X-Rspamd-Ip'];
+$action   = $headers['X-Rspamd-Action'];
+$sender   = $headers['X-Rspamd-From'];
+$symbols  = $headers['X-Rspamd-Symbols'];
+
+$raw_size = (int)$_SERVER['CONTENT_LENGTH'];

 if (empty($sender)) {
  error_log("QUARANTINE: Unknown sender, assuming empty-env-from@localhost" . PHP_EOL);
  $sender = 'empty-env-from@localhost';
 }

+if ($fuzzy == 'unknown') {
+  $fuzzy = '[]';
+}
+
 try {
  $max_size = (int)$redis->Get('Q_MAX_SIZE');
  if (($max_size * 1048576) < $raw_size) {
@@ -89,7 +94,7 @@ catch (RedisException $e) {
 $rcpt_final_mailboxes = array();

 // Loop through all rcpts
-foreach ($rcpts as $rcpt) {
+foreach (json_decode($rcpts, true) as $rcpt) {
  // Remove tag
  $rcpt = preg_replace('/^(.*?)\+.*(@.*)$/', '$1$2', $rcpt);

@@ -32,46 +32,50 @@ function parse_email($email) {
  $a = strrpos($email, '@');
  return array('local' => substr($email, 0, $a), 'domain' => substr(substr($email, $a), 1));
 }
-// rspamd metadata_exporter (multipart formatter): metadata JSON arrives as $_POST['metadata'].
-if (empty($_POST['metadata'])) {
-  error_log("NOTIFY: missing metadata part from rspamd" . PHP_EOL);
-  http_response_code(400);
-  exit;
+if (!function_exists('getallheaders'))  {
+  function getallheaders() {
+    if (!is_array($_SERVER)) {
+      return array();
+    }
+    $headers = array();
+    foreach ($_SERVER as $name => $value) {
+      if (substr($name, 0, 5) == 'HTTP_') {
+        $headers[str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5)))))] = $value;
+      }
+    }
+    return $headers;
+  }
 }

-$meta = json_decode($_POST['metadata'], true);
-if (!is_array($meta)) {
-  error_log("NOTIFY: cannot decode metadata JSON" . PHP_EOL);
-  http_response_code(400);
-  exit;
-}
+$headers = getallheaders();
+$json_body = json_decode(file_get_contents('php://input'));

-$qid      = $meta['qid']    ?? 'unknown';
-$rcpts    = $meta['rcpt']   ?? array();
-$sender   = $meta['from']   ?? '';
-$ip       = $meta['ip']     ?? 'unknown';
-$subject  = iconv_mime_decode($meta['subject'] ?? '');
-$messageid= $meta['message_id'] ?? '';
+$qid      = $headers['X-Rspamd-Qid'];
+$rcpts    = $headers['X-Rspamd-Rcpt'];
+$sender   = $headers['X-Rspamd-From'];
+$ip       = $headers['X-Rspamd-Ip'];
+$subject  = iconv_mime_decode($headers['X-Rspamd-Subject']);
+$messageid= $json_body->message_id;
 $priority = 0;

-$symbols_array = $meta['symbols'] ?? array();
+$symbols_array = json_decode($headers['X-Rspamd-Symbols'], true);
 if (is_array($symbols_array)) {
  foreach ($symbols_array as $symbol) {
-    if (($symbol['name'] ?? null) == 'HAS_X_PRIO_ONE') {
+    if ($symbol['name'] == 'HAS_X_PRIO_ONE') {
      $priority = 1;
      break;
    }
  }
 }

-$sender_address = $meta['header_from'][0] ?? '';
+$sender_address = $json_body->header_from[0];
 $sender_name = '-';
 if (preg_match('/(?<name>.*?)<(?<address>.*?)>/i', $sender_address, $matches)) {
 	$sender_address = $matches['address'];
  $sender_name =  trim($matches['name'], '"\' ');
 }

-$to_address = $meta['header_to'][0] ?? '';
+$to_address = $json_body->header_to[0];
 $to_name = '-';
 if (preg_match('/(?<name>.*?)<(?<address>.*?)>/i', $to_address, $matches)) {
 	$to_address = $matches['address'];
@@ -81,7 +85,7 @@ if (preg_match('/(?<name>.*?)<(?<address>.*?)>/i', $to_address, $matches)) {
 $rcpt_final_mailboxes = array();

 // Loop through all rcpts
-foreach ($rcpts as $rcpt) {
+foreach (json_decode($rcpts, true) as $rcpt) {
  // Remove tag
  $rcpt = preg_replace('/^(.*?)\+.*(@.*)$/', '$1$2', $rcpt);

@@ -1072,7 +1072,6 @@ paths:
                          password2: "*"
                          quota: "3072"
                          force_pw_update: "1"
-                          force_tfa: "1"
                          tls_enforce_in: "1"
                          tls_enforce_out: "1"
                          tags: ["tag1", "tag2"]
@@ -1119,7 +1118,6 @@ paths:
                password2: atedismonsin
                quota: "3072"
                force_pw_update: "1"
-                force_tfa: "1"
                tls_enforce_in: "1"
                tls_enforce_out: "1"
                tags: ["tag1", "tag2"]
@@ -1153,9 +1151,6 @@ paths:
                force_pw_update:
                  description: forces the user to update its password on first login
                  type: boolean
-                force_tfa:
-                  description: force 2FA enrollment at login
-                  type: boolean
                tls_enforce_in:
                  description: force inbound email tls encryption
                  type: boolean
@@ -2515,7 +2510,7 @@ paths:
      description: >-
        Using this endpoint you can perform actions on quarantine items. It is possible to release
        emails from quarantine into to the inbox, or learn them as ham to improve Rspamd filtering.
-        You must provide the quarantine item IDs. You can get the IDs using the GET method.
+        You must provide the quarantine item IDs. You can get the IDs using the GET method.      
      operationId: Edit mails in Quarantine
      requestBody:
        content:
@@ -3419,7 +3414,6 @@ paths:
                        - mailbox
                        - active: "1"
                          force_pw_update: "0"
-                          force_tfa: "0"
                          name: Full name
                          password: "*"
                          password2: "*"
@@ -3470,7 +3464,6 @@ paths:
                attr:
                  active: "1"
                  force_pw_update: "0"
-                  force_tfa: "0"
                  name: Full name
                  authsource: mailcow
                  password: ""
@@ -3494,9 +3487,6 @@ paths:
                    force_pw_update:
                      description: force user to change password on next login
                      type: boolean
-                    force_tfa:
-                      description: force 2FA enrollment at login
-                      type: boolean
                    name:
                      description: Full name of the mailbox user
                      type: string
@@ -4891,7 +4881,6 @@ paths:
                    - active: "1"
                      attributes:
                        force_pw_update: "0"
-                        force_tfa: "0"
                        mailbox_format: "maildir:"
                        quarantine_notification: never
                        sogo_access: "1"
@@ -5816,7 +5805,6 @@ paths:
                    - active: "1"
                      attributes:
                        force_pw_update: "0"
-                        force_tfa: "0"
                        mailbox_format: "maildir:"
                        quarantine_notification: never
                        sogo_access: "1"
@@ -287,8 +287,6 @@ function user_login($user, $pass, $extra = null){
            return false;
          }

-          $row['attributes'] = json_decode($row['attributes'], true);
-
          // check for tfa authenticators
          $authenticators = get_tfa($user);
          if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
@@ -345,8 +343,6 @@ function user_login($user, $pass, $extra = null){
          return false;
        }

-        $row['attributes'] = json_decode($row['attributes'], true);
-
        // check for tfa authenticators
        $authenticators = get_tfa($user);
        if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
@@ -108,14 +108,6 @@ function fwdhost($_action, $_data = null) {
      }
    break;
    case 'delete':
-      if ($_SESSION['mailcow_cc_role'] != "admin") {
-        $_SESSION['return'][] = array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => 'access_denied'
-        );
-        return false;
-      }
      $hosts = (array)$_data['forwardinghost'];
      foreach ($hosts as $host) {
        try {
@@ -9,10 +9,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
  $_data_log = $_data;
  !isset($_data_log['password']) ?: $_data_log['password'] = '*';
  !isset($_data_log['password2']) ?: $_data_log['password2'] = '*';
-
-  // Track mailboxes affected by alias operations for incremental SOGo updates
-  $update_sogo_mailboxes = array();
-
  switch ($_action) {
    case 'add':
      switch ($_type) {
@@ -890,17 +886,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
              'msg' => array('alias_added', $address, $id)
            );
-
-            // Track affected mailboxes for SOGo update
-            if (!empty($goto)) {
-              $gotos = array_map('trim', explode(',', $goto));
-              foreach ($gotos as $g) {
-                if (filter_var($g, FILTER_VALIDATE_EMAIL) &&
-                    !in_array($g, array('null@localhost', 'spam@localhost', 'ham@localhost'))) {
-                  $update_sogo_mailboxes[] = $g;
-                }
-              }
-            }
          }
        break;
        case 'alias_domain':
@@ -1111,21 +1096,10 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
          $relayhost = (isset($_data['relayhost'])) ? intval($_data['relayhost']) : 0;
          $quarantine_notification = (isset($_data['quarantine_notification'])) ? strval($_data['quarantine_notification']) : strval($MAILBOX_DEFAULT_ATTRIBUTES['quarantine_notification']);
          $quarantine_category = (isset($_data['quarantine_category'])) ? strval($_data['quarantine_category']) : strval($MAILBOX_DEFAULT_ATTRIBUTES['quarantine_category']);
-          // Validate quarantine_category
-          if (!in_array($quarantine_category, array('add_header', 'reject', 'all'))) {
-            $_SESSION['return'][] = array(
-              'type' => 'danger',
-              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-              'msg' => 'quarantine_category_invalid'
-            );
-            return false;
-          }
          $quota_b    = ($quota_m * 1048576);
          $attribute_hash = (!empty($_data['attribute_hash'])) ? $_data['attribute_hash'] : '';
          if (in_array($authsource, array('keycloak', 'generic-oidc', 'ldap'))){
            $force_pw_update = 0;
-          }
-          if ($authsource == 'generic-oidc'){
            $force_tfa = 0;
          }
          $mailbox_attrs = json_encode(
@@ -1394,8 +1368,15 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
            ), $_extra);
          }

-          // Track affected mailboxes for SOGo update
-          $update_sogo_mailboxes[] = $username;
+          try {
+            update_sogo_static_view($username);
+          } catch (PDOException $e) {
+            $_SESSION['return'][] = array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+              'msg' => $e->getMessage()
+            );
+          }
          $_SESSION['return'][] = array(
            'type' => 'success',
            'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1626,9 +1607,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
            'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
            'msg' => array('resource_added', htmlspecialchars($name))
          );
-
-          // Track affected mailboxes for SOGo update
-          $update_sogo_mailboxes[] = $name;
        break;
        case 'domain_templates':
          if ($_SESSION['mailcow_cc_role'] != "admin") {
@@ -1742,15 +1720,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
          $attr["tagged_mail_handler"]         = (!empty($_data['tagged_mail_handler'])) ? $_data['tagged_mail_handler'] : strval($MAILBOX_DEFAULT_ATTRIBUTES['tagged_mail_handler']);
          $attr["quarantine_notification"]     = (!empty($_data['quarantine_notification'])) ? $_data['quarantine_notification'] : strval($MAILBOX_DEFAULT_ATTRIBUTES['quarantine_notification']);
          $attr["quarantine_category"]         = (!empty($_data['quarantine_category'])) ? $_data['quarantine_category'] : strval($MAILBOX_DEFAULT_ATTRIBUTES['quarantine_category']);
-          // Validate quarantine_category
-          if (!in_array($attr["quarantine_category"], array('add_header', 'reject', 'all'))) {
-            $_SESSION['return'][] = array(
-              'type' => 'danger',
-              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_extra),
-              'msg' => 'quarantine_category_invalid'
-            );
-            return false;
-          }
          $attr["rl_frame"]                    = (!empty($_data['rl_frame'])) ? $_data['rl_frame'] : "s";
          $attr["rl_value"]                    = (!empty($_data['rl_value'])) ? $_data['rl_value'] : "";
          $attr["force_pw_update"]             = isset($_data['force_pw_update']) ? intval($_data['force_pw_update']) : intval($MAILBOX_DEFAULT_ATTRIBUTES['force_pw_update']);
@@ -2080,14 +2049,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
            return false;
          }
          foreach ($usernames as $username) {
-            if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
-              $_SESSION['return'][] = array(
-                'type' => 'danger',
-                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-                'msg' => 'access_denied'
-              );
-              continue;
-            }
            if ($_data['spam_score'] == "default") {
              $stmt = $pdo->prepare("DELETE FROM `filterconf` WHERE `object` = :username
                AND (`option` = 'lowspamlevel' OR `option` = 'highspamlevel')");
@@ -2764,28 +2725,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
              'msg' => array('alias_modified', htmlspecialchars($address))
            );
-
-            // Track affected mailboxes for SOGo update (both old and new goto addresses)
-            // Old goto: to remove alias from their view
-            if (!empty($is_now['goto'])) {
-              $old_gotos = array_map('trim', explode(',', $is_now['goto']));
-              foreach ($old_gotos as $g) {
-                if (filter_var($g, FILTER_VALIDATE_EMAIL) &&
-                    !in_array($g, array('null@localhost', 'spam@localhost', 'ham@localhost'))) {
-                  $update_sogo_mailboxes[] = $g;
-                }
-              }
-            }
-            // New goto: to add alias to their view
-            if (!empty($goto)) {
-              $new_gotos = array_map('trim', explode(',', $goto));
-              foreach ($new_gotos as $g) {
-                if (filter_var($g, FILTER_VALIDATE_EMAIL) &&
-                    !in_array($g, array('null@localhost', 'spam@localhost', 'ham@localhost'))) {
-                  $update_sogo_mailboxes[] = $g;
-                }
-              }
-            }
          }
        break;
        case 'domain':
@@ -3154,8 +3093,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
              }
              if (in_array($authsource, array('keycloak', 'generic-oidc', 'ldap'))){
                $force_pw_update = 0;
-              }
-              if ($authsource == 'generic-oidc'){
                $force_tfa = 0;
              }
              $pw_recovery_email    = (isset($_data['pw_recovery_email']) && $authsource == 'mailcow') ? $_data['pw_recovery_email'] : $is_now['attributes']['recovery_email'];
@@ -3502,9 +3439,17 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
              'msg' => array('mailbox_modified', $username)
            );

-            // Track affected mailboxes for SOGo update
-            $update_sogo_mailboxes[] = $username;
+            try {
+              update_sogo_static_view($username);
+            } catch (PDOException $e) {
+              $_SESSION['return'][] = array(
+                'type' => 'danger',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+                'msg' => $e->getMessage()
+              );
+            }
          }
+          return true;
        break;
        case 'mailbox_rename':
          $domain = $_data['domain'];
@@ -3815,19 +3760,9 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
            $attr["tagged_mail_handler"]         = (!empty($_data['tagged_mail_handler'])) ? $_data['tagged_mail_handler'] : $is_now['tagged_mail_handler'];
            $attr["quarantine_notification"]     = (!empty($_data['quarantine_notification'])) ? $_data['quarantine_notification'] : $is_now['quarantine_notification'];
            $attr["quarantine_category"]         = (!empty($_data['quarantine_category'])) ? $_data['quarantine_category'] : $is_now['quarantine_category'];
-            // Validate quarantine_category
-            if (!in_array($attr["quarantine_category"], array('add_header', 'reject', 'all'))) {
-              $_SESSION['return'][] = array(
-                'type' => 'danger',
-                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_extra),
-                'msg' => 'quarantine_category_invalid'
-              );
-              continue;
-            }
            $attr["rl_frame"]                    = (!empty($_data['rl_frame'])) ? $_data['rl_frame'] : $is_now['rl_frame'];
            $attr["rl_value"]                    = (!empty($_data['rl_value'])) ? $_data['rl_value'] : $is_now['rl_value'];
            $attr["force_pw_update"]             = isset($_data['force_pw_update']) ? intval($_data['force_pw_update']) : $is_now['force_pw_update'];
-            $attr["force_tfa"]                   = isset($_data['force_tfa']) ? intval($_data['force_tfa']) : $is_now['force_tfa'];
            $attr["sogo_access"]                 = isset($_data['sogo_access']) ? intval($_data['sogo_access']) : $is_now['sogo_access'];
            $attr["active"]                      = isset($_data['active']) ? intval($_data['active']) : $is_now['active'];
            $attr["tls_enforce_in"]              = isset($_data['tls_enforce_in']) ? intval($_data['tls_enforce_in']) : $is_now['tls_enforce_in'];
@@ -4141,9 +4076,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
              'msg' => array('resource_modified', htmlspecialchars($name))
            );
-
-            // Track affected mailboxes for SOGo update
-            $update_sogo_mailboxes[] = $name;
          }
        break;
        case 'domain_wide_footer':
@@ -5848,18 +5780,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
              );
              continue;
            }
-
-            // Track affected mailboxes for SOGo update (capture before deletion)
-            if (!empty($alias_data['goto'])) {
-              $gotos = array_map('trim', explode(',', $alias_data['goto']));
-              foreach ($gotos as $g) {
-                if (filter_var($g, FILTER_VALIDATE_EMAIL) &&
-                    !in_array($g, array('null@localhost', 'spam@localhost', 'ham@localhost'))) {
-                  $update_sogo_mailboxes[] = $g;
-                }
-              }
-            }
-
            $stmt = $pdo->prepare("DELETE FROM `alias` WHERE `id` = :id");
            $stmt->execute(array(
              ':id' => $alias_data['id']
@@ -6118,15 +6038,22 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
              continue;
            }

+            try {
+              update_sogo_static_view($username);
+            }catch (PDOException $e) {
+              $_SESSION['return'][] = array(
+                'type' => 'success',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+                'msg' => $e->getMessage()
+              );
+            }
            $_SESSION['return'][] = array(
              'type' => 'success',
              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
              'msg' => array('mailbox_removed', htmlspecialchars($username))
            );
-
-            // Track affected mailboxes for SOGo update
-            $update_sogo_mailboxes[] = $username;
          }
+          return true;
        break;
        case 'mailbox_templates':
          if ($_SESSION['mailcow_cc_role'] != "admin") {
@@ -6226,9 +6153,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
              'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
              'msg' => array('resource_removed', htmlspecialchars($name))
            );
-
-            // Track affected mailboxes for SOGo update
-            $update_sogo_mailboxes[] = $name;
          }
        break;
        case 'tags_domain':
@@ -6335,21 +6259,9 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
      }
    break;
  }
-  if ($_action != 'get' && in_array($_type, array('domain', 'alias', 'alias_domain', 'resource', 'mailbox')) && getenv('SKIP_SOGO') != "y") {
+  if ($_action != 'get' && in_array($_type, array('domain', 'alias', 'alias_domain', 'resource')) && getenv('SKIP_SOGO') != "y") {
    try {
-      if (($_type == 'alias' || $_type == 'resource' || $_type == 'mailbox') && !empty($update_sogo_mailboxes)) {
-        // INCREMENTAL UPDATE: Update only affected mailboxes/resources
-        $update_sogo_mailboxes = array_unique($update_sogo_mailboxes);
-        foreach ($update_sogo_mailboxes as $mailbox) {
-          update_sogo_static_view($mailbox);
-        }
-      }
-      else {
-        // FULL REBUILD: For domain and alias_domain operations or if no tracked mailboxes
-        // Domain operations affect all mailboxes
-        // Alias_domain operations affect entire target domain
-        update_sogo_static_view();
-      }
+      update_sogo_static_view();
    }catch (PDOException $e) {
      $_SESSION['return'][] = array(
        'type' => 'success',
@@ -89,7 +89,7 @@ $globalVariables = [
  'app_links' => $app_links,
  'app_links_processed' => $app_links_processed,
  'is_root_uri' => (parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) == '/'),
-  'uri' => parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) ?: '/',
+  'uri' => $_SERVER['REQUEST_URI'],
 ];

 foreach ($globalVariables as $globalVariableName => $globalVariableValue) {
@@ -13,9 +13,7 @@ $twig = new Environment($loader, [

 // functions
 $twig->addFunction(new TwigFunction('query_string', function (array $params = []) {
-  $allowed = ['lang', 'mobileconfig'];
-  $filtered = array_intersect_key($_GET, array_flip($allowed));
-  return http_build_query(array_merge($filtered, $params));
+  return http_build_query(array_merge($_GET, $params));
 }));

 $twig->addFunction(new TwigFunction('is_uri', function (string $uri, string $where = null) {
@@ -112,7 +112,6 @@ $AVAILABLE_LANGUAGES = array(
  'sv-se' => 'Svenska (Swedish)',
  'tr-tr' => 'Türkçe (Turkish)',
  'uk-ua' => 'Українська (Ukrainian)',
-  'uz-uz' => 'Oʻzbekcha (Uzbek)',
  'vi-vn' => 'Tiếng Việt (Vietnamese)',
  'zh-cn' => '简体中文 (Simplified Chinese)',
  'zh-tw' => '繁體中文 (Traditional Chinese)',
@@ -345,7 +345,7 @@ $(document).ready(function() {
      $('.main-logo-dark').addClass('d-none');
      if ($('#rspamd_logo').length) $('#rspamd_logo').attr('src', '/img/rspamd_logo_dark.png');
      if ($('#rspamd_logo_sm').length) $('#rspamd_logo_sm').attr('src', '/img/rspamd_logo_dark.png');
-      localStorage.setItem('mailcow_theme', 'light');
+      localStorage.setItem('theme', 'light');
    }else{
      $('head').append('<link id="dark-mode-theme" rel="stylesheet" type="text/css" href="/css/themes/mailcow-darkmode.css">');
      $('#dark-mode-toggle').prop('checked', true);
@@ -353,7 +353,7 @@ $(document).ready(function() {
      $('.main-logo-dark').removeClass('d-none');
      if ($('#rspamd_logo').length) $('#rspamd_logo').attr('src', '/img/rspamd_logo_light.png');
      if ($('#rspamd_logo_sm').length) $('#rspamd_logo_sm').attr('src', '/img/rspamd_logo_light.png');
-      localStorage.setItem('mailcow_theme', 'dark');
+      localStorage.setItem('theme', 'dark');
    }
  }

@@ -1128,11 +1128,6 @@ jQuery(function($){
          item.ua = escapeHtml(item.ua);
        }
        item.ua = '<span style="font-size:small">' + item.ua + '</span>';
-        if (item.user == null) {
-          item.user = 'unknown';
-        } else {
-          item.user = escapeHtml(item.user);
-        }
        if (item.service == "activesync") {
          item.service = '<span class="badge fs-6 bg-info">ActiveSync</span>';
        }
@@ -1,6 +1,5 @@
 $(document).ready(function() {
-  var theme = localStorage.getItem("mailcow_theme");
-  if (theme !== null) {
-    localStorage.setItem("mailcow_theme", theme);
-  }
+  var theme = localStorage.getItem("theme");
+  localStorage.clear();
+  localStorage.setItem("theme", theme);
 });
@@ -424,11 +424,6 @@ $(document).ready(function() {
    } else {
      $('#force_pw_update').prop('checked', false);
    }
-    if (template.force_tfa == 1){
-      $('#force_tfa').prop('checked', true);
-    } else {
-      $('#force_tfa').prop('checked', false);
-    }
    if (template.sogo_access == 1){
      $('#sogo_access').prop('checked', true);
    } else {
@@ -1247,7 +1242,6 @@ jQuery(function($){
            item.attributes.eas_access = '<i class="text-' + (item.attributes.eas_access == 1 ? 'success' : 'danger') + ' bi bi-' + (item.attributes.eas_access == 1 ? 'check-lg' : 'x-lg') + '"><span class="sorting-value">' + (item.attributes.eas_access == 1 ? '1' : '0') + '</span></i>';
            item.attributes.dav_access = '<i class="text-' + (item.attributes.dav_access == 1 ? 'success' : 'danger') + ' bi bi-' + (item.attributes.dav_access == 1 ? 'check-lg' : 'x-lg') + '"><span class="sorting-value">' + (item.attributes.dav_access == 1 ? '1' : '0') + '</span></i>';
            item.attributes.sogo_access = '<i class="text-' + (item.attributes.sogo_access == 1 ? 'success' : 'danger') + ' bi bi-' + (item.attributes.sogo_access == 1 ? 'check-lg' : 'x-lg') + '"><span class="sorting-value">' + (item.attributes.sogo_access == 1 ? '1' : '0') + '</span></i>';
-            item.attributes.force_tfa = '<i class="text-' + (item.attributes.force_tfa == 1 ? 'success' : 'danger') + ' bi bi-' + (item.attributes.force_tfa == 1 ? 'check-lg' : 'x-lg') + '"><span class="sorting-value">' + (item.attributes.force_tfa == 1 ? '1' : '0') + '</span></i>';
            if (item.attributes.quarantine_notification === 'never') {
              item.attributes.quarantine_notification = lang.never;
            } else if (item.attributes.quarantine_notification === 'hourly') {
@@ -1391,11 +1385,6 @@ jQuery(function($){
            return 1==data?'<i class="bi bi-check-lg"></i>':'<i class="bi bi-x-lg"></i>';
          }
        },
-        {
-          title: lang.force_tfa,
-          data: 'attributes.force_tfa',
-          defaultContent: ''
-        },
        {
          title: lang_edit.ratelimit,
          data: 'attributes.ratelimit',
@@ -102,21 +102,18 @@ jQuery(function($){
        {
          title: 'ID',
          data: 'id',
-          defaultContent: '',
-          render: $.fn.dataTable.render.text()
+          defaultContent: ''
        },
        {
          title: lang.qid,
          data: 'qid',
-          defaultContent: '',
-          render: $.fn.dataTable.render.text()
+          defaultContent: ''
        },
        {
          title: lang.sender,
          data: 'sender',
          className: 'senders-mw220',
-          defaultContent: '',
-          render: $.fn.dataTable.render.text()
+          defaultContent: ''
        },
        {
          title: lang.subj,
@@ -131,8 +128,7 @@ jQuery(function($){
        {
          title: lang.rcpt,
          data: 'rcpt',
-          defaultContent: '',
-          render: $.fn.dataTable.render.text()
+          defaultContent: ''
        },
        {
          title: lang.danger,
@@ -230,18 +226,18 @@ jQuery(function($){
        }
        if (typeof data.fuzzy_hashes === 'object' && data.fuzzy_hashes !== null && data.fuzzy_hashes.length !== 0) {
          $.each(data.fuzzy_hashes, function (index, value) {
-            $('#qid_detail_fuzzy').append('<p style="font-family:monospace">' + escapeHtml(value) + '</p>');
+            $('#qid_detail_fuzzy').append('<p style="font-family:monospace">' + value + '</p>');
          });
        } else {
          $('#qid_detail_fuzzy').append('-');
        }
        if (typeof data.score !== 'undefined' && typeof data.action !== 'undefined') {
          if (data.action == "add header") {
-            $('#qid_detail_score').append('<span class="label-rspamd-action badge fs-6 bg-warning"><b>' + escapeHtml(data.score) + '</b> - ' + lang.junk_folder + '</span>');
+            $('#qid_detail_score').append('<span class="label-rspamd-action badge fs-6 bg-warning"><b>' + data.score + '</b> - ' + lang.junk_folder + '</span>');
          } else if (data.action == "reject") {
-            $('#qid_detail_score').append('<span class="label-rspamd-action badge fs-6 bg-danger"><b>' + escapeHtml(data.score) + '</b> - ' + lang.rejected + '</span>');
+            $('#qid_detail_score').append('<span class="label-rspamd-action badge fs-6 bg-danger"><b>' + data.score + '</b> - ' + lang.rejected + '</span>');
          } else if (data.action == "rewrite subject") {
-            $('#qid_detail_score').append('<span class="label-rspamd-action badge fs-6 bg-warning"><b>' + escapeHtml(data.score) + '</b> - ' + lang.rewrite_subject + '</span>');
+            $('#qid_detail_score').append('<span class="label-rspamd-action badge fs-6 bg-warning"><b>' + data.score + '</b> - ' + lang.rewrite_subject + '</span>');
          }
        }
        if (typeof data.recipients !== 'undefined') {
@@ -258,8 +254,8 @@ jQuery(function($){
          qAtts.text('');
          $.each(data.attachments, function(index, value) {
            qAtts.append(
-              '<p><a href="/inc/ajax/qitem_details.php?id=' + escapeHtml(qitem) + '&amp;att=' + index + '" target="_blank">' + escapeHtml(value[0]) + '</a> (' + escapeHtml(value[1]) + ')' +
-              ' - <small><a href="' + escapeHtml(value[3]) + '" target="_blank">' + lang.check_hash + '</a></small></p>'
+              '<p><a href="/inc/ajax/qitem_details.php?id=' + qitem + '&att=' + index + '" target="_blank">' + value[0] + '</a> (' + value[1] + ')' +
+              ' - <small><a href="' + value[3] + '" target="_blank">' + lang.check_hash + '</a></small></p>'
            );
          });
        }
@@ -48,13 +48,13 @@ jQuery(function($){
      url: "/api/v1/get/mailq/all",
      dataSrc: function(data){
        $.each(data, function (i, item) {
-          item.chkbox = '<input type="checkbox" class="form-check-input" data-id="mailqitems" name="multi_select" value="' + escapeHtml(item.queue_id) + '" />';
+          item.chkbox = '<input type="checkbox" class="form-check-input" data-id="mailqitems" name="multi_select" value="' + item.queue_id + '" />';
          rcpts = $.map(item.recipients, function(i) {
            return escapeHtml(i);
          });
          item.recipients = rcpts.join('<hr style="margin:1px!important">');
          item.action = '<div class="btn-group">' +
-            '<a href="#" data-bs-toggle="modal" data-bs-target="#showQueuedMsg" data-queue-id="' + escapeHtml(item.queue_id) + '" class="btn btn-xs btn-secondary">' + lang.show_message + '</a>' +
+            '<a href="#" data-bs-toggle="modal" data-bs-target="#showQueuedMsg" data-queue-id="' + encodeURI(item.queue_id) + '" class="btn btn-xs btn-secondary">' + lang.show_message + '</a>' +
            '</div>';
          });
          return data;
@@ -79,14 +79,12 @@ jQuery(function($){
        {
          title: 'QID',
          data: 'queue_id',
-          defaultContent: '',
-          render: $.fn.dataTable.render.text()
+          defaultContent: ''
        },
        {
          title: 'Queue',
          data: 'queue_name',
-          defaultContent: '',
-          render: $.fn.dataTable.render.text()
+          defaultContent: ''
        },
        {
          title: lang_admin.arrival_time,
@@ -108,8 +106,7 @@ jQuery(function($){
        {
          title: lang_admin.sender,
          data: 'sender',
-          defaultContent: '',
-          render: $.fn.dataTable.render.text()
+          defaultContent: ''
        },
        {
          title: lang_admin.recipients,
@@ -98,8 +98,8 @@ jQuery(function($){
              var local_datetime = datetime.toLocaleDateString(undefined, {year: "numeric", month: "2-digit", day: "2-digit", hour: "2-digit", minute: "2-digit", second: "2-digit"});
              var service = '<div class="badge bg-secondary">' + item.service.toUpperCase() + '</div>';
              var app_password = item.app_password ? ' <a href="/edit/app-passwd/' + item.app_password + '"><i class="bi bi-key-fill"></i><span class="ms-1">' + escapeHtml(item.app_password_name || "App") + '</span></a>' : '';
-              var real_rip = item.real_rip.startsWith("Web") ? escapeHtml(item.real_rip) : '<a href="https://bgp.tools/prefix/' + escapeHtml(item.real_rip) + '" target="_blank">' + escapeHtml(item.real_rip) + "</a>";
-              var ip_location = item.location ? ' <span class="flag-icon flag-icon-' + escapeHtml(item.location.toLowerCase()) + '"></span>' : '';
+              var real_rip = item.real_rip.startsWith("Web") ? item.real_rip : '<a href="https://bgp.tools/prefix/' + item.real_rip + '" target="_blank">' + item.real_rip + "</a>";
+              var ip_location = item.location ? ' <span class="flag-icon flag-icon-' + item.location.toLowerCase() + '"></span>' : '';
              var ip_data = real_rip + ip_location + app_password;

              $(".last-sasl-login").append(`
@@ -1,17 +0,0 @@
-{
-    "acl": {
-        "login_as": "E-poçt qutusu istifadəçisi olaraq daxil ol",
-        "alias_domains": "Alternativ domenlər əlavə et",
-        "app_passwds": "Tətbiq parollarını idarə et",
-        "bcc_maps": "BCC yönləndirmə xəritələri",
-        "delimiter_action": "Ayırıcı əməliyyatı",
-        "domain_desc": "Domen təsvirini dəyiş",
-        "domain_relayhost": "Domen üçün relay serveri dəyiş",
-        "eas_reset": "EAS cihazlarını sıfırla",
-        "extend_sender_acl": "Göndərən ACL-ni xarici ünvanlarla genişləndirməyə icazə ver",
-        "filters": "Filtrlər",
-        "mailbox_relayhost": "E-poçt qutusu üçün relay serveri dəyiş",
-        "prohibited": "ACL tərəfindən məhdudlaşdırılıb",
-        "protocol_access": "Protokol girişini dəyiş"
-    }
-}
@@ -150,7 +150,7 @@
        "arrival_time": "Ankunftszeit (Serverzeit)",
        "authed_user": "Auth. Benutzer",
        "ays": "Soll der Vorgang wirklich ausgeführt werden?",
-        "ban_list_info": "Übersicht ausgesperrter Netzwerke: <b>Netzwerk (verbleibende Bannzeit) - [Aktionen]</b>.<br />IPs, die zum Entsperren eingereiht werden, verlassen die Liste aktiver Banns nach wenigen Sekunden.<br />Rote Labels kennzeichnen aktive permanente Sperren durch Denylisting.",
+        "ban_list_info": "Übersicht ausgesperrter Netzwerke: <b>Netzwerk (verbleibende Bannzeit) - [Aktionen]</b>.<br />IPs, die zum Entsperren eingereiht werden, verlassen die Liste aktiver Banns nach wenigen Sekunden.<br />Rote Labels sind Indikatoren für aktive Allowlist-Einträge.",
        "change_logo": "Logo ändern",
        "configuration": "Konfiguration",
        "convert_html_to_text": "Konvertiere HTML zu reinem Text",
@@ -512,7 +512,6 @@
        "pushover_credentials_missing": "Pushover Token und/oder Key fehlen",
        "pushover_key": "Pushover Key hat das falsche Format",
        "pushover_token": "Pushover Token hat das falsche Format",
-        "quarantine_category_invalid": "Quarantäne-Kategorie muss eine der folgenden sein: add_header, reject, all",
        "quota_not_0_not_numeric": "Speicherplatz muss numerisch und >= 0 sein",
        "recipient_map_entry_exists": "Eine Empfängerumschreibung für Objekt \"%s\" existiert bereits",
        "recovery_email_failed": "E-Mail zur Wiederherstellung konnte nicht gesendet werden. Bitte wenden Sie sich an Ihren Administrator.",
@@ -513,7 +513,6 @@
        "pushover_credentials_missing": "Pushover token and or key missing",
        "pushover_key": "Pushover key has a wrong format",
        "pushover_token": "Pushover token has a wrong format",
-        "quarantine_category_invalid": "Quarantine category must be one of: add_header, reject, all",
        "quota_not_0_not_numeric": "Quota must be numeric and >= 0",
        "recipient_map_entry_exists": "A Recipient map entry \"%s\" exists",
        "recovery_email_failed": "Could not send a recovery email. Please contact your administrator.",
@@ -929,7 +928,6 @@
        "filters": "Filters",
        "fname": "Full name",
        "force_pw_update": "Force password update at next login",
-        "force_tfa": "TFA",
        "gal": "Global Address List",
        "goto_ham": "Learn as <b>ham</b>",
        "goto_spam": "Learn as <b>spam</b>",
@@ -1144,8 +1144,7 @@
        "subscribeall": "Feliratkozás minden mappára",
        "syncjob": "Szinkronizálási feladat hozzáadása",
        "internal": "Belső",
-        "internal_info": "Belső álnevek csak a saját domain vagy domain álnév számára elérhető.",
-        "sender_allowed": "Küldés engedélyezése ezzel az aliasszal"
+        "internal_info": "Belső álnevek csak a saját domain vagy domain álnév számára elérhető."
    },
    "danger": {
        "access_denied": "Hozzáférés megtagatva vagy nem megfelelő űrlap adat",
@@ -1246,21 +1245,6 @@
        "pushover_key": "A pushover kulcs rossz formátumú",
        "pushover_token": "A Pushover token rossz formátumú",
        "quota_not_0_not_numeric": "A kvótának numerikusnak és >= 0-nak kell lennie.",
-        "recipient_map_entry_exists": "Létezik egy \"%s\" címzett-térkép bejegyzés",
-        "redis_error": "Redis hiba lépett fel: %s",
-        "relayhost_invalid": "A(z) %s elem érvénytelen a leképezésben.",
-        "release_send_failed": "Az üzenet felszabadítása sikertelen: %s",
-        "reset_f2b_regex": "A regex-szűrő időtúllépés miatt nem állt le. Próbálja újra, vagy várjon egy kicsit, és töltse újra az oldalt.",
-        "resource_invalid": "A(z) %s erőforrásnév érvénytelen",
-        "rl_timeframe": "Érvénytelen időkeret a lekérdezési korláthoz",
-        "rspamd_ui_pw_length": "A Rspamd UI jelszónak legalább 6 karakter hosszúnak kell lennie.",
-        "script_empty": "A szkript nem lehet üres",
-        "sender_acl_invalid": "A küldőhöz tartozó ACL-érték (%s) érvénytelen",
-        "set_acl_failed": "Az ACL beállítása meghiúsult",
-        "settings_map_invalid": "Érvénytelen beállítás-leképezési azonosító: %s",
-        "recovery_email_failed": "A helyreállítási email kiküldése sikertelen. Kérlek, lépj kapcsolatba az adminisztrátorral!",
-        "reset_token_limit_exceeded": "Túl sok visszaállítási kísérlet. Kérjük, várjon, mielőtt újra próbálkozna.",
-        "required_data_missing": "Hiányzik a(z) szükséges %s adat",
-        "tfa_removal_blocked": "A kétfaktoros hitelesítés nem távolítható el, mert elengedhetetlen a fiókod használatához."
+        "recipient_map_entry_exists": "Létezik egy \"%s\" címzett-térkép bejegyzés"
    }
 }
@@ -13,7 +13,7 @@
        "domain_relayhost": "Mainīt domēna relayhost",
        "eas_reset": "EAS ierīču atiestatīšana",
        "extend_sender_acl": "Ļauj paplašināt sūtītāja ACL ar ārējām adresēm",
-        "login_as": "Pieteikties kā pastkastes lietotājam",
+        "login_as": "Pieteikšanās kā pastkastes lietotājam",
        "mailbox_relayhost": "Pasta kastītes relayhost maiņa",
        "prohibited": "Aizliegts ar ACL",
        "protocol_access": "Protokola piekļuves maiņa",
@@ -91,12 +91,12 @@
        "activate_api": "Aktivizēt API",
        "active": "Aktīvs",
        "add": "Pievienot",
-        "add_domain_admin": "Pievienot domēna pārvaldītāju",
+        "add_domain_admin": "Pievienot domēna administratoru",
        "add_forwarding_host": "Pievienot pāradresācijas hostu",
        "add_relayhost": "Pievienot Relayhost",
        "add_row": "Pievienot rindu",
-        "admin": "Pārvaldītājs",
-        "admin_details": "Labot informāciju par pārvaldītāju",
+        "admin": "Administrators",
+        "admin_details": "Labot administratora detaļas",
        "admin_domains": "Domēna uzdevumi",
        "api_allow_from": "Atļaut API piekļuvi no šīm IP",
        "api_key": "API atslēga",
@@ -114,7 +114,7 @@
        "dkim_keys": "ARC/DKIM atslēgas",
        "dkim_private_key": "Privāta atslēga",
        "domain": "Domēns",
-        "domain_admins": "Domēna pārvaldītāji",
+        "domain_admins": "Domēna administratori",
        "edit": "Labot",
        "empty": "Nav iznākuma",
        "f2b_ban_time": "Aizlieguma laiks (s)",
@@ -188,14 +188,7 @@
        "quarantine_max_score": "Atmest paziņojumu, ja e-pasta ziņojuma mēstuļu novērtējums ir augstāks par šo vērtību:<br><small>Noklusējums ir 9999.0</small>",
        "options": "Iespējas",
        "password_reset_settings": "Paroļu atkopes iestatījumi",
-        "password_settings": "Paroļu iestatījumi",
-        "add_admin": "Pievienot pārvaldītāju",
-        "admins": "Pārvaldītāji",
-        "admins_ldap": "LDAP pārvaldītāji",
-        "admin_quicklink": "Paslēpt ātro saiti uz pārvaldītāju pieteikšanās lapu",
-        "domain_admin": "Domēna pārvaldītājs",
-        "domainadmin_quicklink": "Paslēpt ātro saiti uz domēna pārvaldītāju pieteikšanās lapu",
-        "user_quicklink": "Paslēpt ātro saiti uz lietotāju pieteikšanās lapu"
+        "password_settings": "Paroļu iestatījumi"
    },
    "danger": {
        "access_denied": "Piekļuve liegta, vai nepareizi dati",
@@ -251,10 +244,7 @@
        "app_passwd_id_invalid": "Lietotnes paroles Id %s ir nederīgs",
        "img_dimensions_exceeded": "Attēls pārsniedz lielāko pieļaujamo attēla lielumu",
        "img_size_exceeded": "Attēls pārsniedz lielāko pieļaujamo datnes lielumu",
-        "version_invalid": "Versija %s ir nederīga",
-        "generic_server_error": "Atgadījās neparedzēta servera kļūda. Lūgums sazināties ar pārvaldītāju.",
-        "password_reset_na": "Paroļu atkope šobrīd nav pieejama. Lūgums sazināties ar pārvaldītāju.",
-        "recovery_email_failed": "Nevarēja nosūtīt atkopes e-pasta ziņojumu. Lūgums sazināties ar pārvaldītāju."
+        "version_invalid": "Versija %s ir nederīga"
    },
    "diagnostics": {
        "cname_from_a": "Vērtība, kas iegūta no A/AAAA ieraksta. Tas tiek atbalstīts tik ilgi, kamēr ieraksts norāda uz pareizo resursu.",
@@ -276,7 +266,7 @@
        "delete2duplicates": "Izdzēst atkārtojošos vienumus galamērķī",
        "description": "Apraksts",
        "domain": "Labot domēnu",
-        "domain_admin": "Labot domēna pārvaldītāju",
+        "domain_admin": "Labot domēna administratoru",
        "domain_quota": "Domēna kvota",
        "domains": "Domēni",
        "dont_check_sender_acl": "Atspējot sūtītāju pārbaudi domēnam %s (+ aizstājdomēni)",
@@ -339,8 +329,7 @@
        "app_passwd": "Lietotnes parole",
        "mta_sts_version": "Versija",
        "mta_sts_version_info": "Norāda MTA-STS standarta versiju – pašreiz ir derīga tikai <code>STSv1</code>.",
-        "sender_acl_disabled": "<span class=\"badge fs-6 bg-danger\">Sūtītāja pārbaude ir atspējota</span>",
-        "admin": "Labot pārvaldītāju"
+        "sender_acl_disabled": "<span class=\"badge fs-6 bg-danger\">Sūtītāja pārbaude ir atspējota</span>"
    },
    "footer": {
        "cancel": "Atcelt",
@@ -373,14 +362,7 @@
        "username": "Lietotājvārds",
        "fido2_webauthn": "FIDO/WebAuthn pieteikšanās",
        "mobileconfig_info": "Lūgums pieteikties kā pastkastes lietotājam, lai lejupielādētu pieprasīto Apple savienojuma profilu.",
-        "other_logins": "vai pieteikties ar",
-        "forgot_password": "> Aizmirsta parole?",
-        "login_linkstext": "Nepareiza pieteikšanās?",
-        "login_domainadmintext": "Pieteikties kā domēna pārvaldītājam",
-        "login_admintext": "Pieteikties kā pārvaldītājam",
-        "login_user": "Lietotu pieteikšanās",
-        "login_dadmin": "Domēna pārvaldītāju pieteikšanās",
-        "login_admin": "Pārvaldītāju pieteikšanās"
+        "other_logins": "vai pieslēgties ar"
    },
    "mailbox": {
        "action": "Rīcība",
@@ -415,7 +397,7 @@
        "description": "Apraksts",
        "dkim_key_length": "DKIM atslēgas garums (bits)",
        "domain": "Domēns",
-        "domain_admins": "Domēna pārvaldītāji",
+        "domain_admins": "Domēna administratori",
        "domain_aliases": "Domēna aizstājvārdi",
        "domain_quota": "Kvota",
        "domain_quota_total": "Kopējais domēna ierobežojums",
@@ -525,7 +507,7 @@
        "imap_smtp_server_auth_info": "Lūgums izmantot pilnu e-pasta adresi un PLAIN autentificēšanās mehānismu.<br>\nPieteikšanās dati tiks šifrēti ar servera puses obligātu šifrēšanu."
    },
    "success": {
-        "admin_modified": "Pārvaldītāja izmaiņas tika saglabātas",
+        "admin_modified": "Izmaiņas administrātoram ir saglabātas",
        "alias_added": "Aizstājadrese %s (%d) tika pievienota",
        "alias_domain_removed": "Aizstājdomēns %s tika noņemts",
        "alias_modified": "Aizstājadreses izmaiņas %s tika saglabātas",
@@ -536,9 +518,9 @@
        "dkim_added": "DKIM atslēga saglabāta",
        "dkim_removed": "DKIM atslēga %s ir noņemta",
        "domain_added": "Pievienots domēns %s",
-        "domain_admin_added": "Tika pievienots domēna pārvaldītājs %s",
-        "domain_admin_modified": "Domēna pārvaldītāja %s izmaiņas tika saglabātas",
-        "domain_admin_removed": "Tika noņemts domēna pārvaldītājs %s",
+        "domain_admin_added": "Domēna administrātors %s pievienots",
+        "domain_admin_modified": "Izmaiņas domēna administrātoram %s ir saglabātas",
+        "domain_admin_removed": "Domēna administrators %s tika noņemts",
        "domain_modified": "Izmaiņas domēnam %s ir saglabātas",
        "domain_removed": "Domēns %s ir noņemts",
        "eas_reset": "ActiveSync ierīces priekš lietotāja %s tika atiestatītas",
@@ -566,9 +548,7 @@
        "verified_yotp_login": "Apliecināta Yubico OTP pieteikšanās",
        "app_passwd_removed": "Noņemta lietotnes parole ar Id %s",
        "app_passwd_added": "Pievienota jauna lietotnes parole",
-        "f2b_banlist_refreshed": "Liegumu saraksta Id tika sekmīgi atsvaidzināts.",
-        "admin_added": "Tika pievienots pārvaldītājs %s",
-        "admin_removed": "Tika noņemts pārvaldītājs %s"
+        "f2b_banlist_refreshed": "Liegumu saraksta Id tika sekmīgi atsvaidzināts."
    },
    "tfa": {
        "api_register": "%s izmanto Yubico Cloud API. Lūdzu iegūstiet API atslēgu priekš Jūsu atslēgas<a href=\"https://upgrade.yubico.com/getapikey/\" target=\"_blank\">here</a>",
@@ -589,8 +569,7 @@
        "waiting_usb_auth": "<i>Gaida USB ierīci...</i><br><br>Lūdzu, tagad nospiežiet pogu uz Jūsu WebAuthn USB ierīces.",
        "waiting_usb_register": "<i>Gaida USB ierīci...</i><br><br>Lūgums augstāk ievadīt savu paroli un apstiprināt reģistrēšanos ar USB ierīces pogas nospiešanu.",
        "yubi_otp": "Yubico OTP autentifikators",
-        "authenticators": "Autentificētāji",
-        "u2f_deprecated_important": "Lūgums reģistrēt savu atslēgu pārvaldības lapā ar jauno WebAuthn veidu."
+        "authenticators": "Autentificētāji"
    },
    "user": {
        "action": "Rīcība",
@@ -722,8 +701,7 @@
    "warning": {
        "domain_added_sogo_failed": "Domēns pievienots, bet neizdevās pārsāknēt SOGO. Lūgums pārbaudīt servera žurnālus.",
        "dovecot_restart_failed": "Dovecot neizdevās pārsāknēties. Lūgums pārbaudīt žurnālus",
-        "is_not_primary_alias": "Izlaists aizstājvārds %s, kas nav galvenais",
-        "no_active_admin": "Nevar deaktivēt pēdējo aktīvo pārvaldītāju"
+        "is_not_primary_alias": "Izlaists aizstājvārds %s, kas nav galvenais"
    },
    "oauth2": {
        "access_denied": "Lūgums pieteikties kā pastkastes īpašniekam, lai nodrošinātu piekļuvi ar OAuth2."
@@ -26,9 +26,7 @@
        "syncjobs": "Sync jobs",
        "tls_policy": "Versleutelingsbeleid",
        "unlimited_quota": "Onbeperkte quota voor mailboxen",
-        "domain_desc": "Wijzig domeinbeschrijving",
-        "pw_reset": "Toegang om mailcow gebruikers wachtwoord te resetten",
-        "domain_relayhost": "Verander relayhost voor een domein"
+        "domain_desc": "Wijzig domeinbeschrijving"
    },
    "add": {
        "activate_filter_warn": "Alle andere filters worden gedeactiveerd zolang deze geactiveerd is.",
@@ -106,11 +104,7 @@
        "validate": "Verifieer",
        "validation_success": "Succesvol geverifieerd",
        "tags": "Tags",
-        "bcc_dest_format": "BCC-bestemming moet één geldig e-mailadres zijn.<br>Als u een kopie naar meerdere adressen wilt sturen, maak dan een alias aan en gebruik die hier.",
-        "dry": "Synchronisatie simuleren",
-        "internal": "Intern",
-        "internal_info": "Interne aliassen zijn alleen toegankelijk vanuit het eigen (alias)domein.",
-        "sender_allowed": "Toestaan om te verzenden als deze alias"
+        "bcc_dest_format": "BCC-bestemming moet één geldig e-mailadres zijn.<br>Als u een kopie naar meerdere adressen wilt sturen, maak dan een alias aan en gebruik die hier."
    },
    "admin": {
        "access": "Toegang",
@@ -144,7 +138,7 @@
        "arrival_time": "Aankomsttijd",
        "authed_user": "Geauthenticeerde gebruiker",
        "ays": "Weet je zeker dat je deze actie wilt uitvoeren?",
-        "ban_list_info": "Bekijk de lijst met verbannen IP-adressen hieronder: <b>netwerk (resterende tijd) - [acties]</b>.<br />IP-adressen die in de wachtrij staan om te worden gedeblokkeerd, worden binnen enkele seconden uit de actieve banlijst verwijderd.<br />\n<br />Rode labels geven actieve permanente blokkades door denylisting aan.",
+        "ban_list_info": "Bekijk de lijst met verbannen IP-adressen hieronder: <b>netwerk (resterende tijd) - [acties]</b>.<br />Rode labels geven een permanente verbanning aan.<br />Het kan enkele seconden duren voordat wijzigingen hieronder zichtbaar zijn.",
        "change_logo": "Logo",
        "configuration": "Instellingen",
        "convert_html_to_text": "Converteer HTML naar plaintext",
@@ -177,7 +171,7 @@
        "excludes": "Exclusief",
        "f2b_ban_time": "Verbanningstijd (s)",
        "f2b_ban_time_increment": "Verbanningstijd wordt verhoogd met elk verbanning",
-        "f2b_blacklist": "Netwerken/hosts op de denylist",
+        "f2b_blacklist": "Netwerken/hosts op de blacklist",
        "f2b_filter": "Regex-filters",
        "f2b_list_info": "Een host of netwerk op de blacklist staat altijd boven eenzelfde op de whitelist. <b>Het doorvoeren van wijzigingen kan enkele seconden in beslag nemen.</b>",
        "f2b_max_attempts": "Maximaal aantal pogingen",
@@ -212,7 +206,7 @@
        "link": "Link",
        "loading": "Even geduld aub...",
        "logo_info": "De afbeelding zal worden geschaald naar een hoogte van 40px voor de navigatiebar, en naar een breedte van 250px voor de startpagina.",
-        "lookup_mx": "Bestemming is een reguliere expressie die wordt gematcht met de MX-naam (<code>.*\\.google\\.com</code> om alle e-mail die gericht is aan een MX die eindigt op google.com via deze hop te routeren)",
+        "lookup_mx": "Match bestemming aan MX (gebruik .outlook.com om alle mail gericht aan MX *.outlook.com over deze hop te laten gaan)",
        "main_name": "\"Mailcow\"",
        "merged_vars_hint": "Grijze rijen zijn samengevoegd van <code>vars.(local.)inc.php</code> en kunnen niet worden gewijzigd.",
        "message": "Bericht",
@@ -281,7 +275,7 @@
        "rspamd_com_settings": "Een beschrijving voor deze instelling zal automatisch worden gegenereerd, gebruik de onderstaande presets als voorbeeld. Raadpleeg de <a href=\"https://rspamd.com/doc/configuration/settings.html#settings-structure\" target=\"_blank\">Rspamd-documentatie</a> voor meer informatie.",
        "rspamd_global_filters": "Globale filters",
        "rspamd_global_filters_agree": "Ik ben me ervan bewust dat aanpassingen desastreuze gevolgen kunnen hebben",
-        "rspamd_global_filters_info": "Globale filtermaps bevatten verschillende soorten globale deny- en allowlists.",
+        "rspamd_global_filters_info": "Ieder globaal filter heeft zijn eigen functie, zie de namen.",
        "rspamd_global_filters_regex": "De velden kunnen uitsluitend regular expressions bevatten met het formaat \"/pattern/options\", bijvoorbeeld <code>/.+@domain\\.tld/i</code>.<br>Ondanks dat alle invoer wordt gecontroleerd op fouten, is het toch mogelijk dat Rspamd onbruikbaar wordt als deze de invoer niet kan lezen.<br>Als je problemen ervaart, <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">herstart Rspamd</a> dan om de filters opnieuw te laten lezen.<br>Elementen op de blacklist zijn uitgesloten van de quarantaine.",
        "rspamd_settings_map": "Rspamd",
        "sal_level": "Moo-level",
@@ -343,71 +337,7 @@
        "admins_ldap": "LDAP administrators",
        "api_read_only": "Alleen-lezen toegang",
        "api_read_write": "Lees en schrijf toegang",
-        "login_time": "Login tijd",
-        "admin_quicklink": "Snelle link naar de admin-loginpagina verbergen",
-        "allowed_methods": "Toegestane toegangsmethoden",
-        "app_hide": "Verberg voor login",
-        "copy_to_clipboard": "Tekst gekopieerd naar het klembord!",
-        "login_page": "Loginpagina",
-        "domainadmin_quicklink": "Snelle link naar de domeinbeheerder-loginpagina verbergen",
-        "f2b_manage_external": "Fail2Ban extern beheren",
-        "f2b_manage_external_info": "Fail2Ban zal nog steeds de banlijst bijhouden, maar zal niet actief regels instellen om verkeer te blokkeren. Gebruik de onderstaande gegenereerde banlijst om het verkeer extern te blokkeren.",
-        "filter": "Filter",
-        "force_sso_text": "Als een externe OIDC-provider is geconfigureerd, verbergt deze optie de standaard Mailcow-loginformulieren en wordt alleen de Single SignOn-knop weergegeven.",
-        "force_sso": "Mailcow-login uitschakelen en alleen Single SignOn tonen",
-        "iam": "Identiteitsprovider",
-        "iam_attribute_field": "Attribuutveld",
-        "iam_authorize_url": "Autorisatie endpoint",
-        "iam_auth_flow": "Autorisatie flow",
-        "iam_auth_flow_info": "Naast de Authorization Code Flow (Standard Flow in Keycloak), die wordt gebruikt voor Single SignOn-login, ondersteunt Mailcow ook een authenticatiestroom met directe inloggegevens. De Mailpassword Flow probeert de gebruikersgegevens te valideren door gebruik te maken van de Keycloak Admin REST API. Mailcow haalt het gehashte wachtwoord op uit het attribuut <code>mailcow_password</code>, dat in Keycloak is gekoppeld.",
-        "iam_client_id": "Client ID",
-        "iam_client_secret": "Client Secret",
-        "iam_client_scopes": "Clientscopes",
-        "iam_default_template": "Standaardsjabloon",
-        "iam_default_template_description": "Als er geen sjabloon aan een gebruiker is toegewezen, wordt het standaardsjabloon gebruikt voor het aanmaken van de mailbox, maar niet voor het bijwerken van de mailbox.",
-        "iam_description": "Configureer een externe provider voor authenticatie. De mailboxen van gebruikers worden automatisch aangemaakt bij hun eerste login, mits er een attribuutkoppeling is ingesteld.",
-        "iam_extra_permission": "Om de volgende instellingen te laten werken, heeft de mailcow-client in Keycloak een <code>service account</code> nodig en de toestemming <code>view-users</code>.",
-        "iam_host": "Hostname",
-        "iam_host_info": "Voer één of meerdere LDAP-hosts in, gescheiden door komma’s.",
-        "iam_import_users": "Importeer gebruikers",
-        "iam_login_provisioning": "Gebruikers automatisch aanmaken bij het inloggen",
-        "iam_mapping": "Attribuutkoppeling",
-        "iam_bindpass": "Bind-wachtwoord",
-        "iam_periodic_full_sync": "Periodieke volledige synchronisatie",
-        "iam_port": "Poort",
-        "iam_realm": "Realm",
-        "iam_redirect_url": "Redirect-URL",
-        "iam_rest_flow": "Mailwachtwoord-flow",
-        "iam_server_url": "Server Url",
-        "iam_sso": "Single SignOn",
-        "iam_sync_interval": "Synchronisatie-/importinterval (min)",
-        "iam_test_connection": "Verbinding testen",
-        "iam_token_url": "Token endpoint",
-        "iam_userinfo_url": "Gebruikersinfo endpoint",
-        "iam_username_field": "Gebruikersnaam veld",
-        "iam_use_ssl": "Gebruik SSL",
-        "iam_use_ssl_info": "Als SSL wordt ingeschakeld en de poort is ingesteld op 389, wordt deze automatisch aangepast naar 636.",
-        "iam_use_tls": "Gebruik StartTLS",
-        "iam_use_tls_info": "Als TLS wordt ingeschakeld, moet je de standaardpoort voor je LDAP-server (389) gebruiken. SSL-poorten kunnen niet worden gebruikt.",
-        "iam_version": "Versie",
-        "ignore_ssl_error": "Negeer SSL foutmeldingen",
-        "ip_check_opt_in": "Kies ervoor om de externe diensten <strong>ipv4.mailcow.email</strong> en <strong>ipv6.mailcow.email</strong> te gebruiken om externe IP-adressen te bepalen.",
-        "needs_restart": "vereist een herstart",
-        "no": "&#10005;",
-        "password_reset_info": "Als er geen herstel-e-mailadres is opgegeven, kan deze functie niet worden gebruikt.",
-        "password_reset_settings": "Instellingen voor wachtwoordherstel",
-        "password_reset_tmpl_html": "HTML sjabloon",
-        "password_reset_tmpl_text": "Tekst sjabloon",
-        "password_settings": "Wachtwoordinstellingen",
-        "quicklink_text": "Toon of verberg snelle links naar andere inlogpagina’s onder het inlogformulier",
-        "queue_unban": "deblokkeren",
-        "reset_password_vars": "<code>{{link}}</code> De gegenereerde link om het wachtwoord te resetten<br><code>{{username}}</code> De mailboxnaam van de gebruiker die het wachtwoordherstel heeft aangevraagd<br><code>{{username2}}</code> De naam van de herstelmailbox<br><code>{{date}}</code> De datum waarop het verzoek tot wachtwoordherstel is gedaan<br><code>{{token_lifetime}}</code> De geldigheidsduur van de token in minuten<br><code>{{hostname}}</code> De mailcow-hostnaam",
-        "restore_template": "Leeg laten om het standaardsjabloon te herstellen.",
-        "task": "Taak",
-        "transport_test_rcpt_info": "&#8226; Gebruik null@hosted.mailcow.de om relaying naar een externe bestemming te testen.",
-        "user_link": "Gebruikerslink",
-        "user_quicklink": "Snelle link naar de gebruikers-loginpagina verbergen",
-        "yes": "&#10003;"
+        "login_time": "Login tijd"
    },
    "danger": {
        "access_denied": "Toegang geweigerd of ongeldige gegevens",
@@ -533,27 +463,7 @@
        "demo_mode_enabled": "Demo modus is ingeschakeld",
        "template_exists": "Sjabloon %s bestaat al",
        "template_id_invalid": "Sjabloon ID %s ongeldig",
-        "template_name_invalid": "Sjabloon naam ongeldig",
-        "tfa_removal_blocked": "Twee-factor-authenticatie kan niet worden verwijderd omdat dit vereist is voor uw account.",
-        "authsource_in_use": "De identiteitsprovider kan niet worden gewijzigd of verwijderd omdat deze momenteel door één of meerdere gebruikers wordt gebruikt.",
-        "cors_invalid_origin": "Ongeldige Allow-Origin opgegeven",
-        "extended_sender_acl_denied": "Ontbrekende ACL om externe afzenderadressen in te stellen",
-        "generic_server_error": "Er is een onverwachte serverfout opgetreden. Neem contact op met uw beheerder.",
-        "iam_test_connection": "Verbinding mislukt",
-        "img_dimensions_exceeded": "De afbeelding overschrijdt de maximale afbeeldingsgrootte",
-        "img_size_exceeded": "De afbeelding overschrijdt de maximale afbeeldingsgrootte",
-        "invalid_reset_token": "Ongeldige reset-token",
-        "max_age_invalid": "Maximale leeftijd %s is ongeldig",
-        "mode_invalid": "Mode %s is ongeldig",
-        "mx_invalid": "MX-record %s is ongeldig",
-        "password_reset_invalid_user": "Mailbox niet gevonden of er is geen herstel-e-mailadres ingesteld",
-        "password_reset_na": "Wachtwoordherstel is momenteel niet beschikbaar. Neem contact op met uw beheerder.",
-        "recovery_email_failed": "Kon geen herstel-e-mail verzenden. Neem contact op met uw beheerder.",
-        "required_data_missing": "Vereiste gegevens %s ontbreken",
-        "reset_token_limit_exceeded": "De limiet voor reset-tokens is overschreden. Probeer het later opnieuw.",
-        "to_invalid": "Ontvanger mag niet leeg zijn",
-        "webauthn_username_failed": "De geselecteerde authenticator behoort tot een ander account",
-        "version_invalid": "Versie %s is ongeldig"
+        "template_name_invalid": "Sjabloon naam ongeldig"
    },
    "debug": {
        "chart_this_server": "Grafiek (deze server)",
@@ -610,7 +520,7 @@
        "alias": "Wijzig alias",
        "allow_from_smtp": "Sta enkel de volgende IP-adressen toe voor <b>SMTP</b>",
        "allow_from_smtp_info": "Laat leeg om alle afzenders toe te staan.<br>IPv4/IPv6-adressen en netwerken.",
-        "allowed_protocols": "Toegestane protocollen voor directe gebruikerstoegang (heeft geen invloed op protocollen voor app-wachtwoorden).",
+        "allowed_protocols": "Toegestane protocollen",
        "app_name": "Naam van app",
        "app_passwd": "Appwachtwoord",
        "automap": "Probeer mappen automatisch te koppelen (\"Verzonden items\", \"Verzonden\" => \"Verzonden\" etc.)",
@@ -695,7 +605,7 @@
        "sogo_visible_info": "Wanneer verborgen zal een alias niet worden weergegeven als een selecteerbaar verzendadres. Deze optie beïnvloedt uitsluitend objecten die kunnen worden weergegeven in SOGo (gedeelde of niet-gedeelde aliasadressen die naar minstens één mailbox verwijzen).",
        "spam_alias": "Maak een nieuw tijdelijk alias aan, of pas deze aan",
        "spam_filter": "Spamfilter",
-        "spam_policy": "Voeg items toe of verwijder items van de deny- en allowlists",
+        "spam_policy": "Voeg items toe of verwijder items van de white- of blacklist",
        "spam_score": "Stel een aangepaste spamscore in",
        "subfolder2": "Synchroniseer in submap op bestemming<br><small>(leeg = gebruik geen submappen)</small>",
        "syncjob": "Wijzig sync job",
@@ -714,47 +624,7 @@
        "acl": "ACL (Toestemming)",
        "domain_footer": "Domeinbreede footer",
        "domain_footer_html": "HTML footer",
-        "mailbox_relayhost_info": "Wordt alleen toegepast op de mailbox en directe aliassen, maar heft een domein relayhost op.",
-        "custom_attributes": "Aangepaste attributen",
-        "domain_footer_info_vars": {
-            "auth_user": "{= auth_user =}   - Geauthenticeerde gebruikersnaam opgegeven door een MTA",
-            "from_user": "{= from_user =}   - Afzendergedeelte van het e-mailadres, bijvoorbeeld bij \"moo@mailcow.tld\" wordt \"moo\" teruggegeven",
-            "from_name": "{= from_name =}   - Naam van de afzender, bijvoorbeeld bij \"Mailcow <moo@mailcow.tld>\" wordt \"Mailcow\" teruggegeven",
-            "from_addr": "{= from_addr =}   - Adres van de afzender",
-            "from_domain": "{= from_domain =} - Domein van de afzender",
-            "custom": "{= foo =}         - Als de mailbox het aangepaste attribuut \"foo\" met de waarde \"bar\" heeft, wordt \"bar\" teruggegeven."
-        },
-        "domain_footer_plain": "PLAIN-voettekst",
-        "domain_footer_skip_replies": "Voettekst negeren bij antwoord-e-mails",
-        "footer_exclude": "Uitsluiten van voettekst",
-        "internal": "Intern",
-        "internal_info": "Interne aliassen zijn alleen toegankelijk vanuit het eigen (alias)domein.",
-        "sender_allowed": "Toestaan om als deze alias te verzenden",
-        "sender_allowed_info": "Als dit is uitgeschakeld, kan deze alias alleen e-mail ontvangen. Gebruik de afzender-ACL om dit te overschrijven en specifieke mailboxen toestemming te geven om te verzenden.",
-        "lookup_mx": "Bestemming is een reguliere expressie die wordt gematcht met de MX-naam (<code>.*.google.com</code> om alle e-mail die gericht is aan een MX die eindigt op google.com via deze hop te routeren)",
-        "mailbox_rename": "Hernoem mailbox",
-        "mailbox_rename_agree": "Ik heb een backup gemaakt.",
-        "mailbox_rename_warning": "BELANGRIJK! Maak een back-up voordat u de mailbox hernoemt.",
-        "mailbox_rename_alias": "Alias automatisch aanmaken.",
-        "mailbox_rename_title": "Nieuwe naam van de lokale mailbox",
-        "mta_sts": "MTA-STS",
-        "mta_sts_info": "<a href='https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_MTA_Strict_Transport_Security' target='_blank'>MTA-STS</a> is een standaard die afdwingt dat e-mailbezorging tussen mailservers TLS met geldige certificaten gebruikt. <br>\nDeze wordt gebruikt wanneer <a target='_blank' href='https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities'>DANE</a> niet mogelijk is vanwege ontbrekende of niet-ondersteunde DNSSEC.<br>\n<b>Opmerking</b>: Als het ontvangende domein DANE met DNSSEC ondersteunt, heeft DANE <b>altijd</b> de voorkeur – MTA-STS fungeert alleen als een fallback.",
-        "mta_sts_version": "Versie",
-        "mta_sts_version_info": "Definieert de versie van de MTA-STS-standaard – momenteel is alleen <code>STSv1</code> geldig.",
-        "mta_sts_mode": "Modus",
-        "mta_sts_mode_info": "Er zijn drie modus om uit te kiezen:<ul><li><em>testing</em> – het beleid wordt alleen gemonitord, overtredingen hebben geen impact.</li><li><em>enforce</em> – het beleid wordt strikt afgedwongen, verbindingen zonder geldige TLS worden geweigerd.</li><li><em>none</em> – het beleid wordt gepubliceerd maar niet toegepast.</li></ul>",
-        "mta_sts_max_age": "Maximale leeftijd",
-        "mta_sts_max_age_info": "Tijd in seconden dat ontvangende mailservers dit beleid mogen cachen voordat het opnieuw wordt opgehaald.",
-        "mta_sts_mx": "MX server",
-        "mta_sts_mx_info": "Staat verzending alleen toe naar expliciet vermelde mailserver-hostnamen; de verzendende MTA controleert of de DNS MX-hostnaam overeenkomt met de beleidslijst en staat levering alleen toe met een geldig TLS-certificaat (beschermt tegen MITM).",
-        "mta_sts_mx_notice": "Meerdere MX-servers kunnen worden opgegeven (gescheiden door komma’s).",
-        "none_inherit": "Geen / Erven",
-        "password_recovery_email": "E-mail voor wachtwoordherstel",
-        "pushover": "Pushover",
-        "quota_warning_bcc": "Quotum waarschuwing BCC",
-        "quota_warning_bcc_info": "Waarschuwingen zullen in afzonderlijke exemplaren naar de volgende ontvangers worden gestuurd. Het onderwerp zal worden gevolgd door de bijbehorende gebruikersnaam tussen haakjes, bijvoorbeeld: <code>Contingentwaarschuwing (user@example.com)</code>.",
-        "sogo_access": "Verleen directe logintoegang tot SOGo",
-        "sogo_access_info": "Na het inloggen wordt de gebruiker automatisch doorgestuurd naar SOGo"
+        "mailbox_relayhost_info": "Wordt alleen toegepast op de mailbox en directe aliassen, maar heft een domein relayhost op."
    },
    "footer": {
        "cancel": "Annuleren",
@@ -767,21 +637,18 @@
        "restart_container": "Herstart container",
        "restart_container_info": "<b>Belangrijk:</b> Een herstart kan enige tijd in beslag nemen, wacht aub totdat dit proces voltooid is.<br>Deze pagina zal zichzelf verversen zodra het proces voltooid is.",
        "restart_now": "Nu herstarten",
-        "restarting_container": "Container wordt herstart, even geduld aub...",
-        "hibp_check": "Controleer tegen haveibeenpwned.com",
-        "nothing_selected": "Niets geselecteerd"
+        "restarting_container": "Container wordt herstart, even geduld aub..."
    },
    "header": {
        "administration": "Configuratie & details",
        "apps": "Apps",
-        "debug": "Informatie",
+        "debug": "Systeeminformatie",
        "email": "E-Mail",
        "mailcow_config": "Beheer",
        "quarantine": "Quarantaine",
        "restart_netfilter": "Herstart netfilter",
        "restart_sogo": "Herstart SOGo",
-        "user_settings": "Gebruikersinstellingen",
-        "mailcow_system": "Systeem"
+        "user_settings": "Gebruikersinstellingen"
    },
    "info": {
        "awaiting_tfa_confirmation": "In afwachting van tweefactorauthenticatie...",
@@ -795,22 +662,7 @@
        "mobileconfig_info": "Log in als mailboxgebruiker om het Apple-verbindingsprofiel te downloaden.",
        "other_logins": "of aanmelden met",
        "password": "Wachtwoord",
-        "username": "Gebruikersnaam",
-        "back_to_mailcow": "Terug naar mailcow",
-        "forgot_password": "> Wachtwoord vergeten?",
-        "invalid_pass_reset_token": "De reset-wachtwoordtoken is ongeldig of verlopen.<br>Vraag een nieuwe link voor het resetten van het wachtwoord aan.",
-        "login_linkstext": "Niet de juiste login?",
-        "login_usertext": "Log in als gebruiker",
-        "login_domainadmintext": "Login in als domeinbeheerder",
-        "login_admintext": "Log in als administrator",
-        "login_user": "Gebruikerslogin",
-        "login_dadmin": "Domeinbeheerder login",
-        "login_admin": "Administrator login",
-        "new_password": "Nieuw wachtwoord",
-        "new_password_confirm": "Bevestig nieuw wachtwoord",
-        "reset_password": "Herstel wachtwoord",
-        "request_reset_password": "Verzoek wachtwoord wijziging",
-        "email": "E-mailadres"
+        "username": "Gebruikersnaam"
    },
    "mailbox": {
        "action": "Handeling",
@@ -930,7 +782,7 @@
        "sieve_preset_5": "Autoreply (vakantie)",
        "sieve_preset_6": "Weiger mail met antwoord",
        "sieve_preset_7": "Forward en behoud/verwijder",
-        "sieve_preset_8": "E-mail van een specifieke afzender doorsturen, als gelezen markeren en in een submap plaatsen",
+        "sieve_preset_8": "Verwijder mail verstuurd naar een aliasadres van de afzender",
        "sieve_preset_header": "Zie de onderstaande voorbeelden. Raadpleeg <a href=\"https://en.wikipedia.org/wiki/Sieve_(mail_filtering_language)\" target=\"_blank\">Wikipedia</a> voor meer informatie.",
        "sogo_visible": "Alias tonen in SOGo",
        "sogo_visible_n": "Verberg alias in SOGo",
@@ -957,37 +809,7 @@
        "toggle_all": "Selecteer alles",
        "username": "Gebruikersnaam",
        "waiting": "Wachten",
-        "weekly": "Wekelijks",
-        "add_alias_expand": "Alias uitbreiden over alias-domeinen",
-        "add_template": "Sjabloon toevoegen",
-        "all_domains": "Alle domeinen",
-        "catch_all": "Catch-All",
-        "created_on": "Aangemaakt op",
-        "domain_templates": "Domein sjablonen",
-        "domain_quota_total": "Totale domein-opslagruimte",
-        "goto_ham": "Leren als <b>Ham</b>",
-        "goto_spam": "Leren als <b>spam</b>",
-        "iam": "Identiteitsprovider",
-        "internal": "Intern",
-        "last_pw_change": "Laatste wachtwoordwijziging",
-        "mailbox_templates": "Mailbox sjablonen",
-        "no": "&#10005;",
-        "open_logs": "Open logs",
-        "recipient": "Ontvanger",
-        "relay_unknown": "Onbekende mailboxen relayen",
-        "sender": "Afzender",
-        "syncjob_check_log": "Controleer log",
-        "syncjob_last_run_result": "Laatste uitvoeringsresultaat",
-        "syncjob_EX_OK": "Succes",
-        "syncjob_EXIT_CONNECTION_FAILURE": "Verbindingsprobleem",
-        "syncjob_EXIT_TLS_FAILURE": "Probleem met versleutelde verbinding",
-        "syncjob_EXIT_AUTHENTICATION_FAILURE": "Authenticatieprobleem",
-        "syncjob_EXIT_OVERQUOTA": "Doel mailbox is over quota",
-        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Kan geen verbinding maken met de externe server",
-        "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Verkeerde gebruikersnaam of wachtwoord",
-        "templates": "Sjablonen",
-        "template": "Sjabloon",
-        "yes": "&#10003;"
+        "weekly": "Wekelijks"
    },
    "oauth2": {
        "access_denied": "Log in als een mailboxgebruiker om toegang via OAuth te verlenen",
@@ -1020,7 +842,7 @@
        "notified": "Verwittigd",
        "qhandler_success": "Aanvraag succesvol verzonden naar het systeem. Je kunt nu het venster sluiten.",
        "qid": "Rspamd QID",
-        "qinfo": "Het quarantainesysteem slaat een kopie van zowel geweigerde mail (voor de afzender zal het lijken alsof de mail <em>niet</em> afgeleverd is), als mail die afgeleverd is de spamfolder, op in de database.\n  <br>\"Markeer als spam en verwijder\" traint het systeem om soortgelijke mails in de toekomst opnieuw als spam te markeren.\n  <br>Wanneer er meerdere berichten tegelijkertijd worden behandeld kan het mogelijk enige tijd duren.<br>Elementen op de denylist zijn uitgesloten van de quarantaine.",
+        "qinfo": "Het quarantainesysteem slaat een kopie van zowel geweigerde mail (voor de afzender zal het lijken alsof de mail <em>niet</em> afgeleverd is), als mail die afgeleverd is de spamfolder, op in de database.\r\n  <br>\"Markeer als spam en verwijder\" traint het systeem om soortgelijke mails in de toekomst opnieuw als spam te markeren.\r\n  <br>Wanneer er meerdere berichten tegelijkertijd worden behandeld kan het mogelijk enige tijd duren.<br>Elementen op de blacklist zijn uitgesloten van de quarantaine.",
        "qitem": "Quarantaine-item",
        "quarantine": "Quarantaine",
        "quick_actions": "Handelingen",
@@ -1052,19 +874,7 @@
        "toggle_all": "Selecteer alles"
    },
    "queue": {
-        "queue_manager": "Queue manager",
-        "delete": "Verwijder alles",
-        "flush": "Wachtrij leegmaken",
-        "info": "De mailwachtrij bevat alle e-mails die wachten op aflevering. Als een e-mail lange tijd in de mailwachtrij blijft staan, wordt deze automatisch door het systeem verwijderd.<br>De foutmelding van de betreffende e-mail geeft informatie over waarom de e-mail niet kon worden afgeleverd.",
-        "legend": "Functies voor acties in de mailwachtrij:",
-        "ays": "Bevestig dat u alle items uit de huidige wachtrij wilt verwijderen.",
-        "deliver_mail": "Afleveren",
-        "deliver_mail_legend": "Probeert de geselecteerde e-mails opnieuw te bezorgen.",
-        "hold_mail": "Vasthouden",
-        "hold_mail_legend": "Houdt de geselecteerde e-mails vast. (Voorkomt verdere afleverpogingen)",
-        "show_message": "Bericht weergeven",
-        "unban": "Wachtrij deblokkeren",
-        "unhold_mail": "Vrijgeven"
+        "queue_manager": "Queue manager"
    },
    "start": {
        "help": "Toon/verberg hulppaneel",
@@ -1184,8 +994,7 @@
        "start_fido2_validation": "Start FIDO2-validatie",
        "fido2_auth": "Aanmelden met FIDO2",
        "fido2_success": "Apparaat succesvol geregistreerd",
-        "fido2_validation_failed": "Validatie mislukt",
-        "set_fido2_touchid": "Registreer Touch ID op Apple M1"
+        "fido2_validation_failed": "Validatie mislukt"
    },
    "user": {
        "action": "Handeling",
@@ -1352,7 +1161,6 @@
        "loadingRecords": "Laden...",
        "processing": "Wachten alstublieft..",
        "search": "Zoeken:",
-        "zeroRecords": "Geen overeenkomsten gevonden",
-        "infoFiltered": "(gefilterd uit _MAX_ totale vermeldingen)"
+        "zeroRecords": "Geen overeenkomsten gevonden"
    }
 }
@@ -189,7 +189,7 @@
        "api_info": "API jest w trakcie prac. Dokumentację można znaleźć pod adresem <a href=\"/api\">/api</a>",
        "api_key": "klucz API",
        "api_read_only": "Dostęp tylko do odczytu",
-        "api_read_write": "Dostęp do odczytu i zapisu",
+        "api_read_write": "Dostęp tylko do odczytu",
        "api_skip_ip_check": "Pomiń sprawdzenie IP dla API",
        "app_hide": "Ukryj dla logowania",
        "app_links": "Linki aplikacji",
@@ -1226,7 +1226,7 @@
        "decimal": ".",
        "emptyTable": "Brak danych w tabeli",
        "expand_all": "Rozszerz wszystko",
-        "info": "Wyświetlanie od _START_ do _END_ z _TOTAL_ wpisów",
+        "info": "Wyświetlanie od START do END z TOTAL wpisów",
        "infoEmpty": "Wyświetlanie od 0 do 0 z 0 wpisów",
        "infoFiltered": "(filtrowane z _MAX_ suma wpisów)",
        "thousands": ",",
@@ -38,7 +38,7 @@
        "add_domain_only": "Adicionar somente domínio",
        "add_domain_restart": "Adicionar domínio e reiniciar o SoGo",
        "alias_address": "Endereço (s) de alias",
-        "alias_address_info": "<small>Endereço(s) de e-mail completo(s) ou @example.com, para capturar todas as mensagens de um domínio (separadas por vírgula). <b>Apenas domínios do Mailcow</b>.</small>",
+        "alias_address_info": "<small>Endereço/s de e-mail completo ou @example .com, para capturar todas as mensagens de um domínio (separadas por vírgula). <b> somente  domínios mailcow</b>.</small>",
        "alias_domain": "Domínio de alias",
        "alias_domain_info": "<small>Somente nomes de domínio válidos (separados por vírgula).</small>",
        "app_name": "Nome do aplicativo",
@@ -111,8 +111,7 @@
        "validation_success": "Validado com sucesso",
        "dry": "Simular sincronização",
        "internal": "Interno",
-        "internal_info": "Aliases internos são acessíveis apenas a partir do próprio domínio ou alias de domínio.",
-        "sender_allowed": "Permitir enviar como este alias"
+        "internal_info": "Aliases internos são acessíveis apenas a partir do próprio domínio ou alias de domínio."
    },
    "admin": {
        "access": "Acesso",
@@ -152,13 +151,13 @@
        "arrival_time": "Hora de chegada (hora do servidor)",
        "authed_user": "Usuário autoritário",
        "ays": "Tem certeza de que deseja continuar?",
-        "ban_list_info": "Veja abaixo a lista de IPs banidos: <b>rede (tempo restante do banimento) - [ações]</b>.<br />IPs na fila para serem desbanidos serão removidos da lista de banimentos ativos em alguns segundos.<br />Rótulos vermelhos indicam banimentos permanentes ativos na lista de bloqueio.",
+        "ban_list_info": "Veja uma lista de IPs banidos abaixo: <b>rede (tempo restante de banimento) - [ações]</b>. <br />Os IPs na fila para serem desbanidos serão removidos da lista de banimentos ativos em alguns segundos. <br />Rótulos vermelhos indicam proibições permanentes ativas na lista negra.",
        "change_logo": "Alterar logotipo",
        "logo_normal_label": "Normal",
        "logo_dark_label": "Invertido para o modo escuro",
        "configuration": "Configuração",
        "convert_html_to_text": "Converter HTML em texto sem formatação",
-        "copy_to_clipboard": "Copiado para a área de transferência!",
+        "copy_to_clipboard": "Text copied to clipboard!",
        "cors_settings": "Configurações do CORS",
        "credentials_transport_warning": "<b>Aviso</b>: Adicionar uma nova entrada no mapa de transporte atualizará as credenciais de todas as entradas com uma coluna correspondente do próximo salto.",
        "customer_id": "ID do cliente",
@@ -189,9 +188,9 @@
        "excludes": "Exclui esses destinatários",
        "f2b_ban_time": "Tempo (s) de proibição",
        "f2b_ban_time_increment": "O tempo de banimento é incrementado com cada banimento",
-        "f2b_blacklist": "Redes/hosts na lista de bloqueio",
+        "f2b_blacklist": "Redes/hosts na lista negra",
        "f2b_filter": "Filtros Regex",
-        "f2b_list_info": "Um host ou rede na lista de bloqueio sempre terá prioridade sobre uma entidade na lista de permissões. <b>As atualizações das listas levarão alguns segundos para serem aplicadas.</b>",
+        "f2b_list_info": "Um host ou rede na lista negra sempre superará uma entidade na lista branca. <b>As atualizações da lista levarão alguns segundos para serem aplicadas.</b>",
        "f2b_manage_external": "Gerenciar Fail2Ban externamente",
        "f2b_manage_external_info": "O Fail2ban ainda manterá a lista de banimentos, mas não definirá ativamente regras para bloquear o tráfego. Use a lista de banimento gerada abaixo para bloquear externamente o tráfego.",
        "f2b_max_attempts": "Máximo de tentativas",
@@ -201,7 +200,7 @@
        "f2b_parameters": "Parâmetros do Fail2ban",
        "f2b_regex_info": "Registros considerados: SoGo, Postfix, Dovecot, PHP-FPM.",
        "f2b_retry_window": "Repita a (s) janela (s) para o máximo de tentativas",
-        "f2b_whitelist": "Redes/hosts na lista de permissões",
+        "f2b_whitelist": "Redes/hosts incluídos na lista branca",
        "filter_table": "Tabela de filtros",
        "forwarding_hosts": "Anfitriões de encaminhamento",
        "forwarding_hosts_add_hint": "Você pode especificar endereços IPv4/IPv6, redes em notação CIDR, nomes de host (que serão resolvidos para endereços IP) ou nomes de domínio (que serão resolvidos para endereços IP consultando registros SPF ou, na ausência deles, registros MX).",
@@ -223,7 +222,7 @@
        "includes": "Inclua esses destinatários",
        "ip_check": "Verificação de IP",
        "ip_check_disabled": "A verificação de IP está desativada. Você pode ativá-lo em <br><strong>Sistema > Configuração > Opções > Personalizar</strong>",
-        "ip_check_opt_in": "Opte por usar o serviço de terceiros <strong>ipv4.mailcow.email</strong> e <strong>ipv6.mailcow.email</strong> para resolver endereços IP externos.",
+        "ip_check_opt_in": "Opte por usar o serviço de terceiros <strong>ipv4.mailcow.email.</strong> e <strong>ipv6.mailcow.email</strong> para resolver endereços IP externos.",
        "is_mx_based": "Baseado em MX",
        "last_applied": "Aplicado pela última vez",
        "license_info": "Uma licença não é necessária, mas ajuda no desenvolvimento.<br><a href=\"https://www.servercow.de/mailcow? Lang=en#sal\" target=\"_blank\" alt=\"SAL order\">Registre seu GUID aqui</a> ou <a href=\"https://www.servercow.de/mailcow? Lang=en#support\" target=\"_blank\" alt=\"Support order\">comprar suporte para sua instalação de mailcow.</a>",
@@ -245,7 +244,7 @@
        "oauth2_add_client": "Adicionar cliente OAuth2",
        "oauth2_client_id": "ID do cliente",
        "oauth2_client_secret": "Segredo do cliente",
-        "oauth2_info": "A implementação do OAuth2 suporta o tipo de concessão \"Código de Autorização\" e emite tokens de atualização.<br>\nO servidor também emite automaticamente novos tokens de atualização após um token de atualização ter sido usado.<br>\nO escopo padrão é <i>profile</i>. Somente usuários de caixa de correio podem ser autenticados com o OAuth2. Se o parâmetro de escopo for omitido, o padrão será <i>profile</i>.<br>\nO parâmetro <i>state</i> deve ser enviado pelo cliente como parte da solicitação de autorização.<br><br>\nCaminhos para solicitações à API OAuth2: <br>\n\n<ul>\n  <li>Ponto de extremidade de autorização: <code>/oauth/authorize</code></li>\n  <li>Endpoint do token: <code>/oauth/token</code></li>\n  <li>Página de recursos: <code>/oauth/profile</code></li>\n</ul>\n\nRegenerar o segredo do cliente não expirará os códigos de autorização existentes, mas impedirá a renovação do token.<br><br>\nA revogação dos tokens de cliente causará o encerramento imediato de todas as sessões ativas. Todos os clientes precisarão se autenticar novamente.",
+        "oauth2_info": "A implementação OAuth2 suporta o tipo de concessão \"Código de Autorização\" e emite tokens de atualização.<br>\nO servidor também emite automaticamente novos tokens de atualização, depois que um token de atualização foi usado.<br><br>\n&#8226; O escopo padrão é <i>perfil</i>. Somente usuários com caixa de e-mail podem ser autenticados contra o OAuth2. Se o parâmetro de escopo for omitido, ele voltará para <i>perfil</i>.<br>\nCaminhos para solicitações OAuth2 API: <br>\n<ul>\n<li>Endpoint de autorização: <code>/oauth/authorize</code></li>\n<li>Endpoint token: <code>/oauth/token</code></li>\n<li>Página de recursos: <code>/oauth/profile</code></li>\n</ul>\nRegenerar o segredo do cliente não expirará os códigos de autorização existentes, mas eles não renovarão seu token.<br><br>\nA revogação dos tokens do cliente causará o término imediato de todas as sessões ativas. Todos os clientes precisam se autenticar novamente.",
        "oauth2_redirect_uri": "URI de redirecionamento",
        "oauth2_renew_secret": "Gere um novo segredo de cliente",
        "oauth2_revoke_tokens": "Revogar todos os tokens do cliente",
@@ -321,8 +320,8 @@
        "rspamd_com_settings": "Um nome de configuração será gerado automaticamente, veja os exemplos de predefinições abaixo. Para obter mais detalhes, consulte a documentação <a href=\"https://rspamd.com/doc/configuration/settings.html#settings-structure\" target=\"_blank\">do Rspamd</a>",
        "rspamd_global_filters": "Mapas de filtro globais",
        "rspamd_global_filters_agree": "Eu vou ter cuidado!",
-        "rspamd_global_filters_info": "Os mapas de filtros globais contêm diferentes tipos de listas globais de bloqueio e de permissões.",
-        "rspamd_global_filters_regex": "Os nomes explicam sua finalidade. Todo o conteúdo deve conter uma expressão regular válida no formato \"/padrão/opções\" (por exemplo, <code>/.[+@domain.tld](mailto:+@domain.tld)/i</code>).<br>\nEmbora verificações básicas sejam executadas em cada linha de regex, a funcionalidade do Rspamd pode ser comprometida se ele não conseguir ler a sintaxe corretamente.<br>\nO Rspamd tentará ler o conteúdo do mapa quando ele for alterado. Se você tiver problemas, <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">reinicie o Rspamd</a> para forçar o recarregamento do mapa.<br>Elementos na lista de bloqueio são excluídos da quarentena.",
+        "rspamd_global_filters_info": "Os mapas de filtros globais contêm diferentes tipos de listas negras e brancas globais.",
+        "rspamd_global_filters_regex": "Seus nomes explicam seu propósito. <code>Todo o conteúdo deve conter uma expressão regular válida no formato “/padrão/opções” (por exemplo, /. + @domain\\ .tld/i</code>). <br>\r\n Embora verificações rudimentares estejam sendo executadas em cada linha de regex, a funcionalidade do Rspamd pode ser interrompida se não conseguir ler a sintaxe corretamente. <br>\r\n O Rspamd tentará ler o conteúdo do mapa quando alterado. Se você tiver problemas, <a href=\"\" data-toggle=\"modal\" data-container=\"rspamd-mailcow\" data-target=\"#RestartContainer\">reinicie o Rspamd</a> para forçar o recarregamento do mapa. <br>Os elementos da lista negra são excluídos da quarentena.",
        "rspamd_settings_map": "Mapa de configurações do Rspamd",
        "sal_level": "Nível de humor",
        "save": "Salvar alterações",
@@ -557,9 +556,7 @@
        "mode_invalid": "Modo %s é inválido",
        "mx_invalid": "Registro MX %s é inválido",
        "required_data_missing": "Dados obrigatórios %s estão ausentes",
-        "version_invalid": "Versão %s é inválida",
-        "tfa_removal_blocked": "A autenticação de dois fatores não pode ser removida, pois é obrigatória para a sua conta.",
-        "quarantine_category_invalid": "A categoria da quarentena deve ser uma das seguintes: add_header, reject, all"
+        "version_invalid": "Versão %s é inválida"
    },
    "datatables": {
        "collapse_all": "Recolher tudo",
@@ -730,7 +727,7 @@
        "pushover_verify": "Verifique as credenciais",
        "quota_mb": "Cota (MiB)",
        "quota_warning_bcc": "Aviso de cota BCC",
-        "quota_warning_bcc_info": "Os avisos serão enviados em cópias separadas para os seguintes destinatários. O assunto será precedido pelo nome de usuário correspondente entre colchetes, por exemplo: <code>Aviso de cota (user@example.com)</code>.",
+        "quota_warning_bcc_info": "Os avisos serão enviados em cópias separadas para os seguintes destinatários. O assunto será sufixado pelo nome de usuário correspondente entre colchetes, por exemplo: <code>Aviso de cota (</code>user@example.com).",
        "ratelimit": "Limite de taxa",
        "redirect_uri": "URL de redirecionamento/retorno de chamada",
        "relay_all": "Retransmita todos os destinatários",
@@ -749,17 +746,17 @@
        "sieve_desc": "Breve descrição",
        "sieve_type": "Tipo de filtro",
        "skipcrossduplicates": "Ignore mensagens duplicadas entre pastas (primeiro a chegar, primeiro a ser servido)",
-        "sogo_access": "Encaminhamento direto para o SOGo",
-        "sogo_access_info": "Após o login, o usuário é automaticamente redirecionado para o SOGo.",
+        "sogo_access": "Encaminhamento direto para o SOGoo",
+        "sogo_access_info": "Depois de fazer login, o usuário é automaticamente redirecionado para o SOGo.",
        "sogo_visible": "O alias é visível no SoGo",
        "sogo_visible_info": "Essa opção afeta somente objetos, que podem ser exibidos no SoGo (endereços de alias compartilhados ou não compartilhados apontando para pelo menos uma mailbox local). Se estiver oculto, um alias não aparecerá como remetente selecionável no SoGo.",
        "spam_alias": "Crie ou altere endereços de alias com limite de tempo",
        "spam_filter": "Filtro de spam",
-        "spam_policy": "Adicionar ou remover itens da lista de permissões/bloqueio",
+        "spam_policy": "Adicionar ou remover itens da lista branca/negra",
        "spam_score": "Defina uma pontuação de spam personalizada",
        "subfolder2": "Sincronizar na subpasta no destino <br><small>(vazio = não usar subpasta</small>)",
        "syncjob": "Editar tarefa de sincronização",
-        "target_address": "Ir para o(s) endereço(s) <small>(separados por vírgula)</small>",
+        "target_address": "<small>Ir para endereço/es (separados por vírgula)</small>",
        "target_domain": "Domínio de destino",
        "timeout1": "Tempo limite para conexão com o host remoto",
        "timeout2": "Tempo limite para conexão com o host local",
@@ -784,9 +781,7 @@
        "mta_sts_max_age_info": "Tempo em segundos que servidores de email de recepção podem armazenar esta política em cache até buscar novamente.",
        "mta_sts_mx": "Servidor MX",
        "mta_sts_mx_info": "Permite envio apenas para nomes de host de servidor de email explicitamente listados; o MTA de envio verifica se o nome do host DNS MX corresponde à lista de políticas e permite entrega apenas com certificado TLS válido (protege contra MITM).",
-        "mta_sts_mx_notice": "Múltiplos servidores MX podem ser especificados (separados por vírgulas).",
-        "sender_allowed": "Permitir enviar como este alias",
-        "sender_allowed_info": "Se desativado, este alias poderá apenas receber e-mails. Use a ACL de remetente para substituir essa configuração e conceder a caixas de correio específicas permissão para enviar."
+        "mta_sts_mx_notice": "Múltiplos servidores MX podem ser especificados (separados por vírgulas)."
    },
    "fido2": {
        "confirm": "Confirme",
@@ -807,7 +802,7 @@
        "cancel": "Cancelar",
        "confirm_delete": "Confirme a exclusão",
        "delete_now": "Excluir agora",
-        "delete_these_items": "Por favor, confirme as alterações feitas no seguinte ID de objeto.",
+        "delete_these_items": "Confirme suas alterações no seguinte ID de objeto",
        "hibp_check": "Verifique em haveibeenpwned.com",
        "hibp_nok": "Combinado! Essa é uma senha potencialmente perigosa!",
        "hibp_ok": "Nenhuma combinação encontrada.",
@@ -975,7 +970,7 @@
        "recipient_map_new": "Novo destinatário",
        "recipient_map_new_info": "O destino do mapa do destinatário deve ser um endereço de e-mail válido ou um nome de domínio.",
        "recipient_map_old": "Destinatário original",
-        "recipient_map_old_info": "O destino original do mapa de destinatário deve ser um endereço de e-mail válido ou um nome de domínio.",
+        "recipient_map_old_info": "O destino original do mapa de um destinatário deve ser um endereço de e-mail válido ou um nome de domínio.",
        "recipient_maps": "Mapas de destinatários",
        "relay_all": "Retransmita todos os destinatários",
        "relay_unknown": "Retransmitir mailboxes desconhecidas",
@@ -1066,7 +1061,7 @@
        "notified": "Notificado",
        "qhandler_success": "Solicitação enviada com sucesso para o sistema. Agora você pode fechar a janela.",
        "qid": "Respand AID",
-        "qinfo": "O sistema de quarentena irá salvar no banco de dados os e-mails rejeitados (o remetente <em>não</em> terá a impressão de que o e-mail foi entregue), bem como os e-mails que são entregues como cópia na pasta de spam de uma mailbox.\n<br>“Aprender como spam e excluir” irá classificar a mensagem como spam por meio do Teorema de Bayes e também calcular hashes fuzzy para bloquear mensagens semelhantes no futuro.\n<br>Esteja ciente de que o aprendizado de múltiplas mensagens pode, dependendo do seu sistema, levar tempo. <br>Elementos na lista de bloqueio são excluídos da quarentena.",
+        "qinfo": "O sistema de quarentena salvará as mensagens rejeitadas no banco de dados (o remetente <em>não</em> terá a impressão de uma mensagem entregue), bem como as mensagens, que são entregues como cópia na pasta Lixo eletrônico de uma mailbox.\n <br>“Aprenda como spam e exclua” aprenderá uma mensagem como spam por meio do Teorema de Bayes e também calculará hashes difusos para negar mensagens semelhantes no futuro.\n <br>Esteja ciente de que aprender várias mensagens pode ser demorado, dependendo do seu sistema. <br>Os elementos da lista negra são excluídos da quarentena.",
        "qitem": "Item de quarentena",
        "quarantine": "Quarentena",
        "quick_actions": "Ações",
@@ -1242,12 +1237,7 @@
        "webauthn": "Autenticação WebAuthn",
        "waiting_usb_auth": "<i>Aguardando o dispositivo USB...</i> <br><br>Toque no botão no seu dispositivo USB agora.",
        "waiting_usb_register": "<i>Aguardando o dispositivo USB...</i> <br><br>Digite sua senha acima e confirme seu registro tocando no botão no seu dispositivo USB.",
-        "yubi_otp": "Autenticação Yubico OTP",
-        "force_tfa": "Forçar o cadastro de 2FA no login",
-        "force_tfa_info": "O usuário será obrigado a configurar a autenticação de dois fatores antes de acessar o painel.",
-        "setup_title": "Autenticação de Dois Fatores Obrigatória",
-        "setup_required": "Sua conta exige autenticação de dois fatores. Configure um método de 2FA para continuar.",
-        "cancel_setup": "Cancelar e sair"
+        "yubi_otp": "Autenticação Yubico OTP"
    },
    "user": {
        "action": "Ação",
@@ -1286,7 +1276,7 @@
        "delete_ays": "Confirme o processo de exclusão.",
        "direct_aliases": "Endereços de alias diretos",
        "direct_aliases_desc": "Os endereços de alias diretos são afetados pelo filtro de spam e pelas configurações da política TLS.",
-        "direct_protocol_access": "Este usuário da mailbox possui <b>acesso direto e externo</b> aos seguintes protocolos e aplicações. Esta configuração é controlada pelo seu administrador. Senhas de aplicativo podem ser criadas para conceder acesso a protocolos e aplicações específicos.<br>O botão “Webmail” fornece login único (SSO) para o SOGo e está sempre disponível.",
+        "direct_protocol_access": "Esse usuário da mailbox tem <b>acesso externo direto</b> aos seguintes protocolos e aplicativos. Essa configuração é controlada pelo administrador. As senhas de aplicativos podem ser criadas para conceder acesso a protocolos e aplicativos individuais. <br>O botão “Login no webmail” fornece login único no SoGo e está sempre disponível.",
        "eas_reset": "Redefinir o cache do dispositivo ActiveSync",
        "eas_reset_help": "Em muitos casos, uma redefinição do cache do dispositivo ajudará a recuperar um perfil quebrado do ActiveSync. <br><b>Atenção:</b> Todos os elementos serão baixados novamente!",
        "eas_reset_now": "Reinicie agora",
@@ -1362,12 +1352,12 @@
        "sogo_profile_reset": "Redefinir perfil SoGo",
        "sogo_profile_reset_help": "Isso destruirá o perfil SoGo de um usuário e <b>excluirá todos os dados de contato e calendário irrecuperáveis</b>.",
        "sogo_profile_reset_now": "Redefina o perfil agora",
-        "spam_aliases": "Aliases de e-mail de spam",
+        "spam_aliases": "Aliases de e-mail temporários",
        "spam_score_reset": "Redefinir para o padrão do servidor",
        "spamfilter": "Filtro de spam",
        "spamfilter_behavior": "Avaliação",
-        "spamfilter_bl": "Lista de bloqueio",
-        "spamfilter_bl_desc": "Endereços de e-mail na lista de bloqueio para <b>sempre</b> classificar como spam e rejeitados. E-mails rejeitados <b>não</b> serão copiados para a quarentena. Coringas podem ser utilizados. O filtro é aplicado apenas a aliases diretos (aliases com uma única mailbox de destino), excluindo aliases catch-all e a própria mailbox.",
+        "spamfilter_bl": "Lista negra",
+        "spamfilter_bl_desc": "Endereços de e-mail na lista negra para <b>sempre</b> serem classificados como spam e rejeitados. E-mails rejeitados <b>não</b> serão copiados para a quarentena. Podem ser usados curingas. Um filtro só é aplicado a aliases diretos (aliases com uma única caixa de correio de destino), excluindo aliases abrangentes e a própria mailbox.",
        "spamfilter_default_score": "Valores padrão",
        "spamfilter_green": "Verde: esta mensagem não é spam",
        "spamfilter_hint": "O primeiro valor descreve a “pontuação baixa de spam”, o segundo representa a “alta pontuação de spam”.",
@@ -1378,8 +1368,8 @@
        "spamfilter_table_empty": "Não há dados para exibir",
        "spamfilter_table_remove": "remover",
        "spamfilter_table_rule": "Regra",
-        "spamfilter_wl": "Lista de permissões",
-        "spamfilter_wl_desc": "Endereços de e-mail na lista de permissões são configurados para <b>nunca</b> serem classificados como spam. Coringas podem ser utilizados. O filtro é aplicado apenas a aliases diretos (aliases com uma única mailbox de destino), excluindo aliases catch-all e a própria mailbox.",
+        "spamfilter_wl": "Lista branca",
+        "spamfilter_wl_desc": "Os endereços de e-mail incluídos na lista branca são programados para <b>nunca</b> serem classificados como spam. Podem ser usados curingas. Um filtro só é aplicado a aliases diretos (aliases com uma única mailbox de destino), excluindo aliases abrangentes e a própria mailbox.",
        "spamfilter_yellow": "Amarelo: esta mensagem pode ser spam, será marcada como spam e movida para sua pasta de lixo eletrônico",
        "status": "Status",
        "sync_jobs": "Trabalhos de sincronização",
@@ -1393,7 +1383,7 @@
        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Não é possível se conectar ao servidor remoto",
        "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Nome de usuário ou senha incorretos",
        "tag_handling": "Definir o tratamento para e-mails marcados",
-        "tag_help_example": "Exemplo de endereço de e-mail com tag: eu+Facebook</b>@exemplo.org",
+        "tag_help_example": "Exemplo de um endereço de e-mail marcado: me <b>+Facebook</b> @example .org",
        "tag_help_explain": "Na subpasta: uma nova subpasta com o nome da tag será criada abaixo da CAIXA DE ENTRADA (“Caixa de entrada/Facebook”). <br>\r\nNo assunto: o nome das tags será anexado ao assunto do e-mail, por exemplo: “[Facebook] Minhas notícias”.",
        "tag_in_none": "Não faça nada",
        "tag_in_subfolder": "Na subpasta",
@@ -1418,11 +1408,7 @@
        "authentication": "Autenticação",
        "overview": "Visão geral",
        "protocols": "Protocolos",
-        "tfa_info": "A autenticação de dois fatores ajuda a proteger sua conta. Se você habilitá-la, precisará de senhas de aplicativo para fazer login em aplicativos ou serviços que não suportam autenticação de dois fatores (por exemplo, clientes de email).",
-        "expire_never": "Nunca expirar",
-        "forever": "Para sempre",
-        "pw_update_required": "Sua conta exige a alteração de senha. Defina uma nova senha para continuar.",
-        "spam_aliases_info": "Um alias de spam é um endereço de e-mail temporário que pode ser usado para proteger endereços de e-mail reais. <br>Opcionalmente, pode-se definir um tempo de expiração para que o alias seja automaticamente desativado após o período definido, descartando efetivamente endereços que tenham sido abusados ou vazados."
+        "tfa_info": "A autenticação de dois fatores ajuda a proteger sua conta. Se você habilitá-la, precisará de senhas de aplicativo para fazer login em aplicativos ou serviços que não suportam autenticação de dois fatores (por exemplo, clientes de email)."
    },
    "warning": {
        "cannot_delete_self": "Não é possível excluir o usuário conectado",
@@ -558,8 +558,7 @@
        "mode_invalid": "Način %s ni veljaven",
        "mx_invalid": "Zapis MX %s je neveljaven",
        "version_invalid": "Različica %s je neveljavna",
-        "tfa_removal_blocked": "Dvofaktorske avtentikacije ni mogoče odstraniti, ker je obvezna za vaš račun.",
-        "quarantine_category_invalid": "Kategorija karantene mora biti ena od: add_header, reject, all"
+        "tfa_removal_blocked": "Dvofaktorske avtentikacije ni mogoče odstraniti, ker je obvezna za vaš račun."
    },
    "debug": {
        "containers_info": "Informacije o zabojniku",
@@ -268,10 +268,10 @@
        "includes": "Bao gồm những người nhận này",
        "ip_check": "Kiểm tra IP",
        "ip_check_disabled": "Kiểm tra IP đã bị vô hiệu hóa. Bạn có thể bật nó trong<br> <strong>Hệ thống > Cấu hình > Tùy chọn > Tùy chỉnh</strong>",
-        "ip_check_opt_in": "Đăng ký tham gia sử dụng dịch vụ bên thứ ba dùng <strong>ipv4.mailcow.email</strong> và <strong>ipv6.mailcow.email</strong> để phân giải địa chỉ IP bên ngoài.",
+        "ip_check_opt_in": "Chọn tham gia sử dụng dịch vụ bên thứ ba <strong>ipv4.mailcow.email</strong> và <strong>ipv6.mailcow.email</strong> để phân giải địa chỉ IP bên ngoài.",
        "is_mx_based": "Dựa trên MX",
        "last_applied": "Áp dụng lần cuối",
-        "license_info": "Giấy phép tuy không bắt buộc nhưng giúp phát triển thêm.<br><a href=\"https://www.servercow.de/mailcow?lang=en#sal\" target=\"_blank\" alt=\"Đặt hàng SAL\">Đăng ký GUID của bạn tại đây</a> hoặc <a href=\"https://www.servercow.de/mailcow?lang=en#support\" target=\"_blank\" alt=\"Đặt hàng hỗ trợ\">mua hỗ trợ cho cài đặt mailcow của bạn.</a>",
+        "license_info": "Giấy phép không bắt buộc nhưng giúp phát triển thêm.<br><a href=\"https://www.servercow.de/mailcow?lang=en#sal\" target=\"_blank\" alt=\"Đặt hàng SAL\">Đăng ký GUID của bạn tại đây</a> hoặc <a href=\"https://www.servercow.de/mailcow?lang=en#support\" target=\"_blank\" alt=\"Đặt hàng hỗ trợ\">mua hỗ trợ cho cài đặt mailcow của bạn.</a>",
        "link": "Liên kết",
        "loading": "Vui lòng đợi...",
        "login_time": "Thời gian đăng nhập",
@@ -556,9 +556,7 @@
        "validity_missing": "Vui lòng gán thời hạn hiệu lực",
        "value_missing": "Vui lòng cung cấp tất cả các giá trị",
        "version_invalid": "Phiên bản %s không hợp lệ",
-        "yotp_verification_failed": "Xác thực Yubico OTP thất bại: %s",
-        "tfa_removal_blocked": "Xác thực hai yếu tố không thể bị xóa vì đây là yêu cầu bắt buộc đối với tài khoản của bạn.",
-        "quarantine_category_invalid": "Danh mục cách ly phải là một trong các loại sau : add_header, reject, all."
+        "yotp_verification_failed": "Xác thực Yubico OTP thất bại: %s"
    },
    "datatables": {
        "collapse_all": "Thu gọn tất cả",
@@ -581,9 +579,7 @@
        "aria": {
            "sortAscending": ": kích hoạt để sắp xếp cột tăng dần",
            "sortDescending": ": kích hoạt để sắp xếp cột giảm dần"
-        },
-        "decimal": ".",
-        "thousands": ","
+        }
    },
    "debug": {
        "architecture": "Kiến trúc",
@@ -697,19 +693,6 @@
        "internal_info": "Bí danh nội bộ chỉ có thể truy cập từ tên miền sở hữu hoặc tên miền bí danh.",
        "kind": "Loại",
        "last_modified": "Sửa đổi lần cuối",
-        "lookup_mx": "Đích là một biểu thức chính quy để khớp với tên MX (<code>.*.google.com</code> để định tuyến tất cả thư nhắm đến MX kết thúc bằng google.com qua bước nhảy này)",
-        "sender_allowed": "Cho phép gửi đi bằng bí danh",
-        "sender_allowed_info": "Nếu bị vô hiệu hóa, bí danh này chỉ có thể nhận thư. Sử dụng ACL của người gửi để ghi đè và cấp quyền gửi cho các hộp thư cụ thể.",
-        "mailbox": "Chỉnh sửa hộp thư",
-        "mailbox_quota_def": "Hạn mức hộp thư mặc định",
-        "mailbox_relayhost_info": "Chỉ áp dụng cho hộp thư và các bí danh trực tiếp, thao tác này sẽ ghi đè lên máy chủ chuyển tiếp tên miền.",
-        "mailbox_rename": "Đổi tên hộp thư",
-        "mailbox_rename_agree": "Tôi đã tạo bản sao lưu.",
-        "mailbox_rename_warning": "QUAN TRỌNG! Hãy tạo bản sao lưu trước khi đổi tên hộp thư.",
-        "mailbox_rename_alias": "Tạo tự động bí danh",
-        "mailbox_rename_title": "Tên mới của hộp thư cục bộ",
-        "max_aliases": "Số lượng Bí danh tối đa",
-        "max_mailboxes": "Số lượng hộp thư tối đa có thể có",
-        "max_quota": "Dung lượng tối đa cho mỗi hộp thư (MiB)"
+        "lookup_mx": "Đích là một biểu thức chính quy để khớp với tên MX (<code>.*.google.com</code> để định tuyến tất cả thư nhắm đến MX kết thúc bằng google.com qua bước nhảy này)"
    }
 }
@@ -65,7 +65,6 @@ if (isset($_GET['app_password'])) {
      $attr['protocols'][] = 'dav_access';
  }
  app_passwd("add", $attr);
-  $password = htmlspecialchars($password, ENT_NOQUOTES);
 } else {
  $app_password = false;
 }
@@ -11,8 +11,8 @@
  <link rel="stylesheet" href="{{ css_path }}">
  <script>
    // check if darkmode is preferred by OS or set by localStorage
-    if (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches && localStorage.getItem("mailcow_theme") !== "light" ||
-        localStorage.getItem("mailcow_theme") === "dark") {
+    if (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches && localStorage.getItem("theme") !== "light" ||
+        localStorage.getItem("theme") === "dark") {
      var head  = document.getElementsByTagName('head')[0];
      var link  = document.createElement('link');
      link.id   = 'dark-mode-theme';
@@ -193,7 +193,7 @@ $(window).scroll(function() {
 });
 // Select language and reopen active URL without POST
 function setLang(sel) {
-  $.post( '{{ uri|escape("js") }}', {lang: sel} );
+  $.post( '{{ uri }}', {lang: sel} );
  window.location.href = window.location.pathname + window.location.search;
 }
 // FIDO2 functions
@@ -23,7 +23,7 @@
  <div class="row mb-4">
    <label class="control-label col-sm-2" for="script_data">Script:</label>
    <div class="col-sm-10">
-      <textarea spellcheck="false" autocorrect="off" autocapitalize="none" class="form-control textarea-code" rows="20" id="script_data" name="script_data" required>{{ result.script_data }}</textarea>
+      <textarea spellcheck="false" autocorrect="off" autocapitalize="none" class="form-control textarea-code" rows="20" id="script_data" name="script_data" required>{{ result.script_data|raw }}</textarea>
    </div>
  </div>
  <div class="row mb-2">
@@ -8,7 +8,6 @@

    <input type="hidden" value="default" name="sender_acl">
    <input type="hidden" value="0" name="force_pw_update">
-    <input type="hidden" value="0" name="force_tfa">
    <input type="hidden" value="0" name="sogo_access">
    <input type="hidden" value="0" name="protocol_access">

@@ -166,14 +165,6 @@
        </div>
      </div>
    </div>
-    <div class="row">
-      <div class="offset-sm-2 col-sm-10">
-        <div class="form-check">
-          <label><input type="checkbox" class="form-check-input" value="1" name="force_tfa" id="force_tfa"{% if template.attributes.force_tfa == '1' %} checked{% endif %}> {{ lang.tfa.force_tfa }}</label>
-          <small class="text-muted">{{ lang.tfa.force_tfa_info }}</small>
-        </div>
-      </div>
-    </div>
    {% if not skip_sogo %}
    <div class="row">
      <div class="offset-sm-2 col-sm-10">
@@ -1,7 +1,7 @@
 services:

    unbound-mailcow:
-      image: ghcr.io/mailcow/unbound:1.25.1-1
+      image: ghcr.io/mailcow/unbound:1.25
      environment:
        - TZ=${TZ}
        - SKIP_UNBOUND_HEALTHCHECK=${SKIP_UNBOUND_HEALTHCHECK:-n}
@@ -84,7 +84,7 @@ services:
            - clamd

    rspamd-mailcow:
-      image: ghcr.io/mailcow/rspamd:4.1.0-1
+      image: ghcr.io/mailcow/rspamd:3.14.2
      stop_grace_period: 30s
      depends_on:
        - dovecot-mailcow
@@ -117,7 +117,7 @@ services:
            - rspamd

    php-fpm-mailcow:
-      image: ghcr.io/mailcow/phpfpm:8.2.29-3
+      image: ghcr.io/mailcow/phpfpm:8.2.29-2
      command: "php-fpm -d date.timezone=${TZ} -d expose_php=0"
      depends_on:
        - redis-mailcow
@@ -200,7 +200,7 @@ services:
            - phpfpm

    sogo-mailcow:
-      image: ghcr.io/mailcow/sogo:5.12.9-1
+      image: ghcr.io/mailcow/sogo:5.12.4-2
      environment:
        - DBNAME=${DBNAME}
        - DBUSER=${DBUSER}
@@ -225,12 +225,12 @@ services:
        - ./data/hooks/sogo:/hooks:Z
        - ./data/conf/sogo/:/etc/sogo/:z
        - ./data/web/inc/init_db.inc.php:/init_db.inc.php:z
-        - ./data/conf/sogo/custom-favicon.ico:/usr/local/lib/GNUstep/SOGo/WebServerResources/img/sogo.ico:z
-        - ./data/conf/sogo/custom-shortlogo.svg:/usr/local/lib/GNUstep/SOGo/WebServerResources/img/sogo-compact.svg:z
-        - ./data/conf/sogo/custom-fulllogo.svg:/usr/local/lib/GNUstep/SOGo/WebServerResources/img/sogo-full.svg:z
-        - ./data/conf/sogo/custom-fulllogo.png:/usr/local/lib/GNUstep/SOGo/WebServerResources/img/sogo-logo.png:z
-        - ./data/conf/sogo/custom-theme.js:/usr/local/lib/GNUstep/SOGo/WebServerResources/js/theme.js:z
-        - ./data/conf/sogo/custom-sogo.js:/usr/local/lib/GNUstep/SOGo/WebServerResources/js/custom-sogo.js:z
+        - ./data/conf/sogo/custom-favicon.ico:/usr/lib/GNUstep/SOGo/WebServerResources/img/sogo.ico:z
+        - ./data/conf/sogo/custom-shortlogo.svg:/usr/lib/GNUstep/SOGo/WebServerResources/img/sogo-compact.svg:z
+        - ./data/conf/sogo/custom-fulllogo.svg:/usr/lib/GNUstep/SOGo/WebServerResources/img/sogo-full.svg:z
+        - ./data/conf/sogo/custom-fulllogo.png:/usr/lib/GNUstep/SOGo/WebServerResources/img/sogo-logo.png:z
+        - ./data/conf/sogo/custom-theme.js:/usr/lib/GNUstep/SOGo/WebServerResources/js/theme.js:z
+        - ./data/conf/sogo/custom-sogo.js:/usr/lib/GNUstep/SOGo/WebServerResources/js/custom-sogo.js:z
        - mysql-socket-vol-1:/var/run/mysqld/:z
        - sogo-web-vol-1:/sogo_web
        - sogo-userdata-backup-vol-1:/sogo_backup
@@ -252,7 +252,7 @@ services:
            - sogo

    dovecot-mailcow:
-      image: ghcr.io/mailcow/dovecot:2.3.21.1-2
+      image: ghcr.io/mailcow/dovecot:2.3.21.1-1
      depends_on:
        - mysql-mailcow
        - netfilter-mailcow
@@ -419,7 +419,7 @@ services:
        - php-fpm-mailcow
        - sogo-mailcow
        - rspamd-mailcow
-      image: ghcr.io/mailcow/nginx:1.30.2-1
+      image: ghcr.io/mailcow/nginx:1.06
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      environment:
@@ -449,7 +449,7 @@ services:
        - ./data/web/inc/functions.inc.php:/mailcowauth/functions.inc.php:z
        - ./data/web/inc/functions.auth.inc.php:/mailcowauth/functions.auth.inc.php:z
        - ./data/web/inc/sessions.inc.php:/mailcowauth/sessions.inc.php:z
-        - sogo-web-vol-1:/usr/local/lib/GNUstep/SOGo/
+        - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/
      ports:
        - "${HTTPS_BIND:-}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
        - "${HTTP_BIND:-}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
@@ -465,7 +465,7 @@ services:
          condition: service_started
        unbound-mailcow:
          condition: service_healthy
-      image: ghcr.io/mailcow/acme:1.97
+      image: ghcr.io/mailcow/acme:1.96
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      environment:
@@ -526,7 +526,7 @@ services:
        - /lib/modules:/lib/modules:ro

    watchdog-mailcow:
-      image: ghcr.io/mailcow/watchdog:2.11
+      image: ghcr.io/mailcow/watchdog:2.10
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      tmpfs:
@@ -299,7 +299,7 @@ ACME_DNS_CHALLENGE=n
 ACME_DNS_PROVIDER=dns_xxx
 ACME_ACCOUNT_EMAIL=me@example.com
 # You will need to pass provider-specific environment variables to the acme-mailcow container.
-# See the dns-01 provider documentation for more information.
+# See the dns-101 provider documentation for more information.
 # for example for Azure DNS:
 #AZUREDNS_SUBSCRIPTIONID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 #AZUREDNS_TENANTID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
@@ -25,6 +25,6 @@ services:
        - /var/run/mysqld/mysqld.sock:/var/run/mysqld/mysqld.sock

    mysql-mailcow:
-      image: alpine:3.24
+      image: alpine:3.23
      command: /bin/true
      restart: "no"
@@ -19,48 +19,30 @@ if [ ! -f "${PWD}/mailcow.conf" ]; then
 fi
 BRANCH="$(cd "${SCRIPT_DIR}" && git rev-parse --abbrev-ref HEAD)"

-# Check for --dev flag early to skip _modules update
-for arg in "$@"; do
-  if [[ "$arg" == "--dev" || "$arg" == "-d" ]]; then
-    echo -e "\e[32mRunning in Developer mode...\e[0m"
-    DEV=y
-    break
-  fi
-done
-
 MODULE_DIR="${SCRIPT_DIR}/_modules"
-
-if [ ! "$DEV" ]; then
-  # Calculate hash before fetch
-  if [[ -d "${MODULE_DIR}" && -n "$(ls -A "${MODULE_DIR}" 2>/dev/null)" ]]; then
-    MODULES_HASH_BEFORE=$(find "${MODULE_DIR}" -type f -exec sha256sum {} \; 2>/dev/null | sort | sha256sum | awk '{print $1}')
-  else
-    MODULES_HASH_BEFORE="EMPTY"
-  fi
-
-  echo -e "\e[33mFetching latest _modules from origin/${BRANCH}…\e[0m"
-  git fetch origin "${BRANCH}"
-  git checkout "origin/${BRANCH}" -- _modules
-
-  if [[ ! -d "${MODULE_DIR}" || -z "$(ls -A "${MODULE_DIR}")" ]]; then
-    echo -e "\e[31mError: _modules is still missing or empty after fetch!\e[0m"
-    exit 2
-  fi
-
-  # Calculate hash after fetch
-  MODULES_HASH_AFTER=$(find "${MODULE_DIR}" -type f -exec sha256sum {} \; 2>/dev/null | sort | sha256sum | awk '{print $1}')
-
-  # Check if modules changed
-  if [[ "${MODULES_HASH_BEFORE}" != "${MODULES_HASH_AFTER}" ]]; then
-    echo -e "\e[33m_modules have been updated. Please restart the update script.\e[0m"
-    exit 2
-  fi
+# Calculate hash before fetch
+if [[ -d "${MODULE_DIR}" && -n "$(ls -A "${MODULE_DIR}" 2>/dev/null)" ]]; then
+  MODULES_HASH_BEFORE=$(find "${MODULE_DIR}" -type f -exec sha256sum {} \; 2>/dev/null | sort | sha256sum | awk '{print $1}')
 else
-  echo -e "\e[33mDeveloper mode: Skipping _modules update from git\e[0m"
-  if [[ ! -d "${MODULE_DIR}" || -z "$(ls -A "${MODULE_DIR}")" ]]; then
-    echo -e "\e[31mError: _modules directory is missing or empty!\e[0m"
-    exit 2
-  fi
+  MODULES_HASH_BEFORE="EMPTY"
+fi
+
+echo -e "\e[33mFetching latest _modules from origin/${BRANCH}…\e[0m"
+git fetch origin "${BRANCH}"
+git checkout "origin/${BRANCH}" -- _modules
+
+if [[ ! -d "${MODULE_DIR}" || -z "$(ls -A "${MODULE_DIR}")" ]]; then
+  echo -e "\e[31mError: _modules is still missing or empty after fetch!\e[0m"
+  exit 2
+fi
+
+# Calculate hash after fetch
+MODULES_HASH_AFTER=$(find "${MODULE_DIR}" -type f -exec sha256sum {} \; 2>/dev/null | sort | sha256sum | awk '{print $1}')
+
+# Check if modules changed
+if [[ "${MODULES_HASH_BEFORE}" != "${MODULES_HASH_AFTER}" ]]; then
+  echo -e "\e[33m_modules have been updated. Please restart the update script.\e[0m"
+  exit 2
 fi

 source _modules/scripts/core.sh
@@ -169,7 +151,8 @@ while (($#)); do
      FORCE=y
    ;;
    -d|--dev)
-      # Already handled at the top of the script before _modules update
+      echo -e "\e[32mRunning in Developer mode...\e[0m"
+      DEV=y
    ;;
    --legacy)
      CURRENT_BRANCH="$(cd "${SCRIPT_DIR}"; git rev-parse --abbrev-ref HEAD)"
Author	SHA1	Message	Date
DerLinkman	816b5cdb60	declare better sieve script paths per user (for after and before)	2026-03-04 15:19:44 +01:00
DerLinkman	fb7bbc3fd8	dovecot: fix smaller config changes	2026-03-04 15:19:44 +01:00
DerLinkman	8e93a48ac0	dovecot: rechanged id type from uuid to string	2026-03-04 15:19:43 +01:00
DerLinkman	05fbd549f8	dovecot: change dict declarations for before scripts	2026-03-04 15:19:43 +01:00
DerLinkman	58a26dc966	dovecot: changes to config aligning to 2.4	2026-03-04 15:19:43 +01:00
DerLinkman	9d54fbcc3e	dovecot: migrated config to 2.4 + config splitting	2026-03-04 15:19:42 +01:00
DerLinkman	8063b671cb	indev: dovecot 2.4 config migration	2026-03-04 15:19:14 +01:00