Set HOST env vars

[Postfix] Add extra.cf via jinja2 include
2026-02-15 21:10:04 +00:00 · 2025-06-02 15:54:16 +02:00 · 2025-06-02 15:53:39 +02:00 · 2025-06-02 15:52:59 +02:00 · 2025-05-31 22:31:08 +02:00 · 2025-05-31 21:50:49 +02:00
1004 changed files with 57316 additions and 13984 deletions
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,7 +1,7 @@
 blank_issues_enabled: false
 contact_links:
  - name: ❓ Community-driven support (Free)
-    url: https://docs.mailcow.email/#get-support
+    url: https://docs.mailcow.email/#community-support-and-chat
    about: Please use the community forum for questions or assistance
  - name: 🔥 Premium Support (Paid)
    url: https://www.servercow.de/mailcow?lang=en#support
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -15,12 +15,6 @@
    "data\/web\/inc\/lib\/vendor\/**"
  ],
  "regexManagers": [
-    {
-      "fileMatch": ["^helper-scripts\/nextcloud.sh$"],
-      "matchStrings": [
-        "#\\srenovate:\\sdatasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?( extractVersion=(?<extractVersion>.*?))?\\s.*?_VERSION=(?<currentValue>.*)"
-       ]
-    },
    {
      "fileMatch": ["(^|/)Dockerfile[^/]*$"],
      "matchStrings": [
--- a/.github/workflows/check_prs_if_on_staging.yml
+++ b/.github/workflows/check_prs_if_on_staging.yml
@@ -12,7 +12,7 @@ jobs:
      - name: Send message
        uses: thollander/actions-comment-pull-request@v3.0.1
        with:
-          GITHUB_TOKEN: ${{ secrets.CHECKIFPRISSTAGING_ACTION_PAT }}
+          github-token: ${{ secrets.CHECKIFPRISSTAGING_ACTION_PAT }}
          message: |
                   Thanks for contributing!

--- a/.github/workflows/close_old_issues_and_prs.yml
+++ b/.github/workflows/close_old_issues_and_prs.yml
@@ -14,7 +14,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Mark/Close Stale Issues and Pull Requests 🗑️
-        uses: actions/stale@v9.0.0
+        uses: actions/stale@v9.1.0
        with:
          repo-token: ${{ secrets.STALE_ACTION_PAT }}
          days-before-stale: 60
--- a/.github/workflows/image_builds.yml
+++ b/.github/workflows/image_builds.yml
@@ -23,7 +23,6 @@ jobs:
          - "postfix-mailcow"
          - "rspamd-mailcow"
          - "sogo-mailcow"
-          - "solr-mailcow"
          - "unbound-mailcow"
          - "watchdog-mailcow"
    runs-on: ubuntu-latest
--- a/.github/workflows/pr_to_nightly.yml
+++ b/.github/workflows/pr_to_nightly.yml
@@ -12,7 +12,7 @@ jobs:
        with:
          fetch-depth: 0
      - name: Run the Action
-        uses: devops-infra/action-pull-request@v0.5.5
+        uses: devops-infra/action-pull-request@v0.6.0
        with:
          github_token: ${{ secrets.PRTONIGHTLY_ACTION_PAT }}
          title: Automatic PR to nightly from ${{ github.event.repository.updated_at}}
--- a/.github/workflows/rebuild_backup_image.yml
+++ b/.github/workflows/rebuild_backup_image.yml
@@ -9,6 +9,8 @@ on:
 jobs:
  docker_image_build:
    runs-on: ubuntu-latest
+    permissions:
+      packages: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -19,11 +21,13 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

-      - name: Login to Docker Hub
+      - name: Login to GHCR
+        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
-          username: ${{ secrets.BACKUPIMAGEBUILD_ACTION_DOCKERHUB_USERNAME }}
-          password: ${{ secrets.BACKUPIMAGEBUILD_ACTION_DOCKERHUB_TOKEN }}
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        uses: docker/build-push-action@v6
@@ -32,4 +36,4 @@ jobs:
          platforms: linux/amd64,linux/arm64
          file: data/Dockerfiles/backup/Dockerfile
          push: true
-          tags: mailcow/backup:latest
+          tags: ghcr.io/mailcow/backup:latest
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,3 @@
-!data/conf/nginx/dynmaps.conf
-!data/conf/nginx/meta_exporter.conf
-!data/conf/nginx/site.conf
 !/**/.gitkeep
 *.iml
 .idea
@@ -8,48 +5,33 @@
 data/assets/ssl-example/*
 data/assets/ssl/*
 data/conf/borgmatic/
-data/conf/clamav/whitelist.ign2
-data/conf/dovecot/acl_anyone
-data/conf/dovecot/dovecot-master.passwd
-data/conf/dovecot/dovecot-master.userdb
+data/conf/clamav/rendered_configs
 data/conf/dovecot/extra.conf
-data/conf/dovecot/mail_replica.conf
-data/conf/dovecot/global_sieve_*
-data/conf/dovecot/last_login
-data/conf/dovecot/lua
-data/conf/dovecot/mail_plugins*
-data/conf/dovecot/shared_namespace.conf
-data/conf/dovecot/sni.conf
-data/conf/dovecot/sogo-sso.conf
-data/conf/dovecot/sogo_trusted_ip.conf
-data/conf/dovecot/sql
-data/conf/nextcloud-*.bak
-data/conf/nginx/*.active
-data/conf/nginx/*.bak
-data/conf/nginx/*.conf
-data/conf/nginx/*.custom
+data/conf/dovecot/rendered_configs
+data/conf/nginx/rendered_configs
 data/conf/phpfpm/sogo-sso/sogo-sso.pass
+data/conf/phpfpm/rendered_configs
 data/conf/portainer/
-data/conf/postfix/allow_mailcow_local.regexp
-data/conf/postfix/custom_postscreen_whitelist.cidr
-data/conf/postfix/custom_transport.pcre
 data/conf/postfix/extra.cf
-data/conf/postfix/sni.map
-data/conf/postfix/sni.map.db
-data/conf/postfix/sql
-data/conf/postfix/dns_blocklists.cf
-data/conf/postfix/dnsbl_reply.map
+data/conf/postfix/rendered_configs
 data/conf/rspamd/custom/*
 data/conf/rspamd/local.d/*
 data/conf/rspamd/override.d/*
+data/conf/rspamd/rendered_configs
 data/conf/sogo/custom-theme.js
-data/conf/sogo/plist_ldap
 data/conf/sogo/sieve.creds
 data/conf/sogo/cron.creds
-data/conf/sogo/sogo-full.svg
+data/conf/sogo/custom-fulllogo.svg
+data/conf/sogo/custom-shortlogo.svg
+data/conf/sogo/custom-fulllogo.png
+data/conf/sogo/rendered_configs
+data/conf/mysql/rendered_configs
 data/gitea/
 data/gogs/
+data/hooks/clamd/*
 data/hooks/dovecot/*
+data/hooks/mariadb/*
+data/hooks/nginx/*
 data/hooks/phpfpm/*
 data/hooks/postfix/*
 data/hooks/rspamd/*
@@ -70,3 +52,4 @@ rebuild-images.sh
 refresh_images.sh
 update_diffs/
 create_cold_standby.sh
+!data/conf/nginx/mailcow_auth.conf
--- a/README.md
+++ b/README.md
@@ -13,6 +13,22 @@ You can also [get a SAL](https://www.servercow.de/mailcow?lang=en#sal) which is

 Or just spread the word: moo.

+## Many thanks to our GitHub Sponsors ❤️
+A big thank you to everyone supporting us on GitHub Sponsors—your contributions mean the world to us! Special thanks to the following amazing supporters:
+
+### 100$/Month Sponsors
+  <a href="https://www.colba.net/" target=_blank><img
+    src="https://avatars.githubusercontent.com/u/204464723" height="58"
+  /></a>
+  <a href="https://www.maehdros.com/" target=_blank><img
+    src="https://avatars.githubusercontent.com/u/173894712" height="58"
+  /></a>
+
+### 50$/Month Sponsors
+  <a href="https://github.com/vnukhr" target=_blank><img
+    src="https://avatars.githubusercontent.com/u/7805987?s=52&v=4" height="58"
+  /></a>
+
 ## Info, documentation and support

 Please see [the official documentation](https://docs.mailcow.email/) for installation and support instructions. 🐄
--- a/data/Dockerfiles/acme/Dockerfile
+++ b/data/Dockerfiles/acme/Dockerfile
@@ -1,8 +1,7 @@
-FROM alpine:3.20
+FROM alpine:3.21

 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"

-
 RUN apk upgrade --no-cache \
  && apk add --update --no-cache \
  bash \
@@ -15,7 +14,7 @@ RUN apk upgrade --no-cache \
  tini \
  tzdata \
  python3 \
-  acme-tiny --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community/
+  acme-tiny

 COPY acme.sh /srv/acme.sh
 COPY functions.sh /srv/functions.sh
--- a/data/Dockerfiles/acme/acme.sh
+++ b/data/Dockerfiles/acme/acme.sh
@@ -4,9 +4,9 @@ exec 5>&1

 # Do not attempt to write to slave
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  export REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
+  export REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
 else
-  export REDIS_CMDLINE="redis-cli -h redis -p 6379"
+  export REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
 fi

 until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
@@ -138,7 +138,7 @@ log_f "Resolver OK"
 log_f "Waiting for domain table..."
 while [[ -z ${DOMAIN_TABLE} ]]; do
  curl --silent http://nginx.${COMPOSE_PROJECT_NAME}_mailcow-network/ >/dev/null 2>&1
-  DOMAIN_TABLE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'domain'" -Bs)
+  DOMAIN_TABLE=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'domain'" -Bs)
  [[ -z ${DOMAIN_TABLE} ]] && sleep 10
 done
 log_f "OK" no_date
@@ -231,7 +231,7 @@ while true; do

  #########################################
  # IP and webroot challenge verification #
-  SQL_DOMAINS=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 and active=1" -Bs)
+  SQL_DOMAINS=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 and active=1" -Bs)
  if [[ ! $? -eq 0 ]]; then
    log_f "Failed to read SQL domains, retrying in 1 minute..."
    sleep 1m
--- a/data/Dockerfiles/acme/obtain-certificate.sh
+++ b/data/Dockerfiles/acme/obtain-certificate.sh
@@ -124,7 +124,7 @@ case "$SUCCESS" in
    ;;
  *) # non-zero is non-fun
    log_f "Failed to obtain certificate ${CERT} for domains '${CERT_DOMAINS[*]}'"
-    redis-cli -h redis SET ACME_FAIL_TIME "$(date +%s)"
+    redis-cli -h redis -a ${REDISPASS} --no-auth-warning SET ACME_FAIL_TIME "$(date +%s)"
    exit 100${SUCCESS}
    ;;
 esac
--- a/data/Dockerfiles/backup/Dockerfile
+++ b/data/Dockerfiles/backup/Dockerfile
@@ -1,3 +1,3 @@
 FROM debian:bookworm-slim

-RUN apt update && apt install pigz
+RUN apt update && apt install pigz -y --no-install-recommends
--- a/data/Dockerfiles/bootstrap/main.py
+++ b/data/Dockerfiles/bootstrap/main.py
@@ -0,0 +1,66 @@
+import os
+import sys
+import signal
+import ipaddress
+
+def handle_sigterm(signum, frame):
+  print("Received SIGTERM, exiting gracefully...")
+  sys.exit(0)
+
+def get_mysql_config(service_name):
+  db_config = {
+    "user": os.getenv("DBUSER") or os.getenv("MYSQL_USER"),
+    "password": os.getenv("DBPASS") or os.getenv("MYSQL_PASSWORD"),
+    "database": os.getenv("DBNAME") or os.getenv("MYSQL_DATABASE"),
+    "connection_timeout": 2,
+    "service_table": "service_settings",
+    "service_types": [service_name]
+  }
+
+  db_host = os.getenv("DB_HOST")
+  if db_host.startswith("/"):
+    db_config["host"] = "localhost"
+    db_config["unix_socket"] = db_host
+  else:
+    db_config["host"] = db_host
+
+  return db_config
+
+def get_redis_config():
+  redis_config = {
+    "read_host": os.getenv("REDIS_HOST"),
+    "read_port": 6379,
+    "write_host": os.getenv("REDIS_SLAVEOF_IP") or os.getenv("REDIS_HOST"),
+    "write_port": int(os.getenv("REDIS_SLAVEOF_PORT") or 6379),
+    "password": os.getenv("REDISPASS"),
+    "db": 0
+  }
+
+  return redis_config
+
+def main():
+  signal.signal(signal.SIGTERM, handle_sigterm)
+
+  container_name = os.getenv("CONTAINER_NAME")
+  service_name = container_name.replace("-mailcow", "").replace("-", "")
+  module_name = f"Bootstrap{service_name.capitalize()}"
+
+  try:
+    mod = __import__(f"modules.{module_name}", fromlist=[module_name])
+    Bootstrap = getattr(mod, module_name)
+  except (ImportError, AttributeError) as e:
+    print(f"Failed to load bootstrap module for: {container_name} → {module_name}")
+    print(str(e))
+    sys.exit(1)
+
+  b = Bootstrap(
+    container=container_name,
+    service=service_name,
+    db_config=get_mysql_config(service_name),
+    redis_config=get_redis_config()
+  )
+
+  b.bootstrap()
+
+if __name__ == "__main__":
+  main()
--- a/data/Dockerfiles/bootstrap/modules/BootstrapBase.py
+++ b/data/Dockerfiles/bootstrap/modules/BootstrapBase.py
@@ -0,0 +1,827 @@
+import os
+import pwd
+import grp
+import shutil
+import secrets
+import string
+import subprocess
+import time
+import socket
+import re
+import redis
+import hashlib
+import json
+import psutil
+import signal
+from urllib.parse import quote
+from pathlib import Path
+import dns.resolver
+import mysql.connector
+
+class BootstrapBase:
+  def __init__(self, container, service, db_config, redis_config):
+    self.container = container
+    self.service = service
+    self.db_config = db_config
+    self.redis_config = redis_config
+
+    self.env = None
+    self.env_vars = None
+    self.mysql_conn = None
+    self.redis_connr = None
+    self.redis_connw = None
+
+  def render_config(self, config_dir):
+    """
+    Renders multiple Jinja2 templates from a config.json file in a given directory.
+
+    Args:
+      config_dir (str or Path): Path to the directory containing config.json
+
+    Behavior:
+      - Renders each template defined in config.json
+      - Writes the result to the specified output path
+      - Also copies the rendered file to: <config_dir>/rendered_configs/<relative_output_path>
+    """
+
+    config_dir = Path(config_dir)
+    config_path = config_dir / "config.json"
+
+    if not config_path.exists():
+      print(f"config.json not found in: {config_dir}")
+      return
+
+    with config_path.open("r") as f:
+      entries = json.load(f)
+
+    for entry in entries:
+      template_name = entry["template"]
+      output_path = Path(entry["output"])
+      clean_blank_lines = entry.get("clean_blank_lines", False)
+      if_not_exists = entry.get("if_not_exists", False)
+
+      if if_not_exists and output_path.exists():
+        print(f"Skipping {output_path} (already exists)")
+        continue
+
+      output_path.parent.mkdir(parents=True, exist_ok=True)
+
+      try:
+        template = self.env.get_template(template_name)
+      except Exception as e:
+        print(f"Template not found: {template_name} ({e})")
+        continue
+
+      rendered = template.render(self.env_vars)
+
+      if clean_blank_lines:
+        rendered = "\n".join(line for line in rendered.splitlines() if line.strip())
+
+      rendered = rendered.replace('\r\n', '\n').replace('\r', '\n')
+
+      with output_path.open("w") as f:
+        f.write(rendered)
+
+      rendered_copy_path = config_dir / "rendered_configs" / output_path.name
+      rendered_copy_path.parent.mkdir(parents=True, exist_ok=True)
+      self.copy_file(output_path, rendered_copy_path)
+
+      print(f"Rendered {template_name} → {output_path}")
+
+  def prepare_template_vars(self, overwrite_path, extra_vars = None):
+    """
+    Loads and merges environment variables for Jinja2 templates from multiple sources, and registers custom template filters.
+
+    This method combines variables from:
+      1. System environment variables
+      2. The MySQL `service_settings` table (filtered by service type if defined)
+      3. An optional `extra_vars` dictionary
+      4. A JSON overwrite file (if it exists at the given path)
+
+    Also registers custom Jinja2 filters.
+
+    Args:
+        overwrite_path (str or Path): Path to a JSON file containing key-value overrides.
+        extra_vars (dict, optional): Additional variables to merge into the environment.
+
+    Returns:
+        dict: A dictionary containing all resolved template variables.
+
+    Raises:
+        Prints errors if database fetch or JSON parsing fails, but does not raise exceptions.
+    """
+
+    # 1. setup filters
+    self.env.filters['sha1'] = self.sha1_filter
+    self.env.filters['urlencode'] = self.urlencode_filter
+    self.env.filters['escape_quotes'] = self.escape_quotes_filter
+
+    # 2. Load env vars
+    env_vars = dict(os.environ)
+
+    # 3. Load from MySQL
+    try:
+      cursor = self.mysql_conn.cursor()
+
+      if self.db_config['service_types']:
+        placeholders = ','.join(['%s'] * len(self.db_config['service_types']))
+        sql = f"SELECT `key`, `value` FROM {self.db_config['service_table']} WHERE `type` IN ({placeholders})"
+        cursor.execute(sql, self.db_config['service_types'])
+      else:
+        cursor.execute(f"SELECT `key`, `value` FROM {self.db_config['service_table']}")
+
+      for key, value in cursor.fetchall():
+        env_vars[key] = value
+
+      cursor.close()
+    except Exception as e:
+      print(f"Failed to fetch DB service settings: {e}")
+
+    # 4. Load extra vars
+    if extra_vars:
+      env_vars.update(extra_vars)
+
+    # 5. Load overwrites
+    overwrite_path = Path(overwrite_path)
+    if overwrite_path.exists():
+      try:
+        with overwrite_path.open("r") as f:
+          overwrite_data = json.load(f)
+          env_vars.update(overwrite_data)
+      except Exception as e:
+        print(f"Failed to parse overwrites: {e}")
+
+    return env_vars
+
+  def set_timezone(self):
+    """
+    Sets the system timezone based on the TZ environment variable.
+
+    If the TZ variable is set, writes its value to /etc/timezone.
+    """
+
+    timezone = os.getenv("TZ")
+    if timezone:
+      with open("/etc/timezone", "w") as f:
+        f.write(timezone + "\n")
+
+  def set_syslog_redis(self):
+    """
+    Reconfigures syslog-ng to use a Redis slave configuration.
+
+    If the REDIS_SLAVEOF_IP environment variable is set, replaces the syslog-ng config
+    with the Redis slave-specific config.
+    """
+
+    redis_slave_ip = os.getenv("REDIS_SLAVEOF_IP")
+    if redis_slave_ip:
+      shutil.copy("/etc/syslog-ng/syslog-ng-redis_slave.conf", "/etc/syslog-ng/syslog-ng.conf")
+
+  def rsync_file(self, src, dst, recursive=False, owner=None, mode=None):
+    """
+    Copies files or directories using rsync, with optional ownership and permissions.
+
+    Args:
+        src (str or Path): Source file or directory.
+        dst (str or Path): Destination directory.
+        recursive (bool): If True, copies contents recursively.
+        owner (tuple): Tuple of (user, group) to set ownership.
+        mode (int): File mode (e.g., 0o644) to set permissions after sync.
+    """
+
+    src_path = Path(src)
+    dst_path = Path(dst)
+    dst_path.mkdir(parents=True, exist_ok=True)
+
+    rsync_cmd = ["rsync", "-a"]
+    if recursive:
+      rsync_cmd.append(str(src_path) + "/")
+    else:
+      rsync_cmd.append(str(src_path))
+    rsync_cmd.append(str(dst_path))
+
+    try:
+      subprocess.run(rsync_cmd, check=True)
+    except Exception as e:
+      print(f"Rsync failed: {e}")
+
+    if owner:
+      self.set_owner(dst_path, *owner, recursive=True)
+    if mode:
+      self.set_permissions(dst_path, mode)
+
+  def set_permissions(self, path, mode):
+    """
+    Sets file or directory permissions.
+
+    Args:
+        path (str or Path): Path to the file or directory.
+        mode (int): File mode to apply, e.g., 0o644.
+
+    Raises:
+        FileNotFoundError: If the path does not exist.
+    """
+
+    file_path = Path(path)
+    if not file_path.exists():
+      raise FileNotFoundError(f"Cannot chmod: {file_path} does not exist")
+    os.chmod(file_path, mode)
+
+  def set_owner(self, path, user, group=None, recursive=False):
+    """
+    Changes ownership of a file or directory.
+
+    Args:
+        path (str or Path): Path to the file or directory.
+        user (str or int): Username or UID for new owner.
+        group (str or int, optional): Group name or GID; defaults to user's group if not provided.
+        recursive (bool): If True and path is a directory, ownership is applied recursively.
+
+    Raises:
+        FileNotFoundError: If the path does not exist.
+    """
+
+    # Resolve UID
+    uid = int(user) if str(user).isdigit() else pwd.getpwnam(user).pw_uid
+    # Resolve GID
+    if group is not None:
+      gid = int(group) if str(group).isdigit() else grp.getgrnam(group).gr_gid
+    else:
+      gid = uid if isinstance(user, int) or str(user).isdigit() else grp.getgrnam(user).gr_gid
+
+    p = Path(path)
+    if not p.exists():
+      raise FileNotFoundError(f"{path} does not exist")
+
+    if recursive and p.is_dir():
+      for sub_path in p.rglob("*"):
+        os.chown(sub_path, uid, gid)
+    os.chown(p, uid, gid)
+
+  def fix_permissions(self, path, user=None, group=None, mode=None, recursive=False):
+    """
+    Sets owner and/or permissions on a file or directory.
+
+    Args:
+      path (str or Path): Target path.
+      user (str|int, optional): Username or UID.
+      group (str|int, optional): Group name or GID.
+      mode (int, optional): File mode (e.g. 0o644).
+      recursive (bool): Apply recursively if path is a directory.
+    """
+
+    if user or group:
+      self.set_owner(path, user, group, recursive)
+    if mode:
+      self.set_permissions(path, mode)
+
+  def move_file(self, src, dst, overwrite=True):
+    """
+    Moves a file from src to dst, optionally overwriting existing files.
+
+    Args:
+        src (str or Path): Source file path.
+        dst (str or Path): Destination path.
+        overwrite (bool): If False, raises error if dst exists.
+
+    Raises:
+        FileNotFoundError: If the source file does not exist.
+        FileExistsError: If the destination file exists and overwrite is False.
+    """
+
+    src_path = Path(src)
+    dst_path = Path(dst)
+
+    if not src_path.exists():
+      raise FileNotFoundError(f"Source file does not exist: {src}")
+
+    dst_path.parent.mkdir(parents=True, exist_ok=True)
+
+    if dst_path.exists() and not overwrite:
+      raise FileExistsError(f"Destination already exists: {dst} (set overwrite=True to overwrite)")
+
+    shutil.move(str(src_path), str(dst_path))
+
+  def copy_file(self, src, dst, overwrite=True):
+    """
+    Copies a file from src to dst using shutil.
+
+    Args:
+      src (str or Path): Source file path.
+      dst (str or Path): Destination file path.
+      overwrite (bool): Whether to overwrite the destination if it exists.
+
+    Raises:
+      FileNotFoundError: If the source file doesn't exist.
+      FileExistsError: If the destination exists and overwrite is False.
+      IOError: If the copy operation fails.
+    """
+
+    src_path = Path(src)
+    dst_path = Path(dst)
+
+    if not src_path.is_file():
+      raise FileNotFoundError(f"Source file not found: {src_path}")
+
+    if dst_path.exists() and not overwrite:
+      raise FileExistsError(f"Destination exists: {dst_path}")
+
+    dst_path.parent.mkdir(parents=True, exist_ok=True)
+
+    shutil.copy2(src_path, dst_path)
+
+  def remove(self, path, recursive=False, wipe_contents=False, exclude=None):
+    """
+    Removes a file or directory with optional exclusion logic.
+
+    Args:
+      path (str or Path): The file or directory path to remove.
+      recursive (bool): If True, directories will be removed recursively.
+      wipe_contents (bool): If True and path is a directory, only its contents are removed, not the dir itself.
+      exclude (list[str], optional): List of filenames to exclude from deletion.
+
+    Raises:
+      FileNotFoundError: If the path does not exist.
+      ValueError: If a directory is passed without recursive or wipe_contents.
+    """
+
+
+    path = Path(path)
+    exclude = set(exclude or [])
+
+    if not path.exists():
+      raise FileNotFoundError(f"Cannot remove: {path} does not exist")
+
+    if wipe_contents and path.is_dir():
+      for child in path.iterdir():
+        if child.name in exclude:
+          continue
+        if child.is_dir():
+          shutil.rmtree(child)
+        else:
+          child.unlink()
+    elif path.is_file():
+      if path.name not in exclude:
+        path.unlink()
+    elif path.is_dir():
+      if recursive:
+        shutil.rmtree(path)
+      else:
+        raise ValueError(f"{path} is a directory. Use recursive=True or wipe_contents=True to remove it.")
+
+  def create_dir(self, path):
+    """
+    Creates a directory if it does not exist.
+
+    If the directory is missing, it will be created along with any necessary parent directories.
+
+    Args:
+      path (str or Path): The directory path to create.
+    """
+
+    dir_path = Path(path)
+    if not dir_path.exists():
+      print(f"Creating directory: {dir_path}")
+      dir_path.mkdir(parents=True, exist_ok=True)
+
+  def patch_exists(self, target_file, patch_file, reverse=False):
+    """
+    Checks whether a patch can be applied (or reversed) to a target file.
+
+    Args:
+        target_file (str): File to test the patch against.
+        patch_file (str): Patch file to apply.
+        reverse (bool): If True, checks whether the patch can be reversed.
+
+    Returns:
+        bool: True if patch is applicable, False otherwise.
+    """
+
+    cmd = ["patch", "-sfN", "--dry-run", target_file, "<", patch_file]
+    if reverse:
+      cmd.insert(1, "-R")
+    try:
+      result = subprocess.run(
+        " ".join(cmd),
+        shell=True,
+        stdout=subprocess.DEVNULL,
+        stderr=subprocess.DEVNULL
+      )
+      return result.returncode == 0
+    except Exception as e:
+      print(f"Patch dry-run failed: {e}")
+      return False
+
+  def apply_patch(self, target_file, patch_file, reverse=False):
+    """
+    Applies a patch file to a target file.
+
+    Args:
+        target_file (str): File to be patched.
+        patch_file (str): Patch file containing the diff.
+        reverse (bool): If True, applies the patch in reverse (rollback).
+
+    Logs:
+        Success or failure of the patching operation.
+    """
+
+    cmd = ["patch", target_file, "<", patch_file]
+    if reverse:
+      cmd.insert(0, "-R")
+    try:
+      subprocess.run(" ".join(cmd), shell=True, check=True)
+      print(f"Applied patch {'(reverse)' if reverse else ''} to {target_file}")
+    except subprocess.CalledProcessError as e:
+      print(f"Patch failed: {e}")
+
+  def isYes(self, value):
+    """
+    Determines whether a given string represents a "yes"-like value.
+
+    Args:
+        value (str): Input string to evaluate.
+
+    Returns:
+        bool: True if value is "yes" or "y" (case-insensitive), otherwise False.
+    """
+    return value.lower() in ["yes", "y"]
+
+  def is_port_open(self, host, port):
+    """
+    Checks whether a TCP port is open on a given host.
+
+    Args:
+        host (str): The hostname or IP address to check.
+        port (int): The TCP port number to test.
+
+    Returns:
+        bool: True if the port is open and accepting connections, False otherwise.
+    """
+
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
+      sock.settimeout(1)
+      result = sock.connect_ex((host, port))
+      return result == 0
+
+  def resolve_docker_dns_record(self, hostname, record_type="A"):
+    """
+    Resolves DNS A or AAAA records for a given hostname.
+
+    Args:
+        hostname (str): The domain to query.
+        record_type (str): "A" for IPv4, "AAAA" for IPv6. Default is "A".
+
+    Returns:
+        list[str]: A list of resolved IP addresses.
+
+    Raises:
+        Exception: If resolution fails or no results are found.
+    """
+
+    try:
+      resolver = dns.resolver.Resolver()
+      resolver.nameservers = ["127.0.0.11"]
+      answers = resolver.resolve(hostname, record_type)
+      return [answer.to_text() for answer in answers]
+    except Exception as e:
+      raise Exception(f"Failed to resolve {record_type} record for {hostname}: {e}")
+
+  def kill_proc(self, process_name):
+    """
+    Sends SIGTERM to all running processes matching the given name.
+
+    Args:
+      process_name (str): Name of the process to terminate.
+
+    Returns:
+      int: Number of processes successfully signaled.
+    """
+
+    killed = 0
+    for proc in psutil.process_iter(['name']):
+      try:
+        if proc.info['name'] == process_name:
+          proc.send_signal(signal.SIGTERM)
+          killed += 1
+      except (psutil.NoSuchProcess, psutil.AccessDenied):
+        continue
+    return killed
+
+  def connect_mysql(self, socket=None):
+    """
+    Establishes a connection to the MySQL database using the provided configuration.
+
+    Continuously retries the connection until the database is reachable. Stores
+    the connection in `self.mysql_conn` once successful.
+
+    Logs:
+        Connection status and retry errors to stdout.
+
+    Args:
+      socket (str, optional): Custom UNIX socket path to override the default.
+    """
+
+    print("Connecting to MySQL...")
+    config = {
+      "host": self.db_config['host'],
+      "user": self.db_config['user'],
+      "password": self.db_config['password'],
+      "database": self.db_config['database'],
+      'connection_timeout': self.db_config['connection_timeout']
+    }
+    if self.db_config['unix_socket']:
+      config["unix_socket"] = socket or self.db_config['unix_socket']
+
+    while True:
+      try:
+        self.mysql_conn = mysql.connector.connect(**config)
+        if self.mysql_conn.is_connected():
+          print("MySQL is up and ready!")
+          break
+      except mysql.connector.Error as e:
+        print(f"Waiting for MySQL... ({e})")
+        time.sleep(2)
+
+  def close_mysql(self):
+    """
+    Closes the MySQL connection if it's currently open and connected.
+
+    Safe to call even if the connection has already been closed.
+    """
+
+    if self.mysql_conn and self.mysql_conn.is_connected():
+      self.mysql_conn.close()
+
+  def connect_redis(self, max_retries=10, delay=2):
+    """
+    Connects to both read and write Redis servers and stores the connections.
+
+    Read server: tries indefinitely until successful.
+    Write server: tries up to `max_retries` before giving up.
+
+    Sets:
+      self.redis_connr: Redis client for read
+      self.redis_connw: Redis client for write
+    """
+
+    use_rw = self.redis_config['read_host'] == self.redis_config['write_host'] and self.redis_config['read_port'] == self.redis_config['write_port']
+
+    if use_rw:
+      print("Connecting to Redis read server...")
+    else:
+      print("Connecting to Redis server...")
+
+    while True:
+      try:
+        clientr = redis.Redis(
+          host=self.redis_config['read_host'],
+          port=self.redis_config['read_port'],
+          password=self.redis_config['password'],
+          db=self.redis_config['db'],
+          decode_responses=True
+        )
+        if clientr.ping():
+          self.redis_connr = clientr
+          print("Redis read server is up and ready!")
+          if use_rw:
+            break
+          else:
+            self.redis_connw = clientr
+            return
+      except redis.RedisError as e:
+        print(f"Waiting for Redis read... ({e})")
+        time.sleep(delay)
+
+
+    print("Connecting to Redis write server...")
+    for attempt in range(max_retries):
+      try:
+        clientw = redis.Redis(
+          host=self.redis_config['write_host'],
+          port=self.redis_config['write_port'],
+          password=self.redis_config['password'],
+          db=self.redis_config['db'],
+          decode_responses=True
+        )
+        if clientw.ping():
+          self.redis_connw = clientw
+          print("Redis write server is up and ready!")
+          return
+      except redis.RedisError as e:
+        print(f"Waiting for Redis write... (attempt {attempt + 1}/{max_retries}) ({e})")
+        time.sleep(delay)
+    print("Redis write server is unreachable.")
+
+  def close_redis(self):
+    """
+    Closes the Redis read/write connections if open.
+    """
+
+    if self.redis_connr:
+      try:
+        self.redis_connr.close()
+      except Exception as e:
+        print(f"Error while closing Redis read connection: {e}")
+      finally:
+        self.redis_connr = None
+
+    if self.redis_connw:
+      try:
+        self.redis_connw.close()
+      except Exception as e:
+        print(f"Error while closing Redis write connection: {e}")
+      finally:
+        self.redis_connw = None
+
+  def wait_for_schema_update(self, init_file_path="init_db.inc.php", check_interval=5):
+    """
+    Waits until the current database schema version matches the expected version
+    defined in a PHP initialization file.
+
+    Compares the `version` value in the `versions` table for `application = 'db_schema'`
+    with the `$db_version` value extracted from the specified PHP file.
+
+    Args:
+        init_file_path (str): Path to the PHP file containing the expected version string.
+        check_interval (int): Time in seconds to wait between version checks.
+
+    Logs:
+        Current vs. expected schema versions until they match.
+    """
+
+    print("Checking database schema version...")
+
+    while True:
+      current_version = self._get_current_db_version()
+      expected_version = self._get_expected_schema_version(init_file_path)
+
+      if current_version == expected_version:
+        print(f"DB schema is up to date: {current_version}")
+        break
+
+      print(f"Waiting for schema update... (DB: {current_version}, Expected: {expected_version})")
+      time.sleep(check_interval)
+
+  def wait_for_host(self, host, retry_interval=1.0, count=1):
+    """
+    Waits for a host to respond to ICMP ping.
+
+    Args:
+      host (str): Hostname or IP to ping.
+      retry_interval (float): Seconds to wait between pings.
+      count (int): Number of ping packets to send per check (default 1).
+    """
+    while True:
+      try:
+        result = subprocess.run(
+          ["ping", "-c", str(count), host],
+          stdout=subprocess.DEVNULL,
+          stderr=subprocess.DEVNULL
+        )
+        if result.returncode == 0:
+          print(f"{host} is reachable via ping.")
+          break
+      except Exception:
+        pass
+      print(f"Waiting for {host}...")
+      time.sleep(retry_interval)
+
+  def wait_for_dns(self, domain, retry_interval=1, timeout=30):
+    """
+    Waits until the domain resolves via DNS using pure Python (socket).
+
+    Args:
+      domain (str): The domain to resolve.
+      retry_interval (int): Time (seconds) to wait between attempts.
+      timeout (int): Maximum total wait time (seconds).
+
+    Returns:
+      bool: True if resolved, False if timed out.
+    """
+
+    start = time.time()
+    while True:
+      try:
+        socket.gethostbyname(domain)
+        print(f"{domain} is resolving via DNS.")
+        return True
+      except socket.gaierror:
+        pass
+
+      if time.time() - start > timeout:
+        print(f"DNS resolution for {domain} timed out.")
+        return False
+
+      print(f"Waiting for DNS for {domain}...")
+      time.sleep(retry_interval)
+
+  def _get_current_db_version(self):
+    """
+    Fetches the current schema version from the database.
+
+    Executes a SELECT query on the `versions` table where `application = 'db_schema'`.
+
+    Returns:
+        str or None: The current schema version as a string, or None if not found or on error.
+
+    Logs:
+        Error message if the query fails.
+    """
+
+    try:
+      cursor = self.mysql_conn.cursor()
+      cursor.execute("SELECT version FROM versions WHERE application = 'db_schema'")
+      result = cursor.fetchone()
+      cursor.close()
+      return result[0] if result else None
+    except Exception as e:
+      print(f"Error fetching current DB schema version: {e}")
+      return None
+
+  def _get_expected_schema_version(self, filepath):
+    """
+    Extracts the expected database schema version from a PHP initialization file.
+
+    Looks for a line in the form of: `$db_version = "..."` and extracts the version string.
+
+    Args:
+        filepath (str): Path to the PHP file containing the `$db_version` definition.
+
+    Returns:
+        str or None: The extracted version string, or None if not found or on error.
+
+    Logs:
+        Error message if the file cannot be read or parsed.
+    """
+
+    try:
+      with open(filepath, "r") as f:
+        content = f.read()
+        match = re.search(r'\$db_version\s*=\s*"([^"]+)"', content)
+        if match:
+          return match.group(1)
+    except Exception as e:
+      print(f"Error reading expected schema version from {filepath}: {e}")
+    return None
+
+  def rand_pass(self, length=22):
+    """
+    Generates a secure random password using allowed characters.
+
+    Allowed characters include upper/lowercase letters, digits, underscores, and hyphens.
+
+    Args:
+        length (int): Length of the password to generate. Default is 22.
+
+    Returns:
+        str: A securely generated random password string.
+    """
+
+    allowed_chars = string.ascii_letters + string.digits + "_-"
+    return ''.join(secrets.choice(allowed_chars) for _ in range(length))
+
+  def run_command(self, command, check=True, shell=False, input_stream=None, log_output=True):
+    """
+    Executes a shell command and optionally logs output.
+
+    Args:
+      command (str or list): Command to run.
+      check (bool): Raise if non-zero exit.
+      shell (bool): Run in shell.
+      input_stream: stdin stream.
+      log_output (bool): If True, print output.
+
+    Returns:
+      subprocess.CompletedProcess
+    """
+    try:
+      result = subprocess.run(
+        command,
+        shell=shell,
+        check=check,
+        stdin=input_stream,
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+        text=True
+      )
+      if log_output:
+        if result.stdout:
+          print(result.stdout.strip())
+        if result.stderr:
+          print(result.stderr.strip())
+      return result
+    except subprocess.CalledProcessError as e:
+      print(f"Command failed with exit code {e.returncode}: {e.cmd}")
+      print(e.stderr.strip())
+      if check:
+        raise
+      return e
+
+  def sha1_filter(self, value):
+    return hashlib.sha1(value.encode()).hexdigest()
+
+  def urlencode_filter(self, value):
+    return quote(value, safe='')
+
+  def escape_quotes_filter(self, value):
+    return value.replace('"', r'\"')
--- a/data/Dockerfiles/bootstrap/modules/BootstrapClamd.py
+++ b/data/Dockerfiles/bootstrap/modules/BootstrapClamd.py
@@ -0,0 +1,60 @@
+from jinja2 import Environment, FileSystemLoader
+from modules.BootstrapBase import BootstrapBase
+from pathlib import Path
+import os
+import sys
+import time
+
+class BootstrapClamd(BootstrapBase):
+  def bootstrap(self):
+    # Skip Clamd if set
+    if self.isYes(os.getenv("SKIP_CLAMD", "")):
+      print("SKIP_CLAMD is set, skipping ClamAV startup...")
+      time.sleep(365 * 24 * 60 * 60)
+      sys.exit(1)
+
+    # Connect to MySQL
+    self.connect_mysql()
+
+    print("Cleaning up tmp files...")
+    tmp_files = Path("/var/lib/clamav").glob("clamav-*.tmp")
+    for tmp_file in tmp_files:
+      try:
+        self.remove(tmp_file)
+        print(f"Removed: {tmp_file}")
+      except Exception as e:
+        print(f"Failed to remove {tmp_file}: {e}")
+
+    self.create_dir("/run/clamav")
+    self.create_dir("/var/lib/clamav")
+
+    # Setup Jinja2 Environment and load vars
+    self.env = Environment(
+      loader=FileSystemLoader([
+        '/service_config/custom_templates',
+        '/service_config/config_templates'
+      ]),
+      keep_trailing_newline=True,
+      lstrip_blocks=True,
+      trim_blocks=True
+    )
+    extra_vars = {
+    }
+    self.env_vars = self.prepare_template_vars('/service_config/overwrites.json', extra_vars)
+
+    print("Set Timezone")
+    self.set_timezone()
+
+    print("Render config")
+    self.render_config("/service_config")
+
+    # Fix permissions
+    self.set_owner("/var/lib/clamav", "clamav", "clamav", recursive=True)
+    self.set_owner("/run/clamav", "clamav", "clamav", recursive=True)
+    self.set_permissions("/var/lib/clamav", 0o755)
+    for item in Path("/var/lib/clamav").glob("*"):
+      self.set_permissions(item, 0o644)
+    self.set_permissions("/run/clamav", 0o750)
+
+    # Copying to /etc/clamav to expose file as-is to administrator
+    self.copy_file("/var/lib/clamav/whitelist.ign2", "/etc/clamav/whitelist.ign2")
--- a/data/Dockerfiles/bootstrap/modules/BootstrapDovecot.py
+++ b/data/Dockerfiles/bootstrap/modules/BootstrapDovecot.py
@@ -0,0 +1,289 @@
+from jinja2 import Environment, FileSystemLoader
+from modules.BootstrapBase import BootstrapBase
+from pathlib import Path
+import os
+import pwd
+import hashlib
+
+class BootstrapDovecot(BootstrapBase):
+  def bootstrap(self):
+    # Connect to MySQL
+    self.connect_mysql()
+    self.wait_for_schema_update()
+
+    # Connect to Redis
+    self.connect_redis()
+    if self.redis_connw:
+      self.redis_connw.set("DOVECOT_REPL_HEALTH", 1)
+
+    # Wait for DNS
+    self.wait_for_dns("mailcow.email")
+
+    # Create missing directories
+    self.create_dir("/etc/dovecot/sql/")
+    self.create_dir("/etc/dovecot/auth/")
+    self.create_dir("/var/vmail/_garbage")
+    self.create_dir("/var/vmail/sieve")
+    self.create_dir("/etc/sogo")
+    self.create_dir("/var/volatile")
+
+    # Setup Jinja2 Environment and load vars
+    self.env = Environment(
+      loader=FileSystemLoader([
+        '/service_config/custom_templates',
+        '/service_config/config_templates'
+      ]),
+      keep_trailing_newline=True,
+      lstrip_blocks=True,
+      trim_blocks=True
+    )
+    extra_vars = {
+      "VALID_CERT_DIRS": self.get_valid_cert_dirs(),
+      "RAND_USER": self.rand_pass(),
+      "RAND_PASS": self.rand_pass(),
+      "RAND_PASS2": self.rand_pass(),
+      "ENV_VARS": dict(os.environ)
+    }
+    self.env_vars = self.prepare_template_vars('/service_config/overwrites.json', extra_vars)
+
+    print("Set Timezone")
+    self.set_timezone()
+
+    print("Render config")
+    self.render_config("/service_config")
+
+    files = [
+      "/etc/dovecot/mail_plugins",
+      "/etc/dovecot/mail_plugins_imap",
+      "/etc/dovecot/mail_plugins_lmtp",
+      "/templates/quarantine.tpl"
+    ]
+    for file in files:
+      self.set_permissions(file, 0o644)
+
+    try:
+      # Migrate old sieve_after file
+      self.move_file("/etc/dovecot/sieve_after", "/var/vmail/sieve/global_sieve_after.sieve")
+    except Exception as e:
+      pass
+    try:
+      # Cleanup random user maildirs
+      self.remove("/var/vmail/mailcow.local", wipe_contents=True)
+    except Exception as e:
+      pass
+    try:
+      # Cleanup PIDs
+      self.remove("/tmp/quarantine_notify.pid")
+    except Exception as e:
+      pass
+    try:
+      self.remove("/var/run/dovecot/master.pid")
+    except Exception as e:
+      pass
+
+    # Check permissions of vmail/index/garbage directories.
+    # Do not do this every start-up, it may take a very long time. So we use a stat check here.
+    files = [
+      "/var/vmail",
+      "/var/vmail/_garbage",
+      "/var/vmail_index"
+    ]
+    for file in files:
+      path = Path(file)
+      try:
+        stat_info = path.stat()
+        current_user = pwd.getpwuid(stat_info.st_uid).pw_name
+
+        if current_user != "vmail":
+          print(f"Ownership of {path} is {current_user}, fixing to vmail:vmail...")
+          self.set_owner(path, user="vmail", group="vmail", recursive=True)
+        else:
+          print(f"Ownership of {path} is already correct (vmail)")
+      except Exception as e:
+          print(f"Error checking ownership of {path}: {e}")
+
+    # Compile sieve scripts
+    files = [
+      "/var/vmail/sieve/global_sieve_before.sieve",
+      "/var/vmail/sieve/global_sieve_after.sieve",
+      "/usr/lib/dovecot/sieve/report-spam.sieve",
+      "/usr/lib/dovecot/sieve/report-ham.sieve",
+    ]
+    for file in files:
+      self.run_command(["sievec", file], check=False)
+
+    # Fix permissions
+    for path in Path("/etc/dovecot/sql").glob("*.conf"):
+      self.set_owner(path, "root", "root")
+      self.set_permissions(path, 0o640)
+
+    files = [
+      "/etc/dovecot/auth/passwd-verify.lua",
+      *Path("/etc/dovecot/sql").glob("dovecot-dict-sql-sieve*"),
+      *Path("/etc/dovecot/sql").glob("dovecot-dict-sql-quota*")
+    ]
+    for file in files:
+      self.set_owner(file, "root", "dovecot")
+
+    self.set_permissions("/etc/dovecot/auth/passwd-verify.lua", 0o640)
+
+    for file in ["/var/vmail/sieve", "/var/volatile", "/var/vmail_index"]:
+      self.set_owner(file, "vmail", "vmail", recursive=True)
+
+    self.run_command(["adduser", "vmail", "tty"])
+    self.run_command(["chmod", "g+rw", "/dev/console"])
+    self.set_owner("/dev/console", "root", "tty")
+    files = [
+      "/usr/lib/dovecot/sieve/rspamd-pipe-ham",
+      "/usr/lib/dovecot/sieve/rspamd-pipe-spam",
+      "/usr/local/bin/imapsync_runner.pl",
+      "/usr/local/bin/imapsync",
+      "/usr/local/bin/trim_logs.sh",
+      "/usr/local/bin/sa-rules.sh",
+      "/usr/local/bin/clean_q_aged.sh",
+      "/usr/local/bin/maildir_gc.sh",
+      "/usr/local/sbin/stop-supervisor.sh",
+      "/usr/local/bin/quota_notify.py",
+      "/usr/local/bin/repl_health.sh",
+      "/usr/local/bin/optimize-fts.sh"
+    ]
+    for file in files:
+      self.set_permissions(file, 0o755)
+
+    # Collect SA rules once now
+    self.run_command(["/usr/local/bin/sa-rules.sh"], check=False)
+
+    self.generate_mail_crypt_keys()
+    self.cleanup_imapsync_jobs()
+    self.generate_guid_version()
+
+  def get_valid_cert_dirs(self):
+    """
+    Returns a mapping of domains to their certificate directory path.
+
+    Example:
+        {
+            "example.com": "/etc/ssl/mail/example.com/",
+            "www.example.com": "/etc/ssl/mail/example.com/"
+        }
+    """
+    sni_map = {}
+    base_path = Path("/etc/ssl/mail")
+    if not base_path.exists():
+      return sni_map
+
+    for cert_dir in base_path.iterdir():
+      if not cert_dir.is_dir():
+        continue
+
+      domains_file = cert_dir / "domains"
+      cert_file = cert_dir / "cert.pem"
+      key_file = cert_dir / "key.pem"
+
+      if not (domains_file.exists() and cert_file.exists() and key_file.exists()):
+        continue
+
+      with open(domains_file, "r") as f:
+        domains = [line.strip() for line in f if line.strip()]
+        for domain in domains:
+          sni_map[domain] = str(cert_dir)
+
+    return sni_map
+
+  def generate_mail_crypt_keys(self):
+    """
+    Ensures mail_crypt EC keypair exists. Generates if missing. Adjusts permissions.
+    """
+
+    key_dir = Path("/mail_crypt")
+    priv_key = key_dir / "ecprivkey.pem"
+    pub_key = key_dir / "ecpubkey.pem"
+
+    # Generate keys if they don't exist or are empty
+    if not priv_key.exists() or priv_key.stat().st_size == 0 or \
+      not pub_key.exists() or pub_key.stat().st_size == 0:
+      self.run_command(
+        "openssl ecparam -name prime256v1 -genkey | openssl pkey -out /mail_crypt/ecprivkey.pem",
+        shell=True
+      )
+      self.run_command(
+        "openssl pkey -in /mail_crypt/ecprivkey.pem -pubout -out /mail_crypt/ecpubkey.pem",
+        shell=True
+      )
+
+    # Set ownership to UID 401 (dovecot)
+    self.set_owner(priv_key, user='401')
+    self.set_owner(pub_key, user='401')
+
+  def cleanup_imapsync_jobs(self):
+    """
+    Cleans up stale imapsync locks and resets running status in the database.
+
+    Deletes the imapsync_busy.lock file if present and sets `is_running` to 0
+    in the `imapsync` table, if it exists.
+
+    Logs:
+      Any issues with file operations or SQL execution.
+    """
+
+    lock_file = Path("/tmp/imapsync_busy.lock")
+    if lock_file.exists():
+      try:
+        lock_file.unlink()
+      except Exception as e:
+        print(f"Failed to remove lock file: {e}")
+
+    try:
+      cursor = self.mysql_conn.cursor()
+      cursor.execute("SHOW TABLES LIKE 'imapsync'")
+      result = cursor.fetchone()
+      if result:
+        cursor.execute("UPDATE imapsync SET is_running='0'")
+        self.mysql_conn.commit()
+      cursor.close()
+    except Exception as e:
+      print(f"Error updating imapsync table: {e}")
+
+  def generate_guid_version(self):
+    """
+    Waits for the `versions` table to be created, then generates a GUID
+    based on the mail hostname and Dovecot's public key and inserts it
+    into the `versions` table.
+
+    If the key or hash is missing or malformed, marks it as INVALID.
+    """
+
+    try:
+      result = self.run_command(["doveconf", "-P"], check=True, log_output=False)
+      pubkey_path = None
+      for line in result.stdout.splitlines():
+        if "mail_crypt_global_public_key" in line:
+          parts = line.split('<')
+          if len(parts) > 1:
+            pubkey_path = parts[1].strip()
+            break
+
+      if pubkey_path and Path(pubkey_path).exists():
+        with open(pubkey_path, "rb") as key_file:
+          pubkey_data = key_file.read()
+
+        hostname = self.env_vars.get("MAILCOW_HOSTNAME", "mailcow.local").encode("utf-8")
+        concat = hostname + pubkey_data
+        guid = hashlib.sha256(concat).hexdigest()
+
+        if len(guid) == 64:
+          version_value = guid
+        else:
+          version_value = "INVALID"
+
+        cursor = self.mysql_conn.cursor()
+        cursor.execute(
+          "REPLACE INTO versions (application, version) VALUES (%s, %s)",
+          ("GUID", version_value)
+        )
+        self.mysql_conn.commit()
+        cursor.close()
+      else:
+        print("Public key not found or unreadable. GUID not generated.")
+    except Exception as e:
+      print(f"Failed to generate or store GUID: {e}")
--- a/data/Dockerfiles/bootstrap/modules/BootstrapMysql.py
+++ b/data/Dockerfiles/bootstrap/modules/BootstrapMysql.py
@@ -0,0 +1,163 @@
+from jinja2 import Environment, FileSystemLoader
+from modules.BootstrapBase import BootstrapBase
+import os
+import time
+import subprocess
+
+class BootstrapMysql(BootstrapBase):
+  def bootstrap(self):
+    dbuser = "root"
+    dbpass = os.getenv("MYSQL_ROOT_PASSWORD", "")
+    socket = "/tmp/mysql-temp.sock"
+
+    # Check if mysql has been initialized
+    if os.path.exists("/var/lib/mysql/mysql/db.frm"):
+      print("Starting temporary mysqld for upgrade...")
+      self.start_temporary(socket)
+
+      self.connect_mysql(socket)
+
+      print("Running mysql_upgrade...")
+      self.upgrade_mysql(dbuser, dbpass, socket)
+      print("Checking timezone support with CONVERT_TZ...")
+      self.check_and_import_timezone_support(dbuser, dbpass, socket)
+
+      print("Shutting down temporary mysqld...")
+      self.close_mysql()
+      self.stop_temporary(dbuser, dbpass, socket)
+
+
+    # Setup Jinja2 Environment and load vars
+    self.env = Environment(
+      loader=FileSystemLoader([
+        '/service_config/custom_templates',
+        '/service_config/config_templates'
+      ]),
+      keep_trailing_newline=True,
+      lstrip_blocks=True,
+      trim_blocks=True
+    )
+    extra_vars = {
+    }
+    self.env_vars = self.prepare_template_vars('/service_config/overwrites.json', extra_vars)
+
+    print("Set Timezone")
+    self.set_timezone()
+
+    print("Render config")
+    self.render_config("/service_config")
+
+  def start_temporary(self, socket):
+    """
+    Starts a temporary mysqld process in the background using the given UNIX socket.
+
+    The server is started with networking disabled (--skip-networking).
+
+    Args:
+      socket (str): Path to the UNIX socket file for MySQL to listen on.
+
+    Returns:
+      subprocess.Popen: The running mysqld process object.
+    """
+
+    return subprocess.Popen([
+      "mysqld",
+      "--user=mysql",
+      "--skip-networking",
+      f"--socket={socket}"
+    ])
+
+  def stop_temporary(self, dbuser, dbpass, socket):
+    """
+    Shuts down the temporary mysqld instance gracefully.
+
+    Uses mariadb-admin to issue a shutdown command to the running server.
+
+    Args:
+      dbuser (str): The MySQL username with shutdown privileges (typically 'root').
+      dbpass (str): The password for the MySQL user.
+      socket (str): Path to the UNIX socket the server is listening on.
+    """
+
+    self.run_command([
+      "mariadb-admin",
+      "shutdown",
+      f"--socket={socket}",
+      "-u", dbuser,
+      f"-p{dbpass}"
+    ])
+
+  def upgrade_mysql(self, dbuser, dbpass, socket, max_retries=5, wait_interval=3):
+    """
+    Executes mysql_upgrade to check and fix any schema or table incompatibilities.
+
+    Retries the upgrade command if it fails, up to a maximum number of attempts.
+
+    Args:
+      dbuser (str): MySQL username with privilege to perform the upgrade.
+      dbpass (str): Password for the MySQL user.
+      socket (str): Path to the MySQL UNIX socket for local communication.
+      max_retries (int): Maximum number of attempts before giving up. Default is 5.
+      wait_interval (int): Number of seconds to wait between retries. Default is 3.
+
+    Returns:
+      bool: True if upgrade succeeded, False if all attempts failed.
+    """
+
+    retries = 0
+    while retries < max_retries:
+      result = self.run_command([
+        "mysql_upgrade",
+        "-u", dbuser,
+        f"-p{dbpass}",
+        f"--socket={socket}"
+      ], check=False)
+
+      if result.returncode == 0:
+        print("mysql_upgrade completed successfully.")
+        break
+      else:
+        print(f"mysql_upgrade failed (try {retries+1}/{max_retries})")
+        retries += 1
+        time.sleep(wait_interval)
+    else:
+      print("mysql_upgrade failed after all retries.")
+      return False
+
+  def check_and_import_timezone_support(self, dbuser, dbpass, socket):
+    """
+    Checks if MySQL supports timezone conversion (CONVERT_TZ).
+    If not, it imports timezone info using mysql_tzinfo_to_sql piped into mariadb.
+    """
+
+    try:
+      cursor = self.mysql_conn.cursor()
+      cursor.execute("SELECT CONVERT_TZ('2019-11-02 23:33:00','Europe/Berlin','UTC')")
+      result = cursor.fetchone()
+      cursor.close()
+
+      if not result or result[0] is None:
+        print("Timezone conversion failed or returned NULL. Importing timezone info...")
+
+        # Use mysql_tzinfo_to_sql piped into mariadb
+        tz_dump = subprocess.Popen(
+          ["mysql_tzinfo_to_sql", "/usr/share/zoneinfo"],
+          stdout=subprocess.PIPE
+        )
+
+        self.run_command([
+          "mariadb",
+          "--socket", socket,
+          "-u", dbuser,
+          f"-p{dbpass}",
+          "mysql"
+        ], input_stream=tz_dump.stdout)
+
+        tz_dump.stdout.close()
+        tz_dump.wait()
+
+        print("Timezone info successfully imported.")
+      else:
+        print(f"Timezone support is working. Sample result: {result[0]}")
+    except Exception as e:
+      print(f"Failed to verify or import timezone info: {e}")
--- a/data/Dockerfiles/bootstrap/modules/BootstrapNginx.py
+++ b/data/Dockerfiles/bootstrap/modules/BootstrapNginx.py
@@ -0,0 +1,65 @@
+from jinja2 import Environment, FileSystemLoader
+from modules.BootstrapBase import BootstrapBase
+import os
+
+class BootstrapNginx(BootstrapBase):
+  def bootstrap(self):
+    # Connect to MySQL
+    self.connect_mysql()
+
+    # wait for Hosts
+    php_service = os.getenv("PHPFPM_HOST") or "php-fpm-mailcow"
+    rspamd_service = os.getenv("RSPAMD_HOST") or "rspamd-mailcow"
+    sogo_service = os.getenv("SOGO_HOST")
+    self.wait_for_host(php_service)
+    if not self.isYes(os.getenv("SKIP_RSPAMD", False)):
+      self.wait_for_host(rspamd_service)
+    if not self.isYes(os.getenv("SKIP_SOGO", False)):
+      self.wait_for_host(sogo_service)
+
+    # Setup Jinja2 Environment and load vars
+    self.env = Environment(
+      loader=FileSystemLoader([
+        '/service_config/custom_templates',
+        '/service_config/config_templates'
+      ]),
+      keep_trailing_newline=True,
+      lstrip_blocks=True,
+      trim_blocks=True
+    )
+    extra_vars = {
+      "VALID_CERT_DIRS": self.get_valid_cert_dirs(),
+      'TRUSTED_PROXIES': [item.strip() for item in os.getenv("TRUSTED_PROXIES", "").split(",") if item.strip()],
+      'ADDITIONAL_SERVER_NAMES': [item.strip() for item in os.getenv("ADDITIONAL_SERVER_NAMES", "").split(",") if item.strip()],
+    }
+    self.env_vars = self.prepare_template_vars('/service_config/overwrites.json', extra_vars)
+
+    print("Set Timezone")
+    self.set_timezone()
+
+    print("Render config")
+    self.render_config("/service_config")
+
+  def get_valid_cert_dirs(self):
+    ssl_dir = '/etc/ssl/mail/'
+    valid_cert_dirs = []
+    for d in os.listdir(ssl_dir):
+      full_path = os.path.join(ssl_dir, d)
+      if not os.path.isdir(full_path):
+        continue
+
+      cert_path = os.path.join(full_path, 'cert.pem')
+      key_path = os.path.join(full_path, 'key.pem')
+      domains_path = os.path.join(full_path, 'domains')
+
+      if os.path.isfile(cert_path) and os.path.isfile(key_path) and os.path.isfile(domains_path):
+        with open(domains_path, 'r') as file:
+          domains = file.read().strip()
+        domains_list = domains.split()
+        if domains_list and os.getenv("MAILCOW_HOSTNAME", "") not in domains_list:
+          valid_cert_dirs.append({
+            'cert_path': full_path + '/',
+            'domains': domains
+          })
+
+    return valid_cert_dirs
--- a/data/Dockerfiles/bootstrap/modules/BootstrapPhpfpm.py
+++ b/data/Dockerfiles/bootstrap/modules/BootstrapPhpfpm.py
@@ -0,0 +1,202 @@
+from jinja2 import Environment, FileSystemLoader
+from modules.BootstrapBase import BootstrapBase
+import os
+import ipaddress
+
+class BootstrapPhpfpm(BootstrapBase):
+  def bootstrap(self):
+    self.connect_mysql()
+    self.connect_redis()
+
+    # Setup Jinja2 Environment and load vars
+    self.env = Environment(
+      loader=FileSystemLoader([
+        '/service_config/custom_templates',
+        '/service_config/config_templates'
+      ]),
+      keep_trailing_newline=True,
+      lstrip_blocks=True,
+      trim_blocks=True
+    )
+    extra_vars = {
+    }
+    self.env_vars = self.prepare_template_vars('/service_config/overwrites.json', extra_vars)
+
+    print("Set Timezone")
+    self.set_timezone()
+
+    # Prepare Redis and MySQL Database
+    # TODO: move to dockerapi
+    if self.isYes(os.getenv("MASTER", "")):
+      print("We are master, preparing...")
+      self.prepare_redis()
+      self.setup_apikeys(
+        os.getenv("API_ALLOW_FROM", "").strip(),
+        os.getenv("API_KEY", "").strip(),
+        os.getenv("API_KEY_READ_ONLY", "").strip()
+      )
+      self.setup_mysql_events()
+
+
+    print("Render config")
+    self.render_config("/service_config")
+
+    self.copy_file("/usr/local/etc/php/conf.d/opcache-recommended.ini", "/php-conf/opcache-recommended.ini")
+    self.copy_file("/usr/local/etc/php-fpm.d/z-pools.conf", "/php-conf/pools.conf")
+    self.copy_file("/usr/local/etc/php/conf.d/zzz-other.ini", "/php-conf/other.ini")
+    self.copy_file("/usr/local/etc/php/conf.d/upload.ini", "/php-conf/upload.ini")
+    self.copy_file("/usr/local/etc/php/conf.d/session_store.ini", "/php-conf/session_store.ini")
+
+    self.set_owner("/global_sieve", 82, 82, recursive=True)
+    self.set_owner("/web/templates/cache", 82, 82, recursive=True)
+    self.remove("/web/templates/cache", wipe_contents=True, exclude=[".gitkeep"])
+
+    print("Running DB init...")
+    self.run_command(["php", "-c", "/usr/local/etc/php", "-f", "/web/inc/init_db.inc.php"], check=False)
+
+  def prepare_redis(self):
+    print("Setting default Redis keys if missing...")
+
+    # Q_RELEASE_FORMAT
+    if self.redis_connw and self.redis_connr.get("Q_RELEASE_FORMAT") is None:
+        self.redis_connw.set("Q_RELEASE_FORMAT", "raw")
+
+    # Q_MAX_AGE
+    if self.redis_connw and self.redis_connr.get("Q_MAX_AGE") is None:
+      self.redis_connw.set("Q_MAX_AGE", 365)
+
+    # PASSWD_POLICY hash defaults
+    if self.redis_connw and self.redis_connr.hget("PASSWD_POLICY", "length") is None:
+      self.redis_connw.hset("PASSWD_POLICY", mapping={
+        "length": 6,
+        "chars": 0,
+        "special_chars": 0,
+        "lowerupper": 0,
+        "numbers": 0
+      })
+
+    # DOMAIN_MAP
+    print("Rebuilding DOMAIN_MAP from MySQL...")
+    if self.redis_connw:
+      self.redis_connw.delete("DOMAIN_MAP")
+    domains = set()
+    try:
+      cursor = self.mysql_conn.cursor()
+
+      cursor.execute("SELECT domain FROM domain")
+      domains.update(row[0] for row in cursor.fetchall())
+      cursor.execute("SELECT alias_domain FROM alias_domain")
+      domains.update(row[0] for row in cursor.fetchall())
+
+      cursor.close()
+
+      if domains:
+        for domain in domains:
+          if self.redis_connw:
+            self.redis_conn.hset("DOMAIN_MAP", domain, 1)
+        print(f"{len(domains)} domains added to DOMAIN_MAP.")
+      else:
+        print("No domains found to insert into DOMAIN_MAP.")
+    except Exception as e:
+      print(f"Failed to rebuild DOMAIN_MAP: {e}")
+
+  def setup_apikeys(self, api_allow_from, api_key_rw, api_key_ro):
+    if not api_allow_from or api_allow_from == "invalid":
+      return
+
+    print("Validating API_ALLOW_FROM IPs...")
+    ip_list = [ip.strip() for ip in api_allow_from.split(",")]
+    validated_ips = []
+
+    for ip in ip_list:
+      try:
+        ipaddress.ip_network(ip, strict=False)
+        validated_ips.append(ip)
+      except ValueError:
+        continue
+    if not validated_ips:
+      print("No valid IPs found in API_ALLOW_FROM")
+      return
+
+    allow_from_str = ",".join(validated_ips)
+    cursor = self.mysql_conn.cursor()
+    try:
+      if api_key_rw and api_key_rw != "invalid":
+        print("Setting RW API key...")
+        cursor.execute("DELETE FROM api WHERE access = 'rw'")
+        cursor.execute(
+          "INSERT INTO api (api_key, active, allow_from, access) VALUES (%s, %s, %s, %s)",
+          (api_key_rw, 1, allow_from_str, "rw")
+        )
+
+      if api_key_ro and api_key_ro != "invalid":
+        print("Setting RO API key...")
+        cursor.execute("DELETE FROM api WHERE access = 'ro'")
+        cursor.execute(
+          "INSERT INTO api (api_key, active, allow_from, access) VALUES (%s, %s, %s, %s)",
+          (api_key_ro, 1, allow_from_str, "ro")
+        )
+
+      self.mysql_conn.commit()
+      print("API key(s) set successfully.")
+    except Exception as e:
+      print(f"Failed to configure API keys: {e}")
+      self.mysql_conn.rollback()
+    finally:
+      cursor.close()
+
+  def setup_mysql_events(self):
+    print("Creating scheduled MySQL EVENTS...")
+
+    queries = [
+      "DROP EVENT IF EXISTS clean_spamalias;",
+      """
+      CREATE EVENT clean_spamalias
+      ON SCHEDULE EVERY 1 DAY
+      DO
+      DELETE FROM spamalias WHERE validity < UNIX_TIMESTAMP();
+      """,
+      "DROP EVENT IF EXISTS clean_oauth2;",
+      """
+      CREATE EVENT clean_oauth2
+      ON SCHEDULE EVERY 1 DAY
+      DO
+      BEGIN
+        DELETE FROM oauth_refresh_tokens WHERE expires < NOW();
+        DELETE FROM oauth_access_tokens WHERE expires < NOW();
+        DELETE FROM oauth_authorization_codes WHERE expires < NOW();
+      END;
+      """,
+      "DROP EVENT IF EXISTS clean_sasl_log;",
+      """
+      CREATE EVENT clean_sasl_log
+      ON SCHEDULE EVERY 1 DAY
+      DO
+      BEGIN
+        DELETE sasl_log.* FROM sasl_log
+          LEFT JOIN (
+            SELECT username, service, MAX(datetime) AS lastdate
+            FROM sasl_log
+            GROUP BY username, service
+          ) AS last
+          ON sasl_log.username = last.username AND sasl_log.service = last.service
+          WHERE datetime < DATE_SUB(NOW(), INTERVAL 31 DAY)
+            AND datetime < lastdate;
+
+        DELETE FROM sasl_log
+          WHERE username NOT IN (SELECT username FROM mailbox)
+            AND datetime < DATE_SUB(NOW(), INTERVAL 31 DAY);
+      END;
+      """
+    ]
+
+    try:
+      cursor = self.mysql_conn.cursor()
+      for query in queries:
+        cursor.execute(query)
+      self.mysql_conn.commit()
+      cursor.close()
+      print("MySQL EVENTS created successfully.")
+    except Exception as e:
+      print(f"Failed to create MySQL EVENTS: {e}")
+      self.mysql_conn.rollback()
--- a/data/Dockerfiles/bootstrap/modules/BootstrapPostfix.py
+++ b/data/Dockerfiles/bootstrap/modules/BootstrapPostfix.py
@@ -0,0 +1,83 @@
+from jinja2 import Environment, FileSystemLoader
+from modules.BootstrapBase import BootstrapBase
+from pathlib import Path
+
+class BootstrapPostfix(BootstrapBase):
+  def bootstrap(self):
+    # Connect to MySQL
+    self.connect_mysql()
+
+    # Wait for DNS
+    self.wait_for_dns("mailcow.email")
+
+    self.create_dir("/opt/postfix/conf/sql/")
+
+    # Setup Jinja2 Environment and load vars
+    self.env = Environment(
+      loader=FileSystemLoader([
+        '/service_config/custom_templates',
+        '/service_config/config_templates'
+      ]),
+      keep_trailing_newline=True,
+      lstrip_blocks=True,
+      trim_blocks=True
+    )
+    extra_vars = {
+      "VALID_CERT_DIRS": self.get_valid_cert_dirs()
+    }
+    self.env_vars = self.prepare_template_vars('/service_config/overwrites.json', extra_vars)
+
+    print("Set Timezone")
+    self.set_timezone()
+
+    print("Set Syslog redis")
+    self.set_syslog_redis()
+
+    print("Render config")
+    self.render_config("/service_config")
+
+    # Create aliases DB
+    self.run_command(["newaliases"])
+
+    # Create SNI Config
+    self.run_command(["postmap", "-F", "hash:/opt/postfix/conf/sni.map"])
+
+    # Fix Postfix permissions
+    self.set_owner("/opt/postfix/conf/sql", user="root", group="postfix", recursive=True)
+    self.set_owner("/opt/postfix/conf/custom_transport.pcre", user="root", group="postfix")
+    for cf_file in Path("/opt/postfix/conf/sql").glob("*.cf"):
+      self.set_permissions(cf_file, 0o640)
+    self.set_permissions("/opt/postfix/conf/custom_transport.pcre", 0o640)
+    self.set_owner("/var/spool/postfix/public", user="root", group="postdrop", recursive=True)
+    self.set_owner("/var/spool/postfix/maildrop", user="root", group="postdrop", recursive=True)
+    self.run_command(["postfix", "set-permissions"], check=False)
+
+    # Checking if there is a leftover of a crashed postfix container before starting a new one
+    pid_file = Path("/var/spool/postfix/pid/master.pid")
+    if pid_file.exists():
+      print(f"Removing stale Postfix PID file: {pid_file}")
+      pid_file.unlink()
+
+  def get_valid_cert_dirs(self):
+    certs = {}
+    base_path = Path("/etc/ssl/mail")
+    if not base_path.exists():
+      return certs
+
+    for cert_dir in base_path.iterdir():
+      if not cert_dir.is_dir():
+        continue
+
+      domains_file = cert_dir / "domains"
+      cert_file = cert_dir / "cert.pem"
+      key_file = cert_dir / "key.pem"
+
+      if not (domains_file.exists() and cert_file.exists() and key_file.exists()):
+        continue
+
+      with open(domains_file, "r") as f:
+        domains = [line.strip() for line in f if line.strip()]
+        if domains:
+          certs[str(cert_dir)] = domains
+
+    return certs
--- a/data/Dockerfiles/bootstrap/modules/BootstrapRspamd.py
+++ b/data/Dockerfiles/bootstrap/modules/BootstrapRspamd.py
@@ -0,0 +1,132 @@
+from jinja2 import Environment, FileSystemLoader
+from modules.BootstrapBase import BootstrapBase
+from pathlib import Path
+import time
+import platform
+
+class BootstrapRspamd(BootstrapBase):
+  def bootstrap(self):
+    # Connect to MySQL
+    self.connect_mysql()
+
+    # Connect to MySQL
+    self.connect_redis()
+
+    # get dovecot ips
+    dovecot_v4 = []
+    dovecot_v6 = []
+    while not dovecot_v4 and not dovecot_v6:
+      try:
+        dovecot_v4 = self.resolve_docker_dns_record("dovecot-mailcow", "A")
+        dovecot_v6 = self.resolve_docker_dns_record("dovecot-mailcow", "AAAA")
+      except Exception as e:
+        print(e)
+      if not dovecot_v4 and not dovecot_v6:
+        print("Waiting for Dovecot IPs...")
+        time.sleep(3)
+
+    # get rspamd ips
+    rspamd_v4 = []
+    rspamd_v6 = []
+    while not rspamd_v4 and not rspamd_v6:
+      try:
+        rspamd_v4 = self.resolve_docker_dns_record("rspamd-mailcow", "A")
+        rspamd_v6 = self.resolve_docker_dns_record("rspamd-mailcow", "AAAA")
+      except Exception:
+        print(e)
+      if not rspamd_v4 and not rspamd_v6:
+        print("Waiting for Rspamd IPs...")
+        time.sleep(3)
+
+    # wait for Services
+    services = [
+      ["php-fpm-mailcow", 9001],
+      ["php-fpm-mailcow", 9002]
+    ]
+    for service in services:
+      while not self.is_port_open(service[0], service[1]):
+        print(f"Waiting for {service[0]} on port {service[1]}...")
+        time.sleep(1)
+      print(f"Service {service[0]} on port {service[1]} is ready!")
+
+    for dir_path in ["/etc/rspamd/plugins.d", "/etc/rspamd/custom"]:
+      Path(dir_path).mkdir(parents=True, exist_ok=True)
+    for file_path in ["/etc/rspamd/rspamd.conf.local", "/etc/rspamd/rspamd.conf.override"]:
+      Path(file_path).touch(exist_ok=True)
+    self.set_permissions("/var/lib/rspamd", 0o755)
+
+
+    # Setup Jinja2 Environment and load vars
+    self.env = Environment(
+      loader=FileSystemLoader([
+        '/service_config/custom_templates',
+        '/service_config/config_templates'
+      ]),
+      keep_trailing_newline=True,
+      lstrip_blocks=True,
+      trim_blocks=True
+    )
+    extra_vars = {
+      "DOVECOT_V4": dovecot_v4[0],
+      "DOVECOT_V6": dovecot_v6[0],
+      "RSPAMD_V4": rspamd_v4[0],
+      "RSPAMD_V6": rspamd_v6[0],
+    }
+    self.env_vars = self.prepare_template_vars('/service_config/overwrites.json', extra_vars)
+
+    print("Set Timezone")
+    self.set_timezone()
+
+    print("Render config")
+    self.render_config("/service_config")
+
+    # Fix missing default global maps, if any
+    # These exists in mailcow UI and should not be removed
+    files = [
+      "/etc/rspamd/custom/global_mime_from_blacklist.map",
+      "/etc/rspamd/custom/global_rcpt_blacklist.map",
+      "/etc/rspamd/custom/global_smtp_from_blacklist.map",
+      "/etc/rspamd/custom/global_mime_from_whitelist.map",
+      "/etc/rspamd/custom/global_rcpt_whitelist.map",
+      "/etc/rspamd/custom/global_smtp_from_whitelist.map",
+      "/etc/rspamd/custom/bad_languages.map",
+      "/etc/rspamd/custom/sa-rules",
+      "/etc/rspamd/custom/dovecot_trusted.map",
+      "/etc/rspamd/custom/rspamd_trusted.map",
+      "/etc/rspamd/custom/mailcow_networks.map",
+      "/etc/rspamd/custom/ip_wl.map",
+      "/etc/rspamd/custom/fishy_tlds.map",
+      "/etc/rspamd/custom/bad_words.map",
+      "/etc/rspamd/custom/bad_asn.map",
+      "/etc/rspamd/custom/bad_words_de.map",
+      "/etc/rspamd/custom/bulk_header.map",
+      "/etc/rspamd/custom/bad_header.map"
+    ]
+    for file in files:
+      path = Path(file)
+      path.parent.mkdir(parents=True, exist_ok=True)
+      path.touch(exist_ok=True)
+
+    # Fix permissions
+    paths_rspamd = [
+      "/var/lib/rspamd",
+      "/etc/rspamd/local.d",
+      "/etc/rspamd/override.d",
+      "/etc/rspamd/rspamd.conf.local",
+      "/etc/rspamd/rspamd.conf.override",
+      "/etc/rspamd/plugins.d"
+    ]
+    for path in paths_rspamd:
+      self.set_owner(path, "_rspamd", "_rspamd", recursive=True)
+    self.set_owner("/etc/rspamd/custom", "_rspamd", "_rspamd")
+    self.set_permissions("/etc/rspamd/custom", 0o755)
+
+    custom_path = Path("/etc/rspamd/custom")
+    for child in custom_path.iterdir():
+      if child.is_file():
+        self.set_owner(child, 82, 82)
+        self.set_permissions(child, 0o644)
+
+    # Provide additional lua modules
+    arch = platform.machine()
+    self.run_command(["ln", "-s", f"/usr/lib/{arch}-linux-gnu/liblua5.1-cjson.so.0.0.0", "/usr/lib/rspamd/cjson.so"], check=False)
--- a/data/Dockerfiles/bootstrap/modules/BootstrapSogo.py
+++ b/data/Dockerfiles/bootstrap/modules/BootstrapSogo.py
@@ -0,0 +1,138 @@
+from jinja2 import Environment, FileSystemLoader
+from modules.BootstrapBase import BootstrapBase
+from pathlib import Path
+import os
+import sys
+import time
+
+class BootstrapSogo(BootstrapBase):
+  def bootstrap(self):
+    # Skip SOGo if set
+    if self.isYes(os.getenv("SKIP_SOGO", "")):
+      print("SKIP_SOGO is set, skipping SOGo startup...")
+      time.sleep(365 * 24 * 60 * 60)
+      sys.exit(1)
+
+    # Connect to MySQL
+    self.connect_mysql()
+
+    # Wait until port is free
+    while self.is_port_open(os.getenv("SOGO_HOST"), 20000):
+      print("Port 20000 still in use — terminating sogod...")
+      self.kill_proc("sogod")
+      time.sleep(3)
+
+    # Wait for schema to update to expected version
+    self.wait_for_schema_update(init_file_path="init_db.inc.php")
+
+    # Setup Jinja2 Environment and load vars
+    self.env = Environment(
+      loader=FileSystemLoader([
+        '/service_config/custom_templates',
+        '/service_config/config_templates'
+      ]),
+      keep_trailing_newline=True,
+      lstrip_blocks=True,
+      trim_blocks=True
+    )
+    extra_vars = {
+      "SQL_DOMAINS": self.get_domains(),
+      "IAM_SETTINGS": self.get_identity_provider_settings()
+    }
+    self.env_vars = self.prepare_template_vars('/service_config/overwrites.json', extra_vars)
+
+    print("Set Timezone")
+    self.set_timezone()
+
+    print("Set Syslog redis")
+    self.set_syslog_redis()
+
+    print("Render config")
+    self.render_config("/service_config")
+
+    print("Fix permissions")
+    self.set_owner("/var/lib/sogo", "sogo", "sogo", recursive=True)
+    self.set_permissions("/var/lib/sogo/GNUstep/Defaults/sogod.plist", 0o600)
+
+    # Rename custom logo
+    logo_src = Path("/etc/sogo/sogo-full.svg")
+    if logo_src.exists():
+      print("Set Logo")
+      self.move_file(logo_src, "/etc/sogo/custom-fulllogo.svg")
+
+    # Rsync web content
+    print("Syncing web content")
+    self.rsync_file("/usr/lib/GNUstep/SOGo/", "/sogo_web/", recursive=True)
+
+    # Chown backup path
+    self.set_owner("/sogo_backup", "sogo", "sogo", recursive=True)
+
+  def get_domains(self):
+    """
+    Retrieves a list of domains and their GAL (Global Address List) status.
+
+    Executes a SQL query to select:
+      - `domain`
+      - a human-readable GAL status ("YES" or "NO")
+      - `ldap_gal` as a boolean (True/False)
+
+    Returns:
+      list[dict]: A list of dicts with keys: domain, gal_status, ldap_gal.
+                  Example: [{"domain": "example.com", "gal_status": "YES", "ldap_gal": True}]
+
+    Logs:
+      Error messages if the query fails.
+    """
+
+    query = """
+      SELECT domain,
+             CASE gal WHEN '1' THEN 'YES' ELSE 'NO' END AS gal_status,
+             ldap_gal = 1 AS ldap_gal
+      FROM domain;
+    """
+    try:
+      cursor = self.mysql_conn.cursor()
+      cursor.execute(query)
+      result = cursor.fetchall()
+      cursor.close()
+
+      return [
+        {
+          "domain": row[0],
+          "gal_status": row[1],
+          "ldap_gal": bool(row[2])
+        }
+        for row in result
+      ]
+    except Exception as e:
+      print(f"Error fetching domains: {e}")
+      return []
+
+  def get_identity_provider_settings(self):
+    """
+    Retrieves all key-value identity provider settings.
+
+    Returns:
+      dict: Settings in the format { key: value }
+
+    Logs:
+      Error messages if the query fails.
+    """
+    query = "SELECT `key`, `value` FROM identity_provider;"
+    try:
+      cursor = self.mysql_conn.cursor()
+      cursor.execute(query)
+      result = cursor.fetchall()
+      cursor.close()
+
+      iam_settings = {row[0]: row[1] for row in result}
+
+      if iam_settings['authsource'] == "ldap":
+        protocol = "ldaps" if iam_settings.get("use_ssl") else "ldap"
+        starttls = "/????!StartTLS" if iam_settings.get("use_tls") else ""
+        iam_settings['ldap_url'] = f"{protocol}://{iam_settings['host']}:{iam_settings['port']}{starttls}"
+
+      return iam_settings
+    except Exception as e:
+      print(f"Error fetching identity provider settings: {e}")
+      return {}
--- a/data/Dockerfiles/bootstrap/modules/init.py
+++ b/data/Dockerfiles/bootstrap/modules/init.py
--- a/data/Dockerfiles/clamd/Dockerfile
+++ b/data/Dockerfiles/clamd/Dockerfile
@@ -1,25 +1,129 @@
-FROM alpine:3.20
+FROM alpine:3.21 AS builder
+
+WORKDIR /src
+ENV CLAMD_VERSION=1.4.2
+
+RUN apk upgrade --no-cache \
+  && apk add --update --no-cache \
+    g++ \
+    gcc \
+    gdb \
+    make \
+    cmake \
+    py3-pytest \
+    python3 \
+    valgrind \
+    bzip2-dev \
+    check-dev \
+    curl-dev \
+    json-c-dev \
+    libmilter-dev \
+    libxml2-dev \
+    linux-headers \
+    ncurses-dev \
+    openssl-dev \
+    pcre2-dev \
+    zlib-dev \
+    cargo \
+    rust
+
+RUN wget -P /src https://www.clamav.net/downloads/production/clamav-${CLAMD_VERSION}.tar.gz \
+  && tar xzfv /src/clamav-${CLAMD_VERSION}.tar.gz \
+  && cd /src/clamav-${CLAMD_VERSION} \
+  && cmake . \
+  -D CMAKE_BUILD_TYPE="Release"                                                       \
+  -D CMAKE_INSTALL_PREFIX="/usr"                                                      \
+  -D CMAKE_INSTALL_LIBDIR="/usr/lib"                                                  \
+  -D APP_CONFIG_DIRECTORY="/etc/clamav"                                               \
+  -D DATABASE_DIRECTORY="/var/lib/clamav"                                             \
+  -D ENABLE_CLAMONACC=OFF                                                             \
+  -D ENABLE_EXAMPLES=OFF                                                              \
+  -D ENABLE_MILTER=ON                                                                 \
+  -D ENABLE_MAN_PAGES=OFF                                                             \
+  -D ENABLE_STATIC_LIB=OFF                                                            \
+  -D ENABLE_JSON_SHARED=ON                                                            \
+  && cmake --build . \
+  && make DESTDIR="/clamav" -j$(($(nproc) - 1)) install \
+  && rm -r "/clamav/usr/lib/pkgconfig/" \
+  && sed -e "s|^\(Example\)|\# \1|" \
+    -e "s|.*\(LocalSocket\) .*|\1 /tmp/clamd.sock|" \
+    -e "s|.*\(TCPSocket\) .*|\1 3310|" \
+    -e "s|.*\(TCPAddr\) .*|#\1 0.0.0.0|" \
+    -e "s|.*\(User\) .*|\1 clamav|" \
+    -e "s|^\#\(LogFile\) .*|\1 /var/log/clamav/clamd.log|" \
+    -e "s|^\#\(LogTime\).*|\1 yes|" \
+    "/clamav/etc/clamav/clamd.conf.sample" > "/clamav/etc/clamav/clamd.conf" \
+  && sed -e "s|^\(Example\)|\# \1|" \
+    -e "s|.*\(DatabaseOwner\) .*|\1 clamav|" \
+    -e "s|^\#\(UpdateLogFile\) .*|\1 /var/log/clamav/freshclam.log|" \
+    -e "s|^\#\(NotifyClamd\).*|\1 /etc/clamav/clamd.conf|" \
+    -e "s|^\#\(ScriptedUpdates\).*|\1 yes|" \
+    "/clamav/etc/clamav/freshclam.conf.sample" > "/clamav/etc/clamav/freshclam.conf" \
+  && sed -e "s|^\(Example\)|\# \1|" \
+  -e "s|.*\(MilterSocket\) .*|\1 inet:7357|" \
+  -e "s|.*\(User\) .*|\1 clamav|" \
+  -e "s|^\#\(LogFile\) .*|\1 /var/log/clamav/milter.log|" \
+  -e "s|^\#\(LogTime\).*|\1 yes|" \
+  -e "s|.*\(\ClamdSocket\) .*|\1 unix:/tmp/clamd.sock|" \
+  "/clamav/etc/clamav/clamav-milter.conf.sample" > "/clamav/etc/clamav/clamav-milter.conf" || exit 1
+
+
+FROM alpine:3.21

 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"

 RUN apk upgrade --no-cache \
  && apk add --update --no-cache \
-  rsync \
-  clamav \
-  bind-tools \
-  bash \
-  tini
+    tzdata \
+    rsync \
+    bind-tools \
+    bash \
+    tini \
+    json-c \
+    libbz2 \
+    libcurl \
+    libmilter \
+    libxml2 \
+    ncurses-libs \
+    pcre2 \
+    zlib \
+    libgcc \
+    py3-pip \
+  && addgroup -S "clamav" && \
+    adduser -D -G "clamav" -h "/var/lib/clamav" -s "/bin/false" -S "clamav" && \
+    install -d -m 755 -g "clamav" -o "clamav" "/var/log/clamav" && \
+    chown -R clamav:clamav /var/lib/clamav

-# init
-COPY clamd.sh /clamd.sh
-RUN chmod +x /sbin/tini
+RUN apk add --no-cache --virtual .build-deps \
+      gcc \
+      musl-dev \
+      python3-dev \
+      linux-headers \
+  && pip install --break-system-packages psutil \
+  && apk del .build-deps

-# healthcheck
-COPY healthcheck.sh /healthcheck.sh
-COPY clamdcheck.sh /usr/local/bin
-RUN chmod +x /healthcheck.sh
-RUN chmod +x /usr/local/bin/clamdcheck.sh
+RUN pip install --break-system-packages \
+  mysql-connector-python \
+  jinja2 \
+  redis \
+  dnspython
+
+
+COPY --from=builder "/clamav" "/"
+
+
+COPY data/Dockerfiles/bootstrap /bootstrap
+COPY data/Dockerfiles/clamd/docker-entrypoint.sh /docker-entrypoint.sh
+COPY data/Dockerfiles/clamd/clamd.sh /clamd.sh
+COPY data/Dockerfiles/clamd/healthcheck.sh /healthcheck.sh
+COPY data/Dockerfiles/clamd/clamdcheck.sh /usr/local/bin
 HEALTHCHECK --start-period=6m CMD "/healthcheck.sh"

-ENTRYPOINT []
+RUN chmod +x /docker-entrypoint.sh \
+  /clamd.sh \
+  /healthcheck.sh \
+  /usr/local/bin/clamdcheck.sh \
+  /sbin/tini
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["/sbin/tini", "-g", "--", "/clamd.sh"]
--- a/data/Dockerfiles/clamd/clamd.sh
+++ b/data/Dockerfiles/clamd/clamd.sh
@@ -1,48 +1,5 @@
 #!/bin/bash

-if [[ "${SKIP_CLAMD}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "SKIP_CLAMD=y, skipping ClamAV..."
-  sleep 365d
-  exit 0
-fi
-
-# Cleaning up garbage
-echo "Cleaning up tmp files..."
-rm -rf /var/lib/clamav/clamav-*.tmp
-
-# Prepare whitelist
-
-mkdir -p /run/clamav /var/lib/clamav
-
-if [[ -s /etc/clamav/whitelist.ign2 ]]; then
-  echo "Copying non-empty whitelist.ign2 to /var/lib/clamav/whitelist.ign2"
-  cp /etc/clamav/whitelist.ign2 /var/lib/clamav/whitelist.ign2
-fi
-
-if [[ ! -f /var/lib/clamav/whitelist.ign2 ]]; then
-  echo "Creating /var/lib/clamav/whitelist.ign2"
-  cat <<EOF > /var/lib/clamav/whitelist.ign2
-# Please restart ClamAV after changing signatures
-Example-Signature.Ignore-1
-PUA.Win.Trojan.EmbeddedPDF-1
-PUA.Pdf.Trojan.EmbeddedJavaScript-1
-PUA.Pdf.Trojan.OpenActionObjectwithJavascript-1
-EOF
-fi
-
-chown clamav:clamav -R /var/lib/clamav /run/clamav
-
-chmod 755 /var/lib/clamav
-chmod 644 -R /var/lib/clamav/*
-chmod 750 /run/clamav
-
-stat /var/lib/clamav/whitelist.ign2
-dos2unix /var/lib/clamav/whitelist.ign2
-sed -i '/^\s*$/d' /var/lib/clamav/whitelist.ign2
-# Copying to /etc/clamav to expose file as-is to administrator
-cp -p /var/lib/clamav/whitelist.ign2 /etc/clamav/whitelist.ign2
-
-
 BACKGROUND_TASKS=()

 echo "Running freshclam..."
@@ -91,6 +48,7 @@ done
 ) &
 BACKGROUND_TASKS+=($!)

+echo "$(clamd -V) is starting... please wait a moment."
 nice -n10 clamd &
 BACKGROUND_TASKS+=($!)

--- a/data/Dockerfiles/clamd/clamdcheck.sh
+++ b/data/Dockerfiles/clamd/clamdcheck.sh
@@ -11,4 +11,4 @@ if [ "${CLAMAV_NO_CLAMD:-}" != "false" ]; then
 	echo "Clamd is up"
 fi

-exit 0
+exit 0
--- a/data/Dockerfiles/clamd/docker-entrypoint.sh
+++ b/data/Dockerfiles/clamd/docker-entrypoint.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Run hooks
+for file in /hooks/*; do
+  if [ -x "${file}" ]; then
+    echo "Running hook ${file}"
+    "${file}"
+  fi
+done
+
+python3 -u /bootstrap/main.py
+BOOTSTRAP_EXIT_CODE=$?
+
+if [ $BOOTSTRAP_EXIT_CODE -ne 0 ]; then
+  echo "Bootstrap failed with exit code $BOOTSTRAP_EXIT_CODE. Not starting Clamd."
+  exit $BOOTSTRAP_EXIT_CODE
+fi
+
+echo "Bootstrap succeeded. Starting Clamd..."
+exec "$@"
--- a/data/Dockerfiles/dockerapi/Dockerfile
+++ b/data/Dockerfiles/dockerapi/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.20
+FROM alpine:3.21

 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"

@@ -19,9 +19,9 @@ RUN apk add --update --no-cache python3 \
  docker
 RUN mkdir /app/modules

-COPY docker-entrypoint.sh /app/
-COPY main.py /app/main.py
-COPY modules/ /app/modules/
+COPY data/Dockerfiles/dockerapi/docker-entrypoint.sh /app/
+COPY data/Dockerfiles/dockerapi/main.py /app/main.py
+COPY data/Dockerfiles/dockerapi/modules/ /app/modules/

 ENTRYPOINT ["/bin/sh", "/app/docker-entrypoint.sh"]
 CMD ["python", "main.py"]
--- a/data/Dockerfiles/dockerapi/main.py
+++ b/data/Dockerfiles/dockerapi/main.py
@@ -34,9 +34,9 @@ async def lifespan(app: FastAPI):

  # Init redis client
  if os.environ['REDIS_SLAVEOF_IP'] != "":
-    redis_client = redis = await aioredis.from_url(f"redis://{os.environ['REDIS_SLAVEOF_IP']}:{os.environ['REDIS_SLAVEOF_PORT']}/0")
+    redis_client = redis = await aioredis.from_url(f"redis://{os.environ['REDIS_SLAVEOF_IP']}:{os.environ['REDIS_SLAVEOF_PORT']}/0", password=os.environ['REDISPASS'])
  else:
-    redis_client = redis = await aioredis.from_url("redis://redis-mailcow:6379/0")
+    redis_client = redis = await aioredis.from_url(f"redis://{os.environ['REDIS_HOST']}:6379/0", password=os.environ['REDISPASS'])

  # Init docker clients
  sync_docker_client = docker.DockerClient(base_url='unix://var/run/docker.sock', version='auto')
@@ -241,9 +241,9 @@ async def handle_pubsub_messages(channel: aioredis.client.PubSub):
              else:
                dockerapi.logger.error("api call: missing container_name, post_action or request")
            else:
-              dockerapi.logger.error("Unknwon PubSub recieved - %s" % json.dumps(data_json))
+              dockerapi.logger.error("Unknown PubSub received - %s" % json.dumps(data_json))
          else:
-            dockerapi.logger.error("Unknwon PubSub recieved - %s" % json.dumps(data_json))
+            dockerapi.logger.error("Unknown PubSub received - %s" % json.dumps(data_json))

        await asyncio.sleep(0.0)
    except asyncio.TimeoutError:
--- a/data/Dockerfiles/dovecot/Dockerfile
+++ b/data/Dockerfiles/dovecot/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.20
+FROM alpine:3.21

 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"

@@ -34,9 +34,13 @@ RUN addgroup -g 5000 vmail \
  lua5.3-sql-mysql \
  icu-data-full \
  mariadb-connector-c \
+  lua-sec \
+  mariadb-dev \
+  glib-dev \
  gcompat \
  mariadb-client \
  perl \
+  perl-dev \
  perl-ntlm \
  perl-cgi \
  perl-crypt-openssl-rsa \
@@ -65,7 +69,7 @@ RUN addgroup -g 5000 vmail \
  perl-par-packer \
  perl-parse-recdescent \
  perl-lockfile-simple \
-  libproc \
+  libproc2 \
  perl-readonly \
  perl-regexp-common \
  perl-sys-meminfo \
@@ -83,11 +87,11 @@ RUN addgroup -g 5000 vmail \
  perl-proc-processtable \
  perl-app-cpanminus \
  procps \
-  python3 \
-  py3-mysqlclient \
+  python3 py3-pip python3-dev \
  py3-html2text \
-  py3-jinja2 \
-  py3-redis \
+  linux-headers \
+  musl-dev \
+  gcc \
  redis \
  syslog-ng \
  syslog-ng-redis \
@@ -105,32 +109,42 @@ RUN addgroup -g 5000 vmail \
  dovecot-submissiond \
  dovecot-pigeonhole-plugin \
  dovecot-pop3d \
-  dovecot-fts-solr \
  dovecot-fts-flatcurve \
  && arch=$(arch | sed s/aarch64/arm64/ | sed s/x86_64/amd64/) \
  && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$arch" \
  && chmod +x /usr/local/bin/gosu \
  && gosu nobody true

-COPY trim_logs.sh /usr/local/bin/trim_logs.sh
-COPY clean_q_aged.sh /usr/local/bin/clean_q_aged.sh
-COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
-COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
-COPY imapsync /usr/local/bin/imapsync
-COPY imapsync_runner.pl /usr/local/bin/imapsync_runner.pl
-COPY report-spam.sieve /usr/lib/dovecot/sieve/report-spam.sieve
-COPY report-ham.sieve /usr/lib/dovecot/sieve/report-ham.sieve
-COPY rspamd-pipe-ham /usr/lib/dovecot/sieve/rspamd-pipe-ham
-COPY rspamd-pipe-spam /usr/lib/dovecot/sieve/rspamd-pipe-spam
-COPY sa-rules.sh /usr/local/bin/sa-rules.sh
-COPY maildir_gc.sh /usr/local/bin/maildir_gc.sh
-COPY docker-entrypoint.sh /
-COPY supervisord.conf /etc/supervisor/supervisord.conf
-COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
-COPY quarantine_notify.py /usr/local/bin/quarantine_notify.py
-COPY quota_notify.py /usr/local/bin/quota_notify.py
-COPY repl_health.sh /usr/local/bin/repl_health.sh
-COPY optimize-fts.sh /usr/local/bin/optimize-fts.sh
+RUN pip install  --break-system-packages \
+  mysql-connector-python \
+  jinja2 \
+  redis \
+  dnspython \
+  psutil
+
+
+COPY data/Dockerfiles/bootstrap /bootstrap
+COPY data/Dockerfiles/dovecot/trim_logs.sh /usr/local/bin/trim_logs.sh
+COPY data/Dockerfiles/dovecot/clean_q_aged.sh /usr/local/bin/clean_q_aged.sh
+COPY data/Dockerfiles/dovecot/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
+COPY data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
+COPY data/Dockerfiles/dovecot/imapsync /usr/local/bin/imapsync
+COPY data/Dockerfiles/dovecot/imapsync_runner.pl /usr/local/bin/imapsync_runner.pl
+COPY data/Dockerfiles/dovecot/report-spam.sieve /usr/lib/dovecot/sieve/report-spam.sieve
+COPY data/Dockerfiles/dovecot/report-ham.sieve /usr/lib/dovecot/sieve/report-ham.sieve
+COPY data/Dockerfiles/dovecot/rspamd-pipe-ham /usr/lib/dovecot/sieve/rspamd-pipe-ham
+COPY data/Dockerfiles/dovecot/rspamd-pipe-spam /usr/lib/dovecot/sieve/rspamd-pipe-spam
+COPY data/Dockerfiles/dovecot/sa-rules.sh /usr/local/bin/sa-rules.sh
+COPY data/Dockerfiles/dovecot/docker-entrypoint.sh /
+COPY data/Dockerfiles/dovecot/supervisord.conf /etc/supervisor/supervisord.conf
+COPY data/Dockerfiles/dovecot/stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
+COPY data/Dockerfiles/dovecot/quarantine_notify.py /usr/local/bin/quarantine_notify.py
+COPY data/Dockerfiles/dovecot/quota_notify.py /usr/local/bin/quota_notify.py
+COPY data/Dockerfiles/dovecot/repl_health.sh /usr/local/bin/repl_health.sh
+COPY data/Dockerfiles/dovecot/optimize-fts.sh /usr/local/bin/optimize-fts.sh
+
+RUN chmod +x /docker-entrypoint.sh \
+  /usr/local/sbin/stop-supervisor.sh
+

-ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
--- a/data/Dockerfiles/dovecot/clean_q_aged.sh
+++ b/data/Dockerfiles/dovecot/clean_q_aged.sh
@@ -2,7 +2,7 @@

 source /source_env.sh

-MAX_AGE=$(redis-cli --raw -h redis-mailcow GET Q_MAX_AGE)
+MAX_AGE=$(redis-cli --raw -h redis-mailcow -a ${REDISPASS} --no-auth-warning GET Q_MAX_AGE)

 if [[ -z ${MAX_AGE} ]]; then
  echo "Max age for quarantine items not defined"
@@ -15,6 +15,6 @@ if ! [[ ${MAX_AGE} =~ ${NUM_REGEXP} ]] ; then
  exit 1
 fi

-TO_DELETE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT COUNT(id) FROM quarantine WHERE created < NOW() - INTERVAL ${MAX_AGE//[!0-9]/} DAY" -BN)
-mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DELETE FROM quarantine WHERE created < NOW() - INTERVAL ${MAX_AGE//[!0-9]/} DAY"
+TO_DELETE=$(mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT COUNT(id) FROM quarantine WHERE created < NOW() - INTERVAL ${MAX_AGE//[!0-9]/} DAY" -BN)
+mariadb --skip-ssl --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DELETE FROM quarantine WHERE created < NOW() - INTERVAL ${MAX_AGE//[!0-9]/} DAY"
 echo "Deleted ${TO_DELETE} items from quarantine table (max age is ${MAX_AGE//[!0-9]/} days)"
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -1,411 +1,15 @@
 #!/bin/bash
-set -e

-# Wait for MySQL to warm-up
-while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
-  echo "Waiting for database to come up..."
-  sleep 2
-done
-
-until dig +short mailcow.email > /dev/null; do
-  echo "Waiting for DNS..."
-  sleep 1
-done
-
-# Do not attempt to write to slave
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
-else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379"
-fi
-
-until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
-  echo "Waiting for Redis..."
-  sleep 2
-done
-
-${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
-
-# Create missing directories
-[[ ! -d /etc/dovecot/sql/ ]] && mkdir -p /etc/dovecot/sql/
-[[ ! -d /etc/dovecot/lua/ ]] && mkdir -p /etc/dovecot/lua/
-[[ ! -d /etc/dovecot/conf.d/ ]] && mkdir -p /etc/dovecot/conf.d/
-[[ ! -d /var/vmail/_garbage ]] && mkdir -p /var/vmail/_garbage
-[[ ! -d /var/vmail/sieve ]] && mkdir -p /var/vmail/sieve
-[[ ! -d /etc/sogo ]] && mkdir -p /etc/sogo
-[[ ! -d /var/volatile ]] && mkdir -p /var/volatile
-
-# Set Dovecot sql config parameters, escape " in db password
-DBPASS=$(echo ${DBPASS} | sed 's/"/\\"/g')
-
-# Create quota dict for Dovecot
-if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  QUOTA_TABLE=quota2
-else
-  QUOTA_TABLE=quota2replica
-fi
-cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-quota.conf
-# Autogenerated by mailcow
-connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
-map {
-  pattern = priv/quota/storage
-  table = ${QUOTA_TABLE}
-  username_field = username
-  value_field = bytes
-}
-map {
-  pattern = priv/quota/messages
-  table = ${QUOTA_TABLE}
-  username_field = username
-  value_field = messages
-}
-EOF
-
-# Create dict used for sieve pre and postfilters
-cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-sieve_before.conf
-# Autogenerated by mailcow
-connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
-map {
-  pattern = priv/sieve/name/\$script_name
-  table = sieve_before
-  username_field = username
-  value_field = id
-  fields {
-    script_name = \$script_name
-  }
-}
-map {
-  pattern = priv/sieve/data/\$id
-  table = sieve_before
-  username_field = username
-  value_field = script_data
-  fields {
-    id = \$id
-  }
-}
-EOF
-
-cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-sieve_after.conf
-# Autogenerated by mailcow
-connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
-map {
-  pattern = priv/sieve/name/\$script_name
-  table = sieve_after
-  username_field = username
-  value_field = id
-  fields {
-    script_name = \$script_name
-  }
-}
-map {
-  pattern = priv/sieve/data/\$id
-  table = sieve_after
-  username_field = username
-  value_field = script_data
-  fields {
-    id = \$id
-  }
-}
-EOF
-
-echo -n ${ACL_ANYONE} > /etc/dovecot/acl_anyone
-
-if [[ "${FLATCURVE_EXPERIMENTAL}" =~ ^([yY][eE][sS]|[yY]) ]]; then
-echo -e "\e[33mActivating Flatcurve as FTS Backend...\e[0m"
-echo -e "\e[33mDepending on your previous setup a full reindex might be needed... \e[0m"
-echo -e "\e[34mVisit https://docs.mailcow.email/manual-guides/Dovecot/u_e-dovecot-fts/#fts-related-dovecot-commands to learn how to reindex\e[0m"
-echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify fts fts_flatcurve listescape replication lazy_expunge' > /etc/dovecot/mail_plugins
-echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify mail_log fts fts_flatcurve listescape replication' > /etc/dovecot/mail_plugins_imap
-echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl fts fts_flatcurve notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
-elif [[ "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify listescape replication lazy_expunge' > /etc/dovecot/mail_plugins
-echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify listescape replication mail_log' > /etc/dovecot/mail_plugins_imap
-echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
-else
-echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify fts fts_solr listescape replication lazy_expunge' > /etc/dovecot/mail_plugins
-echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify mail_log fts fts_solr listescape replication' > /etc/dovecot/mail_plugins_imap
-echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl fts fts_solr notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
-fi
-chmod 644 /etc/dovecot/mail_plugins /etc/dovecot/mail_plugins_imap /etc/dovecot/mail_plugins_lmtp /templates/quarantine.tpl
-
-cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-userdb.conf
-# Autogenerated by mailcow
-driver = mysql
-connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
-user_query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format')), mailbox_path_prefix, '%d/%n/${MAILDIR_SUB}:VOLATILEDIR=/var/volatile/%u:INDEX=/var/vmail_index/%u') AS mail, '%s' AS protocol, 5000 AS uid, 5000 AS gid, concat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND (active = '1' OR active = '2')
-iterate_query = SELECT username FROM mailbox WHERE active = '1' OR active = '2';
-EOF
-
-cat <<EOF > /etc/dovecot/lua/passwd-verify.lua
-function auth_password_verify(req, pass)
-
-  if req.domain == nil then
-    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
-  end
-
-  if cur == nil then
-    script_init()
-  end
-
-  if req.user == nil then
-    req.user = ''
-  end
-
-  respbody = {}
-
-  -- check against mailbox passwds
-  local cur,errorString = con:execute(string.format([[SELECT password FROM mailbox
-    WHERE username = '%s'
-      AND active = '1'
-      AND domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')
-      AND IFNULL(JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.force_pw_update')), 0) != '1'
-      AND IFNULL(JSON_UNQUOTE(JSON_VALUE(attributes, '$.%s_access')), 1) = '1']], con:escape(req.user), con:escape(req.domain), con:escape(req.service)))
-  local row = cur:fetch ({}, "a")
-  while row do
-    if req.password_verify(req, row.password, pass) == 1 then
-      con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
-        VALUES ("%s", 0, "%s", "%s")]], con:escape(req.service), con:escape(req.user), con:escape(req.real_rip)))
-      cur:close()
-      con:close()
-      return dovecot.auth.PASSDB_RESULT_OK, ""
-    end
-    row = cur:fetch (row, "a")
-  end
-
-  -- check against app passwds for imap and smtp
-  -- app passwords are only available for imap, smtp, sieve and pop3 when using sasl
-  if req.service == "smtp" or req.service == "imap" or req.service == "sieve" or req.service == "pop3" then
-    local cur,errorString = con:execute(string.format([[SELECT app_passwd.id, %s_access AS has_prot_access, app_passwd.password FROM app_passwd
-      INNER JOIN mailbox ON mailbox.username = app_passwd.mailbox
-      WHERE mailbox = '%s'
-        AND app_passwd.active = '1'
-        AND mailbox.active = '1'
-        AND app_passwd.domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')]], con:escape(req.service), con:escape(req.user), con:escape(req.domain)))
-    local row = cur:fetch ({}, "a")
-    while row do
-      if req.password_verify(req, row.password, pass) == 1 then
-        -- if password is valid and protocol access is 1 OR real_rip matches SOGo, proceed
-        if tostring(req.real_rip) == "__IPV4_SOGO__" then
-          cur:close()
-          con:close()
-          return dovecot.auth.PASSDB_RESULT_OK, ""
-        elseif row.has_prot_access == "1" then
-          con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
-            VALUES ("%s", %d, "%s", "%s")]], con:escape(req.service), row.id, con:escape(req.user), con:escape(req.real_rip)))
-          cur:close()
-          con:close()
-          return dovecot.auth.PASSDB_RESULT_OK, ""
-        end
-      end
-      row = cur:fetch (row, "a")
-    end
-  end
-
-  cur:close()
-  con:close()
-
-  return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate"
-
-  -- PoC
-  -- local reqbody = string.format([[{
-  --   "success":0,
-  --   "service":"%s",
-  --   "app_password":false,
-  --   "username":"%s",
-  --   "real_rip":"%s"
-  -- }]], con:escape(req.service), con:escape(req.user), con:escape(req.real_rip))
-  -- http.request {
-  --   method = "POST",
-  --   url = "http://nginx:8081/sasl_log.php",
-  --   source = ltn12.source.string(reqbody),
-  --   headers = {
-  --     ["content-type"] = "application/json",
-  --     ["content-length"] = tostring(#reqbody)
-  --   },
-  --   sink = ltn12.sink.table(respbody)
-  -- }
-
-end
-
-function auth_passdb_lookup(req)
-   return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
-end
-
-function script_init()
-  mysql = require "luasql.mysql"
-  http = require "socket.http"
-  http.TIMEOUT = 5
-  ltn12 = require "ltn12"
-  env  = mysql.mysql()
-  con = env:connect("__DBNAME__","__DBUSER__","__DBPASS__","localhost")
-  return 0
-end
-
-function script_deinit()
-  con:close()
-  env:close()
-end
-EOF
-
-# Temporarily set FTS depending on user choice inside mailcow.conf. Will be removed as soon as Solr is dropped
-if [[ "${FLATCURVE_EXPERIMENTAL}" =~ ^([yY][eE][sS]|[yY])$ ]]; then
-cat <<EOF > /etc/dovecot/conf.d/fts.conf
-# Autogenerated by mailcow
-plugin {
-    fts_autoindex = yes
-    fts_autoindex_exclude = \Junk
-    fts_autoindex_exclude2 = \Trash
-    fts = flatcurve
-
-    # Maximum term length can be set via the 'maxlen' argument (maxlen is
-    # specified in bytes, not number of UTF-8 characters)
-    fts_tokenizer_email_address = maxlen=100
-    fts_tokenizer_generic = algorithm=simple maxlen=30
-
-    # These are not flatcurve settings, but required for Dovecot FTS. See
-    # Dovecot FTS Configuration link above for further information.
-    fts_languages = en es de
-    fts_tokenizers = generic email-address
-
-    # OPTIONAL: Recommended default FTS core configuration
-    fts_filters = normalizer-icu snowball stopwords
-    fts_filters_en = lowercase snowball english-possessive stopwords
-}
-EOF
-elif [[ ! "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])$ ]]; then
-cat <<EOF > /etc/dovecot/conf.d/fts.conf
-# Autogenerated by mailcow
-plugin {
-  fts = solr
-  fts_autoindex = yes
-  fts_autoindex_exclude = \Junk
-  fts_autoindex_exclude2 = \Trash
-  fts_solr = url=http://solr:8983/solr/dovecot-fts/
-
-  fts_tokenizers = generic email-address
-  fts_tokenizer_generic = algorithm=simple
-
-  fts_filters = normalizer-icu snowball stopwords
-  fts_filters_en = lowercase snowball english-possessive stopwords
-}
-EOF
-fi
-
-
-# Replace patterns in app-passdb.lua
-sed -i "s/__DBUSER__/${DBUSER}/g" /etc/dovecot/lua/passwd-verify.lua
-sed -i "s/__DBPASS__/${DBPASS}/g" /etc/dovecot/lua/passwd-verify.lua
-sed -i "s/__DBNAME__/${DBNAME}/g" /etc/dovecot/lua/passwd-verify.lua
-sed -i "s/__IPV4_SOGO__/${IPV4_NETWORK}.248/g" /etc/dovecot/lua/passwd-verify.lua
-
-
-# Migrate old sieve_after file
-[[ -f /etc/dovecot/sieve_after ]] && mv /etc/dovecot/sieve_after /etc/dovecot/global_sieve_after
-# Create global sieve scripts
-cat /etc/dovecot/global_sieve_after > /var/vmail/sieve/global_sieve_after.sieve
-cat /etc/dovecot/global_sieve_before > /var/vmail/sieve/global_sieve_before.sieve
-
-# Check permissions of vmail/index/garbage directories.
-# Do not do this every start-up, it may take a very long time. So we use a stat check here.
-if [[ $(stat -c %U /var/vmail/) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail ; fi
-if [[ $(stat -c %U /var/vmail/_garbage) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail/_garbage ; fi
-if [[ $(stat -c %U /var/vmail_index) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail_index ; fi
-
-# Cleanup random user maildirs
-rm -rf /var/vmail/mailcow.local/*
-# Cleanup PIDs
-[[ -f /tmp/quarantine_notify.pid ]] && rm /tmp/quarantine_notify.pid
-
-# create sni configuration
-echo "" > /etc/dovecot/sni.conf
-for cert_dir in /etc/ssl/mail/*/ ; do
-  if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
-    continue
+# Run hooks
+for file in /hooks/*; do
+  if [ -x "${file}" ]; then
+    echo "Running hook ${file}"
+    "${file}"
  fi
-  domains=($(cat ${cert_dir}domains))
-  for domain in ${domains[@]}; do
-    echo 'local_name '${domain}' {' >> /etc/dovecot/sni.conf;
-    echo '  ssl_cert = <'${cert_dir}'cert.pem' >> /etc/dovecot/sni.conf;
-    echo '  ssl_key = <'${cert_dir}'key.pem' >> /etc/dovecot/sni.conf;
-    echo '}' >> /etc/dovecot/sni.conf;
-  done
 done

-# Create random master for SOGo sieve features
-RAND_USER=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 16 | head -n 1)
-RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 24 | head -n 1)
-
-if [[ ! -z ${DOVECOT_MASTER_USER} ]] && [[ ! -z ${DOVECOT_MASTER_PASS} ]]; then
-  RAND_USER=${DOVECOT_MASTER_USER}
-  RAND_PASS=${DOVECOT_MASTER_PASS}
-fi
-echo ${RAND_USER}@mailcow.local:{SHA1}$(echo -n ${RAND_PASS} | sha1sum | awk '{print $1}'):::::: > /etc/dovecot/dovecot-master.passwd
-echo ${RAND_USER}@mailcow.local::5000:5000:::: > /etc/dovecot/dovecot-master.userdb
-echo ${RAND_USER}@mailcow.local:${RAND_PASS} > /etc/sogo/sieve.creds
-
-if [[ -z ${MAILDIR_SUB} ]]; then
-  MAILDIR_SUB_SHARED=
-else
-  MAILDIR_SUB_SHARED=/${MAILDIR_SUB}
-fi
-cat <<EOF > /etc/dovecot/shared_namespace.conf
-# Autogenerated by mailcow
-namespace {
-    type = shared
-    separator = /
-    prefix = Shared/%%u/
-    location = maildir:%%h${MAILDIR_SUB_SHARED}:INDEX=~${MAILDIR_SUB_SHARED}/Shared/%%u
-    subscriptions = no
-    list = children
-}
-EOF
-
-
-cat <<EOF > /etc/dovecot/sogo_trusted_ip.conf
-# Autogenerated by mailcow
-remote ${IPV4_NETWORK}.248 {
-  disable_plaintext_auth = no
-}
-EOF
-
-# Create random master Password for SOGo SSO
-RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
-echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass
-# Creating additional creds file for SOGo notify crons (calendars, etc)
-echo -n ${RAND_USER}@mailcow.local:${RAND_PASS} > /etc/sogo/cron.creds
-cat <<EOF > /etc/dovecot/sogo-sso.conf
-# Autogenerated by mailcow
-passdb {
-  driver = static
-  args = allow_real_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS}
-}
-EOF
-
-if [[ "${MASTER}" =~ ^([nN][oO]|[nN])+$ ]]; then
-  # Toggling MASTER will result in a rebuild of containers, so the quota script will be recreated
-  cat <<'EOF' > /usr/local/bin/quota_notify.py
-#!/usr/bin/python3
-import sys
-sys.exit()
-EOF
-fi
-
-# Set mail_replica for HA setups
-if [[ -n ${MAILCOW_REPLICA_IP} && -n ${DOVEADM_REPLICA_PORT} ]]; then
-  cat <<EOF > /etc/dovecot/mail_replica.conf
-# Autogenerated by mailcow
-mail_replica = tcp:${MAILCOW_REPLICA_IP}:${DOVEADM_REPLICA_PORT}
-EOF
-fi
-
-# 401 is user dovecot
-if [[ ! -s /mail_crypt/ecprivkey.pem || ! -s /mail_crypt/ecpubkey.pem ]]; then
-	openssl ecparam -name prime256v1 -genkey | openssl pkey -out /mail_crypt/ecprivkey.pem
-	openssl pkey -in /mail_crypt/ecprivkey.pem -pubout -out /mail_crypt/ecpubkey.pem
-	chown 401 /mail_crypt/ecprivkey.pem /mail_crypt/ecpubkey.pem
-else
-	chown 401 /mail_crypt/ecprivkey.pem /mail_crypt/ecpubkey.pem
-fi
+python3 -u /bootstrap/main.py
+BOOTSTRAP_EXIT_CODE=$?

 # Fix OpenSSL 3.X TLS1.0, 1.1 support (https://community.mailcow.email/d/4062-hi-all/20)
 if grep -qE 'ssl_min_protocol\s*=\s*(TLSv1|TLSv1\.1)\s*$' /etc/dovecot/dovecot.conf /etc/dovecot/extra.conf; then
@@ -418,89 +22,10 @@ if grep -qE 'ssl_min_protocol\s*=\s*(TLSv1|TLSv1\.1)\s*$' /etc/dovecot/dovecot.c
    echo "CipherString = DEFAULT@SECLEVEL=0" >> /etc/ssl/openssl.cnf
 fi

-# Compile sieve scripts
-sievec /var/vmail/sieve/global_sieve_before.sieve
-sievec /var/vmail/sieve/global_sieve_after.sieve
-sievec /usr/lib/dovecot/sieve/report-spam.sieve
-sievec /usr/lib/dovecot/sieve/report-ham.sieve
-
-# Fix permissions
-chown root:root /etc/dovecot/sql/*.conf
-chown root:dovecot /etc/dovecot/sql/dovecot-dict-sql-sieve* /etc/dovecot/sql/dovecot-dict-sql-quota* /etc/dovecot/lua/passwd-verify.lua
-chmod 640 /etc/dovecot/sql/*.conf /etc/dovecot/lua/passwd-verify.lua
-chown -R vmail:vmail /var/vmail/sieve
-chown -R vmail:vmail /var/volatile
-chown -R vmail:vmail /var/vmail_index
-adduser vmail tty
-chmod g+rw /dev/console
-chown root:tty /dev/console
-chmod +x /usr/lib/dovecot/sieve/rspamd-pipe-ham \
-  /usr/lib/dovecot/sieve/rspamd-pipe-spam \
-  /usr/local/bin/imapsync_runner.pl \
-  /usr/local/bin/imapsync \
-  /usr/local/bin/trim_logs.sh \
-  /usr/local/bin/sa-rules.sh \
-  /usr/local/bin/clean_q_aged.sh \
-  /usr/local/bin/maildir_gc.sh \
-  /usr/local/sbin/stop-supervisor.sh \
-  /usr/local/bin/quota_notify.py \
-  /usr/local/bin/repl_health.sh \
-  /usr/local/bin/optimize-fts.sh
-
-# Prepare environment file for cronjobs
-printenv | sed 's/^\(.*\)$/export \1/g' > /source_env.sh
-
-# Clean old PID if any
-[[ -f /var/run/dovecot/master.pid ]] && rm /var/run/dovecot/master.pid
-
-# Clean stopped imapsync jobs
-rm -f /tmp/imapsync_busy.lock
-IMAPSYNC_TABLE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'imapsync'" -Bs)
-[[ ! -z ${IMAPSYNC_TABLE} ]] && mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "UPDATE imapsync SET is_running='0'"
-
-# Envsubst maildir_gc
-echo "$(envsubst < /usr/local/bin/maildir_gc.sh)" > /usr/local/bin/maildir_gc.sh
-
-# GUID generation
-while [[ ${VERSIONS_OK} != 'OK' ]]; do
-  if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = \"${DBNAME}\" AND TABLE_NAME = 'versions'") ]]; then
-    VERSIONS_OK=OK
-  else
-    echo "Waiting for versions table to be created..."
-    sleep 3
-  fi
-done
-PUBKEY_MCRYPT=$(doveconf -P 2> /dev/null | grep -i mail_crypt_global_public_key | cut -d '<' -f2)
-if [ -f ${PUBKEY_MCRYPT} ]; then
-  GUID=$(cat <(echo ${MAILCOW_HOSTNAME}) /mail_crypt/ecpubkey.pem | sha256sum | cut -d ' ' -f1 | tr -cd "[a-fA-F0-9.:/] ")
-  if [ ${#GUID} -eq 64 ]; then
-    mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
-REPLACE INTO versions (application, version) VALUES ("GUID", "${GUID}");
-EOF
-  else
-    mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
-REPLACE INTO versions (application, version) VALUES ("GUID", "INVALID");
-EOF
-  fi
+if [ $BOOTSTRAP_EXIT_CODE -ne 0 ]; then
+  echo "Bootstrap failed with exit code $BOOTSTRAP_EXIT_CODE. Not starting Dovecot."
+  exit $BOOTSTRAP_EXIT_CODE
 fi

-# Collect SA rules once now
-/usr/local/bin/sa-rules.sh
-
-# Run hooks
-for file in /hooks/*; do
-  if [ -x "${file}" ]; then
-    echo "Running hook ${file}"
-    "${file}"
-  fi
-done
-
-# For some strange, unknown and stupid reason, Dovecot may run into a race condition, when this file is not touched before it is read by dovecot/auth
-# May be related to something inside Docker, I seriously don't know
-touch /etc/dovecot/lua/passwd-verify.lua
-
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
-fi
-
-exec "$@"
+echo "Bootstrap succeeded. Starting Dovecot..."
+/usr/sbin/dovecot -F
--- a/data/Dockerfiles/dovecot/maildir_gc.sh
+++ b/data/Dockerfiles/dovecot/maildir_gc.sh
@@ -1,2 +0,0 @@
-#!/bin/bash
-[ -d /var/vmail/_garbage/ ] && /usr/bin/find /var/vmail/_garbage/ -mindepth 1 -maxdepth 1 -type d -cmin +${MAILDIR_GC_TIME} -exec rm -r {} \;
--- a/data/Dockerfiles/dovecot/optimize-fts.sh
+++ b/data/Dockerfiles/dovecot/optimize-fts.sh
@@ -1,7 +1,7 @@
 #!/bin/bash

-if [[ "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])+$ && ! "${FLATCURVE_EXPERIMENTAL}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+if [[ "${SKIP_FTS}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
    exit 0
 else
    doveadm fts optimize -A
-fi
+fi
--- a/data/Dockerfiles/dovecot/quarantine_notify.py
+++ b/data/Dockerfiles/dovecot/quarantine_notify.py
@@ -31,7 +31,7 @@ try:

  while True:
    try:
-      r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0)
+      r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0, password=os.environ['REDISPASS'])
      r.ping()
    except Exception as ex:
      print('%s - trying again...'  % (ex))
--- a/data/Dockerfiles/dovecot/quota_notify.py
+++ b/data/Dockerfiles/dovecot/quota_notify.py
@@ -14,6 +14,11 @@ import sys
 import html2text
 from subprocess import Popen, PIPE, STDOUT

+
+# Don't run if role is not master
+if os.getenv("MASTER").lower() in ["n", "no"]:
+  sys.exit()
+
 if len(sys.argv) > 2:
  percent = int(sys.argv[1])
  username = str(sys.argv[2])
@@ -23,7 +28,7 @@ else:

 while True:
  try:
-    r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0)
+    r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0, username='quota_notify', password='')
    r.ping()
  except Exception as ex:
    print('%s - trying again...'  % (ex))
--- a/data/Dockerfiles/dovecot/repl_health.sh
+++ b/data/Dockerfiles/dovecot/repl_health.sh
@@ -4,9 +4,9 @@ source /source_env.sh

 # Do not attempt to write to slave
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
+  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379"
+  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
 fi

 # Is replication active?
--- a/data/Dockerfiles/dovecot/sa-rules.sh
+++ b/data/Dockerfiles/dovecot/sa-rules.sh
@@ -11,7 +11,7 @@ else
 fi

 # Deploy
-if curl --connect-timeout 15 --retry 10 --max-time 30 https://www.spamassassin.heinlein-support.de/$(dig txt 1.4.3.spamassassin.heinlein-support.de +short | tr -d '"' | tr -dc '0-9').tar.gz --output /tmp/sa-rules-heinlein.tar.gz; then
+if curl --connect-timeout 15 --retry 5 --max-time 30 https://www.spamassassin.heinlein-support.de/$(dig txt 1.4.3.spamassassin.heinlein-support.de +short | tr -d '"' | tr -dc '0-9').tar.gz --output /tmp/sa-rules-heinlein.tar.gz; then
  if gzip -t /tmp/sa-rules-heinlein.tar.gz; then
    tar xfvz /tmp/sa-rules-heinlein.tar.gz -C /tmp/sa-rules-heinlein
    cat /tmp/sa-rules-heinlein/*cf > /etc/rspamd/custom/sa-rules
--- a/data/Dockerfiles/dovecot/supervisord.conf
+++ b/data/Dockerfiles/dovecot/supervisord.conf
@@ -11,8 +11,8 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autostart=true

-[program:dovecot]
-command=/usr/sbin/dovecot -F
+[program:bootstrap]
+command=/docker-entrypoint.sh
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
--- a/data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf
+++ b/data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf
@@ -20,6 +20,7 @@ destination d_redis_ui_log {
    host("`REDIS_SLAVEOF_IP`")
    persist-name("redis1")
    port(`REDIS_SLAVEOF_PORT`)
+    auth("`REDISPASS`")
    command("LPUSH" "DOVECOT_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -28,6 +29,7 @@ destination d_redis_f2b_channel {
    host("`REDIS_SLAVEOF_IP`")
    persist-name("redis2")
    port(`REDIS_SLAVEOF_PORT`)
+    auth("`REDISPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
@@ -36,8 +38,13 @@ filter f_replica {
  not match("User has no mail_replica in userdb" value("MESSAGE"));
  not match("Error: sync: Unknown user in remote" value("MESSAGE"));
 };
+filter f_dovecot_auth_try {
+  not match("- trying the next passdb" value("MESSAGE")) and
+  not match("- trying the next userdb" value("MESSAGE"));
+};
 log {
  source(s_dgram);
+  filter(f_dovecot_auth_try);
  filter(f_replica);
  destination(d_stdout);
  filter(f_mail);
--- a/data/Dockerfiles/dovecot/syslog-ng.conf
+++ b/data/Dockerfiles/dovecot/syslog-ng.conf
@@ -20,6 +20,7 @@ destination d_redis_ui_log {
    host("redis-mailcow")
    persist-name("redis1")
    port(6379)
+    auth("`REDISPASS`")
    command("LPUSH" "DOVECOT_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -28,6 +29,7 @@ destination d_redis_f2b_channel {
    host("redis-mailcow")
    persist-name("redis2")
    port(6379)
+    auth("`REDISPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
@@ -36,8 +38,13 @@ filter f_replica {
  not match("User has no mail_replica in userdb" value("MESSAGE"));
  not match("Error: sync: Unknown user in remote" value("MESSAGE"));
 };
+filter f_dovecot_auth_try {
+  not match("- trying the next passdb" value("MESSAGE")) and
+  not match("- trying the next userdb" value("MESSAGE"));
+};
 log {
  source(s_dgram);
+  filter(f_dovecot_auth_try);
  filter(f_replica);
  destination(d_stdout);
  filter(f_mail);
--- a/data/Dockerfiles/dovecot/trim_logs.sh
+++ b/data/Dockerfiles/dovecot/trim_logs.sh
@@ -10,9 +10,9 @@ catch_non_zero() {
 source /source_env.sh
 # Do not attempt to write to slave
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
+  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379"
+  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
 fi
 catch_non_zero "${REDIS_CMDLINE} LTRIM ACME_LOG 0 ${LOG_LINES}"
 catch_non_zero "${REDIS_CMDLINE} LTRIM POSTFIX_MAILLOG 0 ${LOG_LINES}"
@@ -23,3 +23,4 @@ catch_non_zero "${REDIS_CMDLINE} LTRIM AUTODISCOVER_LOG 0 ${LOG_LINES}"
 catch_non_zero "${REDIS_CMDLINE} LTRIM API_LOG 0 ${LOG_LINES}"
 catch_non_zero "${REDIS_CMDLINE} LTRIM RL_LOG 0 ${LOG_LINES}"
 catch_non_zero "${REDIS_CMDLINE} LTRIM WATCHDOG_LOG 0 ${LOG_LINES}"
+catch_non_zero "${REDIS_CMDLINE} LTRIM CRON_LOG 0 ${LOG_LINES}"
--- a/data/Dockerfiles/mariadb/Dockerfile
+++ b/data/Dockerfiles/mariadb/Dockerfile
@@ -0,0 +1,28 @@
+FROM mariadb:10.11
+
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
+
+
+RUN apt-get update && \
+  apt-get install -y --no-install-recommends \
+    python3 \
+    python3-pip \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN pip install \
+  mysql-connector-python \
+  jinja2 \
+  redis \
+  dnspython \
+  psutil
+
+
+COPY data/Dockerfiles/bootstrap /bootstrap
+COPY data/Dockerfiles/mariadb/docker-entrypoint.sh /docker-entrypoint.sh
+
+RUN chmod +x /docker-entrypoint.sh
+
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+CMD ["mysqld"]
--- a/data/Dockerfiles/mariadb/docker-entrypoint.sh
+++ b/data/Dockerfiles/mariadb/docker-entrypoint.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Run hooks
+for file in /hooks/*; do
+  if [ -x "${file}" ]; then
+    echo "Running hook ${file}"
+    "${file}"
+  fi
+done
+
+python3 -u /bootstrap/main.py
+BOOTSTRAP_EXIT_CODE=$?
+
+if [ $BOOTSTRAP_EXIT_CODE -ne 0 ]; then
+  echo "Bootstrap failed with exit code $BOOTSTRAP_EXIT_CODE. Not starting MariaDB."
+  exit $BOOTSTRAP_EXIT_CODE
+fi
+
+echo "Bootstrap succeeded. Starting MariaDB..."
+exec /usr/local/bin/docker-entrypoint.sh "$@"
--- a/data/Dockerfiles/netfilter/Dockerfile
+++ b/data/Dockerfiles/netfilter/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.20
+FROM alpine:3.21

 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"

--- a/data/Dockerfiles/netfilter/main.py
+++ b/data/Dockerfiles/netfilter/main.py
@@ -85,11 +85,10 @@ def refreshF2bregex():
    f2bregex[3] = r'warning: .*\[([0-9a-f\.:]+)\]: SASL .+ authentication failed: (?!.*Connection lost to authentication server).+'
    f2bregex[4] = r'warning: non-SMTP command from .*\[([0-9a-f\.:]+)]:.+'
    f2bregex[5] = r'NOQUEUE: reject: RCPT from \[([0-9a-f\.:]+)].+Protocol error.+'
-    f2bregex[6] = r'-login: Disconnected.+ \(auth failed, .+\): user=.*, method=.+, rip=([0-9a-f\.:]+),'
-    f2bregex[7] = r'-login: Aborted login.+ \(auth failed .+\): user=.+, rip=([0-9a-f\.:]+), lip.+'
-    f2bregex[8] = r'-login: Aborted login.+ \(tried to use disallowed .+\): user=.+, rip=([0-9a-f\.:]+), lip.+'
-    f2bregex[9] = r'SOGo.+ Login from \'([0-9a-f\.:]+)\' for user .+ might not have worked'
-    f2bregex[10] = r'([0-9a-f\.:]+) \"GET \/SOGo\/.* HTTP.+\" 403 .+'
+    f2bregex[6] = r'\w+\([^,]+,([0-9a-f\.:]+),<[^>]+>\): Password mismatch \(SHA1 of given password: [a-f0-9]+\)'
+    f2bregex[7] = r'\w+\([^,]+,([0-9a-f\.:]+),<[^>]+>\): unknown user \(SHA1 of given password: [a-f0-9]+\)'
+    f2bregex[8] = r'SOGo.+ Login from \'([0-9a-f\.:]+)\' for user .+ might not have worked'
+    f2bregex[9] = r'([0-9a-f\.:]+) \"GET \/SOGo\/.* HTTP.+\" 403 .+'
    r.set('F2B_REGEX', json.dumps(f2bregex, ensure_ascii=False))
  else:
    try:
@@ -106,7 +105,7 @@ def get_ip(address):
    ip = ip.ipv4_mapped
  if ip.is_private or ip.is_loopback:
    return False
-  
+
  return ip

 def ban(address):
@@ -434,9 +433,9 @@ if __name__ == '__main__':
      redis_slaveof_ip = os.getenv('REDIS_SLAVEOF_IP', '')
      redis_slaveof_port = os.getenv('REDIS_SLAVEOF_PORT', '')
      if "".__eq__(redis_slaveof_ip):
-        r = redis.StrictRedis(host=os.getenv('IPV4_NETWORK', '172.22.1') + '.249', decode_responses=True, port=6379, db=0)
+        r = redis.StrictRedis(host=os.getenv('IPV4_NETWORK', '172.22.1') + '.249', decode_responses=True, port=6379, db=0, password=os.environ['REDISPASS'])
      else:
-        r = redis.StrictRedis(host=redis_slaveof_ip, decode_responses=True, port=redis_slaveof_port, db=0)
+        r = redis.StrictRedis(host=redis_slaveof_ip, decode_responses=True, port=redis_slaveof_port, db=0, password=os.environ['REDISPASS'])
      r.ping()
      pubsub = r.pubsub()
    except Exception as ex:
@@ -452,7 +451,7 @@ if __name__ == '__main__':
  # clear bans in redis
  r.delete('F2B_ACTIVE_BANS')
  r.delete('F2B_PERM_BANS')
-  
+
  refreshF2boptions()

  watch_thread = Thread(target=watch)
--- a/data/Dockerfiles/nginx/Dockerfile
+++ b/data/Dockerfiles/nginx/Dockerfile
@@ -0,0 +1,36 @@
+FROM nginx:alpine
+LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
+
+ENV PIP_BREAK_SYSTEM_PACKAGES=1
+
+RUN apk add --no-cache nginx \
+  python3 py3-pip \
+  supervisor
+
+RUN apk add --no-cache --virtual .build-deps \
+      gcc \
+      musl-dev \
+      python3-dev \
+      linux-headers \
+  && pip install --break-system-packages psutil \
+  && apk del .build-deps
+
+RUN pip install  --break-system-packages \
+  mysql-connector-python \
+  jinja2 \
+  redis \
+  dnspython
+
+RUN mkdir -p /etc/nginx/includes
+
+
+COPY data/Dockerfiles/bootstrap /bootstrap
+COPY data/Dockerfiles/nginx/docker-entrypoint.sh /
+COPY data/Dockerfiles/nginx/supervisord.conf /etc/supervisor/supervisord.conf
+COPY data/Dockerfiles/nginx/stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
+
+RUN chmod +x /docker-entrypoint.sh
+RUN chmod +x /usr/local/sbin/stop-supervisor.sh
+
+
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
--- a/data/Dockerfiles/nginx/docker-entrypoint.sh
+++ b/data/Dockerfiles/nginx/docker-entrypoint.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Run hooks
+for file in /hooks/*; do
+  if [ -x "${file}" ]; then
+    echo "Running hook ${file}"
+    "${file}"
+  fi
+done
+
+python3 -u /bootstrap/main.py
+BOOTSTRAP_EXIT_CODE=$?
+
+if [ $BOOTSTRAP_EXIT_CODE -ne 0 ]; then
+  echo "Bootstrap failed with exit code $BOOTSTRAP_EXIT_CODE. Not starting Nginx."
+  exit $BOOTSTRAP_EXIT_CODE
+fi
+
+echo "Bootstrap succeeded. Starting Nginx..."
+nginx -g "daemon off;"
--- a/data/Dockerfiles/nginx/stop-supervisor.sh
+++ b/data/Dockerfiles/nginx/stop-supervisor.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+printf "READY\n";
+
+while read line; do
+  echo "Processing Event: $line" >&2;
+  kill -3 $(cat "/var/run/supervisord.pid")
+done < /dev/stdin
--- a/data/Dockerfiles/nginx/supervisord.conf
+++ b/data/Dockerfiles/nginx/supervisord.conf
@@ -0,0 +1,27 @@
+[supervisord]
+nodaemon=true
+user=root
+
+[program:syslog-ng]
+command=/usr/sbin/syslog-ng --foreground  --no-caps
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autostart=true
+priority=1
+
+[program:bootstrap]
+command=/docker-entrypoint.sh
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+priority=2
+startretries=10
+autorestart=true
+stopwaitsecs=120
+
+[eventlistener:processes]
+command=/usr/local/sbin/stop-supervisor.sh
+events=PROCESS_STATE_STOPPED, PROCESS_STATE_EXITED, PROCESS_STATE_FATAL
--- a/data/Dockerfiles/olefy/Dockerfile
+++ b/data/Dockerfiles/olefy/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.20
+FROM alpine:3.21

 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"

--- a/data/Dockerfiles/olefy/olefy.py
+++ b/data/Dockerfiles/olefy/olefy.py
@@ -32,6 +32,13 @@ import time
 import magic
 import re

+skip_olefy = os.getenv('SKIP_OLEFY', '')
+
+if skip_olefy.lower() in ['yes', 'y']:
+    print("SKIP_OLEFY=y, skipping Olefy...")
+    time.sleep(365 * 24 * 60 * 60)
+    sys.exit(0)
+
 # merge variables from /etc/olefy.conf and the defaults
 olefy_listen_addr_string = os.getenv('OLEFY_BINDADDRESS', '127.0.0.1,::1')
 olefy_listen_port = int(os.getenv('OLEFY_BINDPORT', '10050'))
@@ -113,7 +120,7 @@ def oletools( stream, tmp_file_name, lid ):
        out = bytes(out.decode('utf-8', 'ignore').replace('  ', ' ').replace('\t', '').replace('\n', '').replace('XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)', ''), encoding="utf-8")
        failed = False
        if out.__len__() < 30:
-            logger.error('{} olevba returned <30 chars - rc: {!r}, response: {!r}, error: {!r}'.format(lid,cmd_tmp.returncode, 
+            logger.error('{} olevba returned <30 chars - rc: {!r}, response: {!r}, error: {!r}'.format(lid,cmd_tmp.returncode,
                out.decode('utf-8', 'ignore'), err.decode('utf-8', 'ignore')))
            out = b'[ { "error": "Unhandled error - too short olevba response" } ]'
            failed = True
--- a/data/Dockerfiles/phpfpm/Dockerfile
+++ b/data/Dockerfiles/phpfpm/Dockerfile
@@ -1,11 +1,11 @@
-FROM php:8.2-fpm-alpine3.20
+FROM php:8.2-fpm-alpine3.21

 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"

 # renovate: datasource=github-tags depName=krakjoe/apcu versioning=semver-coerced extractVersion=^v(?<version>.*)$
 ARG APCU_PECL_VERSION=5.1.24
 # renovate: datasource=github-tags depName=Imagick/imagick versioning=semver-coerced extractVersion=(?<version>.*)$
-ARG IMAGICK_PECL_VERSION=3.7.0
+ARG IMAGICK_PECL_VERSION=3.8.0
 # renovate: datasource=github-tags depName=php/pecl-mail-mailparse versioning=semver-coerced extractVersion=^v(?<version>.*)$
 ARG MAILPARSE_PECL_VERSION=3.1.8
 # renovate: datasource=github-tags depName=php-memcached-dev/php-memcached versioning=semver-coerced extractVersion=^v(?<version>.*)$
@@ -13,7 +13,7 @@ ARG MEMCACHED_PECL_VERSION=3.2.0
 # renovate: datasource=github-tags depName=phpredis/phpredis versioning=semver-coerced extractVersion=(?<version>.*)$
 ARG REDIS_PECL_VERSION=6.1.0
 # renovate: datasource=github-tags depName=composer/composer versioning=semver-coerced extractVersion=(?<version>.*)$
-ARG COMPOSER_VERSION=2.6.6
+ARG COMPOSER_VERSION=2.8.6

 RUN apk add -U --no-cache autoconf \
  aspell-dev \
@@ -63,6 +63,7 @@ RUN apk add -U --no-cache autoconf \
  samba-client \
  zlib-dev \
  tzdata \
+  python3 py3-pip \
  && pecl install APCu-${APCU_PECL_VERSION} \
  && pecl install imagick-${IMAGICK_PECL_VERSION} \
  && pecl install mailparse-${MAILPARSE_PECL_VERSION} \
@@ -72,12 +73,12 @@ RUN apk add -U --no-cache autoconf \
  && pecl clear-cache \
  && docker-php-ext-configure intl \
  && docker-php-ext-configure exif \
-  && docker-php-ext-configure gd --with-freetype=/usr/include/ \  
+  && docker-php-ext-configure gd --with-freetype=/usr/include/ \
    --with-jpeg=/usr/include/ \
    --with-webp \
    --with-xpm \
    --with-avif \
-  && docker-php-ext-install -j 4 exif gd gettext intl ldap opcache pcntl pdo pdo_mysql pspell soap sockets sysvsem zip bcmath gmp \
+  && docker-php-ext-install -j 4 exif gd gettext intl ldap opcache pcntl pdo pdo_mysql pspell soap sockets zip bcmath gmp \
  && docker-php-ext-configure imap --with-imap --with-imap-ssl \
  && docker-php-ext-install -j 4 imap \
  && curl --silent --show-error https://getcomposer.org/installer | php -- --version=${COMPOSER_VERSION} \
@@ -107,8 +108,26 @@ RUN apk add -U --no-cache autoconf \
    pcre-dev \
    zlib-dev

-COPY ./docker-entrypoint.sh /
+RUN apk add --no-cache --virtual .build-deps \
+      gcc \
+      musl-dev \
+      python3-dev \
+      linux-headers \
+  && pip install --break-system-packages psutil \
+  && apk del .build-deps
+
+RUN pip install  --break-system-packages \
+  mysql-connector-python \
+  jinja2 \
+  redis \
+  dnspython
+
+
+COPY data/Dockerfiles/bootstrap /bootstrap
+COPY data/Dockerfiles/phpfpm/docker-entrypoint.sh /
+
+RUN chmod +x /docker-entrypoint.sh
+

 ENTRYPOINT ["/docker-entrypoint.sh"]
-
 CMD ["php-fpm"]
--- a/data/Dockerfiles/phpfpm/docker-entrypoint.sh
+++ b/data/Dockerfiles/phpfpm/docker-entrypoint.sh
@@ -1,219 +1,5 @@
 #!/bin/bash

-function array_by_comma { local IFS=","; echo "$*"; }
-
-# Wait for containers
-while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
-  echo "Waiting for SQL..."
-  sleep 2
-done
-
-# Do not attempt to write to slave
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_HOST=$REDIS_SLAVEOF_IP
-  REDIS_PORT=$REDIS_SLAVEOF_PORT
-else
-  REDIS_HOST="redis"
-  REDIS_PORT="6379"
-fi
-REDIS_CMDLINE="redis-cli -h ${REDIS_HOST} -p ${REDIS_PORT}"
-
-until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
-  echo "Waiting for Redis..."
-  sleep 2
-done
-
-# Set redis session store
-echo -n '
-session.save_handler = redis
-session.save_path = "tcp://'${REDIS_HOST}':'${REDIS_PORT}'"
-' > /usr/local/etc/php/conf.d/session_store.ini
-
-# Check mysql_upgrade (master and slave)
-CONTAINER_ID=
-until [[ ! -z "${CONTAINER_ID}" ]] && [[ "${CONTAINER_ID}" =~ ^[[:alnum:]]*$ ]]; do
-  CONTAINER_ID=$(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" 2> /dev/null | jq -rc "select( .name | tostring | contains(\"mysql-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" 2> /dev/null)
-  echo "Could not get mysql-mailcow container id... trying again"
-  sleep 2
-done
-echo "MySQL @ ${CONTAINER_ID}"
-SQL_LOOP_C=0
-SQL_CHANGED=0
-until [[ ${SQL_UPGRADE_STATUS} == 'success' ]]; do
-  if [ ${SQL_LOOP_C} -gt 4 ]; then
-    echo "Tried to upgrade MySQL and failed, giving up after ${SQL_LOOP_C} retries and starting container (oops, not good)"
-    break
-  fi
-  SQL_FULL_UPGRADE_RETURN=$(curl --silent --insecure -XPOST https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/exec -d '{"cmd":"system", "task":"mysql_upgrade"}' --silent -H 'Content-type: application/json')
-  SQL_UPGRADE_STATUS=$(echo ${SQL_FULL_UPGRADE_RETURN} | jq -r .type)
-  SQL_LOOP_C=$((SQL_LOOP_C+1))
-  echo "SQL upgrade iteration #${SQL_LOOP_C}"
-  if [[ ${SQL_UPGRADE_STATUS} == 'warning' ]]; then
-    SQL_CHANGED=1
-    echo "MySQL applied an upgrade, debug output:"
-    echo ${SQL_FULL_UPGRADE_RETURN}
-    sleep 3
-    while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
-      echo "Waiting for SQL to return, please wait"
-      sleep 2
-    done
-    continue
-  elif [[ ${SQL_UPGRADE_STATUS} == 'success' ]]; then
-    echo "MySQL is up-to-date - debug output:"
-    echo ${SQL_FULL_UPGRADE_RETURN}
-  else
-    echo "No valid reponse for mysql_upgrade was received, debug output:"
-    echo ${SQL_FULL_UPGRADE_RETURN}
-  fi
-done
-
-# doing post-installation stuff, if SQL was upgraded (master and slave)
-if [ ${SQL_CHANGED} -eq 1 ]; then
-  POSTFIX=$(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" 2> /dev/null | jq -rc "select( .name | tostring | contains(\"postfix-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" 2> /dev/null)
-  if [[ -z "${POSTFIX}" ]] || ! [[ "${POSTFIX}" =~ ^[[:alnum:]]*$ ]]; then
-    echo "Could not determine Postfix container ID, skipping Postfix restart."
-  else
-    echo "Restarting Postfix"
-    curl -X POST --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${POSTFIX}/restart | jq -r '.msg'
-    echo "Sleeping 5 seconds..."
-    sleep 5
-  fi
-fi
-
-# Check mysql tz import (master and slave)
-TZ_CHECK=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT CONVERT_TZ('2019-11-02 23:33:00','Europe/Berlin','UTC') AS time;" -BN 2> /dev/null)
-if [[ -z ${TZ_CHECK} ]] || [[ "${TZ_CHECK}" == "NULL" ]]; then
-  SQL_FULL_TZINFO_IMPORT_RETURN=$(curl --silent --insecure -XPOST https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/exec -d '{"cmd":"system", "task":"mysql_tzinfo_to_sql"}' --silent -H 'Content-type: application/json')
-  echo "MySQL mysql_tzinfo_to_sql - debug output:"
-  echo ${SQL_FULL_TZINFO_IMPORT_RETURN}
-fi
-
-if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "We are master, preparing..."
-  # Set a default release format
-  if [[ -z $(${REDIS_CMDLINE} --raw GET Q_RELEASE_FORMAT) ]]; then
-    ${REDIS_CMDLINE} --raw SET Q_RELEASE_FORMAT raw
-  fi
-
-  # Set max age of q items - if unset
-  if [[ -z $(${REDIS_CMDLINE} --raw GET Q_MAX_AGE) ]]; then
-    ${REDIS_CMDLINE} --raw SET Q_MAX_AGE 365
-  fi
-
-  # Set default password policy - if unset
-  if [[ -z $(${REDIS_CMDLINE} --raw HGET PASSWD_POLICY length) ]]; then
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY length 6
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY chars 0
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY special_chars 0
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY lowerupper 0
-    ${REDIS_CMDLINE} --raw HSET PASSWD_POLICY numbers 0
-  fi
-
-  # Trigger db init
-  echo "Running DB init..."
-  php -c /usr/local/etc/php -f /web/inc/init_db.inc.php
-
-  # Recreating domain map
-  echo "Rebuilding domain map in Redis..."
-  declare -a DOMAIN_ARR
-    ${REDIS_CMDLINE} DEL DOMAIN_MAP > /dev/null
-  while read line
-  do
-    DOMAIN_ARR+=("$line")
-  done < <(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain" -Bs)
-  while read line
-  do
-    DOMAIN_ARR+=("$line")
-  done < <(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT alias_domain FROM alias_domain" -Bs)
-
-  if [[ ! -z ${DOMAIN_ARR} ]]; then
-  for domain in "${DOMAIN_ARR[@]}"; do
-    ${REDIS_CMDLINE} HSET DOMAIN_MAP ${domain} 1 > /dev/null
-  done
-  fi
-
-  # Set API options if env vars are not empty
-  if [[ ${API_ALLOW_FROM} != "invalid" ]] && [[ ! -z ${API_ALLOW_FROM} ]]; then
-    IFS=',' read -r -a API_ALLOW_FROM_ARR <<< "${API_ALLOW_FROM}"
-    declare -a VALIDATED_API_ALLOW_FROM_ARR
-    REGEX_IP6='^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$'
-    REGEX_IP4='^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(/([0-9]|[1-2][0-9]|3[0-2]))?$'
-    for IP in "${API_ALLOW_FROM_ARR[@]}"; do
-      if [[ ${IP} =~ ${REGEX_IP6} ]] || [[ ${IP} =~ ${REGEX_IP4} ]]; then
-        VALIDATED_API_ALLOW_FROM_ARR+=("${IP}")
-      fi
-    done
-    VALIDATED_IPS=$(array_by_comma ${VALIDATED_API_ALLOW_FROM_ARR[*]})
-    if [[ ! -z ${VALIDATED_IPS} ]]; then
-      if [[ ${API_KEY} != "invalid" ]] && [[ ! -z ${API_KEY} ]]; then
-        mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
-DELETE FROM api WHERE access = 'rw';
-INSERT INTO api (api_key, active, allow_from, access) VALUES ("${API_KEY}", "1", "${VALIDATED_IPS}", "rw");
-EOF
-      fi
-      if [[ ${API_KEY_READ_ONLY} != "invalid" ]] && [[ ! -z ${API_KEY_READ_ONLY} ]]; then
-        mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
-DELETE FROM api WHERE access = 'ro';
-INSERT INTO api (api_key, active, allow_from, access) VALUES ("${API_KEY_READ_ONLY}", "1", "${VALIDATED_IPS}", "ro");
-EOF
-      fi
-    fi
-  fi
-
-  # Create events (master only, STATUS for event on slave will be SLAVESIDE_DISABLED)
-  mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
-DROP EVENT IF EXISTS clean_spamalias;
-DELIMITER //
-CREATE EVENT clean_spamalias
-ON SCHEDULE EVERY 1 DAY DO
-BEGIN
-  DELETE FROM spamalias WHERE validity < UNIX_TIMESTAMP();
-END;
-//
-DELIMITER ;
-DROP EVENT IF EXISTS clean_oauth2;
-DELIMITER //
-CREATE EVENT clean_oauth2
-ON SCHEDULE EVERY 1 DAY DO
-BEGIN
-  DELETE FROM oauth_refresh_tokens WHERE expires < NOW();
-  DELETE FROM oauth_access_tokens WHERE expires < NOW();
-  DELETE FROM oauth_authorization_codes WHERE expires < NOW();
-END;
-//
-DELIMITER ;
-DROP EVENT IF EXISTS clean_sasl_log;
-DELIMITER //
-CREATE EVENT clean_sasl_log
-ON SCHEDULE EVERY 1 DAY DO
-BEGIN
-  DELETE sasl_log.* FROM sasl_log
-    LEFT JOIN (
-      SELECT username, service, MAX(datetime) AS lastdate
-      FROM sasl_log
-      GROUP BY username, service
-    ) AS last ON sasl_log.username = last.username AND sasl_log.service = last.service
-    WHERE datetime < DATE_SUB(NOW(), INTERVAL 31 DAY) AND datetime < lastdate;
-  DELETE FROM sasl_log
-    WHERE username NOT IN (SELECT username FROM mailbox) AND
-    datetime < DATE_SUB(NOW(), INTERVAL 31 DAY);
-END;
-//
-DELIMITER ;
-EOF
-fi
-
-# Create dummy for custom overrides of mailcow style
-[[ ! -f /web/css/build/0081-custom-mailcow.css ]] && echo '/* Autogenerated by mailcow */' > /web/css/build/0081-custom-mailcow.css
-
-# Fix permissions for global filters
-chown -R 82:82 /global_sieve/*
-
-# Fix permissions on twig cache folder
-chown -R 82:82 /web/templates/cache
-# Clear cache
-find /web/templates/cache/* -not -name '.gitkeep' -delete
-
 # Run hooks
 for file in /hooks/*; do
  if [ -x "${file}" ]; then
@@ -222,4 +8,13 @@ for file in /hooks/*; do
  fi
 done

+python3 -u /bootstrap/main.py
+BOOTSTRAP_EXIT_CODE=$?
+
+if [ $BOOTSTRAP_EXIT_CODE -ne 0 ]; then
+  echo "Bootstrap failed with exit code $BOOTSTRAP_EXIT_CODE. Not starting PHP-FPM."
+  exit $BOOTSTRAP_EXIT_CODE
+fi
+
+echo "Bootstrap succeeded. Starting PHP-FPM..."
 exec "$@"
--- a/data/Dockerfiles/postfix/Dockerfile
+++ b/data/Dockerfiles/postfix/Dockerfile
@@ -34,23 +34,31 @@ RUN groupadd -g 102 postfix \
 	syslog-ng-core \
 	syslog-ng-mod-redis \
  	tzdata \
+	python3 python3-pip \
 	&& rm -rf /var/lib/apt/lists/* \
 	&& touch /etc/default/locale \
  && printf '#!/bin/bash\n/usr/sbin/postconf -c /opt/postfix/conf "$@"' > /usr/local/sbin/postconf \
  && chmod +x /usr/local/sbin/postconf

-COPY supervisord.conf /etc/supervisor/supervisord.conf
-COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
-COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
-COPY postfix.sh /opt/postfix.sh
-COPY rspamd-pipe-ham /usr/local/bin/rspamd-pipe-ham
-COPY rspamd-pipe-spam /usr/local/bin/rspamd-pipe-spam
-COPY whitelist_forwardinghosts.sh /usr/local/bin/whitelist_forwardinghosts.sh
-COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
-COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN pip install  --break-system-packages \
+  mysql-connector-python \
+  jinja2 \
+	redis \
+	dnspython \
+  psutil

-RUN chmod +x /opt/postfix.sh \
-  /usr/local/bin/rspamd-pipe-ham \
+COPY data/Dockerfiles/bootstrap /bootstrap
+COPY data/Dockerfiles/postfix/supervisord.conf /etc/supervisor/supervisord.conf
+COPY data/Dockerfiles/postfix/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
+COPY data/Dockerfiles/postfix/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
+COPY data/Dockerfiles/postfix/rspamd-pipe-ham /usr/local/bin/rspamd-pipe-ham
+COPY data/Dockerfiles/postfix/rspamd-pipe-spam /usr/local/bin/rspamd-pipe-spam
+COPY data/Dockerfiles/postfix/whitelist_forwardinghosts.sh /usr/local/bin/whitelist_forwardinghosts.sh
+COPY data/Dockerfiles/postfix/stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
+COPY data/Dockerfiles/postfix/docker-entrypoint.sh /docker-entrypoint.sh
+
+RUN chmod +x /usr/local/bin/rspamd-pipe-ham \
+	/docker-entrypoint.sh \
  /usr/local/bin/rspamd-pipe-spam \
  /usr/local/bin/whitelist_forwardinghosts.sh \
  /usr/local/sbin/stop-supervisor.sh
@@ -58,6 +66,5 @@ RUN rm -rf /tmp/* /var/tmp/*

 EXPOSE 588

-ENTRYPOINT ["/docker-entrypoint.sh"]

 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
--- a/data/Dockerfiles/postfix/docker-entrypoint.sh
+++ b/data/Dockerfiles/postfix/docker-entrypoint.sh
@@ -8,8 +8,12 @@ for file in /hooks/*; do
  fi
 done

-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
+python3 -u /bootstrap/main.py
+BOOTSTRAP_EXIT_CODE=$?
+
+if [ $BOOTSTRAP_EXIT_CODE -ne 0 ]; then
+  echo "Bootstrap failed with exit code $BOOTSTRAP_EXIT_CODE. Not starting Postfix."
+  exit $BOOTSTRAP_EXIT_CODE
 fi

 # Fix OpenSSL 3.X TLS1.0, 1.1 support (https://community.mailcow.email/d/4062-hi-all/20)
@@ -21,6 +25,16 @@ if grep -qE '\!SSLv2|\!SSLv3|>=TLSv1(\.[0-1])?$' /opt/postfix/conf/main.cf /opt/
    echo "[tls_system_default]" >> /etc/ssl/openssl.cnf
    echo "MinProtocol = TLSv1" >> /etc/ssl/openssl.cnf
    echo "CipherString = DEFAULT@SECLEVEL=0" >> /etc/ssl/openssl.cnf
-fi  
+fi

-exec "$@"
+
+# Start Postfix
+postconf -c /opt/postfix/conf > /dev/null
+if [[ $? != 0 ]]; then
+  echo "Postfix configuration error, refusing to start."
+  exit 1
+else
+  echo "Bootstrap succeeded. Starting Postfix..."
+  postfix -c /opt/postfix/conf start
+  sleep 126144000
+fi
--- a/data/Dockerfiles/postfix/postfix.sh
+++ b/data/Dockerfiles/postfix/postfix.sh
@@ -1,519 +0,0 @@
-#!/bin/bash
-
-trap "postfix stop" EXIT
-
-[[ ! -d /opt/postfix/conf/sql/ ]] && mkdir -p /opt/postfix/conf/sql/
-
-# Wait for MySQL to warm-up
-while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
-  echo "Waiting for database to come up..."
-  sleep 2
-done
-
-until dig +short mailcow.email > /dev/null; do
-  echo "Waiting for DNS..."
-  sleep 1
-done
-
-cat <<EOF > /etc/aliases
-# Autogenerated by mailcow
-null: /dev/null
-watchdog: /dev/null
-ham: "|/usr/local/bin/rspamd-pipe-ham"
-spam: "|/usr/local/bin/rspamd-pipe-spam"
-EOF
-newaliases;
-
-# create sni configuration
-if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo -n "" > /opt/postfix/conf/sni.map
-else
-  echo -n "" > /opt/postfix/conf/sni.map;
-  for cert_dir in /etc/ssl/mail/*/ ; do
-    if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
-      continue;
-    fi
-    IFS=" " read -r -a domains <<< "$(cat "${cert_dir}domains")"
-    for domain in "${domains[@]}"; do
-      echo -n "${domain} ${cert_dir}key.pem ${cert_dir}cert.pem" >> /opt/postfix/conf/sni.map;
-      echo "" >> /opt/postfix/conf/sni.map;
-    done
-  done
-fi
-postmap -F hash:/opt/postfix/conf/sni.map;
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_relay_ne.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT IF(EXISTS(SELECT address, domain FROM alias
-      WHERE address = '%s'
-        AND domain IN (
-          SELECT domain FROM domain
-            WHERE backupmx = '1'
-              AND relay_all_recipients = '1'
-              AND relay_unknown_only = '1')
-
-      ), 'lmtp:inet:dovecot:24', NULL) AS 'transport'
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_relay_recipient_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT DISTINCT
-  CASE WHEN '%d' IN (
-    SELECT domain FROM domain
-      WHERE relay_all_recipients=1
-        AND domain='%d'
-        AND backupmx=1
-  )
-  THEN '%s' ELSE (
-    SELECT goto FROM alias WHERE address='%s' AND active='1'
-  )
-  END AS result;
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_tls_policy_override_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT CONCAT(policy, ' ', parameters) AS tls_policy FROM tls_policy_override WHERE active = '1' AND dest = '%s'
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT IF(EXISTS(
-  SELECT 'TLS_ACTIVE' FROM alias
-    LEFT OUTER JOIN mailbox ON mailbox.username = alias.goto
-      WHERE (address='%s'
-        OR address IN (
-          SELECT CONCAT('%u', '@', target_domain) FROM alias_domain
-            WHERE alias_domain='%d'
-        )
-      ) AND JSON_UNQUOTE(JSON_VALUE(attributes, '$.tls_enforce_in')) = '1' AND mailbox.active = '1'
-  ), 'reject_plaintext_session', NULL) AS 'tls_enforce_in';
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_sender_dependent_default_transport_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT GROUP_CONCAT(transport SEPARATOR '') AS transport_maps
-  FROM (
-    SELECT IF(EXISTS(SELECT 'smtp_type' FROM alias
-      LEFT OUTER JOIN mailbox ON mailbox.username = alias.goto
-        WHERE (address = '%s'
-          OR address IN (
-            SELECT CONCAT('%u', '@', target_domain) FROM alias_domain
-              WHERE alias_domain = '%d'
-          )
-        )
-        AND JSON_UNQUOTE(JSON_VALUE(attributes, '$.tls_enforce_out')) = '1'
-        AND mailbox.active = '1'
-    ), 'smtp_enforced_tls:', 'smtp:') AS 'transport'
-    UNION ALL
-    SELECT COALESCE(
-      (SELECT hostname FROM relayhosts
-      LEFT OUTER JOIN mailbox ON JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.relayhost')) = relayhosts.id
-        WHERE relayhosts.active = '1'
-          AND (
-            mailbox.username IN (SELECT alias.goto from alias
-              JOIN mailbox ON mailbox.username = alias.goto
-                WHERE alias.active = '1'
-                  AND alias.address = '%s'
-                  AND alias.address NOT LIKE '@%%'
-            )
-          )
-      ),
-      (SELECT hostname FROM relayhosts
-      LEFT OUTER JOIN domain ON domain.relayhost = relayhosts.id
-        WHERE relayhosts.active = '1'
-          AND (domain.domain = '%d'
-            OR domain.domain IN (
-              SELECT target_domain FROM alias_domain
-                WHERE alias_domain = '%d'
-            )
-          )
-      )
-    )
-  ) AS transport_view;
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_transport_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT CONCAT('smtp_via_transport_maps:', nexthop) AS transport FROM transports
-  WHERE active = '1'
-  AND destination = '%s';
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_resource_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT 'null@localhost' FROM mailbox
-  WHERE kind REGEXP 'location|thing|group' AND username = '%s';
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_sasl_passwd_maps_sender_dependent.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT CONCAT_WS(':', username, password) AS auth_data FROM relayhosts
-  WHERE id IN (
-    SELECT COALESCE(
-      (SELECT id FROM relayhosts
-      LEFT OUTER JOIN domain ON domain.relayhost = relayhosts.id
-      WHERE relayhosts.active = '1'
-        AND (domain.domain = '%d'
-          OR domain.domain IN (
-            SELECT target_domain FROM alias_domain
-            WHERE alias_domain = '%d'
-          )
-        )
-      ),
-      (SELECT id FROM relayhosts
-      LEFT OUTER JOIN mailbox ON JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.relayhost')) = relayhosts.id
-      WHERE relayhosts.active = '1'
-        AND (
-          mailbox.username IN (
-            SELECT alias.goto from alias
-              JOIN mailbox ON mailbox.username = alias.goto
-                WHERE alias.active = '1'
-                  AND alias.address = '%s'
-                  AND alias.address NOT LIKE '@%%'
-          )
-        )
-      )
-    )
-  )
-  AND active = '1'
-  AND username != '';
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_sasl_passwd_maps_transport_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT CONCAT_WS(':', username, password) AS auth_data FROM transports
-  WHERE nexthop = '%s'
-  AND active = '1'
-  AND username != ''
-  LIMIT 1;
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_alias_domain_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT username FROM mailbox, alias_domain
-  WHERE alias_domain.alias_domain = '%d'
-    AND mailbox.username = CONCAT('%u', '@', alias_domain.target_domain)
-    AND (mailbox.active = '1' OR mailbox.active = '2')
-    AND alias_domain.active='1'
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_alias_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT goto FROM alias
-  WHERE address='%s'
-    AND (active='1' OR active='2');
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_recipient_bcc_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT bcc_dest FROM bcc_maps
-  WHERE local_dest='%s'
-    AND type='rcpt'
-    AND active='1';
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_sender_bcc_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT bcc_dest FROM bcc_maps
-  WHERE local_dest='%s'
-    AND type='sender'
-    AND active='1';
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_recipient_canonical_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT new_dest FROM recipient_maps
-  WHERE old_dest='%s'
-    AND active='1';
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_domains_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT alias_domain from alias_domain WHERE alias_domain='%s' AND active='1'
-  UNION
-  SELECT domain FROM domain
-    WHERE domain='%s'
-      AND active = '1'
-      AND backupmx = '0'
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_mailbox_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format')), mailbox_path_prefix, '%d/%u/') FROM mailbox WHERE username='%s' AND (active = '1' OR active = '2')
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_relay_domain_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '1' AND active = '1'
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_sender_acl.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-# First select queries domain and alias_domain to determine if domains are active.
-query = SELECT goto FROM alias
-  WHERE id IN (
-      SELECT COALESCE (
-        (
-          SELECT id FROM alias
-            WHERE address='%s'
-            AND (active='1' OR active='2')
-        ), (
-          SELECT id FROM alias
-            WHERE address='@%d'
-            AND (active='1' OR active='2')
-        )
-      )
-    )
-    AND active='1'
-    AND (domain IN
-      (SELECT domain FROM domain
-        WHERE domain='%d'
-          AND active='1')
-      OR domain in (
-        SELECT alias_domain FROM alias_domain
-          WHERE alias_domain='%d'
-            AND active='1'
-      )
-    )
-  UNION
-  SELECT logged_in_as FROM sender_acl
-    WHERE send_as='@%d'
-      OR send_as='%s'
-      OR send_as='*'
-      OR send_as IN (
-        SELECT CONCAT('@',target_domain) FROM alias_domain
-          WHERE alias_domain = '%d')
-      OR send_as IN (
-        SELECT CONCAT('%u','@',target_domain) FROM alias_domain
-          WHERE alias_domain = '%d')
-      AND logged_in_as NOT IN (
-        SELECT goto FROM alias
-          WHERE address='%s')
-  UNION
-  SELECT username FROM mailbox, alias_domain
-    WHERE alias_domain.alias_domain = '%d'
-      AND mailbox.username = CONCAT('%u','@',alias_domain.target_domain)
-      AND (mailbox.active = '1' OR mailbox.active ='2')
-      AND alias_domain.active='1';
-EOF
-
-# MX based routing
-cat <<EOF > /opt/postfix/conf/sql/mysql_mbr_access_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT CONCAT('FILTER smtp_via_transport_maps:', nexthop) as transport FROM transports
-  WHERE '%s' REGEXP destination
-    AND active='1'
-    AND is_mx_based='1';
-EOF
-
-cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_spamalias_maps.cf
-# Autogenerated by mailcow
-user = ${DBUSER}
-password = ${DBPASS}
-hosts = unix:/var/run/mysqld/mysqld.sock
-dbname = ${DBNAME}
-query = SELECT goto FROM spamalias
-  WHERE address='%s'
-    AND validity >= UNIX_TIMESTAMP()
-EOF
-
-if [ ! -f /opt/postfix/conf/dns_blocklists.cf ]; then
-  cat <<EOF > /opt/postfix/conf/dns_blocklists.cf
-# This file can be edited. 
-# Delete this file and restart postfix container to revert any changes.
-postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
-  hostkarma.junkemailfilter.com=127.0.0.1*-2
-  list.dnswl.org=127.0.[0..255].0*-2
-  list.dnswl.org=127.0.[0..255].1*-4
-  list.dnswl.org=127.0.[0..255].2*-6
-  list.dnswl.org=127.0.[0..255].3*-8
-  ix.dnsbl.manitu.net*2
-  bl.spamcop.net*2
-  bl.suomispam.net*2
-  hostkarma.junkemailfilter.com=127.0.0.2*3
-  hostkarma.junkemailfilter.com=127.0.0.4*2
-  hostkarma.junkemailfilter.com=127.0.1.2*1
-  backscatter.spameatingmonkey.net*2
-  bl.ipv6.spameatingmonkey.net*2
-  bl.spameatingmonkey.net*2
-  b.barracudacentral.org=127.0.0.2*7
-  bl.mailspike.net=127.0.0.2*5
-  bl.mailspike.net=127.0.0.[10;11;12]*4
-EOF
-fi
-DNSBL_CONFIG=$(grep -v '^#' /opt/postfix/conf/dns_blocklists.cf | grep '\S')
-
-if [ ! -z "$DNSBL_CONFIG" ]; then
-  echo -e "\e[33mChecking if ASN for your IP is listed for Spamhaus Bad ASN List...\e[0m"
-  if [ -n "$SPAMHAUS_DQS_KEY" ]; then
-    echo -e "\e[32mDetected SPAMHAUS_DQS_KEY variable from mailcow.conf...\e[0m"
-    echo -e "\e[33mUsing DQS Blocklists from Spamhaus!\e[0m"
-    SPAMHAUS_DNSBL_CONFIG=$(cat <<EOF
-  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.[4..7]*6
-  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.[10;11]*8
-  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.3*4
-  ${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net=127.0.0.2*3
-postscreen_dnsbl_reply_map = texthash:/opt/postfix/conf/dnsbl_reply.map
-EOF
-
-  cat <<EOF > /opt/postfix/conf/dnsbl_reply.map
-# Autogenerated by mailcow, using Spamhaus DQS reply domains
-${SPAMHAUS_DQS_KEY}.sbl.dq.spamhaus.net     sbl.spamhaus.org
-${SPAMHAUS_DQS_KEY}.xbl.dq.spamhaus.net     xbl.spamhaus.org
-${SPAMHAUS_DQS_KEY}.pbl.dq.spamhaus.net     pbl.spamhaus.org
-${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net     zen.spamhaus.org
-${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net     dbl.spamhaus.org
-${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net     zrd.spamhaus.org
-EOF
-    )
-  else
-    if [ -f "/opt/postfix/conf/dnsbl_reply.map" ]; then
-      rm /opt/postfix/conf/dnsbl_reply.map
-    fi
-    response=$(curl --connect-timeout 15 --max-time 30 -s -o /dev/null -w "%{http_code}" "https://asn-check.mailcow.email")
-    if [ "$response" -eq 503 ]; then
-      echo -e "\e[31mThe AS of your IP is listed as a banned AS from Spamhaus!\e[0m"
-      echo -e "\e[33mNo SPAMHAUS_DQS_KEY found... Skipping Spamhaus blocklists entirely!\e[0m"
-      SPAMHAUS_DNSBL_CONFIG=""
-    elif [ "$response" -eq 200 ]; then
-      echo -e "\e[32mThe AS of your IP is NOT listed as a banned AS from Spamhaus!\e[0m"
-      echo -e "\e[33mUsing the open Spamhaus blocklists.\e[0m"
-      SPAMHAUS_DNSBL_CONFIG=$(cat <<EOF
-  zen.spamhaus.org=127.0.0.[10;11]*8
-  zen.spamhaus.org=127.0.0.[4..7]*6
-  zen.spamhaus.org=127.0.0.3*4
-  zen.spamhaus.org=127.0.0.2*3
-EOF
-      )
-
-    else
-      echo -e "\e[31mWe couldn't determine your AS... (maybe DNS/Network issue?) Response Code: $response\e[0m"
-      echo -e "\e[33mDeactivating Spamhaus DNS Blocklists to be on the safe site!\e[0m"
-      SPAMHAUS_DNSBL_CONFIG=""
-    fi
-  fi
-fi
-
-# Reset main.cf
-sed -i '/Overrides/q' /opt/postfix/conf/main.cf
-echo >> /opt/postfix/conf/main.cf
-# Append postscreen dnsbl sites to main.cf
-if [ ! -z "$DNSBL_CONFIG" ]; then
-  echo -e "${DNSBL_CONFIG}\n${SPAMHAUS_DNSBL_CONFIG}" >> /opt/postfix/conf/main.cf
-fi
-# Append user overrides
-echo -e "\n# User Overrides" >> /opt/postfix/conf/main.cf
-touch /opt/postfix/conf/extra.cf
-sed -i '/\$myhostname/! { /myhostname/d }' /opt/postfix/conf/extra.cf
-echo -e "myhostname = ${MAILCOW_HOSTNAME}\n$(cat /opt/postfix/conf/extra.cf)" > /opt/postfix/conf/extra.cf
-cat /opt/postfix/conf/extra.cf >> /opt/postfix/conf/main.cf
-
-if [ ! -f /opt/postfix/conf/custom_transport.pcre ]; then
-  echo "Creating dummy custom_transport.pcre"
-  touch /opt/postfix/conf/custom_transport.pcre
-fi
-
-if [[ ! -f /opt/postfix/conf/custom_postscreen_whitelist.cidr ]]; then
-  echo "Creating dummy custom_postscreen_whitelist.cidr"
-  cat <<EOF > /opt/postfix/conf/custom_postscreen_whitelist.cidr
-# Autogenerated by mailcow
-# Rules are evaluated in the order as specified.
-# Blacklist 192.168.* except 192.168.0.1.
-# 192.168.0.1          permit
-# 192.168.0.0/16       reject
-EOF
-fi
-
-# Fix Postfix permissions
-chown -R root:postfix /opt/postfix/conf/sql/ /opt/postfix/conf/custom_transport.pcre
-chmod 640 /opt/postfix/conf/sql/*.cf /opt/postfix/conf/custom_transport.pcre
-chgrp -R postdrop /var/spool/postfix/public
-chgrp -R postdrop /var/spool/postfix/maildrop
-postfix set-permissions
-
-# Check Postfix configuration
-postconf -c /opt/postfix/conf > /dev/null
-
-if [[ $? != 0 ]]; then
-  echo "Postfix configuration error, refusing to start."
-  exit 1
-else
-  postfix -c /opt/postfix/conf start
-  sleep 126144000
-fi
--- a/data/Dockerfiles/postfix/supervisord.conf
+++ b/data/Dockerfiles/postfix/supervisord.conf
@@ -11,13 +11,14 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autostart=true

-[program:postfix]
-command=/opt/postfix.sh
+[program:bootstrap]
+command=/docker-entrypoint.sh
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autorestart=true
+startsecs=10

 [eventlistener:processes]
 command=/usr/local/sbin/stop-supervisor.sh
--- a/data/Dockerfiles/postfix/syslog-ng-redis_slave.conf
+++ b/data/Dockerfiles/postfix/syslog-ng-redis_slave.conf
@@ -20,6 +20,7 @@ destination d_redis_ui_log {
    host("`REDIS_SLAVEOF_IP`")
    persist-name("redis1")
    port(`REDIS_SLAVEOF_PORT`)
+    auth("`REDISPASS`")
    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -28,6 +29,7 @@ destination d_redis_f2b_channel {
    host("`REDIS_SLAVEOF_IP`")
    persist-name("redis2")
    port(`REDIS_SLAVEOF_PORT`)
+    auth("`REDISPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
--- a/data/Dockerfiles/postfix/syslog-ng.conf
+++ b/data/Dockerfiles/postfix/syslog-ng.conf
@@ -20,6 +20,7 @@ destination d_redis_ui_log {
    host("redis-mailcow")
    persist-name("redis1")
    port(6379)
+    auth("`REDISPASS`")
    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -28,6 +29,7 @@ destination d_redis_f2b_channel {
    host("redis-mailcow")
    persist-name("redis2")
    port(6379)
+    auth("`REDISPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
--- a/data/Dockerfiles/rspamd/Dockerfile
+++ b/data/Dockerfiles/rspamd/Dockerfile
@@ -2,11 +2,11 @@ FROM debian:bookworm-slim
 LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"

 ARG DEBIAN_FRONTEND=noninteractive
-ARG RSPAMD_VER=rspamd_3.10.2-1~b8a232043
+ARG RSPAMD_VER=rspamd_3.11.1-1~ab0b44951
 ARG CODENAME=bookworm
 ENV LC_ALL=C

-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
  tzdata \
  ca-certificates \
  gnupg2 \
@@ -14,10 +14,11 @@ RUN apt-get update && apt-get install -y \
  dnsutils \
  netcat-traditional \
  wget \
-  redis-tools \ 
-  procps \ 
+  redis-tools \
+  procps \
  nano \
  lua-cjson \
+  python3 python3-pip \
  && arch=$(arch | sed s/aarch64/arm64/ | sed s/x86_64/amd64/) \
  && wget -P /tmp https://rspamd.com/apt-stable/pool/main/r/rspamd/${RSPAMD_VER}~${CODENAME}_${arch}.deb\
  && apt install -y /tmp/${RSPAMD_VER}~${CODENAME}_${arch}.deb \
@@ -29,12 +30,20 @@ RUN apt-get update && apt-get install -y \
  && echo 'alias ll="ls -la --color"' >> ~/.bashrc \
  && sed -i 's/#analysis_keyword_table > 0/analysis_cat_table.macro_exist == "M"/g' /usr/share/rspamd/lualib/lua_scanners/oletools.lua

-COPY settings.conf /etc/rspamd/settings.conf
-COPY set_worker_password.sh /set_worker_password.sh
-COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN pip install  --break-system-packages \
+  mysql-connector-python \
+  jinja2 \
+  redis \
+  dnspython \
+  psutil
+
+
+COPY data/Dockerfiles/bootstrap /bootstrap
+COPY data/Dockerfiles/rspamd/settings.conf /etc/rspamd/settings.conf
+COPY data/Dockerfiles/rspamd/set_worker_password.sh /set_worker_password.sh
+COPY data/Dockerfiles/rspamd/docker-entrypoint.sh /docker-entrypoint.sh

-ENTRYPOINT ["/docker-entrypoint.sh"]

 STOPSIGNAL SIGTERM
-
+ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["/usr/bin/rspamd", "-f", "-u", "_rspamd", "-g", "_rspamd"]
--- a/data/Dockerfiles/rspamd/docker-entrypoint.sh
+++ b/data/Dockerfiles/rspamd/docker-entrypoint.sh
@@ -1,121 +1,5 @@
 #!/bin/bash

-until nc phpfpm 9001 -z; do
-  echo "Waiting for PHP on port 9001..."
-  sleep 3
-done
-
-until nc phpfpm 9002 -z; do
-  echo "Waiting for PHP on port 9002..."
-  sleep 3
-done
-
-mkdir -p /etc/rspamd/plugins.d \
-  /etc/rspamd/custom
-
-touch /etc/rspamd/rspamd.conf.local \
-  /etc/rspamd/rspamd.conf.override
-
-chmod 755 /var/lib/rspamd
-
-
-[[ ! -f /etc/rspamd/override.d/worker-controller-password.inc ]] && echo '# Autogenerated by mailcow' > /etc/rspamd/override.d/worker-controller-password.inc
-
-echo ${IPV4_NETWORK}.0/24 > /etc/rspamd/custom/mailcow_networks.map
-echo ${IPV6_NETWORK} >> /etc/rspamd/custom/mailcow_networks.map
-
-DOVECOT_V4=
-DOVECOT_V6=
-until [[ ! -z ${DOVECOT_V4} ]]; do
-  DOVECOT_V4=$(dig a dovecot +short)
-  DOVECOT_V6=$(dig aaaa dovecot +short)
-  [[ ! -z ${DOVECOT_V4} ]] && break;
-  echo "Waiting for Dovecot..."
-  sleep 3
-done
-echo ${DOVECOT_V4}/32 > /etc/rspamd/custom/dovecot_trusted.map
-if [[ ! -z ${DOVECOT_V6} ]]; then
-  echo ${DOVECOT_V6}/128 >> /etc/rspamd/custom/dovecot_trusted.map
-fi
-
-RSPAMD_V4=
-RSPAMD_V6=
-until [[ ! -z ${RSPAMD_V4} ]]; do
-  RSPAMD_V4=$(dig a rspamd +short)
-  RSPAMD_V6=$(dig aaaa rspamd +short)
-  [[ ! -z ${RSPAMD_V4} ]] && break;
-  echo "Waiting for Rspamd..."
-  sleep 3
-done
-echo ${RSPAMD_V4}/32 > /etc/rspamd/custom/rspamd_trusted.map
-if [[ ! -z ${RSPAMD_V6} ]]; then
-  echo ${RSPAMD_V6}/128 >> /etc/rspamd/custom/rspamd_trusted.map
-fi
-
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  cat <<EOF > /etc/rspamd/local.d/redis.conf
-read_servers = "redis:6379";
-write_servers = "${REDIS_SLAVEOF_IP}:${REDIS_SLAVEOF_PORT}";
-timeout = 10;
-EOF
-  until [[ $(redis-cli -h redis-mailcow PING) == "PONG" ]]; do
-    echo "Waiting for Redis @redis-mailcow..."
-    sleep 2
-  done
-  until [[ $(redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} PING) == "PONG" ]]; do
-    echo "Waiting for Redis @${REDIS_SLAVEOF_IP}..."
-    sleep 2
-  done
-  redis-cli -h redis-mailcow SLAVEOF ${REDIS_SLAVEOF_IP} ${REDIS_SLAVEOF_PORT}
-else
-  cat <<EOF > /etc/rspamd/local.d/redis.conf
-servers = "redis:6379";
-timeout = 10;
-EOF
-  until [[ $(redis-cli -h redis-mailcow PING) == "PONG" ]]; do
-    echo "Waiting for Redis slave..."
-    sleep 2
-  done
-  redis-cli -h redis-mailcow SLAVEOF NO ONE
-fi
-
-# Provide additional lua modules
-ln -s /usr/lib/$(uname -m)-linux-gnu/liblua5.1-cjson.so.0.0.0 /usr/lib/rspamd/cjson.so
-
-chown -R _rspamd:_rspamd /var/lib/rspamd \
-  /etc/rspamd/local.d \
-  /etc/rspamd/override.d \
-  /etc/rspamd/rspamd.conf.local \
-  /etc/rspamd/rspamd.conf.override \
-  /etc/rspamd/plugins.d
-
-# Fix missing default global maps, if any
-# These exists in mailcow UI and should not be removed
-touch /etc/rspamd/custom/global_mime_from_blacklist.map \
-  /etc/rspamd/custom/global_rcpt_blacklist.map \
-  /etc/rspamd/custom/global_smtp_from_blacklist.map \
-  /etc/rspamd/custom/global_mime_from_whitelist.map \
-  /etc/rspamd/custom/global_rcpt_whitelist.map \
-  /etc/rspamd/custom/global_smtp_from_whitelist.map \
-  /etc/rspamd/custom/bad_languages.map \
-  /etc/rspamd/custom/sa-rules \
-  /etc/rspamd/custom/dovecot_trusted.map \
-  /etc/rspamd/custom/rspamd_trusted.map \
-  /etc/rspamd/custom/mailcow_networks.map \
-  /etc/rspamd/custom/ip_wl.map \
-  /etc/rspamd/custom/fishy_tlds.map \
-  /etc/rspamd/custom/bad_words.map \
-  /etc/rspamd/custom/bad_asn.map \
-  /etc/rspamd/custom/bad_words_de.map \
-  /etc/rspamd/custom/bulk_header.map \
-  /etc/rspamd/custom/bad_header.map
-
-# www-data (82) group needs to write to these files
-chown _rspamd:_rspamd /etc/rspamd/custom/
-chmod 0755 /etc/rspamd/custom/.
-chown -R 82:82 /etc/rspamd/custom/*
-chmod 644 -R /etc/rspamd/custom/*
-
 # Run hooks
 for file in /hooks/*; do
  if [ -x "${file}" ]; then
@@ -124,190 +8,13 @@ for file in /hooks/*; do
  fi
 done

-# If DQS KEY is set in mailcow.conf add Spamhaus DQS RBLs
-if [[ ! -z ${SPAMHAUS_DQS_KEY} ]]; then
-    cat <<EOF > /etc/rspamd/custom/dqs-rbl.conf
-  # Autogenerated by mailcow. DO NOT TOUCH!
-    spamhaus {
-        rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
-        from = false;
-    }
-    spamhaus_from {
-        from = true;
-        received = false;
-        rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
-        returncodes {
-          SPAMHAUS_ZEN = [ "127.0.0.2", "127.0.0.3", "127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7", "127.0.0.9", "127.0.0.10", "127.0.0.11" ];
-        }
-    }
-    spamhaus_authbl_received {
-        # Check if the sender client is listed in AuthBL (AuthBL is *not* part of ZEN)
-        rbl = "${SPAMHAUS_DQS_KEY}.authbl.dq.spamhaus.net";
-        from = false;
-        received = true;
-        ipv6 = true;
-        returncodes {
-          SH_AUTHBL_RECEIVED = "127.0.0.20"
-        }
-    }
-    spamhaus_dbl {
-        # Add checks on the HELO string
-        rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
-        helo = true;
-        rdns = true;
-        dkim = true;
-        disable_monitoring = true;
-        returncodes {
-            RBL_DBL_SPAM = "127.0.1.2";
-            RBL_DBL_PHISH = "127.0.1.4";
-            RBL_DBL_MALWARE = "127.0.1.5";
-            RBL_DBL_BOTNET = "127.0.1.6";
-            RBL_DBL_ABUSED_SPAM = "127.0.1.102";
-            RBL_DBL_ABUSED_PHISH = "127.0.1.104";
-            RBL_DBL_ABUSED_MALWARE = "127.0.1.105";
-            RBL_DBL_ABUSED_BOTNET = "127.0.1.106";
-            RBL_DBL_DONT_QUERY_IPS = "127.0.1.255";
-        }
-    }
-    spamhaus_dbl_fullurls {
-        ignore_defaults = true;
-        no_ip = true;
-        rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
-        selector = 'urls:get_host'
-        disable_monitoring = true;
-        returncodes {
-            DBLABUSED_SPAM_FULLURLS = "127.0.1.102";
-            DBLABUSED_PHISH_FULLURLS = "127.0.1.104";
-            DBLABUSED_MALWARE_FULLURLS = "127.0.1.105";
-            DBLABUSED_BOTNET_FULLURLS = "127.0.1.106";
-        }
-    }
-    spamhaus_zrd {
-        # Add checks on the HELO string also for DQS
-        rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
-        helo = true;
-        rdns = true;
-        dkim = true;
-        disable_monitoring = true;
-        returncodes {
-            RBL_ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
-            RBL_ZRD_FRESH_DOMAIN = [
-              "127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"
-            ];
-            RBL_ZRD_DONT_QUERY_IPS = "127.0.2.255";
-        }
-    }
-    "SPAMHAUS_ZEN_URIBL" {
-      enabled = true;
-      rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
-      resolve_ip = true;
-      checks = ['urls'];
-      replyto = true;
-      emails = true;
-      ipv4 = true;
-      ipv6 = true;
-      emails_domainonly = true;
-      returncodes {
-        URIBL_SBL = "127.0.0.2";
-        URIBL_SBL_CSS = "127.0.0.3";
-        URIBL_XBL = ["127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"];
-        URIBL_PBL = ["127.0.0.10", "127.0.0.11"];
-        URIBL_DROP = "127.0.0.9";
-      }
-    }
-    SH_EMAIL_DBL {
-      ignore_defaults = true;
-      replyto = true;
-      emails_domainonly = true;
-      disable_monitoring = true;
-      rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
-      returncodes = {
-        SH_EMAIL_DBL = [
-          "127.0.1.2",
-          "127.0.1.4",
-          "127.0.1.5",
-          "127.0.1.6"
-        ];
-        SH_EMAIL_DBL_ABUSED = [
-          "127.0.1.102",
-          "127.0.1.104",
-          "127.0.1.105",
-          "127.0.1.106"
-        ];
-        SH_EMAIL_DBL_DONT_QUERY_IPS = [ "127.0.1.255" ];
-      }
-    }
-    SH_EMAIL_ZRD {
-      ignore_defaults = true;
-      replyto = true;
-      emails_domainonly = true;
-      disable_monitoring = true;
-      rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
-      returncodes = {
-        SH_EMAIL_ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
-        SH_EMAIL_ZRD_FRESH_DOMAIN = [
-          "127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"
-        ];
-        SH_EMAIL_ZRD_DONT_QUERY_IPS = [ "127.0.2.255" ];
-      }
-    }
-    "DBL" {
-        # override the defaults for DBL defined in modules.d/rbl.conf
-        rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
-        disable_monitoring = true;
-    }
-    "ZRD" {
-        ignore_defaults = true;
-        rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
-        no_ip = true;
-        dkim = true;
-        emails = true;
-        emails_domainonly = true;
-        urls = true;
-        returncodes = {
-            ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
-            ZRD_FRESH_DOMAIN = ["127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"];
-        }
-    }
-    spamhaus_sbl_url {
-        ignore_defaults = true
-        rbl = "${SPAMHAUS_DQS_KEY}.sbl.dq.spamhaus.net";
-        checks = ['urls'];
-        disable_monitoring = true;
-        returncodes {
-            SPAMHAUS_SBL_URL = "127.0.0.2";
-        }
-    }
+python3 -u /bootstrap/main.py
+BOOTSTRAP_EXIT_CODE=$?

-    SH_HBL_EMAIL {
-      ignore_defaults = true;
-      rbl = "_email.${SPAMHAUS_DQS_KEY}.hbl.dq.spamhaus.net";
-      emails_domainonly = false;
-      selector = "from('smtp').lower;from('mime').lower";
-      ignore_whitelist = true;
-      checks = ['emails', 'replyto'];
-      hash = "sha1";
-      returncodes = {
-        SH_HBL_EMAIL = [
-          "127.0.3.2"
-        ];
-      }
-    }
-
-    spamhaus_dqs_hbl {
-      symbol = "HBL_FILE_UNKNOWN";
-      rbl = "_file.${SPAMHAUS_DQS_KEY}.hbl.dq.spamhaus.net.";
-      selector = "attachments('rbase32', 'sha256')";
-      ignore_whitelist = true;
-      ignore_defaults = true;
-      returncodes {
-        SH_HBL_FILE_MALICIOUS = "127.0.3.10";
-        SH_HBL_FILE_SUSPICIOUS = "127.0.3.15";
-      }
-    }
-EOF
-else
-  rm -rf /etc/rspamd/custom/dqs-rbl.conf
+if [ $BOOTSTRAP_EXIT_CODE -ne 0 ]; then
+  echo "Bootstrap failed with exit code $BOOTSTRAP_EXIT_CODE. Not starting Rspamd."
+  exit $BOOTSTRAP_EXIT_CODE
 fi

+echo "Bootstrap succeeded. Starting Rspamd..."
 exec "$@"
--- a/data/Dockerfiles/sogo/Dockerfile
+++ b/data/Dockerfiles/sogo/Dockerfile
@@ -4,7 +4,7 @@ LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"

 ARG DEBIAN_FRONTEND=noninteractive
 ARG DEBIAN_VERSION=bookworm
-ARG SOGO_DEBIAN_REPOSITORY=http://www.axis.cz/linux/debian
+ARG SOGO_DEBIAN_REPOSITORY=https://packagingv2.sogo.nu/sogo-nightly-debian/
 # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
 ARG GOSU_VERSION=1.17
 ENV LC_ALL=C
@@ -27,15 +27,15 @@ RUN echo "Building from repository $SOGO_DEBIAN_REPOSITORY" \
  psmisc \
  wget \
  patch \
+  python3 python3-pip \
  && dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
  && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
  && chmod +x /usr/local/bin/gosu \
  && gosu nobody true \
  && mkdir /usr/share/doc/sogo \
  && touch /usr/share/doc/sogo/empty.sh \
-  && wget http://www.axis.cz/linux/debian/axis-archive-keyring.deb -O /tmp/axis-archive-keyring.deb \
-  && apt install -y /tmp/axis-archive-keyring.deb \
-  && echo "deb [trusted=yes] ${SOGO_DEBIAN_REPOSITORY} ${DEBIAN_VERSION} sogo-v5" > /etc/apt/sources.list.d/sogo.list \
+  && wget -O- https://keys.openpgp.org/vks/v1/by-fingerprint/74FFC6D72B925A34B5D356BDF8A27B36A6E2EAE9 | gpg --dearmor | apt-key add - \
+  && echo "deb [trusted=yes] ${SOGO_DEBIAN_REPOSITORY} ${DEBIAN_VERSION} main" > /etc/apt/sources.list.d/sogo.list \
  && apt-get update && apt-get install -y --no-install-recommends \
    sogo \
    sogo-activesync \
@@ -43,17 +43,21 @@ RUN echo "Building from repository $SOGO_DEBIAN_REPOSITORY" \
  && rm -rf /var/lib/apt/lists/* \
  && touch /etc/default/locale

-COPY ./bootstrap-sogo.sh /bootstrap-sogo.sh
-COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
-COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
-COPY supervisord.conf /etc/supervisor/supervisord.conf
-COPY acl.diff /acl.diff
-COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
-COPY docker-entrypoint.sh /
+RUN pip install  --break-system-packages \
+  mysql-connector-python \
+  jinja2 \
+  redis \
+  dnspython \
+  psutil

-RUN chmod +x /bootstrap-sogo.sh \
-  /usr/local/sbin/stop-supervisor.sh

-ENTRYPOINT ["/docker-entrypoint.sh"]
+COPY data/Dockerfiles/bootstrap /bootstrap
+COPY data/Dockerfiles/sogo/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
+COPY data/Dockerfiles/sogo/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
+COPY data/Dockerfiles/sogo/supervisord.conf /etc/supervisor/supervisord.conf
+COPY data/Dockerfiles/sogo/stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
+COPY data/Dockerfiles/sogo/docker-entrypoint.sh /

-CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
+RUN chmod +x /usr/local/sbin/stop-supervisor.sh
+
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]
--- a/data/Dockerfiles/sogo/acl.diff
+++ b/data/Dockerfiles/sogo/acl.diff
@@ -1,11 +0,0 @@
--- /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox    2018-08-17 18:29:57.987504204 +0200
-+++ /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox    2018-08-17 18:29:35.918291298 +0200
-@@ -46,7 +46,7 @@
-           </md-item-template>
-         </md-autocomplete>
-       </div>
-      <md-card ng-repeat="user in acl.users | orderBy:['userClass', 'cn']"
-+      <md-card ng-repeat="user in acl.users | filter:{ userClass: 'normal' } | orderBy:['cn']"
-                class="sg-collapsed"
-                ng-class="{ 'sg-expanded': user.uid == acl.selectedUid }">
-         <a class="md-flex md-button" ng-click="acl.selectUser(user, $event)">
--- a/data/Dockerfiles/sogo/bootstrap-sogo.sh
+++ b/data/Dockerfiles/sogo/bootstrap-sogo.sh
@@ -1,253 +0,0 @@
-#!/bin/bash
-
-# Wait for MySQL to warm-up
-while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
-  echo "Waiting for database to come up..."
-  sleep 2
-done
-
-# Wait until port becomes free and send sig
-until ! nc -z sogo-mailcow 20000;
-do
-  killall -TERM sogod
-  sleep 3
-done
-
-# Wait for updated schema
-DBV_NOW=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions WHERE application = 'db_schema';" -BN)
-DBV_NEW=$(grep -oE '\$db_version = .*;' init_db.inc.php | sed 's/$db_version = //g;s/;//g' | cut -d \" -f2)
-while [[ "${DBV_NOW}" != "${DBV_NEW}" ]]; do
-  echo "Waiting for schema update..."
-  DBV_NOW=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions WHERE application = 'db_schema';" -BN)
-  DBV_NEW=$(grep -oE '\$db_version = .*;' init_db.inc.php | sed 's/$db_version = //g;s/;//g' | cut -d \" -f2)
-  sleep 5
-done
-echo "DB schema is ${DBV_NOW}"
-
-# Recreate view
-if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "We are master, preparing sogo_view..."
-  mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP VIEW IF EXISTS sogo_view"
-  while [[ ${VIEW_OK} != 'OK' ]]; do
-    mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
-CREATE VIEW sogo_view (c_uid, domain, c_name, c_password, c_cn, mail, aliases, ad_aliases, ext_acl, kind, multiple_bookings) AS 
-SELECT
-   mailbox.username,
-   mailbox.domain,
-   mailbox.username,
-   IF(JSON_UNQUOTE(JSON_VALUE(attributes, '$.force_pw_update')) = '0', IF(JSON_UNQUOTE(JSON_VALUE(attributes, '$.sogo_access')) = 1, password, '{SSHA256}A123A123A321A321A321B321B321B123B123B321B432F123E321123123321321'), '{SSHA256}A123A123A321A321A321B321B321B123B123B321B432F123E321123123321321'),
-   mailbox.name,
-   mailbox.username,
-   IFNULL(GROUP_CONCAT(ga.aliases ORDER BY ga.aliases SEPARATOR ' '), ''),
-   IFNULL(gda.ad_alias, ''),
-   IFNULL(external_acl.send_as_acl, ''),
-   mailbox.kind,
-   mailbox.multiple_bookings
-FROM
-   mailbox
-   LEFT OUTER JOIN
-      grouped_mail_aliases ga
-      ON ga.username REGEXP CONCAT('(^|,)', mailbox.username, '($|,)')
-   LEFT OUTER JOIN
-      grouped_domain_alias_address gda
-      ON gda.username = mailbox.username
-   LEFT OUTER JOIN
-      grouped_sender_acl_external external_acl
-      ON external_acl.username = mailbox.username
-WHERE
-   mailbox.active = '1'
-GROUP BY
-   mailbox.username;
-EOF
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'sogo_view'") ]]; then
-      VIEW_OK=OK
-    else
-      echo "Will retry to setup SOGo view in 3s..."
-      sleep 3
-    fi
-  done
-else
-  while [[ ${VIEW_OK} != 'OK' ]]; do
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'sogo_view'") ]]; then
-      VIEW_OK=OK
-    else
-      echo "Waiting for SOGo view to be created by master..."
-      sleep 3
-    fi
-  done
-fi
-
-# Wait for static view table if missing after update and update content
-if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "We are master, preparing _sogo_static_view..."
-  while [[ ${STATIC_VIEW_OK} != 'OK' ]]; do
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = '_sogo_static_view'") ]]; then
-      STATIC_VIEW_OK=OK
-      echo "Updating _sogo_static_view content..."
-      # If changed, also update init_db.inc.php
-      mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "REPLACE INTO _sogo_static_view (c_uid, domain, c_name, c_password, c_cn, mail, aliases, ad_aliases, ext_acl, kind, multiple_bookings) SELECT c_uid, domain, c_name, c_password, c_cn, mail, aliases, ad_aliases, ext_acl, kind, multiple_bookings from sogo_view;"
-      mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "DELETE FROM _sogo_static_view WHERE c_uid NOT IN (SELECT username FROM mailbox WHERE active = '1')"
-    else
-      echo "Waiting for database initialization..."
-      sleep 3
-    fi
-  done
-else
-  while [[ ${STATIC_VIEW_OK} != 'OK' ]]; do
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = '_sogo_static_view'") ]]; then
-      STATIC_VIEW_OK=OK
-    else
-      echo "Waiting for database initialization by master..."
-      sleep 3
-    fi
-  done
-fi
-
-
-# Recreate password update trigger
-if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "We are master, preparing update trigger..."
-  mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TRIGGER IF EXISTS sogo_update_password"
-  while [[ ${TRIGGER_OK} != 'OK' ]]; do
-  mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
-DELIMITER -
-CREATE TRIGGER sogo_update_password AFTER UPDATE ON _sogo_static_view
-FOR EACH ROW
-BEGIN
-UPDATE mailbox SET password = NEW.c_password WHERE NEW.c_uid = username;
-END;
-
-DELIMITER ;
-EOF
-    if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TRIGGERS WHERE TRIGGER_NAME = 'sogo_update_password'") ]]; then
-      TRIGGER_OK=OK
-    else
-      echo "Will retry to setup SOGo password update trigger in 3s"
-      sleep 3
-    fi
-  done
-fi
-
-# cat /dev/urandom seems to hang here occasionally and is not recommended anyway, better use openssl
-RAND_PASS=$(openssl rand -base64 16 | tr -dc _A-Z-a-z-0-9)
-
-# Generate plist header with timezone data
-mkdir -p /var/lib/sogo/GNUstep/Defaults/
-cat <<EOF > /var/lib/sogo/GNUstep/Defaults/sogod.plist
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//GNUstep//DTD plist 0.9//EN" "http://www.gnustep.org/plist-0_9.xml">
-<plist version="0.9">
-<dict>
-    <key>OCSAclURL</key>
-    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_acl</string>
-    <key>SOGoIMAPServer</key>
-    <string>imap://${IPV4_NETWORK}.250:143/?TLS=YES&amp;tlsVerifyMode=none</string>
-    <key>SOGoSieveServer</key>
-    <string>sieve://${IPV4_NETWORK}.250:4190/?TLS=YES&amp;tlsVerifyMode=none</string>
-    <key>SOGoSMTPServer</key>
-    <string>smtp://${IPV4_NETWORK}.253:588/?TLS=YES&amp;tlsVerifyMode=none</string>
-    <key>SOGoTrustProxyAuthentication</key>
-    <string>YES</string>
-    <key>SOGoEncryptionKey</key>
-    <string>${RAND_PASS}</string>
-    <key>OCSAdminURL</key>
-    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_admin</string>
-    <key>OCSCacheFolderURL</key>
-    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_cache_folder</string>
-    <key>OCSEMailAlarmsFolderURL</key>
-    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_alarms_folder</string>
-    <key>OCSFolderInfoURL</key>
-    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_folder_info</string>
-    <key>OCSSessionsFolderURL</key>
-    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_sessions_folder</string>
-    <key>OCSStoreURL</key>
-    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_store</string>
-    <key>SOGoProfileURL</key>
-    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_user_profile</string>
-    <key>SOGoTimeZone</key>
-    <string>${TZ}</string>
-    <key>domains</key>
-    <dict>
-EOF
-
-# Generate multi-domain setup
-while read -r line gal
-  do
-  echo "        <key>${line}</key>
-        <dict>
-            <key>SOGoMailDomain</key>
-            <string>${line}</string>
-            <key>SOGoUserSources</key>
-            <array>
-                <dict>
-                    <key>MailFieldNames</key>
-                    <array>
-                        <string>aliases</string>
-                        <string>ad_aliases</string>
-                        <string>ext_acl</string>
-                    </array>
-                    <key>KindFieldName</key>
-                    <string>kind</string>
-                    <key>DomainFieldName</key>
-                    <string>domain</string>
-                    <key>MultipleBookingsFieldName</key>
-                    <string>multiple_bookings</string>
-                    <key>listRequiresDot</key>
-                    <string>NO</string>
-                    <key>canAuthenticate</key>
-                    <string>YES</string>
-                    <key>displayName</key>
-                    <string>GAL ${line}</string>
-                    <key>id</key>
-                    <string>${line}</string>
-                    <key>isAddressBook</key>
-                    <string>${gal}</string>
-                    <key>type</key>
-                    <string>sql</string>
-                    <key>userPasswordAlgorithm</key>
-                    <string>${MAILCOW_PASS_SCHEME}</string>
-                    <key>prependPasswordScheme</key>
-                    <string>YES</string>
-                    <key>viewURL</key>
-                    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/_sogo_static_view</string>
-                </dict>" >> /var/lib/sogo/GNUstep/Defaults/sogod.plist
-  # Generate alternative LDAP authentication dict, when SQL authentication fails
-  # This will nevertheless read attributes from LDAP
-  line=${line} envsubst < /etc/sogo/plist_ldap >> /var/lib/sogo/GNUstep/Defaults/sogod.plist
-  echo "            </array>
-        </dict>" >> /var/lib/sogo/GNUstep/Defaults/sogod.plist
-done < <(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain, CASE gal WHEN '1' THEN 'YES' ELSE 'NO' END AS gal FROM domain;" -B -N)
-
-# Generate footer
-echo '    </dict>
-</dict>
-</plist>' >> /var/lib/sogo/GNUstep/Defaults/sogod.plist
-
-# Fix permissions
-chown sogo:sogo -R /var/lib/sogo/
-chmod 600 /var/lib/sogo/GNUstep/Defaults/sogod.plist
-
-# Patch ACLs
-#if [[ ${ACL_ANYONE} == 'allow' ]]; then
-#  #enable any or authenticated targets for ACL
-#  if patch -R -sfN --dry-run /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff > /dev/null; then
-#    patch -R /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff;
-#  fi
-#else
-#  #disable any or authenticated targets for ACL
-#  if patch -sfN --dry-run /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff > /dev/null; then
-#    patch /usr/lib/GNUstep/SOGo/Templates/UIxAclEditor.wox < /acl.diff;
-#  fi
-#fi
-
-# Copy logo, if any
-[[ -f /etc/sogo/sogo-full.svg ]] && cp /etc/sogo/sogo-full.svg /usr/lib/GNUstep/SOGo/WebServerResources/img/sogo-full.svg
-
-# Rsync web content
-echo "Syncing web content with named volume"
-rsync -a /usr/lib/GNUstep/SOGo/. /sogo_web/
-
-# Chown backup path
-chown -R sogo:sogo /sogo_backup
-
-exec gosu sogo /usr/sbin/sogod
--- a/data/Dockerfiles/sogo/docker-entrypoint.sh
+++ b/data/Dockerfiles/sogo/docker-entrypoint.sh
@@ -1,17 +1,5 @@
 #!/bin/bash

-if [[ "${SKIP_SOGO}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "SKIP_SOGO=y, skipping SOGo..."
-  sleep 365d
-  exit 0
-fi
-
-if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  cp /etc/syslog-ng/syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng.conf
-fi
-
-echo "$TZ" > /etc/timezone
-
 # Run hooks
 for file in /hooks/*; do
  if [ -x "${file}" ]; then
@@ -20,4 +8,13 @@ for file in /hooks/*; do
  fi
 done

-exec "$@"
+python3 -u /bootstrap/main.py
+BOOTSTRAP_EXIT_CODE=$?
+
+if [ $BOOTSTRAP_EXIT_CODE -ne 0 ]; then
+  echo "Bootstrap failed with exit code $BOOTSTRAP_EXIT_CODE. Not starting SOGo."
+  exit $BOOTSTRAP_EXIT_CODE
+fi
+
+echo "Bootstrap succeeded. Starting SOGo..."
+exec gosu sogo /usr/sbin/sogod
--- a/data/Dockerfiles/sogo/supervisord.conf
+++ b/data/Dockerfiles/sogo/supervisord.conf
@@ -11,8 +11,8 @@ stderr_logfile_maxbytes=0
 autostart=true
 priority=1

-[program:bootstrap-sogo]
-command=/bootstrap-sogo.sh
+[program:bootstrap]
+command=/docker-entrypoint.sh
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
--- a/data/Dockerfiles/sogo/syslog-ng-redis_slave.conf
+++ b/data/Dockerfiles/sogo/syslog-ng-redis_slave.conf
@@ -22,6 +22,7 @@ destination d_redis_ui_log {
    host("`REDIS_SLAVEOF_IP`")
    persist-name("redis1")
    port(`REDIS_SLAVEOF_PORT`)
+    auth("`REDISPASS`")
    command("LPUSH" "SOGO_LOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -30,6 +31,7 @@ destination d_redis_f2b_channel {
    host("`REDIS_SLAVEOF_IP`")
    persist-name("redis2")
    port(`REDIS_SLAVEOF_PORT`)
+    auth("`REDISPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
--- a/data/Dockerfiles/sogo/syslog-ng.conf
+++ b/data/Dockerfiles/sogo/syslog-ng.conf
@@ -22,6 +22,7 @@ destination d_redis_ui_log {
    host("redis-mailcow")
    persist-name("redis1")
    port(6379)
+    auth("`REDISPASS`")
    command("LPUSH" "SOGO_LOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -30,6 +31,7 @@ destination d_redis_f2b_channel {
    host("redis-mailcow")
    persist-name("redis2")
    port(6379)
+    auth("`REDISPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
--- a/data/Dockerfiles/solr/Dockerfile
+++ b/data/Dockerfiles/solr/Dockerfile
@@ -1,31 +0,0 @@
-FROM solr:7.7-slim
-
-USER root
-
-# renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=(?<version>.*)$
-ARG GOSU_VERSION=1.17
-
-COPY solr.sh /
-COPY solr-config-7.7.0.xml /
-COPY solr-schema-7.7.0.xml /
-
-RUN dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
-  && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
-  && chmod +x /usr/local/bin/gosu \
-  && gosu nobody true \
-  && apt-get update && apt-get install -y --no-install-recommends \
-  tzdata \
-  curl \
-  bash \
-  zip \
-  && apt-get autoclean \
-  && rm -rf /var/lib/apt/lists/* \
-  && chmod +x /solr.sh \
-  && sync \
-  && bash /solr.sh --bootstrap
-  
-RUN zip -q -d /opt/solr/server/lib/ext/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
-
-RUN apt remove zip -y  
-
-CMD ["/solr.sh"]
--- a/data/Dockerfiles/solr/solr-config-7.7.0.xml
+++ b/data/Dockerfiles/solr/solr-config-7.7.0.xml
@@ -1,289 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" ?>
-
-<!-- This is the default config with stuff non-essential to Dovecot removed. -->
-
-<config>
-  <!-- Controls what version of Lucene various components of Solr
-       adhere to.  Generally, you want to use the latest version to
-       get all bug fixes and improvements. It is highly recommended
-       that you fully re-index after changing this setting as it can
-       affect both how text is indexed and queried.
-  -->
-  <luceneMatchVersion>7.7.0</luceneMatchVersion>
-
-  <!-- A 'dir' option by itself adds any files found in the directory
-       to the classpath, this is useful for including all jars in a
-       directory.
-
-       When a 'regex' is specified in addition to a 'dir', only the
-       files in that directory which completely match the regex
-       (anchored on both ends) will be included.
-
-       If a 'dir' option (with or without a regex) is used and nothing
-       is found that matches, a warning will be logged.
-
-       The examples below can be used to load some solr-contribs along
-       with their external dependencies.
-    -->
-  <lib dir="${solr.install.dir:../../../..}/contrib/extraction/lib" regex=".*\.jar" />
-  <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-cell-\d.*\.jar" />
-
-  <lib dir="${solr.install.dir:../../../..}/contrib/clustering/lib/" regex=".*\.jar" />
-  <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-clustering-\d.*\.jar" />
-
-  <lib dir="${solr.install.dir:../../../..}/contrib/langid/lib/" regex=".*\.jar" />
-  <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-langid-\d.*\.jar" />
-
-  <lib dir="${solr.install.dir:../../../..}/contrib/velocity/lib" regex=".*\.jar" />
-  <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-velocity-\d.*\.jar" />
-
-  <!-- Data Directory
-
-       Used to specify an alternate directory to hold all index data
-       other than the default ./data under the Solr home.  If
-       replication is in use, this should match the replication
-       configuration.
-    -->
-  <dataDir>${solr.data.dir:}</dataDir>
-
-  <!-- The default high-performance update handler -->
-  <updateHandler class="solr.DirectUpdateHandler2">
-
-    <!-- Enables a transaction log, used for real-time get, durability, and
-         and solr cloud replica recovery.  The log can grow as big as
-         uncommitted changes to the index, so use of a hard autoCommit
-         is recommended (see below).
-         "dir" - the target directory for transaction logs, defaults to the
-                solr data directory.
-         "numVersionBuckets" - sets the number of buckets used to keep
-                track of max version values when checking for re-ordered
-                updates; increase this value to reduce the cost of
-                synchronizing access to version buckets during high-volume
-                indexing, this requires 8 bytes (long) * numVersionBuckets
-                of heap space per Solr core.
-    -->
-    <updateLog>
-      <str name="dir">${solr.ulog.dir:}</str>
-      <int name="numVersionBuckets">${solr.ulog.numVersionBuckets:65536}</int>
-    </updateLog>
-
-    <!-- AutoCommit
-
-         Perform a hard commit automatically under certain conditions.
-         Instead of enabling autoCommit, consider using "commitWithin"
-         when adding documents.
-
-         http://wiki.apache.org/solr/UpdateXmlMessages
-
-         maxDocs - Maximum number of documents to add since the last
-                   commit before automatically triggering a new commit.
-
-         maxTime - Maximum amount of time in ms that is allowed to pass
-                   since a document was added before automatically
-                   triggering a new commit.
-         openSearcher - if false, the commit causes recent index changes
-           to be flushed to stable storage, but does not cause a new
-           searcher to be opened to make those changes visible.
-
-         If the updateLog is enabled, then it's highly recommended to
-         have some sort of hard autoCommit to limit the log size.
-      -->
-    <autoCommit>
-      <maxTime>${solr.autoCommit.maxTime:15000}</maxTime>
-      <openSearcher>false</openSearcher>
-    </autoCommit>
-
-    <!-- softAutoCommit is like autoCommit except it causes a
-         'soft' commit which only ensures that changes are visible
-         but does not ensure that data is synced to disk.  This is
-         faster and more near-realtime friendly than a hard commit.
-      -->
-    <autoSoftCommit>
-      <maxTime>${solr.autoSoftCommit.maxTime:-1}</maxTime>
-    </autoSoftCommit>
-
-    <!-- Update Related Event Listeners
-
-         Various IndexWriter related events can trigger Listeners to
-         take actions.
-
-         postCommit - fired after every commit or optimize command
-         postOptimize - fired after every optimize command
-      -->
-
-  </updateHandler>
-
-  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-       Query section - these settings control query time things like caches
-       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
-  <query>
-    <!-- Solr Internal Query Caches
-
-         There are two implementations of cache available for Solr,
-         LRUCache, based on a synchronized LinkedHashMap, and
-         FastLRUCache, based on a ConcurrentHashMap.
-
-         FastLRUCache has faster gets and slower puts in single
-         threaded operation and thus is generally faster than LRUCache
-         when the hit ratio of the cache is high (> 75%), and may be
-         faster under other scenarios on multi-cpu systems.
-    -->
-
-    <!-- Filter Cache
-
-         Cache used by SolrIndexSearcher for filters (DocSets),
-         unordered sets of *all* documents that match a query.  When a
-         new searcher is opened, its caches may be prepopulated or
-         "autowarmed" using data from caches in the old searcher.
-         autowarmCount is the number of items to prepopulate.  For
-         LRUCache, the autowarmed items will be the most recently
-         accessed items.
-
-         Parameters:
-           class - the SolrCache implementation LRUCache or
-               (LRUCache or FastLRUCache)
-           size - the maximum number of entries in the cache
-           initialSize - the initial capacity (number of entries) of
-               the cache.  (see java.util.HashMap)
-           autowarmCount - the number of entries to prepopulate from
-               and old cache.
-           maxRamMB - the maximum amount of RAM (in MB) that this cache is allowed
-                      to occupy. Note that when this option is specified, the size
-                      and initialSize parameters are ignored.
-      -->
-    <filterCache class="solr.FastLRUCache"
-                 size="512"
-                 initialSize="512"
-                 autowarmCount="0"/>
-
-    <!-- Query Result Cache
-
-         Caches results of searches - ordered lists of document ids
-         (DocList) based on a query, a sort, and the range of documents requested.
-         Additional supported parameter by LRUCache:
-            maxRamMB - the maximum amount of RAM (in MB) that this cache is allowed
-                       to occupy
-      -->
-    <queryResultCache class="solr.LRUCache"
-                      size="512"
-                      initialSize="512"
-                      autowarmCount="0"/>
-
-    <!-- Document Cache
-
-         Caches Lucene Document objects (the stored fields for each
-         document).  Since Lucene internal document ids are transient,
-         this cache will not be autowarmed.
-      -->
-    <documentCache class="solr.LRUCache"
-                   size="512"
-                   initialSize="512"
-                   autowarmCount="0"/>
-
-    <!-- custom cache currently used by block join -->
-    <cache name="perSegFilter"
-           class="solr.search.LRUCache"
-           size="10"
-           initialSize="0"
-           autowarmCount="10"
-           regenerator="solr.NoOpRegenerator" />
-
-    <!-- Lazy Field Loading
-
-         If true, stored fields that are not requested will be loaded
-         lazily.  This can result in a significant speed improvement
-         if the usual case is to not load all stored fields,
-         especially if the skipped fields are large compressed text
-         fields.
-    -->
-    <enableLazyFieldLoading>true</enableLazyFieldLoading>
-
-    <!-- Result Window Size
-
-         An optimization for use with the queryResultCache.  When a search
-         is requested, a superset of the requested number of document ids
-         are collected.  For example, if a search for a particular query
-         requests matching documents 10 through 19, and queryWindowSize is 50,
-         then documents 0 through 49 will be collected and cached.  Any further
-         requests in that range can be satisfied via the cache.
-      -->
-    <queryResultWindowSize>20</queryResultWindowSize>
-
-    <!-- Maximum number of documents to cache for any entry in the
-         queryResultCache.
-      -->
-    <queryResultMaxDocsCached>200</queryResultMaxDocsCached>
-
-    <!-- Use Cold Searcher
-
-         If a search request comes in and there is no current
-         registered searcher, then immediately register the still
-         warming searcher and use it.  If "false" then all requests
-         will block until the first searcher is done warming.
-      -->
-    <useColdSearcher>false</useColdSearcher>
-
-  </query>
-
-
-  <!-- Request Dispatcher
-
-       This section contains instructions for how the SolrDispatchFilter
-       should behave when processing requests for this SolrCore.
-
-    -->
-  <requestDispatcher>
-    <httpCaching never304="true" />
-  </requestDispatcher>
-
-  <!-- Request Handlers
-
-       http://wiki.apache.org/solr/SolrRequestHandler
-
-       Incoming queries will be dispatched to a specific handler by name
-       based on the path specified in the request.
-
-       If a Request Handler is declared with startup="lazy", then it will
-       not be initialized until the first request that uses it.
-
-    -->
-  <!-- SearchHandler
-
-       http://wiki.apache.org/solr/SearchHandler
-
-       For processing Search Queries, the primary Request Handler
-       provided with Solr is "SearchHandler" It delegates to a sequent
-       of SearchComponents (see below) and supports distributed
-       queries across multiple shards
-    -->
-  <requestHandler name="/select" class="solr.SearchHandler">
-    <!-- default values for query parameters can be specified, these
-         will be overridden by parameters in the request
-      -->
-    <lst name="defaults">
-      <str name="echoParams">explicit</str>
-      <int name="rows">10</int>
-    </lst>
-  </requestHandler>
-
-  <initParams path="/update/**,/select">
-    <lst name="defaults">
-      <str name="df">_text_</str>
-    </lst>
-  </initParams>
-
-  <!-- Response Writers
-
-       http://wiki.apache.org/solr/QueryResponseWriter
-
-       Request responses will be written using the writer specified by
-       the 'wt' request parameter matching the name of a registered
-       writer.
-
-       The "default" writer is the default and will be used if 'wt' is
-       not specified in the request.
-    -->
-  <queryResponseWriter name="xml"
-                       default="true"
-                       class="solr.XMLResponseWriter" />
-</config>
--- a/data/Dockerfiles/solr/solr-schema-7.7.0.xml
+++ b/data/Dockerfiles/solr/solr-schema-7.7.0.xml
@@ -1,49 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<schema name="dovecot-fts" version="2.0">
-  <fieldType name="string" class="solr.StrField" omitNorms="true" sortMissingLast="true"/>
-  <fieldType name="long" class="solr.LongPointField" positionIncrementGap="0"/>
-  <fieldType name="boolean" class="solr.BoolField" sortMissingLast="true"/>
-
-  <fieldType name="text" class="solr.TextField" autoGeneratePhraseQueries="true" positionIncrementGap="100">
-    <analyzer type="index">
-      <tokenizer class="solr.StandardTokenizerFactory"/>
-      <filter class="solr.EdgeNGramFilterFactory" minGramSize="3" maxGramSize="20"/>
-      <filter class="solr.StopFilterFactory" words="stopwords.txt" ignoreCase="true"/>
-      <filter class="solr.WordDelimiterGraphFilterFactory" catenateNumbers="1" generateNumberParts="1" splitOnCaseChange="1" generateWordParts="1" splitOnNumerics="1" catenateAll="1" catenateWords="1"/>
-      <filter class="solr.FlattenGraphFilterFactory"/>
-      <filter class="solr.LowerCaseFilterFactory"/>
-      <filter class="solr.KeywordMarkerFilterFactory" protected="protwords.txt"/>
-      <filter class="solr.PorterStemFilterFactory"/>
-    </analyzer>
-    <analyzer type="query">
-      <tokenizer class="solr.StandardTokenizerFactory"/>
-      <filter class="solr.SynonymGraphFilterFactory" expand="true" ignoreCase="true" synonyms="synonyms.txt"/>
-      <filter class="solr.FlattenGraphFilterFactory"/>
-      <filter class="solr.StopFilterFactory" words="stopwords.txt" ignoreCase="true"/>
-      <filter class="solr.WordDelimiterGraphFilterFactory" catenateNumbers="1" generateNumberParts="1" splitOnCaseChange="1" generateWordParts="1" splitOnNumerics="1" catenateAll="1" catenateWords="1"/>
-      <filter class="solr.LowerCaseFilterFactory"/>
-      <filter class="solr.KeywordMarkerFilterFactory" protected="protwords.txt"/>
-      <filter class="solr.PorterStemFilterFactory"/>
-    </analyzer>
-  </fieldType>
-
-  <field name="id" type="string" indexed="true" required="true" stored="true"/>
-  <field name="uid" type="long" indexed="true" required="true" stored="true"/>
-  <field name="box" type="string" indexed="true" required="true" stored="true"/>
-  <field name="user" type="string" indexed="true" required="true" stored="true"/>
-
-  <field name="hdr" type="text" indexed="true" stored="false"/>
-  <field name="body" type="text" indexed="true" stored="false"/>
-
-  <field name="from" type="text" indexed="true" stored="false"/>
-  <field name="to" type="text" indexed="true" stored="false"/>
-  <field name="cc" type="text" indexed="true" stored="false"/>
-  <field name="bcc" type="text" indexed="true" stored="false"/>
-  <field name="subject" type="text" indexed="true" stored="false"/>
-
-  <!-- Used by Solr internally: -->
-  <field name="_version_" type="long" indexed="true" stored="true"/>
-
-  <uniqueKey>id</uniqueKey>
-</schema>
--- a/data/Dockerfiles/solr/solr.sh
+++ b/data/Dockerfiles/solr/solr.sh
@@ -1,75 +0,0 @@
-#!/bin/bash
-
-if [[ "${FLATCURVE_EXPERIMENTAL}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "FLATCURVE_EXPERIMENTAL=y, skipping Solr but enabling Flatcurve as FTS for Dovecot!"
-  echo "Solr will be removed in the future!"
-  sleep 365d
-  exit 0
-elif [[ "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-  echo "SKIP_SOLR=y, skipping Solr..."
-  echo "HINT: You could try the newer FTS Backend Flatcurve, which is currently in experimental state..."
-  echo "Simply set FLATCURVE_EXPERIMENTAL=y inside your mailcow.conf and restart the stack afterwards!"
-  echo "Solr will be removed in the future!"
-  sleep 365d
-  exit 0
-fi
-
-MEM_TOTAL=$(awk '/MemTotal/ {print $2}' /proc/meminfo)
-
-if [[ "${1}" != "--bootstrap" ]]; then
-  if [ ${MEM_TOTAL} -lt "2097152" ]; then
-    echo "System memory less than 2 GB, skipping Solr..."
-    sleep 365d
-    exit 0
-  fi
-fi
-
-set -e
-
-# run the optional initdb
-. /opt/docker-solr/scripts/run-initdb
-
-# fixing volume permission
-[[ -d /opt/solr/server/solr/dovecot-fts/data ]] && chown -R solr:solr /opt/solr/server/solr/dovecot-fts/data
-if [[ "${1}" != "--bootstrap" ]]; then
-  sed -i '/SOLR_HEAP=/c\SOLR_HEAP="'${SOLR_HEAP:-1024}'m"' /opt/solr/bin/solr.in.sh
-else
-  sed -i '/SOLR_HEAP=/c\SOLR_HEAP="256m"' /opt/solr/bin/solr.in.sh
-fi
-
-if [[ "${1}" == "--bootstrap" ]]; then
-  echo "Creating initial configuration"
-  echo "Modifying default config set"
-  cp /solr-config-7.7.0.xml /opt/solr/server/solr/configsets/_default/conf/solrconfig.xml
-  cp /solr-schema-7.7.0.xml /opt/solr/server/solr/configsets/_default/conf/schema.xml
-  rm /opt/solr/server/solr/configsets/_default/conf/managed-schema
-
-  echo "Starting local Solr instance to setup configuration"
-  gosu solr start-local-solr
-
-  echo "Creating core \"dovecot-fts\""
-  gosu solr /opt/solr/bin/solr create -c "dovecot-fts"
-
-  # See https://github.com/docker-solr/docker-solr/issues/27
-  echo "Checking core"
-  while ! wget -O - 'http://localhost:8983/solr/admin/cores?action=STATUS' | grep -q instanceDir; do
-    echo "Could not find any cores, waiting..."
-    sleep 3
-  done
-
-  echo "Created core \"dovecot-fts\""
-
-  echo "Stopping local Solr"
-  gosu solr stop-local-solr
-
-  exit 0
-fi
-
-echo "Starting up Solr..."
-echo -e "\e[31mSolr is deprecated! You can try the new FTS System now by enabling FLATCURVE_EXPERIMENTAL=y inside mailcow.conf and restarting the stack\e[0m"
-echo -e "\e[31mSolr will be removed completely soon!\e[0m"
-
-sleep 15
-
-exec gosu solr solr-foreground
-
--- a/data/Dockerfiles/unbound/Dockerfile
+++ b/data/Dockerfiles/unbound/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.20
+FROM alpine:3.21

 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"

--- a/data/Dockerfiles/watchdog/Dockerfile
+++ b/data/Dockerfiles/watchdog/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.20
+FROM alpine:3.21

 LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"

@@ -34,7 +34,7 @@ RUN apk add --update \
  && curl https://raw.githubusercontent.com/mludvig/smtp-cli/v3.10/smtp-cli -o /smtp-cli \
  && chmod +x smtp-cli

-COPY watchdog.sh /watchdog.sh
-COPY check_mysql_slavestatus.sh /usr/lib/nagios/plugins/check_mysql_slavestatus.sh
+COPY data/Dockerfiles/watchdog/watchdog.sh /watchdog.sh
+COPY data/Dockerfiles/watchdog/check_mysql_slavestatus.sh /usr/lib/nagios/plugins/check_mysql_slavestatus.sh

 CMD ["/watchdog.sh"]
--- a/data/Dockerfiles/watchdog/check_mysql_slavestatus.sh
+++ b/data/Dockerfiles/watchdog/check_mysql_slavestatus.sh
@@ -49,7 +49,7 @@
 # 2013101601 Optical clean up                                           #
 # 2013101602 Rewrite help output                                        #
 # 2013101700 Handle Slave IO in 'Connecting' state                      #
-# 2013101701 Minor changes in output, handling UNKWNON situations now   #
+# 2013101701 Minor changes in output, handling UNKNOWN situations now   #
 # 2013101702 Exit CRITICAL when Slave IO in Connecting state            #
 # 2013123000 Slave_SQL_Running also matched Slave_SQL_Running_State     #
 # 2015011600 Added 'moving' check to catch possible connection issues   #
@@ -131,10 +131,10 @@ elif [[ -n "${socket}" && (-z "${user}" || -z "${password}") ]]; then
 fi

 # Connect to the DB server and store output in vars
-if [[ -n $socket ]]; then 
-  ConnectionResult=$(mysql ${optfile} ${socket} ${user} -e "show slave ${connection} status\G" 2>&1)
+if [[ -n $socket ]]; then
+  ConnectionResult=$(mariadb --skip-ssl ${optfile} ${socket} ${user} -e "show slave ${connection} status\G" 2>&1)
 else
-  ConnectionResult=$(mysql ${optfile} ${host} ${port} ${user} -e "show slave ${connection} status\G" 2>&1)
+  ConnectionResult=$(mariadb --skip-ssl ${optfile} ${host} ${port} ${user} -e "show slave ${connection} status\G" 2>&1)
 fi

 if [ -z "`echo "${ConnectionResult}" |grep Slave_IO_State`" ]; then
@@ -178,33 +178,33 @@ if [ ${check} = ${ok} ] && [ ${checkio} = ${ok} ]; then
  then echo "CRITICAL: Slave is ${delayinfo} seconds behind Master | delay=${delayinfo}s"; exit ${STATE_CRITICAL}
  elif [[ ${delayinfo} -ge ${warn_delay} ]]
  then echo "WARNING: Slave is ${delayinfo} seconds behind Master | delay=${delayinfo}s"; exit ${STATE_WARNING}
-  else 
+  else
    # Everything looks OK here but now let us check if the replication is moving
    if [[ -n ${moving} ]] && [[ -n ${tmpfile} ]] && [[ $readpos -eq $execpos ]]
-    then  
-      #echo "Debug: Read pos is $readpos - Exec pos is $execpos" 
+    then
+      #echo "Debug: Read pos is $readpos - Exec pos is $execpos"
      # Check if tmp file exists
      curtime=`date +%s`
-      if [[ -w $tmpfile ]] 
-      then 
+      if [[ -w $tmpfile ]]
+      then
        tmpfiletime=`date +%s -r $tmpfile`
        if [[ `expr $curtime - $tmpfiletime` -gt ${moving} ]]
        then
          exectmp=`cat $tmpfile`
          #echo "Debug: Exec pos in tmpfile is $exectmp"
          if [[ $exectmp -eq $execpos ]]
-          then 
+          then
            # The value read from the tmp file and from db are the same. Replication hasnt moved!
            echo "WARNING: Slave replication has not moved in ${moving} seconds. Manual check required."; exit ${STATE_WARNING}
-          else 
+          else
            # Replication has moved since the tmp file was written. Delete tmp file and output OK.
            rm $tmpfile
            echo "OK: Slave SQL running: ${check} Slave IO running: ${checkio} / master: ${masterinfo} / slave is ${delayinfo} seconds behind master | delay=${delayinfo}s"; exit ${STATE_OK};
          fi
-        else 
+        else
          echo "OK: Slave SQL running: ${check} Slave IO running: ${checkio} / master: ${masterinfo} / slave is ${delayinfo} seconds behind master | delay=${delayinfo}s"; exit ${STATE_OK};
        fi
-      else 
+      else
        echo "$execpos" > $tmpfile
        echo "OK: Slave SQL running: ${check} Slave IO running: ${checkio} / master: ${masterinfo} / slave is ${delayinfo} seconds behind master | delay=${delayinfo}s"; exit ${STATE_OK};
      fi
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -40,9 +40,9 @@ done

 # Do not attempt to write to slave
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
+  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} --no-auth-warning"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379"
+  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS} --no-auth-warning"
 fi

 until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
@@ -234,7 +234,7 @@ external_checks() {
  diff_c=0
  THRESHOLD=${EXTERNAL_CHECKS_THRESHOLD}
  # Reduce error count by 2 after restarting an unhealthy container
-  GUID=$(mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions WHERE application = 'GUID'" -BN)
+  GUID=$(mariadb --skip-ssl -u${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT version FROM versions WHERE application = 'GUID'" -BN)
  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
  while [ ${err_count} -lt ${THRESHOLD} ]; do
    err_c_cur=${err_count}
@@ -330,7 +330,7 @@ redis_checks() {
    touch /tmp/redis-mailcow; echo "$(tail -50 /tmp/redis-mailcow)" > /tmp/redis-mailcow
    host_ip=$(get_container_ip redis-mailcow)
    err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_tcp -4 -H redis-mailcow -p 6379 -E -s "PING\n" -q "QUIT" -e "PONG" 2>> /tmp/redis-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_tcp -4 -H redis-mailcow -p 6379 -E -s "AUTH ${REDISPASS}\nPING\n" -q "QUIT" -e "PONG" 2>> /tmp/redis-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
    progress "Redis" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
@@ -402,7 +402,7 @@ sogo_checks() {
  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
  while [ ${err_count} -lt ${THRESHOLD} ]; do
    touch /tmp/sogo-mailcow; echo "$(tail -50 /tmp/sogo-mailcow)" > /tmp/sogo-mailcow
-    host_ip=$(get_container_ip sogo-mailcow)
+    host_ip=$SOGO_HOST
    err_c_cur=${err_count}
    /usr/lib/nagios/plugins/check_http -4 -H ${host_ip} -u /SOGo.index/ -p 20000 2>> /tmp/sogo-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
@@ -503,12 +503,12 @@ dovecot_repl_checks() {
  err_count=0
  diff_c=0
  THRESHOLD=${DOVECOT_REPL_THRESHOLD}
-  D_REPL_STATUS=$(redis-cli -h redis -r GET DOVECOT_REPL_HEALTH)
+  D_REPL_STATUS=$(redis-cli -h redis -a ${REDISPASS} --no-auth-warning -r GET DOVECOT_REPL_HEALTH)
  # Reduce error count by 2 after restarting an unhealthy container
  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
  while [ ${err_count} -lt ${THRESHOLD} ]; do
    err_c_cur=${err_count}
-    D_REPL_STATUS=$(redis-cli --raw -h redis GET DOVECOT_REPL_HEALTH)
+    D_REPL_STATUS=$(redis-cli --raw -h redis -a ${REDISPASS} --no-auth-warning GET DOVECOT_REPL_HEALTH)
    if [[ "${D_REPL_STATUS}" != "1" ]]; then
      err_count=$(( ${err_count} + 1 ))
    fi
@@ -578,19 +578,19 @@ ratelimit_checks() {
  err_count=0
  diff_c=0
  THRESHOLD=${RATELIMIT_THRESHOLD}
-  RL_LOG_STATUS=$(redis-cli -h redis LRANGE RL_LOG 0 0 | jq .qid)
+  RL_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} --no-auth-warning LRANGE RL_LOG 0 0 | jq .qid)
  # Reduce error count by 2 after restarting an unhealthy container
  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
  while [ ${err_count} -lt ${THRESHOLD} ]; do
    err_c_cur=${err_count}
    RL_LOG_STATUS_PREV=${RL_LOG_STATUS}
-    RL_LOG_STATUS=$(redis-cli -h redis LRANGE RL_LOG 0 0 | jq .qid)
+    RL_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} --no-auth-warning LRANGE RL_LOG 0 0 | jq .qid)
    if [[ ${RL_LOG_STATUS_PREV} != ${RL_LOG_STATUS} ]]; then
      err_count=$(( ${err_count} + 1 ))
      echo 'Last 10 applied ratelimits (may overlap with previous reports).' > /tmp/ratelimit
      echo 'Full ratelimit buckets can be emptied by deleting the ratelimit hash from within mailcow UI (see /debug -> Protocols -> Ratelimit):' >> /tmp/ratelimit
      echo >> /tmp/ratelimit
-      redis-cli --raw -h redis LRANGE RL_LOG 0 10 | jq . >> /tmp/ratelimit
+      redis-cli --raw -h redis -a ${REDISPASS} --no-auth-warning LRANGE RL_LOG 0 10 | jq . >> /tmp/ratelimit
    fi
    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
@@ -673,7 +673,7 @@ acme_checks() {
  err_count=0
  diff_c=0
  THRESHOLD=${ACME_THRESHOLD}
-  ACME_LOG_STATUS=$(redis-cli -h redis GET ACME_FAIL_TIME)
+  ACME_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} --no-auth-warning GET ACME_FAIL_TIME)
  if [[ -z "${ACME_LOG_STATUS}" ]]; then
    ${REDIS_CMDLINE} SET ACME_FAIL_TIME 0
    ACME_LOG_STATUS=0
@@ -685,7 +685,7 @@ acme_checks() {
    ACME_LOG_STATUS_PREV=${ACME_LOG_STATUS}
    ACME_LC=0
    until [[ ! -z ${ACME_LOG_STATUS} ]] || [ ${ACME_LC} -ge 3 ]; do
-      ACME_LOG_STATUS=$(redis-cli -h redis GET ACME_FAIL_TIME 2> /dev/null)
+      ACME_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} --no-auth-warning GET ACME_FAIL_TIME 2> /dev/null)
      sleep 3
      ACME_LC=$((ACME_LC+1))
    done
@@ -994,6 +994,7 @@ PID=$!
 echo "Spawned cert_checks with PID ${PID}"
 BACKGROUND_TASKS+=(${PID})

+if [[ "${SKIP_OLEFY}" =~ ^([nN][oO]|[nN])+$ ]]; then
 (
 while true; do
  if ! olefy_checks; then
@@ -1005,6 +1006,7 @@ done
 PID=$!
 echo "Spawned olefy_checks with PID ${PID}"
 BACKGROUND_TASKS+=(${PID})
+fi

 (
 while true; do
--- a/data/assets/nextcloud/nextcloud.conf
+++ b/data/assets/nextcloud/nextcloud.conf
@@ -1,130 +0,0 @@
-map $http_x_forwarded_proto $client_req_scheme_nc {
-     default $scheme;
-     https https;
-}
-
-server {
-  include /etc/nginx/conf.d/listen_ssl.active;
-  include /etc/nginx/conf.d/listen_plain.active;
-  include /etc/nginx/mime.types;
-  charset utf-8;
-  override_charset on;
-
-  ssl_certificate /etc/ssl/mail/cert.pem;
-  ssl_certificate_key /etc/ssl/mail/key.pem;
-  ssl_protocols TLSv1.2 TLSv1.3;
-  ssl_prefer_server_ciphers on;
-  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
-  ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
-  ssl_session_cache shared:SSL:50m;
-  ssl_session_timeout 1d;
-  ssl_session_tickets off;
-  add_header Referrer-Policy "no-referrer" always;
-  add_header X-Content-Type-Options "nosniff" always;
-  add_header X-Download-Options "noopen" always;
-  add_header X-Frame-Options "SAMEORIGIN" always;
-  add_header X-Permitted-Cross-Domain-Policies "none" always;
-  add_header X-Robots-Tag "noindex, nofollow" always;
-  add_header X-XSS-Protection "1; mode=block" always;
-
-  fastcgi_hide_header X-Powered-By;
-
-  server_name NC_SUBD;
-
-  root /web/nextcloud/;
-
-  location = /robots.txt {
-    allow all;
-    log_not_found off;
-    access_log off;
-  }
-
-  location = /.well-known/carddav {
-    return 301 $client_req_scheme_nc://$host/remote.php/dav;
-  }
-
-  location = /.well-known/caldav {
-    return 301 $client_req_scheme_nc://$host/remote.php/dav;
-  }
-
-  location = /.well-known/webfinger {
-    return 301 $client_req_scheme_nc://$host/index.php/.well-known/webfinger;
-  }
-
-  location = /.well-known/nodeinfo {
-    return 301 $client_req_scheme_nc://$host/index.php/.well-known/nodeinfo;
-  }
-
-  location ^~ /.well-known/acme-challenge/ {
-    default_type "text/plain";
-    root /web;
-  }
-
-  fastcgi_buffers 64 4K;
-
-  gzip on;
-  gzip_vary on;
-  gzip_comp_level 4;
-  gzip_min_length 256;
-  gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-  gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-  set_real_ip_from fc00::/7;
-  set_real_ip_from 10.0.0.0/8;
-  set_real_ip_from 172.16.0.0/12;
-  set_real_ip_from 192.168.0.0/16;
-  real_ip_header X-Forwarded-For;
-  real_ip_recursive on;
-
-  location / {
-    rewrite ^ /index.php$uri;
-  }
-
-  location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
-    deny all;
-  }
-  location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
-    deny all;
-  }
-
-  location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+)\.php(?:$|\/) {
-    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
-    set $path_info $fastcgi_path_info;
-    try_files $fastcgi_script_name =404;
-    include fastcgi_params;
-    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-    fastcgi_param PATH_INFO $path_info;
-    fastcgi_param HTTPS on;
-    # Avoid sending the security headers twice
-    fastcgi_param modHeadersAvailable true;
-    # Enable pretty urls
-    fastcgi_param front_controller_active true;
-    fastcgi_pass phpfpm:9002;
-    fastcgi_intercept_errors on;
-    fastcgi_request_buffering off;
-    client_max_body_size 0;
-    fastcgi_read_timeout 1200;
-  }
-
-  location ~ ^\/(?:updater|ocs-provider)(?:$|\/) {
-    try_files $uri/ =404;
-    index index.php;
-  }
-
-  location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
-    try_files $uri /index.php$request_uri;
-    add_header Cache-Control "public, max-age=15778463";
-    add_header Referrer-Policy "no-referrer" always;
-    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-Download-Options "noopen" always;
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header X-Permitted-Cross-Domain-Policies "none" always;
-    add_header X-Robots-Tag "none" always;
-    add_header X-XSS-Protection "1; mode=block" always;
-    access_log off;
-  }
-
-  location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
-    try_files $uri /index.php$request_uri;
-    access_log off;
-  }
-}
--- a/data/assets/nextcloud/occ
+++ b/data/assets/nextcloud/occ
@@ -1,2 +0,0 @@
-#!/bin/bash
-docker exec -it -u www-data $(docker ps -f name=php-fpm-mailcow -q) php /web/nextcloud/occ ${@}
--- a/data/assets/ssl-example/dhparams.pem
+++ b/data/assets/ssl-example/dhparams.pem
@@ -1,8 +1,8 @@
 -----BEGIN DH PARAMETERS-----
-MIIBCAKCAQEA9iHB0CRDhV8wfBgqnmvuJpl0fzL3qL75R4ZvQHlfMNLrxuIz2x9D
-9zcDhPcBTVzV5Ay0AAkke4wP6r6wDQqXqBP4Y8IOkYAyLh3jM40jfHQzQt+5JdQl
-ond3kiscBsFOch/vMfSLMu3lAb0YhPNTvrxhMz7LcVAWYl82swASupdiKR+MgaQr
-XsugpmDKsHW60VmIM9B7K9Y+rNHwvMWkmISd0KxA8oOy1WJvsVEissMALZDE3c4w
-2xHmO2lXxgEx3aez28736t4m/KW3g9Zr31a1M0KusmfY//fGkPk4NUrLBOS2xrgp
-Y/rG1qSBdcVyerM0Ki93qCyHKYu4ene0OwIBAg==
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
 -----END DH PARAMETERS-----
--- a/data/conf/clamav/config.json
+++ b/data/conf/clamav/config.json
@@ -0,0 +1,15 @@
+[
+  {
+    "template": "whitelist.ign2.j2",
+    "output": "/var/lib/clamav/whitelist.ign2",
+    "clean_blank_lines": true
+  },
+  {
+    "template": "clamd.conf.j2",
+    "output": "/etc/clamav/clamd.conf"
+  },
+  {
+    "template": "freshclam.conf.j2",
+    "output": "/etc/clamav/freshclam.conf"
+  }
+]
--- a/data/conf/clamav/config_templates/clamd.conf.j2
+++ b/data/conf/clamav/config_templates/clamd.conf.j2
--- a/data/conf/clamav/config_templates/freshclam.conf.j2
+++ b/data/conf/clamav/config_templates/freshclam.conf.j2
--- a/data/conf/clamav/config_templates/whitelist.ign2.j2
+++ b/data/conf/clamav/config_templates/whitelist.ign2.j2
@@ -0,0 +1,5 @@
+# Please restart ClamAV after changing signatures
+Example-Signature.Ignore-1
+PUA.Win.Trojan.EmbeddedPDF-1
+PUA.Pdf.Trojan.EmbeddedJavaScript-1
+PUA.Pdf.Trojan.OpenActionObjectwithJavascript-1
--- a/data/conf/clamav/custom_templates/.gitkeep
+++ b/data/conf/clamav/custom_templates/.gitkeep
--- a/data/conf/dovecot/auth/mailcowauth.php
+++ b/data/conf/dovecot/auth/mailcowauth.php
@@ -0,0 +1,115 @@
+<?php
+ini_set('error_reporting', 0);
+header('Content-Type: application/json');
+
+$post = trim(file_get_contents('php://input'));
+if ($post) {
+  $post = json_decode($post, true);
+}
+
+
+$return = array("success" => false);
+if(!isset($post['username']) || !isset($post['password']) || !isset($post['real_rip'])){
+  error_log("MAILCOWAUTH: Bad Request");
+  http_response_code(400); // Bad Request
+  echo json_encode($return);
+  exit();
+}
+
+require_once('../../../web/inc/vars.inc.php');
+if (file_exists('../../../web/inc/vars.local.inc.php')) {
+  include_once('../../../web/inc/vars.local.inc.php');
+}
+require_once '../../../web/inc/lib/vendor/autoload.php';
+
+
+// Init Redis
+$redis = new Redis();
+try {
+  if (!empty(getenv('REDIS_SLAVEOF_IP'))) {
+    $redis->connect(getenv('REDIS_SLAVEOF_IP'), getenv('REDIS_SLAVEOF_PORT'));
+  }
+  else {
+    $redis->connect('redis-mailcow', 6379);
+  }
+  $redis->auth(getenv("REDISPASS"));
+}
+catch (Exception $e) {
+  error_log("MAILCOWAUTH: " . $e . PHP_EOL);
+  http_response_code(500); // Internal Server Error
+  echo json_encode($return);
+  exit;
+}
+
+// Init database
+$dsn = $database_type . ":unix_socket=" . $database_sock . ";dbname=" . $database_name;
+$opt = [
+    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
+    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
+    PDO::ATTR_EMULATE_PREPARES   => false,
+];
+try {
+  $pdo = new PDO($dsn, $database_user, $database_pass, $opt);
+}
+catch (PDOException $e) {
+  error_log("MAILCOWAUTH: " . $e . PHP_EOL);
+  http_response_code(500); // Internal Server Error
+  echo json_encode($return);
+  exit;
+}
+
+// Load core functions first
+require_once 'functions.inc.php';
+require_once 'functions.auth.inc.php';
+require_once 'sessions.inc.php';
+require_once 'functions.mailbox.inc.php';
+require_once 'functions.ratelimit.inc.php';
+require_once 'functions.acl.inc.php';
+
+
+$isSOGoRequest = $post['real_rip'] == getenv('SOGO_HOST');
+$result = false;
+if ($isSOGoRequest) {
+  // This is a SOGo Auth request. First check for SSO password.
+  $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
+  if ($sogo_sso_pass === $post['password']){
+    error_log('MAILCOWAUTH: SOGo SSO auth for user ' . $post['username']);
+    set_sasl_log($post['username'], $post['real_rip'], "SOGO");
+    $result = true;
+  }
+}
+if ($result === false){
+  // If it's a SOGo Request, don't check for protocol access
+  $service = ($isSOGoRequest) ? false : array($post['service'] => true);
+  $result = apppass_login($post['username'], $post['password'], $service, array(
+    'is_internal' => true,
+    'remote_addr' => $post['real_rip']
+  ));
+  if ($result) {
+    error_log('MAILCOWAUTH: App auth for user ' . $post['username']);
+    set_sasl_log($post['username'], $post['real_rip'], $post['service']);
+  }
+}
+if ($result === false){
+  // Init Identity Provider
+  $iam_provider = identity_provider('init');
+  $iam_settings = identity_provider('get');
+  $result = user_login($post['username'], $post['password'], array('is_internal' => true));
+  if ($result) {
+    error_log('MAILCOWAUTH: User auth for user ' . $post['username']);
+    set_sasl_log($post['username'], $post['real_rip'], $post['service']);
+  }
+}
+
+if ($result) {
+  http_response_code(200); // OK
+  $return['success'] = true;
+} else {
+  error_log("MAILCOWAUTH: Login failed for user " . $post['username']);
+  http_response_code(401); // Unauthorized
+}
+
+
+echo json_encode($return);
+session_destroy();
+exit;
--- a/data/conf/dovecot/auth/passwd-verify.lua
+++ b/data/conf/dovecot/auth/passwd-verify.lua
@@ -0,0 +1,57 @@
+function auth_password_verify(request, password)
+  if request.domain == nil then
+    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
+  end
+
+  local json = require "cjson"
+  local ltn12 = require "ltn12"
+  local https = require "ssl.https"
+  https.TIMEOUT = 30
+
+  local req = {
+    username = request.user,
+    password = password,
+    real_rip = request.real_rip,
+    service = request.service
+  }
+  local req_json = json.encode(req)
+  local res = {}
+
+  local b, c = https.request {
+    method = "POST",
+    url = "https://nginx:9082",
+    source = ltn12.source.string(req_json),
+    headers = {
+      ["content-type"] = "application/json",
+      ["content-length"] = tostring(#req_json)
+    },
+    sink = ltn12.sink.table(res),
+    insecure = true
+  }
+
+  -- Returning PASSDB_RESULT_PASSWORD_MISMATCH will reset the user's auth cache entry.
+  -- Returning PASSDB_RESULT_INTERNAL_FAILURE keeps the existing cache entry,
+  -- even if the TTL has expired. Useful to avoid cache eviction during backend issues.
+  if c ~= 200 and c ~= 401 then
+    dovecot.i_info("HTTP request failed with " .. c .. " for user " .. request.user)
+    return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Upstream error"
+  end
+
+  local response_str = table.concat(res)
+  local is_response_valid, response_json = pcall(json.decode, response_str)
+
+  if not is_response_valid then
+    dovecot.i_info("Invalid JSON received: " .. response_str)
+    return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Invalid response format"
+  end
+
+  if response_json.success == true then
+    return dovecot.auth.PASSDB_RESULT_OK, ""
+  end
+
+  return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate"
+end
+
+function auth_passdb_lookup(req)
+   return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
+end
--- a/data/conf/dovecot/config.json
+++ b/data/conf/dovecot/config.json
@@ -0,0 +1,70 @@
+[
+  {
+    "template": "dovecot-dict-sql-quota.conf.j2",
+    "output":   "/etc/dovecot/sql/dovecot-dict-sql-quota.conf"
+  },
+  {
+    "template": "dovecot-dict-sql-userdb.conf.j2",
+    "output":   "/etc/dovecot/sql/dovecot-dict-sql-userdb.conf"
+  },
+  {
+    "template": "dovecot-dict-sql-sieve_before.conf.j2",
+    "output":   "/etc/dovecot/sql/dovecot-dict-sql-sieve_before.conf"
+  },
+  {
+    "template": "dovecot-dict-sql-sieve_after.conf.j2",
+    "output":   "/etc/dovecot/sql/dovecot-dict-sql-sieve_after.conf"
+  },
+  {
+    "template": "mail_plugins.j2",
+    "output":   "/etc/dovecot/mail_plugins"
+  },
+  {
+    "template": "mail_plugins_imap.j2",
+    "output":   "/etc/dovecot/mail_plugins_imap"
+  },
+  {
+    "template": "mail_plugins_lmtp.j2",
+    "output":   "/etc/dovecot/mail_plugins_lmtp"
+  },
+  {
+    "template": "global_sieve_after.sieve.j2",
+    "output":   "/var/vmail/sieve/global_sieve_after.sieve"
+  },
+  {
+    "template": "global_sieve_before.sieve.j2",
+    "output":   "/var/vmail/sieve/global_sieve_before.sieve"
+  },
+  {
+    "template": "dovecot-master.passwd.j2",
+    "output":   "/etc/dovecot/dovecot-master.passwd"
+  },
+  {
+    "template": "dovecot-master.userdb.j2",
+    "output":   "/etc/dovecot/dovecot-master.userdb"
+  },
+  {
+    "template": "sieve.creds.j2",
+    "output":   "/etc/sogo/sieve.creds"
+  },
+  {
+    "template": "sogo-sso.pass.j2",
+    "output":   "/etc/phpfpm/sogo-sso.pass"
+  },
+  {
+    "template": "cron.creds.j2",
+    "output":   "/etc/sogo/cron.creds"
+  },
+  {
+    "template": "source_env.sh.j2",
+    "output":   "/source_env.sh"
+  },
+  {
+    "template": "maildir_gc.sh.j2",
+    "output":   "/usr/local/bin/maildir_gc.sh"
+  },
+  {
+    "template": "dovecot.conf.j2",
+    "output":   "/etc/dovecot/dovecot.conf"
+  }
+]
--- a/data/conf/dovecot/config_templates/cron.creds.j2
+++ b/data/conf/dovecot/config_templates/cron.creds.j2
@@ -0,0 +1 @@
+{{ RAND_USER }}@mailcow.local:{{ RAND_PASS2 }}
--- a/data/conf/dovecot/config_templates/dovecot-dict-sql-quota.conf.j2
+++ b/data/conf/dovecot/config_templates/dovecot-dict-sql-quota.conf.j2
@@ -0,0 +1,14 @@
+{% set QUOTA_TABLE = "quota2" if MASTER|lower in ["y", "yes"] else "quota2replica" %}
+connect = "host=/var/run/mysqld/mysqld.sock dbname={{ DBNAME }} user={{ DBUSER }} password={{ DBPASS | escape_quotes }}"
+map {
+  pattern = priv/quota/storage
+  table = {{ QUOTA_TABLE }}
+  username_field = username
+  value_field = bytes
+}
+map {
+  pattern = priv/quota/messages
+  table = {{ QUOTA_TABLE }}
+  username_field = username
+  value_field = messages
+}
--- a/data/conf/dovecot/config_templates/dovecot-dict-sql-sieve_after.conf.j2
+++ b/data/conf/dovecot/config_templates/dovecot-dict-sql-sieve_after.conf.j2
@@ -0,0 +1,21 @@
+connect = "host=/var/run/mysqld/mysqld.sock dbname={{ DBNAME }} user={{ DBUSER }} password={{ DBPASS | escape_quotes }}"
+map {
+  pattern = priv/sieve/name/$script_name
+  table = sieve_after
+  username_field = username
+  value_field = id
+  fields {
+    script_name = $script_name
+  }
+}
+map {
+  pattern = priv/sieve/data/$id
+  table = sieve_after
+  username_field = username
+  value_field = script_data
+  fields {
+    id = $id
+  }
+}
+
+
--- a/data/conf/dovecot/config_templates/dovecot-dict-sql-sieve_before.conf.j2
+++ b/data/conf/dovecot/config_templates/dovecot-dict-sql-sieve_before.conf.j2
@@ -0,0 +1,19 @@
+connect = "host=/var/run/mysqld/mysqld.sock dbname={{ DBNAME }} user={{ DBUSER }} password={{ DBPASS | escape_quotes }}"
+map {
+  pattern = priv/sieve/name/$script_name
+  table = sieve_before
+  username_field = username
+  value_field = id
+  fields {
+    script_name = $script_name
+  }
+}
+map {
+  pattern = priv/sieve/data/$id
+  table = sieve_before
+  username_field = username
+  value_field = script_data
+  fields {
+    id = $id
+  }
+}
--- a/data/conf/dovecot/config_templates/dovecot-dict-sql-userdb.conf.j2
+++ b/data/conf/dovecot/config_templates/dovecot-dict-sql-userdb.conf.j2
@@ -0,0 +1,4 @@
+driver = mysql
+connect = "host=/var/run/mysqld/mysqld.sock dbname={{ DBNAME }} user={{ DBUSER }} password={{ DBPASS | escape_quotes }}"
+user_query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format')), mailbox_path_prefix, '%d/%n/{{ MAILDIR_SUB }}:VOLATILEDIR=/var/volatile/%u:INDEX=/var/vmail_index/%u') AS mail, '%s' AS protocol, 5000 AS uid, 5000 AS gid, concat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND (active = '1' OR active = '2')
+iterate_query = SELECT username FROM mailbox WHERE active = '1' OR active = '2';
--- a/data/conf/dovecot/config_templates/dovecot-master.passwd.j2
+++ b/data/conf/dovecot/config_templates/dovecot-master.passwd.j2
@@ -0,0 +1,3 @@
+{%- set master_user = DOVECOT_MASTER_USER or RAND_USER %}
+{%- set master_pass = DOVECOT_MASTER_PASS or RAND_PASS %}
+{{ master_user }}@mailcow.local:{SHA1}{{ master_pass | sha1 }}::::::
--- a/data/conf/dovecot/config_templates/dovecot-master.userdb.j2
+++ b/data/conf/dovecot/config_templates/dovecot-master.userdb.j2
@@ -0,0 +1 @@
+{{ DOVECOT_MASTER_USER or RAND_USER }}@mailcow.local::5000:5000::::
--- a/data/conf/dovecot/config_templates/dovecot.conf.j2
+++ b/data/conf/dovecot/config_templates/dovecot.conf.j2
@@ -1,23 +1,16 @@
-# --------------------------------------------------------------------------
-# Please create a file "extra.conf" for persistent overrides to dovecot.conf
-# --------------------------------------------------------------------------
-# LDAP example:
-#passdb {
-#  args = /etc/dovecot/ldap/passdb.conf
-#  driver = ldap
-#}
-
 auth_mechanisms = plain login
 #mail_debug = yes
 #auth_debug = yes
 #log_debug = category=fts-flatcurve # Activate Logging for Flatcurve FTS Searchings
 log_path = syslog
 disable_plaintext_auth = yes
+
 # Uncomment on NFS share
 #mmap_disable = yes
 #mail_fsync = always
 #mail_nfs_index = yes
 #mail_nfs_storage = yes
+
 login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"
 mail_home = /var/vmail/%d/%n
 mail_location = maildir:~/
@@ -53,7 +46,7 @@ mail_shared_explicit_inbox = yes
 mail_prefetch_count = 30
 passdb {
  driver = lua
-  args = file=/etc/dovecot/lua/passwd-verify.lua blocking=yes
+  args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes cache_key=%s:%u:%w
  result_success = return-ok
  result_failure = continue
  result_internalfail = continue
@@ -69,7 +62,7 @@ passdb {
 # a return of the following passdb is mandatory
 passdb {
  driver = lua
-  args = file=/etc/dovecot/lua/passwd-verify.lua blocking=yes
+  args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes
 }
 # Set doveadm_password=your-secret-password in data/conf/dovecot/extra.conf (create if missing)
 service doveadm {
@@ -78,7 +71,9 @@ service doveadm {
  }
  vsz_limit=2048 MB
 }
-!include /etc/dovecot/dovecot.folders.conf
+
+{% include 'dovecot.folders.conf.j2' %}
+
 protocols = imap sieve lmtp pop3
 service dict {
  unix_listener dict {
@@ -125,6 +120,7 @@ service managesieve-login {
 }
 service imap-login {
  service_count = 1
+  process_min_avail = 2
  process_limit = 10000
  vsz_limit = 1G
  user = dovenull
@@ -140,6 +136,7 @@ service imap-login {
 }
 service pop3-login {
  service_count = 1
+  process_min_avail = 1
  vsz_limit = 1G
  inet_listener pop3_haproxy {
    port = 10110
@@ -191,7 +188,7 @@ protocol sieve {
 }
 plugin {
  # Allow "any" or "authenticated" to be used in ACLs
-  acl_anyone = </etc/dovecot/acl_anyone
+  acl_anyone = {{ ACL_ANYONE }}
  acl_shared_dict = file:/var/vmail/shared-mailboxes.db
  acl = vfile
  acl_user = %u
@@ -239,7 +236,7 @@ plugin {
  mail_crypt_global_public_key = </mail_crypt/ecpubkey.pem
  mail_crypt_save_version = 2

-  # Enable compression while saving, lz4 Dovecot v2.2.11+
+  # Enable compression while saving, lz4 Dovecot v2.3.17+
  zlib_save = lz4

  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
@@ -247,7 +244,7 @@ plugin {
  mail_log_cached_only = yes

  # Try set mail_replica
-  !include_try /etc/dovecot/mail_replica.conf
+  {% include 'mail_replica.conf.j2' %}
 }
 service quota-warning {
  executable = script /usr/local/bin/quota_notify.py
@@ -274,10 +271,11 @@ service stats {
  }
 }
 imap_max_line_length = 2 M
-#auth_cache_verify_password_with_worker = yes
-#auth_cache_negative_ttl = 0
-#auth_cache_ttl = 30 s
-#auth_cache_size = 2 M
+auth_cache_verify_password_with_worker = yes
+auth_cache_negative_ttl = 60s
+auth_cache_ttl = 300s
+auth_cache_size = 10M
+auth_verbose_passwords = sha1:6
 service replicator {
  process_min_avail = 1
 }
@@ -297,13 +295,15 @@ service replicator {
 replication_max_conns = 10
 doveadm_port = 12345
 replication_dsync_parameters = -d -l 30 -U -n INBOX
+
+{% include 'sogo_trusted_ip.conf.j2' %}
+{% include 'shared_namespace.conf.j2' %}
+{% include 'fts.conf.j2' %}
+{% include 'sni.conf.j2' %}
+
 # <Includes>
-!include_try /etc/dovecot/sni.conf
-!include_try /etc/dovecot/sogo_trusted_ip.conf
 !include_try /etc/dovecot/extra.conf
-!include_try /etc/dovecot/sogo-sso.conf
-!include_try /etc/dovecot/shared_namespace.conf
-!include_try /etc/dovecot/conf.d/fts.conf
 # </Includes>
+
 default_client_limit = 10400
 default_vsz_limit = 1024 M
--- a/data/conf/dovecot/config_templates/dovecot.folders.conf.j2
+++ b/data/conf/dovecot/config_templates/dovecot.folders.conf.j2
@@ -1,308 +1,308 @@
-namespace inbox {
-  inbox = yes
-  location =
-  separator = /
-  mailbox "Trash" {
-    auto = subscribe
-    special_use = \Trash
-  }
-  mailbox "Deleted Messages" {
-    special_use = \Trash
-  }
-  mailbox "Deleted Items" {
-    special_use = \Trash
-  }
-  mailbox "Rubbish" {
-    special_use = \Trash
-  }
-  mailbox "Gelöschte Objekte" {
-    special_use = \Trash
-  }
-  mailbox "Gelöschte Elemente" {
-    special_use = \Trash
-  }
-  mailbox "Papierkorb" {
-    special_use = \Trash
-  }
-  mailbox "Itens Excluidos" {
-    special_use = \Trash
-  }
-  mailbox "Itens Excluídos" {
-    special_use = \Trash
-  }
-  mailbox "Lixeira" {
-    special_use = \Trash
-  }
-  mailbox "Prullenbak" {
-    special_use = \Trash
-  }
-  mailbox "Odstránené položky" {
-    special_use = \Trash
-  }
-  mailbox "Koš" {
-    special_use = \Trash
-  }
-  mailbox "Verwijderde items" {
-    special_use = \Trash
-  }
-  mailbox "Удаленные" {
-    special_use = \Trash
-  }
-  mailbox "Удаленные элементы" {
-    special_use = \Trash
-  }
-  mailbox "Корзина" {
-    special_use = \Trash
-  }
-  mailbox "Видалені" {
-    special_use = \Trash
-  }
-  mailbox "Видалені елементи" {
-    special_use = \Trash
-  }
-  mailbox "Кошик" {
-    special_use = \Trash
-  }
-  mailbox "废件箱" {
-    special_use = \Trash
-  }
-  mailbox "已删除消息" {
-    special_use = \Trash
-  }
-  mailbox "已删除邮件" {
-    special_use = \Trash
-  }
-  mailbox "Archive" {
-    auto = subscribe
-    special_use = \Archive
-  }
-  mailbox "Archiv" {
-    special_use = \Archive
-  }
-  mailbox "Archives" {
-    special_use = \Archive
-  }
-  mailbox "Arquivo" {
-    special_use = \Archive
-  }
-  mailbox "Arquivos" {
-    special_use = \Archive
-  }
-  mailbox "Archief" {
-    special_use = \Archive
-  }
-  mailbox "Archív" {
-    special_use = \Archive
-  }
-  mailbox "Archivovať" {
-    special_use = \Archive
-  }
-  mailbox "归档" {
-    special_use = \Archive
-  }
-  mailbox "Архив" {
-    special_use = \Archive
-  }
-  mailbox "Архів" {
-    special_use = \Archive
-  }
-  mailbox "Sent" {
-    auto = subscribe
-    special_use = \Sent
-  }
-  mailbox "Sent Messages" {
-    special_use = \Sent
-  }
-  mailbox "Sent Items" {
-    special_use = \Sent
-  }
-  mailbox "已发送" {
-    special_use = \Sent
-  }
-  mailbox "已发送消息" {
-    special_use = \Sent
-  }
-  mailbox "已发送邮件" {
-    special_use = \Sent
-  }
-  mailbox "Отправленные" {
-    special_use = \Sent
-  }
-  mailbox "Отправленные элементы" {
-    special_use = \Sent
-  }
-  mailbox "Надіслані" {
-    special_use = \Sent
-  }
-  mailbox "Надіслані елементи" {
-    special_use = \Sent
-  }
-  mailbox "Gesendet" {
-    special_use = \Sent
-  }
-  mailbox "Gesendete Objekte" {
-    special_use = \Sent
-  }
-  mailbox "Gesendete Elemente" {
-    special_use = \Sent
-  }
-  mailbox "Itens Enviados" {
-    special_use = \Sent
-  }
-  mailbox "Enviados" {
-    special_use = \Sent
-  }
-  mailbox "Verzonden items" {
-    special_use = \Sent
-  }
-  mailbox "Verzonden" {
-    special_use = \Sent
-  }
-  mailbox "Odoslaná pošta" {
-    special_use = \Sent
-  }
-  mailbox "Odoslané" {
-    special_use = \Sent
-  }
-  mailbox "Drafts" {
-    auto = subscribe
-    special_use = \Drafts
-  }
-  mailbox "Entwürfe" {
-    special_use = \Drafts
-  }
-  mailbox "Rascunhos" {
-    special_use = \Drafts
-  }
-  mailbox "Concepten" {
-    special_use = \Drafts
-  }
-  mailbox "Koncepty" {
-    special_use = \Drafts
-  }
-  mailbox "草稿" {
-    special_use = \Drafts
-  }
-  mailbox "草稿箱" {
-    special_use = \Drafts
-  }
-  mailbox "Черновики" {
-    special_use = \Drafts
-  }
-  mailbox "Чернетки" {
-    special_use = \Drafts
-  }
-  mailbox "Junk" {
-    auto = subscribe
-    special_use = \Junk
-  }
-  mailbox "Junk-E-Mail" {
-    special_use = \Junk
-  }
-  mailbox "Junk E-Mail" {
-    special_use = \Junk
-  }
-  mailbox "Spam" {
-    special_use = \Junk
-  }
-  mailbox "Lixo Eletrônico" {
-    special_use = \Junk
-  }
-  mailbox "Nevyžiadaná pošta" {
-    special_use = \Junk
-  }
-  mailbox "Infikované položky" {
-    special_use = \Junk
-  }
-  mailbox "Ongewenste e-mail" {
-    special_use = \Junk
-  }
-  mailbox "垃圾" {
-    special_use = \Junk
-  }
-  mailbox "垃圾箱" {
-    special_use = \Junk
-  }
-  mailbox "Нежелательная почта" {
-    special_use = \Junk
-  }
-  mailbox "Спам" {
-    special_use = \Junk
-  }
-  mailbox "Небажана пошта" {
-    special_use = \Junk
-  }
-  mailbox "Koncepty" {
-    special_use = \Drafts
-  }
-  mailbox "Nevyžádaná pošta" {
-    special_use = \Junk
-  }
-  mailbox "Odstraněná pošta" {
-    special_use = \Trash
-  }
-  mailbox "Odeslaná pošta" {
-    special_use = \Sent
-  }
-  mailbox "Skräp" {
-    special_use = \Trash
-  }
-  mailbox "Borttagna Meddelanden" {
-    special_use = \Trash
-  }
-  mailbox "Arkiv" {
-    special_use = \Archive
-  }
-  mailbox "Arkeverat" {
-    special_use = \Archive
-  }
-  mailbox "Skickat" {
-    special_use = \Sent
-  }
-  mailbox "Skickade Meddelanden" {
-    special_use = \Sent
-  }
-  mailbox "Utkast" {
-    special_use = \Drafts
-  }
-  mailbox "Skraldespand" {
-    special_use = \Trash
-  }
-  mailbox "Slettet mails" {
-    special_use = \Trash
-  }
-  mailbox "Arkiv" {
-    special_use = \Archive
-  }
-  mailbox "Arkiveret mails" {
-    special_use = \Archive
-  }
-  mailbox "Sendt" {
-    special_use = \Sent
-  }
-  mailbox "Sendte mails" {
-    special_use = \Sent
-  }
-  mailbox "Udkast" {
-    special_use = \Drafts
-  }
-  mailbox "Kladde" {
-    special_use = \Drafts
-  }
-  mailbox "Πρόχειρα" {
-    special_use = \Drafts
-  }
-  mailbox "Απεσταλμένα" {
-    special_use = \Sent
-  }
-  mailbox "Κάδος απορριμάτων" {
-    special_use = \Trash
-  }
-  mailbox "Ανεπιθύμητα" {
-    special_use = \Junk
-  }
-  mailbox "Αρχειοθετημένα" {
-    special_use = \Archive
-  }
-  prefix =
-}
+namespace inbox {
+  inbox = yes
+  location =
+  separator = /
+  mailbox "Trash" {
+    auto = subscribe
+    special_use = \Trash
+  }
+  mailbox "Deleted Messages" {
+    special_use = \Trash
+  }
+  mailbox "Deleted Items" {
+    special_use = \Trash
+  }
+  mailbox "Rubbish" {
+    special_use = \Trash
+  }
+  mailbox "Gelöschte Objekte" {
+    special_use = \Trash
+  }
+  mailbox "Gelöschte Elemente" {
+    special_use = \Trash
+  }
+  mailbox "Papierkorb" {
+    special_use = \Trash
+  }
+  mailbox "Itens Excluidos" {
+    special_use = \Trash
+  }
+  mailbox "Itens Excluídos" {
+    special_use = \Trash
+  }
+  mailbox "Lixeira" {
+    special_use = \Trash
+  }
+  mailbox "Prullenbak" {
+    special_use = \Trash
+  }
+  mailbox "Odstránené položky" {
+    special_use = \Trash
+  }
+  mailbox "Koš" {
+    special_use = \Trash
+  }
+  mailbox "Verwijderde items" {
+    special_use = \Trash
+  }
+  mailbox "Удаленные" {
+    special_use = \Trash
+  }
+  mailbox "Удаленные элементы" {
+    special_use = \Trash
+  }
+  mailbox "Корзина" {
+    special_use = \Trash
+  }
+  mailbox "Видалені" {
+    special_use = \Trash
+  }
+  mailbox "Видалені елементи" {
+    special_use = \Trash
+  }
+  mailbox "Кошик" {
+    special_use = \Trash
+  }
+  mailbox "废件箱" {
+    special_use = \Trash
+  }
+  mailbox "已删除消息" {
+    special_use = \Trash
+  }
+  mailbox "已删除邮件" {
+    special_use = \Trash
+  }
+  mailbox "Archive" {
+    auto = subscribe
+    special_use = \Archive
+  }
+  mailbox "Archiv" {
+    special_use = \Archive
+  }
+  mailbox "Archives" {
+    special_use = \Archive
+  }
+  mailbox "Arquivo" {
+    special_use = \Archive
+  }
+  mailbox "Arquivos" {
+    special_use = \Archive
+  }
+  mailbox "Archief" {
+    special_use = \Archive
+  }
+  mailbox "Archív" {
+    special_use = \Archive
+  }
+  mailbox "Archivovať" {
+    special_use = \Archive
+  }
+  mailbox "归档" {
+    special_use = \Archive
+  }
+  mailbox "Архив" {
+    special_use = \Archive
+  }
+  mailbox "Архів" {
+    special_use = \Archive
+  }
+  mailbox "Sent" {
+    auto = subscribe
+    special_use = \Sent
+  }
+  mailbox "Sent Messages" {
+    special_use = \Sent
+  }
+  mailbox "Sent Items" {
+    special_use = \Sent
+  }
+  mailbox "已发送" {
+    special_use = \Sent
+  }
+  mailbox "已发送消息" {
+    special_use = \Sent
+  }
+  mailbox "已发送邮件" {
+    special_use = \Sent
+  }
+  mailbox "Отправленные" {
+    special_use = \Sent
+  }
+  mailbox "Отправленные элементы" {
+    special_use = \Sent
+  }
+  mailbox "Надіслані" {
+    special_use = \Sent
+  }
+  mailbox "Надіслані елементи" {
+    special_use = \Sent
+  }
+  mailbox "Gesendet" {
+    special_use = \Sent
+  }
+  mailbox "Gesendete Objekte" {
+    special_use = \Sent
+  }
+  mailbox "Gesendete Elemente" {
+    special_use = \Sent
+  }
+  mailbox "Itens Enviados" {
+    special_use = \Sent
+  }
+  mailbox "Enviados" {
+    special_use = \Sent
+  }
+  mailbox "Verzonden items" {
+    special_use = \Sent
+  }
+  mailbox "Verzonden" {
+    special_use = \Sent
+  }
+  mailbox "Odoslaná pošta" {
+    special_use = \Sent
+  }
+  mailbox "Odoslané" {
+    special_use = \Sent
+  }
+  mailbox "Drafts" {
+    auto = subscribe
+    special_use = \Drafts
+  }
+  mailbox "Entwürfe" {
+    special_use = \Drafts
+  }
+  mailbox "Rascunhos" {
+    special_use = \Drafts
+  }
+  mailbox "Concepten" {
+    special_use = \Drafts
+  }
+  mailbox "Koncepty" {
+    special_use = \Drafts
+  }
+  mailbox "草稿" {
+    special_use = \Drafts
+  }
+  mailbox "草稿箱" {
+    special_use = \Drafts
+  }
+  mailbox "Черновики" {
+    special_use = \Drafts
+  }
+  mailbox "Чернетки" {
+    special_use = \Drafts
+  }
+  mailbox "Junk" {
+    auto = subscribe
+    special_use = \Junk
+  }
+  mailbox "Junk-E-Mail" {
+    special_use = \Junk
+  }
+  mailbox "Junk E-Mail" {
+    special_use = \Junk
+  }
+  mailbox "Spam" {
+    special_use = \Junk
+  }
+  mailbox "Lixo Eletrônico" {
+    special_use = \Junk
+  }
+  mailbox "Nevyžiadaná pošta" {
+    special_use = \Junk
+  }
+  mailbox "Infikované položky" {
+    special_use = \Junk
+  }
+  mailbox "Ongewenste e-mail" {
+    special_use = \Junk
+  }
+  mailbox "垃圾" {
+    special_use = \Junk
+  }
+  mailbox "垃圾箱" {
+    special_use = \Junk
+  }
+  mailbox "Нежелательная почта" {
+    special_use = \Junk
+  }
+  mailbox "Спам" {
+    special_use = \Junk
+  }
+  mailbox "Небажана пошта" {
+    special_use = \Junk
+  }
+  mailbox "Koncepty" {
+    special_use = \Drafts
+  }
+  mailbox "Nevyžádaná pošta" {
+    special_use = \Junk
+  }
+  mailbox "Odstraněná pošta" {
+    special_use = \Trash
+  }
+  mailbox "Odeslaná pošta" {
+    special_use = \Sent
+  }
+  mailbox "Skräp" {
+    special_use = \Trash
+  }
+  mailbox "Borttagna Meddelanden" {
+    special_use = \Trash
+  }
+  mailbox "Arkiv" {
+    special_use = \Archive
+  }
+  mailbox "Arkeverat" {
+    special_use = \Archive
+  }
+  mailbox "Skickat" {
+    special_use = \Sent
+  }
+  mailbox "Skickade Meddelanden" {
+    special_use = \Sent
+  }
+  mailbox "Utkast" {
+    special_use = \Drafts
+  }
+  mailbox "Skraldespand" {
+    special_use = \Trash
+  }
+  mailbox "Slettet mails" {
+    special_use = \Trash
+  }
+  mailbox "Arkiv" {
+    special_use = \Archive
+  }
+  mailbox "Arkiveret mails" {
+    special_use = \Archive
+  }
+  mailbox "Sendt" {
+    special_use = \Sent
+  }
+  mailbox "Sendte mails" {
+    special_use = \Sent
+  }
+  mailbox "Udkast" {
+    special_use = \Drafts
+  }
+  mailbox "Kladde" {
+    special_use = \Drafts
+  }
+  mailbox "Πρόχειρα" {
+    special_use = \Drafts
+  }
+  mailbox "Απεσταλμένα" {
+    special_use = \Sent
+  }
+  mailbox "Κάδος απορριμάτων" {
+    special_use = \Trash
+  }
+  mailbox "Ανεπιθύμητα" {
+    special_use = \Junk
+  }
+  mailbox "Αρχειοθετημένα" {
+    special_use = \Archive
+  }
+  prefix =
+}
--- a/data/conf/dovecot/config_templates/fts.conf.j2
+++ b/data/conf/dovecot/config_templates/fts.conf.j2
@@ -0,0 +1,34 @@
+{% if SKIP_FTS|lower in ['n', 'no'] %}
+plugin {
+    fts_autoindex = yes
+    fts_autoindex_exclude = \Junk
+    fts_autoindex_exclude2 = \Trash
+    # Tweak this setting if you only want to ensure big and frequent folders are indexed, not all.
+    fts_autoindex_max_recent_msgs = 20
+    fts = flatcurve
+
+    # Maximum term length can be set via the 'maxlen' argument (maxlen is
+    # specified in bytes, not number of UTF-8 characters)
+    fts_tokenizer_email_address = maxlen=100
+    fts_tokenizer_generic = algorithm=simple maxlen=30
+
+    # These are not flatcurve settings, but required for Dovecot FTS. See
+    # Dovecot FTS Configuration link above for further information.
+    fts_languages = en es de
+    fts_tokenizers = generic email-address
+
+    # OPTIONAL: Recommended default FTS core configuration
+    fts_filters = normalizer-icu snowball stopwords
+    fts_filters_en = lowercase snowball english-possessive stopwords
+
+    fts_index_timeout = 300s
+}
+
+service indexer-worker {
+  # Max amount of simultaniously running indexer jobs.
+  process_limit = {{ FTS_PROCS }}
+
+  # Max amount of RAM used by EACH indexer process.
+  vsz_limit = {{ FTS_HEAP }} MB
+}
+{% endif %}
--- a/data/conf/dovecot/config_templates/global_sieve_after.sieve.j2
+++ b/data/conf/dovecot/config_templates/global_sieve_after.sieve.j2
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`{{ RAND_USER }}@mailcow.local:{{ RAND_PASS2 }}`
				`@@ -0,0 +1 @@`
				`{{ DOVECOT_MASTER_USER or RAND_USER }}@mailcow.local::5000:5000::::`