From fb25013334dcb05fa6a025c8fe0694b96c05001b Mon Sep 17 00:00:00 2001
From: mbraem <1116286+mbraem@users.noreply.github.com>
Date: Sun, 14 Apr 2019 20:17:43 +0200
Subject: [PATCH 01/18] user privileges is a set (#1551)

fixes #1540
---
 management/mailconfig.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/management/mailconfig.py b/management/mailconfig.py
index 28e1c623..5f253c14 100755
--- a/management/mailconfig.py
+++ b/management/mailconfig.py
@@ -150,7 +150,7 @@ def get_mail_users_ex(env, with_archived=False):
 					if email in active_accounts: continue
 					user = {
 						"email": email,
-						"privileges": "",
+						"privileges": [],
 						"status": "inactive",
 						"mailbox": mbox,
 					}

From 9b46637aff8851db98f9eac1f38b9a32f69a14fa Mon Sep 17 00:00:00 2001
From: dexbleeker <dex@bleeker.nl>
Date: Sun, 14 Apr 2019 20:19:21 +0200
Subject: [PATCH 02/18] Update Roundcube to version 1.3.9 (#1546)

---
 CHANGELOG.md     | 4 ++++
 setup/webmail.sh | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 089aa68d..32f04763 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,10 @@
 CHANGELOG
 =========
 
+In Development
+--------------
+ * Update to Roundcube 1.3.9.
+
 v0.41 (February 26, 2019)
 -------------------------
 
diff --git a/setup/webmail.sh b/setup/webmail.sh
index b0e11c9b..cbe6bfca 100755
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -28,8 +28,8 @@ apt_install \
 # Install Roundcube from source if it is not already present or if it is out of date.
 # Combine the Roundcube version number with the commit hash of plugins to track
 # whether we have the latest version of everything.
-VERSION=1.3.8
-HASH=90c7900ccf7b2f46fe49c650d5adb9b85ee9cc22
+VERSION=1.3.9
+HASH=02850972b416bbfa1c13580f16d06fd7ae2774aa
 PERSISTENT_LOGIN_VERSION=dc5ca3d3f4415cc41edb2fde533c8a8628a94c76
 HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5
 CARDDAV_VERSION=3.0.3

From 25fec63a03be972c8989eeada1ca09b9d7b7ae50 Mon Sep 17 00:00:00 2001
From: just4t <just4test@gmx.com>
Date: Sun, 14 Apr 2019 22:33:50 +0200
Subject: [PATCH 03/18] RAM limit to 502Mb to meet EC2 & Vultr 512Mb inst.
 (#1560)

AS told here: https://github.com/mail-in-a-box/mailinabox/pull/1534
---
 setup/preflight.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/preflight.sh b/setup/preflight.sh
index d087efe2..2547c410 100644
--- a/setup/preflight.sh
+++ b/setup/preflight.sh
@@ -26,7 +26,7 @@ fi
 #
 # Skip the check if we appear to be running inside of Vagrant, because that's really just for testing.
 TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}')
-if [ $TOTAL_PHYSICAL_MEM -lt 500000 ]; then
+if [ $TOTAL_PHYSICAL_MEM -lt 490000 ]; then
 if [ ! -d /vagrant ]; then
 	TOTAL_PHYSICAL_MEM=$(expr \( \( $TOTAL_PHYSICAL_MEM \* 1024 \) / 1000 \) / 1000)
 	echo "Your Mail-in-a-Box needs more memory (RAM) to function properly."

From aff80ac58cf85e6674a03cd2638db3442e774d4b Mon Sep 17 00:00:00 2001
From: jvolkenant <jeff@volkenant.net>
Date: Thu, 9 May 2019 10:13:24 -0700
Subject: [PATCH 04/18] Autodiscovery fix for additional hosted email domains,
 Fixes #941 (#1467)

---
 conf/nginx-alldomains.conf | 3 +++
 management/dns_update.py   | 9 +++++++++
 management/web_update.py   | 6 ++++++
 3 files changed, 18 insertions(+)

diff --git a/conf/nginx-alldomains.conf b/conf/nginx-alldomains.conf
index 1db7606c..1b3ad5a9 100644
--- a/conf/nginx-alldomains.conf
+++ b/conf/nginx-alldomains.conf
@@ -18,6 +18,9 @@
 	location = /.well-known/autoconfig/mail/config-v1.1.xml {
 		alias /var/lib/mailinabox/mozilla-autoconfig.xml;
 	}
+	location = /mail/config-v1.1.xml {
+		alias /var/lib/mailinabox/mozilla-autoconfig.xml;
+	}
 
 	# Roundcube Webmail configuration.
 	rewrite ^/mail$ /mail/ redirect;
diff --git a/management/dns_update.py b/management/dns_update.py
index 5c1969d7..006a00c2 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -288,6 +288,15 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 			if not has_rec(qname, "SRV"):
 				records.append((qname, "SRV", "0 0 443 " + env["PRIMARY_HOSTNAME"] + ".", "Recommended. Specifies the hostname of the server that handles CardDAV/CalDAV services for email addresses on this domain."))
 
+        # Adds autoconfiguration A records for all domains.
+        # This allows the following clients to automatically configure email addresses in the respective applications.
+        # autodiscover.* - Z-Push ActiveSync Autodiscover
+        # autoconfig.* - Thunderbird Autoconfig
+	if not has_rec("autodiscover", "A"):
+		records.append(("autodiscover", "A", env["PUBLIC_IP"], "Provides email configuration autodiscovery support for Z-Push ActiveSync Autodiscover."))
+	if not has_rec("autoconfig", "A"):
+		records.append(("autoconfig", "A", env["PUBLIC_IP"], "Provides email configuration autodiscovery support for Thunderbird Autoconfig."))
+
 	# Sort the records. The None records *must* go first in the nsd zone file. Otherwise it doesn't matter.
 	records.sort(key = lambda rec : list(reversed(rec[0].split(".")) if rec[0] is not None else ""))
 
diff --git a/management/web_update.py b/management/web_update.py
index 61b38a7b..12959632 100644
--- a/management/web_update.py
+++ b/management/web_update.py
@@ -29,6 +29,12 @@ def get_web_domains(env, include_www_redirects=True, exclude_dns_elsewhere=True)
 		# IP address than this box. Remove those domains from our list.
 		domains -= get_domains_with_a_records(env)
 
+	# Add Autoconfiguration domains, allowing us to serve correct SSL certs.
+	# 'autoconfig.' for Mozilla Thunderbird auto setup.
+	# 'autodiscover.' for Activesync autodiscovery.
+	domains |= set('autoconfig.' + maildomain for maildomain in get_mail_domains(env))
+	domains |= set('autodiscover.' + maildomain for maildomain in get_mail_domains(env))
+
 	# Ensure the PRIMARY_HOSTNAME is in the list so we can serve webmail
 	# as well as Z-Push for Exchange ActiveSync. This can't be removed
 	# by a custom A/AAAA record and is never a 'www.' redirect.

From 77b2246010f72e03ff4b57e6c003db77ad1fdb3d Mon Sep 17 00:00:00 2001
From: Pascal Garber <pascal@jumplink.eu>
Date: Sun, 12 May 2019 14:09:30 +0200
Subject: [PATCH 05/18] Backup Amazon S3: Added support for custom endpoints
 (#1427)

---
 management/backup.py                    |  9 +++++++-
 management/templates/system-backup.html | 29 +++++++++++++++++++++++--
 2 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/management/backup.py b/management/backup.py
index e15fbbbf..93136bf5 100755
--- a/management/backup.py
+++ b/management/backup.py
@@ -419,15 +419,22 @@ def list_target_files(config):
 		fix_boto() # must call prior to importing boto
 		import boto.s3
 		from boto.exception import BotoServerError
+		custom_region = False
 		for region in boto.s3.regions():
 			if region.endpoint == target.hostname:
 				break
 		else:
-			raise ValueError("Invalid S3 region/host.")
+			# If region is not found this is a custom region
+			custom_region = True
 
 		bucket = target.path[1:].split('/')[0]
 		path = '/'.join(target.path[1:].split('/')[1:]) + '/'
 
+		# Create a custom region with custom endpoint
+		if custom_region:
+			from boto.s3.connection import S3Connection
+			region = boto.s3.S3RegionInfo(name=bucket, endpoint=target.hostname, connection_cls=S3Connection)
+
 		# If no prefix is specified, set the path to '', otherwise boto won't list the files
 		if path == '/':
 			path = ''
diff --git a/management/templates/system-backup.html b/management/templates/system-backup.html
index be528f19..3860edb7 100644
--- a/management/templates/system-backup.html
+++ b/management/templates/system-backup.html
@@ -77,15 +77,22 @@
     </div>
   </div>
   <div class="form-group backup-target-s3">
-    <label for="backup-target-s3-host" class="col-sm-2 control-label">S3 Region</label>
+    <label for="backup-target-s3-host-select" class="col-sm-2 control-label">S3 Region</label>
     <div class="col-sm-8">
-      <select class="form-control" rows="1" id="backup-target-s3-host">
+      <select class="form-control" rows="1" id="backup-target-s3-host-select">
         {% for name, host in backup_s3_hosts %}
           <option value="{{host}}">{{name}}</option>
         {% endfor %}
+        <option value="other">Other</option>
       </select>
     </div>
   </div>
+  <div class="form-group backup-target-s3">
+    <label for="backup-target-s3-host" class="col-sm-2 control-label">S3 Host / Endpoint</label>
+    <div class="col-sm-8">
+      <input type="text" placeholder="Endpoint" class="form-control" rows="1" id="backup-target-s3-host">
+    </div>
+  </div>
   <div class="form-group backup-target-s3">
     <label for="backup-target-s3-path" class="col-sm-2 control-label">S3 Path</label>
     <div class="col-sm-8">
@@ -139,6 +146,8 @@ function toggle_form() {
   var target_type = $("#backup-target-type").val();
   $(".backup-target-local, .backup-target-rsync, .backup-target-s3").hide();
   $(".backup-target-" + target_type).show();
+
+  init_inputs(target_type);
 }
 
 function nice_size(bytes) {
@@ -278,4 +287,20 @@ function set_custom_backup() {
     });
   return false;
 }
+
+function init_inputs(target_type) {
+  function set_host(host) {
+    if(host !== 'other') {
+      $("#backup-target-s3-host").val(host);
+    } else {
+      $("#backup-target-s3-host").val('');
+    }
+  }
+  if (target_type == "s3") {
+    $('#backup-target-s3-host-select').off('change').on('change', function() {
+      set_host($('#backup-target-s3-host-select').val());
+    });
+    set_host($('#backup-target-s3-host-select').val());
+  }
+}
 </script>

From 0d4c6937927a498bf7faf8e468cba4d37eafe745 Mon Sep 17 00:00:00 2001
From: Michael Heuberger <michael.heuberger@binarykitchen.com>
Date: Mon, 13 May 2019 00:10:34 +1200
Subject: [PATCH 06/18] Add missing login form method to keep LastPass happy
 (#1565)

---
 management/templates/login.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/management/templates/login.html b/management/templates/login.html
index 04c27279..b6e74df6 100644
--- a/management/templates/login.html
+++ b/management/templates/login.html
@@ -17,13 +17,13 @@ sudo tools/mail.py user make-admin me@{{hostname}}</pre>
   {% endif %}
   <hr>
 </div>
-</div>  
+</div>
 {% endif %}
 
 <p style="margin: 2em; text-align: center;">Log in here for your Mail-in-a-Box control panel.</p>
 
 <div style="margin: 0 auto; max-width: 32em;">
-  <form class="form-horizontal" role="form" onsubmit="do_login(); return false;">
+  <form class="form-horizontal" role="form" onsubmit="do_login(); return false;" method="get">
     <div class="form-group">
       <label for="inputEmail3" class="col-sm-3 control-label">Email</label>
       <div class="col-sm-9">
@@ -76,7 +76,7 @@ function do_login() {
   "/me",
   "GET",
   { },
-  function(response){ 
+  function(response){
     // This API call always succeeds. It returns a JSON object indicating
     // whether the request was authenticated or not.
     if (response.status != "ok") {

From 4232a1205c300254be8052c1e9f105b519e44d66 Mon Sep 17 00:00:00 2001
From: jvolkenant <jeff@volkenant.net>
Date: Wed, 15 May 2019 11:46:52 -0700
Subject: [PATCH 07/18] fix dovecot message about SSLv2 not supported by
 OpenSSL (#1580)

---
 setup/mail-dovecot.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh
index 4bcc53aa..6098e295 100755
--- a/setup/mail-dovecot.sh
+++ b/setup/mail-dovecot.sh
@@ -80,11 +80,12 @@ tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \
 # Enable SSL, specify the location of the SSL certificate and private key files.
 # Disable obsolete SSL protocols and allow only good ciphers per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/.
 # Enable strong ssl dh parameters
+
 tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
 	ssl=required \
 	"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
 	"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
-	"ssl_protocols=!SSLv3 !SSLv2" \
+	"ssl_protocols=!SSLv3" \
 	"ssl_cipher_list=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" \
 	"ssl_prefer_server_ciphers = yes" \
 	"ssl_dh_parameters_length = 2048"

From 85e59245fdfd2a2e633a890927a89adba79e1bf5 Mon Sep 17 00:00:00 2001
From: cmharper <1422608+cmharper@users.noreply.github.com>
Date: Wed, 15 May 2019 18:57:06 +0000
Subject: [PATCH 08/18] hide 'RTNETLINK answers: Network is unreachable' error
 message during setup if IPv6 is not available (#1576)

---
 setup/functions.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/setup/functions.sh b/setup/functions.sh
index 1a74edfd..3bb96b7a 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -1,7 +1,7 @@
 # Turn on "strict mode." See http://redsymbol.net/articles/unofficial-bash-strict-mode/.
 # -e: exit if any command unexpectedly fails.
 # -u: exit if we have a variable typo.
-# -o pipefail: don't ignore errors in the non-last command in a pipeline 
+# -o pipefail: don't ignore errors in the non-last command in a pipeline
 set -euo pipefail
 
 function hide_output {
@@ -127,7 +127,7 @@ function get_default_privateip {
 	if [ "$1" == "6" ]; then target=2001:4860:4860::8888; fi
 
 	# Get the route information.
-	route=$(ip -$1 -o route get $target | grep -v unreachable)
+	route=$(ip -$1 -o route get $target 2>/dev/null | grep -v unreachable)
 
 	# Parse the address out of the route information.
 	address=$(echo $route | sed "s/.* src \([^ ]*\).*/\1/")

From c6fa0d23df986f9065108b58f984026204cd4e20 Mon Sep 17 00:00:00 2001
From: jvolkenant <jeff@volkenant.net>
Date: Wed, 15 May 2019 11:58:40 -0700
Subject: [PATCH 09/18] check that munin-cron is not running (via cron) when it
 is run in setup, fixes #660 (#1579)

---
 setup/munin.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/setup/munin.sh b/setup/munin.sh
index 3cb1cd9d..df7af601 100755
--- a/setup/munin.sh
+++ b/setup/munin.sh
@@ -76,4 +76,8 @@ restart_service munin-node
 # generate initial statistics so the directory isn't empty
 # (We get "Pango-WARNING **: error opening config file '/root/.config/pango/pangorc': Permission denied"
 # if we don't explicitly set the HOME directory when sudo'ing.)
-sudo -H -u munin munin-cron
+# We check to see if munin-cron is already running, if it is, there is no need to run it simultaneously
+# generating an error.
+if [ ! -f /var/run/munin/munin-update.lock ]; then
+	sudo -H -u munin munin-cron
+fi

From 6e5ceab0f8d6496ae9dda5ae4cb134f16fa11626 Mon Sep 17 00:00:00 2001
From: jvolkenant <jeff@volkenant.net>
Date: Wed, 15 May 2019 11:59:32 -0700
Subject: [PATCH 10/18] hide virtualenv output (#1578)

---
 setup/management.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/management.sh b/setup/management.sh
index f7621a8b..3a6e187b 100755
--- a/setup/management.sh
+++ b/setup/management.sh
@@ -38,7 +38,7 @@ inst_dir=/usr/local/lib/mailinabox
 mkdir -p $inst_dir
 venv=$inst_dir/env
 if [ ! -d $venv ]; then
-	virtualenv -ppython3 $venv
+	hide_output virtualenv -ppython3 $venv
 fi
 
 # Upgrade pip because the Ubuntu-packaged version is out of date.

From 79759ea5a39c9398460d33453d986c90db9d7d54 Mon Sep 17 00:00:00 2001
From: jvolkenant <jeff@volkenant.net>
Date: Sun, 16 Jun 2019 08:07:45 -0700
Subject: [PATCH 11/18] Upgrade Z-Push to 2.5.0 (#1581)

---
 CHANGELOG.md   | 3 +++
 setup/zpush.sh | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 32f04763..14afe39d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,9 @@ In Development
 --------------
  * Update to Roundcube 1.3.9.
 
+Z-Push:
+ * Upgraded Z-Push from 2.4.4 to 2.5.0.
+
 v0.41 (February 26, 2019)
 -------------------------
 
diff --git a/setup/zpush.sh b/setup/zpush.sh
index 32fc4992..0cbd30ad 100755
--- a/setup/zpush.sh
+++ b/setup/zpush.sh
@@ -22,8 +22,8 @@ apt_install \
 phpenmod -v php imap
 
 # Copy Z-Push into place.
-VERSION=2.4.4
-TARGETHASH=104d44426852429dac8ec2783a4e9ad7752d4682
+VERSION=2.5.0
+TARGETHASH=30ce5c1af3f10939036361b6032d1187651b621e
 needs_update=0 #NODOC
 if [ ! -f /usr/local/lib/z-push/version ]; then
 	needs_update=1 #NODOC

From 193763f8f0a6e113053e2c8b5ae2bb12bbd5eb03 Mon Sep 17 00:00:00 2001
From: jvolkenant <jeff@volkenant.net>
Date: Sun, 16 Jun 2019 08:10:53 -0700
Subject: [PATCH 12/18] Update to Nextcloud 15.0.8, Contacts to 3.1.1, and
 Calendar to 1.6.5 (#1577)

* Update to Nextcloud 15.0.7, Contacts to 3.1.1, and Calendar to 1.6.5
* Enabled localhost-only insecure IMAP login for localhost Nextcloud auth
* Add package php-imagick and BigInt conversion
* added support for /cloud/oc[sm]-provider/ endpoint
---
 CHANGELOG.md                | 11 ++++++++++-
 conf/nginx-primaryonly.conf |  9 +++++++++
 setup/mail-dovecot.sh       |  8 ++++++++
 setup/nextcloud.sh          | 38 +++++++++++++++++++++++++++----------
 4 files changed, 55 insertions(+), 11 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 14afe39d..faa4a918 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,7 +3,16 @@ CHANGELOG
 
 In Development
 --------------
- * Update to Roundcube 1.3.9.
+
+Mail:
+
+* Update to Roundcube 1.3.9.
+
+Contacts/Calendar:
+
+* Upgraded Nextcloud from 14.0.6 to 15.0.8.
+* Upgraded Contacts from 2.1.8 to 3.1.1.
+* Upgraded Calendar from 1.6.4 to 1.6.5.
 
 Z-Push:
  * Upgraded Z-Push from 2.4.4 to 2.5.0.
diff --git a/conf/nginx-primaryonly.conf b/conf/nginx-primaryonly.conf
index d8d912ca..288fce40 100644
--- a/conf/nginx-primaryonly.conf
+++ b/conf/nginx-primaryonly.conf
@@ -19,6 +19,7 @@
 	rewrite ^/cloud/$ /cloud/index.php;
 	rewrite ^/cloud/(contacts|calendar|files)$ /cloud/index.php/apps/$1/ redirect;
 	rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html;
+	rewrite ^(/cloud/oc[sm]-provider)/$ $1/index.php redirect;
 	location /cloud/ {
 		alias /usr/local/lib/owncloud/;
 	 	location ~ ^/cloud/(build|tests|config|lib|3rdparty|templates|data|README)/ {
@@ -27,6 +28,14 @@
 	 	location ~ ^/cloud/(?:\.|autotest|occ|issue|indie|db_|console) {
 	 		deny all;
 	 	}
+		# Enable paths for service and cloud federation discovery
+		# Resolves warning in Nextcloud Settings panel
+                location ~ ^/cloud/(oc[sm]-provider)?/([^/]+\.php)$ {
+                        index index.php;
+                        include fastcgi_params;
+                        fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$1/$2;
+                        fastcgi_pass php-fpm;
+                }
 	}
 	location ~ ^(/cloud)((?:/ocs)?/[^/]+\.php)(/.*)?$ {
 		# note: ~ has precendence over a regular location block
diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh
index 6098e295..c3d2ee57 100755
--- a/setup/mail-dovecot.sh
+++ b/setup/mail-dovecot.sh
@@ -136,6 +136,14 @@ service lmtp {
   }
 }
 
+# Enable imap-login on localhost to allow the user_external plugin
+# for Nextcloud to do imap authentication. (See #1577)
+service imap-login {
+  inet_listener imap {
+    address = 127.0.0.1
+    port = 143
+  }
+}
 protocol imap {
   mail_max_userip_connections = 20
 }
diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh
index 9476bbf8..8dc8d35a 100755
--- a/setup/nextcloud.sh
+++ b/setup/nextcloud.sh
@@ -13,7 +13,8 @@ apt-get purge -qq -y owncloud* # we used to use the package manager
 
 apt_install php php-fpm \
 	php-cli php-sqlite3 php-gd php-imap php-curl php-pear curl \
-	php-dev php-gd php-xml php-mbstring php-zip php-apcu php-json php-intl
+	php-dev php-gd php-xml php-mbstring php-zip php-apcu php-json \
+	php-intl php-imagick
 
 InstallNextcloud() {
 
@@ -39,14 +40,20 @@ InstallNextcloud() {
 	# their github repositories.
 	mkdir -p /usr/local/lib/owncloud/apps
 
-	wget_verify https://github.com/nextcloud/contacts/releases/download/v2.1.8/contacts.tar.gz b5d5bbee33f0c32b124b46cb6aaab90c695ac170 /tmp/contacts.tgz
+	wget_verify https://github.com/nextcloud/contacts/releases/download/v3.1.1/contacts.tar.gz a06bd967197dcb03c94ec1dbd698c037018669e5 /tmp/contacts.tgz
 	tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/contacts.tgz
 
-	wget_verify https://github.com/nextcloud/calendar/releases/download/v1.6.4/calendar.tar.gz d8a7950dba14803472b6c19625a8ceb23d6fd4ef /tmp/calendar.tgz
+	wget_verify https://github.com/nextcloud/calendar/releases/download/v1.6.5/calendar.tar.gz 79941255521a5172f7e4ce42dc7773838b5ede2f /tmp/calendar.tgz
 	tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/calendar.tgz
 
+	# Starting with Nextcloud 15, the app user_external is no longer included in Nextcloud core,
+	# we will install from their github repository.
+	wget_verify https://github.com/nextcloud/user_external/releases/download/v0.6.3/user_external-0.6.3.tar.gz 0f756d35fef6b64a177d6a16020486b76ea5799c /tmp/user_external.tgz
+	tar -xf /tmp/user_external.tgz -C /usr/local/lib/owncloud/apps/
+	rm /tmp/user_external.tgz
+
 	# Fix weird permissions.
 	chmod 750 /usr/local/lib/owncloud/{apps,config}
 
@@ -75,12 +82,14 @@ InstallNextcloud() {
 
 		# Add missing indices. NextCloud didn't include this in the normal upgrade because it might take some time.
 		sudo -u www-data php /usr/local/lib/owncloud/occ db:add-missing-indices
+
+		# Run conversion to BigInt identifiers, this process may take some time on large tables.
+		sudo -u www-data php /usr/local/lib/owncloud/occ db:convert-filecache-bigint --no-interaction
 	fi
 }
 
-nextcloud_ver=14.0.6
-nextcloud_hash=4e43a57340f04c2da306c8eea98e30040399ae5a
-
+nextcloud_ver=15.0.8
+nextcloud_hash=4129d8d4021c435f2e86876225fb7f15adf764a3
 # Check if Nextcloud dir exist, and check if version matches nextcloud_ver (if either doesn't - install/upgrade)
 if [ ! -d /usr/local/lib/owncloud/ ] \
 		|| ! grep -q $nextcloud_ver /usr/local/lib/owncloud/version.php; then
@@ -115,6 +124,11 @@ if [ ! -d /usr/local/lib/owncloud/ ] \
 			echo "Upgrades from Mail-in-a-Box prior to v0.28 (dated July 30, 2018) with Nextcloud < 13.0.6 (you have ownCloud 10, 11 or 12) are not supported. Upgrade to Mail-in-a-Box version v0.30 first. Setup aborting."
 			exit 1
 		fi
+		# During the upgrade from Nextcloud 14 to 15, user_external may cause the upgrade to fail.
+		# We will disable it here before the upgrade and install it again after the upgrade.
+		if grep -q "OC_VersionString = '14\." /usr/local/lib/owncloud/version.php; then
+			hide_output sudo -u www-data php /usr/local/lib/owncloud/console.php app:disable user_external
+		fi
 	fi
 
 	InstallNextcloud $nextcloud_ver $nextcloud_hash
@@ -142,10 +156,12 @@ if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then
   'overwritewebroot' => '/cloud',
   'overwrite.cli.url' => '/cloud',
   'user_backends' => array(
-	array(
-	  'class'=>'OC_User_IMAP',
-	  'arguments'=>array('{127.0.0.1:993/imap/ssl/novalidate-cert}')
-	)
+    array(
+      'class' => 'OC_User_IMAP',
+        'arguments' => array(
+          '127.0.0.1', 143, null
+         ),
+    ),
   ),
   'memcache.local' => '\OC\Memcache\APCu',
   'mail_smtpmode' => 'sendmail',
@@ -217,6 +233,8 @@ include("$STORAGE_ROOT/owncloud/config.php");
 
 \$CONFIG['mail_domain'] = '$PRIMARY_HOSTNAME';
 
+\$CONFIG['user_backends'] = array(array('class' => 'OC_User_IMAP','arguments' => array('127.0.0.1', 143, null),),);
+
 echo "<?php\n\\\$CONFIG = ";
 var_export(\$CONFIG);
 echo ";";

From c0f4d5479fe1f4fd9a64240d0ded8f5320ae3b69 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Sun, 16 Jun 2019 11:40:40 -0400
Subject: [PATCH 13/18] changelog updates

---
 CHANGELOG.md | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index faa4a918..0f232670 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,18 +4,20 @@ CHANGELOG
 In Development
 --------------
 
-Mail:
+Changes:
 
-* Update to Roundcube 1.3.9.
+* Decreased the minimum supported RAM to 502 Mb.
+* Improved mail client autoconfiguration.
+* Added support for S3-compatible backup services besides Amazon S3.
+* Fixed the control panel login page to let LastPass save passwords.
+* Fixed an error in the user privileges API.
+* Silenced some spurrious messages.
 
-Contacts/Calendar:
+Software updates:
 
-* Upgraded Nextcloud from 14.0.6 to 15.0.8.
-* Upgraded Contacts from 2.1.8 to 3.1.1.
-* Upgraded Calendar from 1.6.4 to 1.6.5.
-
-Z-Push:
- * Upgraded Z-Push from 2.4.4 to 2.5.0.
+* Upgraded Roundcube from 1.3.8 to 1.3.9.
+* Upgraded Nextcloud from 14.0.6 to 15.0.8 (with Contacts from 2.1.8 to 3.1.1 and Calendar from 1.6.4 to 1.6.5).
+* Upgraded Z-Push from 2.4.4 to 2.5.0.
 
 v0.41 (February 26, 2019)
 -------------------------

From 39fd4ce16c6b665f1df886083dcc0a6afda6c08e Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Thu, 4 Jul 2019 21:34:55 -0400
Subject: [PATCH 14/18] v0.42

---
 CHANGELOG.md       | 4 ++--
 README.md          | 4 ++--
 setup/bootstrap.sh | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0f232670..15311c84 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1,8 @@
 CHANGELOG
 =========
 
-In Development
---------------
+v0.42 (July 4, 2019)
+--------------------
 
 Changes:
 
diff --git a/README.md b/README.md
index 01997fd4..d93a0847 100644
--- a/README.md
+++ b/README.md
@@ -58,7 +58,7 @@ by him:
 	$ curl -s https://keybase.io/joshdata/key.asc | gpg --import
 	gpg: key C10BDD81: public key "Joshua Tauberer <jt@occams.info>" imported
 
-	$ git verify-tag v0.41
+	$ git verify-tag v0.42
 	gpg: Signature made ..... using RSA key ID C10BDD81
 	gpg: Good signature from "Joshua Tauberer <jt@occams.info>"
 	gpg: WARNING: This key is not certified with a trusted signature!
@@ -71,7 +71,7 @@ and on his [personal homepage](https://razor.occams.info/). (Of course, if this
 
 Checkout the tag corresponding to the most recent release:
 
-	$ git checkout v0.41
+	$ git checkout v0.42
 
 Begin the installation.
 
diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh
index 74bf5e16..b8dfcc64 100644
--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@@ -20,7 +20,7 @@ if [ -z "$TAG" ]; then
 	# want to display in status checks.
 	if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' `" == "Ubuntu 18.04 LTS" ]; then
 		# This machine is running Ubuntu 18.04.
-		TAG=v0.41
+		TAG=v0.42
 
 	elif [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' `" == "Ubuntu 14.04 LTS" ]; then
 		# This machine is running Ubuntu 14.04.

From 5fc1944f04dba9e111f3c8787a5969d4c296468f Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Fri, 5 Jul 2019 11:56:54 -0400
Subject: [PATCH 15/18] pull v0.42, go back to v0.41

---
 setup/bootstrap.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh
index b8dfcc64..74bf5e16 100644
--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@@ -20,7 +20,7 @@ if [ -z "$TAG" ]; then
 	# want to display in status checks.
 	if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' `" == "Ubuntu 18.04 LTS" ]; then
 		# This machine is running Ubuntu 18.04.
-		TAG=v0.42
+		TAG=v0.41
 
 	elif [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' `" == "Ubuntu 14.04 LTS" ]; then
 		# This machine is running Ubuntu 14.04.

From fd5b11823ce01cd7e9bf68a247758adb46f4f146 Mon Sep 17 00:00:00 2001
From: jvolkenant <jeff@volkenant.net>
Date: Wed, 10 Jul 2019 03:28:37 -0700
Subject: [PATCH 16/18] Add AAAA records for autodiscover & autoconfig (#1606)

---
 management/dns_update.py | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/management/dns_update.py b/management/dns_update.py
index 006a00c2..7e006d0b 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -288,14 +288,20 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 			if not has_rec(qname, "SRV"):
 				records.append((qname, "SRV", "0 0 443 " + env["PRIMARY_HOSTNAME"] + ".", "Recommended. Specifies the hostname of the server that handles CardDAV/CalDAV services for email addresses on this domain."))
 
-        # Adds autoconfiguration A records for all domains.
-        # This allows the following clients to automatically configure email addresses in the respective applications.
-        # autodiscover.* - Z-Push ActiveSync Autodiscover
-        # autoconfig.* - Thunderbird Autoconfig
-	if not has_rec("autodiscover", "A"):
-		records.append(("autodiscover", "A", env["PUBLIC_IP"], "Provides email configuration autodiscovery support for Z-Push ActiveSync Autodiscover."))
-	if not has_rec("autoconfig", "A"):
-		records.append(("autoconfig", "A", env["PUBLIC_IP"], "Provides email configuration autodiscovery support for Thunderbird Autoconfig."))
+	# Adds autoconfiguration A records for all domains.
+	# This allows the following clients to automatically configure email addresses in the respective applications.
+	# autodiscover.* - Z-Push ActiveSync Autodiscover
+	# autoconfig.* - Thunderbird Autoconfig
+	autodiscover_records = [
+		("autodiscover", "A", env["PUBLIC_IP"], "Provides email configuration autodiscovery support for Z-Push ActiveSync Autodiscover."),
+		("autodiscover", "AAAA", env["PUBLIC_IPV6"], "Provides email configuration autodiscovery support for Z-Push ActiveSync Autodiscover."),
+		("autoconfig", "A", env["PUBLIC_IP"], "Provides email configuration autodiscovery support for Thunderbird Autoconfig."),
+		("autoconfig", "AAAA", env["PUBLIC_IPV6"], "Provides email configuration autodiscovery support for Thunderbird Autoconfig.")
+	]
+	for qname, rtype, value, explanation in autodiscover_records:
+		if value is None or value.strip() == "": continue # skip IPV6 if not set
+		if not has_rec(qname, rtype):
+			records.append((qname, rtype, value, explanation))
 
 	# Sort the records. The None records *must* go first in the nsd zone file. Otherwise it doesn't matter.
 	records.sort(key = lambda rec : list(reversed(rec[0].split(".")) if rec[0] is not None else ""))

From bea5eb0dda083478ce0a27d0b8e6740bae26e2ab Mon Sep 17 00:00:00 2001
From: jvolkenant <jeff@volkenant.net>
Date: Fri, 12 Jul 2019 03:41:16 -0700
Subject: [PATCH 17/18] Add interm upgrade step from Nextcloud 13 -> 14 (#1605)

---
 setup/nextcloud.sh | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh
index 8dc8d35a..9f36ee56 100755
--- a/setup/nextcloud.sh
+++ b/setup/nextcloud.sh
@@ -50,9 +50,11 @@ InstallNextcloud() {
 
 	# Starting with Nextcloud 15, the app user_external is no longer included in Nextcloud core,
 	# we will install from their github repository.
-	wget_verify https://github.com/nextcloud/user_external/releases/download/v0.6.3/user_external-0.6.3.tar.gz 0f756d35fef6b64a177d6a16020486b76ea5799c /tmp/user_external.tgz
-	tar -xf /tmp/user_external.tgz -C /usr/local/lib/owncloud/apps/
-	rm /tmp/user_external.tgz
+	if [[ $version =~ ^15 ]]; then
+		wget_verify https://github.com/nextcloud/user_external/releases/download/v0.6.3/user_external-0.6.3.tar.gz 0f756d35fef6b64a177d6a16020486b76ea5799c /tmp/user_external.tgz
+		tar -xf /tmp/user_external.tgz -C /usr/local/lib/owncloud/apps/
+		rm /tmp/user_external.tgz
+	fi
 
 	# Fix weird permissions.
 	chmod 750 /usr/local/lib/owncloud/{apps,config}
@@ -124,6 +126,11 @@ if [ ! -d /usr/local/lib/owncloud/ ] \
 			echo "Upgrades from Mail-in-a-Box prior to v0.28 (dated July 30, 2018) with Nextcloud < 13.0.6 (you have ownCloud 10, 11 or 12) are not supported. Upgrade to Mail-in-a-Box version v0.30 first. Setup aborting."
 			exit 1
 		fi
+		# If we are running Nextcloud 13, upgrade to Nextcloud 14
+		if grep -q "OC_VersionString = '13\." /usr/local/lib/owncloud/version.php; then
+			InstallNextcloud 14.0.6 4e43a57340f04c2da306c8eea98e30040399ae5a
+
+		fi
 		# During the upgrade from Nextcloud 14 to 15, user_external may cause the upgrade to fail.
 		# We will disable it here before the upgrade and install it again after the upgrade.
 		if grep -q "OC_VersionString = '14\." /usr/local/lib/owncloud/version.php; then

From e37768ca8680106b037822975445de88e3e0da14 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Sat, 3 Aug 2019 11:49:32 -0400
Subject: [PATCH 18/18] v0.42b

---
 CHANGELOG.md       | 6 ++++--
 README.md          | 4 ++--
 setup/bootstrap.sh | 2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 15311c84..a07304b6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1,8 @@
 CHANGELOG
 =========
 
-v0.42 (July 4, 2019)
---------------------
+v0.42b (August 3, 2019)
+-----------------------
 
 Changes:
 
@@ -19,6 +19,8 @@ Software updates:
 * Upgraded Nextcloud from 14.0.6 to 15.0.8 (with Contacts from 2.1.8 to 3.1.1 and Calendar from 1.6.4 to 1.6.5).
 * Upgraded Z-Push from 2.4.4 to 2.5.0.
 
+Note that v0.42 (July 4, 2019) was pulled shortly after it was released to fix a Nextcloud upgrade issue.
+
 v0.41 (February 26, 2019)
 -------------------------
 
diff --git a/README.md b/README.md
index d93a0847..925e62aa 100644
--- a/README.md
+++ b/README.md
@@ -58,7 +58,7 @@ by him:
 	$ curl -s https://keybase.io/joshdata/key.asc | gpg --import
 	gpg: key C10BDD81: public key "Joshua Tauberer <jt@occams.info>" imported
 
-	$ git verify-tag v0.42
+	$ git verify-tag v0.42b
 	gpg: Signature made ..... using RSA key ID C10BDD81
 	gpg: Good signature from "Joshua Tauberer <jt@occams.info>"
 	gpg: WARNING: This key is not certified with a trusted signature!
@@ -71,7 +71,7 @@ and on his [personal homepage](https://razor.occams.info/). (Of course, if this
 
 Checkout the tag corresponding to the most recent release:
 
-	$ git checkout v0.42
+	$ git checkout v0.42b
 
 Begin the installation.
 
diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh
index 74bf5e16..1135107b 100644
--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@@ -20,7 +20,7 @@ if [ -z "$TAG" ]; then
 	# want to display in status checks.
 	if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' `" == "Ubuntu 18.04 LTS" ]; then
 		# This machine is running Ubuntu 18.04.
-		TAG=v0.41
+		TAG=v0.42b
 
 	elif [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' `" == "Ubuntu 14.04 LTS" ]; then
 		# This machine is running Ubuntu 14.04.