Merge branch 'jammyjellyfish2204' of https://github.com/mail-in-a-box/mailinabox into jammyjellyfish2204

# Conflicts: # README.md # setup/mail-dovecot.sh # setup/system.sh # setup/webmail.sh # setup/zpush.sh # tests/test_mail.py
2026-03-05 15:57:23 +01:00 · 2022-01-11 16:39:39 -05:00
parent d6cd4e826c 3998214e87
commit 4e6550ed22
31 changed files with 259 additions and 194 deletions
--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@@ -9,32 +9,37 @@
 if [ -z "$TAG" ]; then
 	# If a version to install isn't explicitly given as an environment
 	# variable, then install the latest version. But the latest version
-	# depends on the operating system. Existing Ubuntu 14.04 users need
-	# to be able to upgrade to the latest version supporting Ubuntu 14.04,
-	# in part because an upgrade is required before jumping to Ubuntu 18.04.
-	# New users on Ubuntu 18.04 need to get the latest version number too.
+	# depends on the machine's version of Ubuntu. Existing users need to
+	# be able to upgrade to the latest version available for that version
+	# of Ubuntu to satisfy the migration requirements.
 	#
 	# Also, the system status checks read this script for TAG = (without the
 	# space, but if we put it in a comment it would confuse the status checks!)
 	# to get the latest version, so the first such line must be the one that we
 	# want to display in status checks.
-	if [ "$(lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' )" == "Ubuntu 18.04 LTS" ]; then
-		# This machine is running Ubuntu 18.04.
-		TAG=v55
-
-	elif [ "$(lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' )" == "Ubuntu 14.04 LTS" ]; then
-		# This machine is running Ubuntu 14.04.
-		echo "You are installing the last version of Mail-in-a-Box that will"
-		echo "support Ubuntu 14.04. If this is a new installation of Mail-in-a-Box,"
-		echo "stop now and switch to a machine running Ubuntu 18.04. If you are"
-		echo "upgrading an existing Mail-in-a-Box --- great. After upgrading this"
-		echo "box, please visit https://mailinabox.email for notes on how to upgrade"
-		echo "to Ubuntu 18.04."
-		echo ""
+	#
+	# Allow point-release versions of the major releases, e.g. 22.04.1 is OK.
+	UBUNTU_VERSION=$( lsb_release -d | sed 's/.*:\s*//' | sed 's/\([0-9]*\.[0-9]*\)\.[0-9]/\1/' )"
+	if [ "$UBUNTU_VERSION" == "Ubuntu 22.04 LTS" ]; then
+		# This machine is running Ubuntu 22.04, which is supported by
+		# Mail-in-a-Box versions 60 and later.
+		TAG=v60
+	elif [ "$UBUNTU_VERSION" == "Ubuntu 18.04 LTS" ]; then
+		# This machine is running Ubuntu 18.04, which is supported by
+		# Mail-in-a-Box versions 0.40 through 5x.
+		echo "Support is ending for Ubuntu 18.04."
+		echo "Please immediately begin to migrate your information to"
+		echo "a new machine running Ubuntu 22.04. See:"
+		echo "https://mailinabox.email/maintenance.html#upgrade"
+		TAG=v56
+	elif [ "$UBUNTU_VERSION" == "Ubuntu 14.04 LTS" ]; then
+		# This machine is running Ubuntu 14.04, which is supported by
+		# Mail-in-a-Box versions 1 through v0.30.
+		echo "Ubuntu 14.04 is no longer supported."
+		echo "The last version of Mail-in-a-Box supporting Ubuntu 14.04 will be installed."
 		TAG=v0.30
-
 	else
-		echo "This script must be run on a system running Ubuntu 18.04 or Ubuntu 14.04."
+		echo "This script may be used only on a machine running Ubuntu 14.04, 18.04, or 22.04."
 		exit 1
 	fi
 fi
--- a/setup/dns.sh
+++ b/setup/dns.sh
@@ -10,17 +10,13 @@
 source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars

-# Install the packages.
-#
-# * nsd: The non-recursive nameserver that publishes our DNS records.
-# * ldnsutils: Helper utilities for signing DNSSEC zones.
-# * openssh-client: Provides ssh-keyscan which we use to create SSHFP records.
-echo "Installing nsd (DNS server)..."
-apt_install nsd ldnsutils openssh-client
-
 # Prepare nsd's configuration.
-
+# We configure nsd before installation as we only want it to bind to some addresses
+# and it otherwise will have port / bind conflicts with bind9 used as the local resolver
 mkdir -p /var/run/nsd
+mkdir -p /etc/nsd
+mkdir -p /etc/nsd/zones
+touch /etc/nsd/zones.conf

 cat > /etc/nsd/nsd.conf << EOF;
 # Do not edit. Overwritten by Mail-in-a-Box setup.
@@ -42,18 +38,6 @@ server:

 EOF

-# Add log rotation
-cat > /etc/logrotate.d/nsd <<EOF;
-/var/log/nsd.log {
-  weekly
-  missingok
-  rotate 12
-  compress
-  delaycompress
-  notifempty
-}
-EOF
-
 # Since we have bind9 listening on localhost for locally-generated
 # DNS queries that require a recursive nameserver, and the system
 # might have other network interfaces for e.g. tunnelling, we have
@@ -88,6 +72,26 @@ echo "include: /etc/nsd/nsd.conf.d/*.conf" >> /etc/nsd/nsd.conf;
 # now be stored in /etc/nsd/nsd.conf.d.
 rm -f /etc/nsd/zones.conf

+# Add log rotation
+cat > /etc/logrotate.d/nsd <<EOF;
+/var/log/nsd.log {
+  weekly
+  missingok
+  rotate 12
+  compress
+  delaycompress
+  notifempty
+}
+EOF
+
+# Install the packages.
+#
+# * nsd: The non-recursive nameserver that publishes our DNS records.
+# * ldnsutils: Helper utilities for signing DNSSEC zones.
+# * openssh-client: Provides ssh-keyscan which we use to create SSHFP records.
+echo "Installing nsd (DNS server)..."
+apt_install nsd ldnsutils openssh-client
+
 # Create DNSSEC signing keys.

 mkdir -p "$STORAGE_ROOT/dns/dnssec";
--- a/setup/ldap.sh
+++ b/setup/ldap.sh
@@ -158,7 +158,13 @@ EOF
 	
 	# Install packages
 	say "Installing OpenLDAP server..."
-	apt_install slapd ldap-utils python3-ldap3 python3-ldif3 ca-certificates xz-utils
+	
+	# we must install slapd without DEBIAN_FRONTEND=noninteractive or
+	# debconf selections are ignored
+	hide_output apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" install slapd
+
+	# install additional packages
+	apt_install ldap-utils python3-ldap3 ca-certificates xz-utils

 	# If slapd was not installed by us, the selections above did
 	# nothing.  To check this we see if SLAPD_CONF in
@@ -169,7 +175,8 @@ EOF
 	# we do #2 ....
 	local SLAPD_CONF=""
 	eval "$(grep ^SLAPD_CONF= /etc/default/slapd)"
-	local cursuffix="$(slapcat -s "cn=config" | grep "^olcSuffix: ")"
+	local cursuffix="$(slapcat -b "cn=config" | grep "^olcSuffix: ")"
+	say_debug "current slapd suffix=$cursuffix"
 	if [ -z "$SLAPD_CONF" ] &&
 		   ! grep "$LDAP_DOMAIN" <<<"$cursuffix" >/dev/null
 	then
@@ -191,7 +198,7 @@ EOF
 	# Ensure slapd is running
 	systemctl start slapd && wait_slapd_start

-	# Change the admin password hash format in the server from slapd's
+	# Change the root password hash format in the server from slapd's
 	# default {SSHA} to SHA-512 {CRYPT} with 16 characters of salt
 	get_attribute "cn=config" "olcSuffix=${LDAP_BASE}" "olcRootPW"
 	if [ ${#ATTR_VALUE[*]} -eq 1 -a $(grep -c "{SSHA}" <<< "$ATTR_VALUE") -eq 1 ]; then
@@ -201,14 +208,17 @@ EOF
 dn: $ATTR_DN
 replace: olcRootPW
 olcRootPW: $hash
-EOF
-		say_verbose "Updating admin hash to SHA512-CRYPT"
-		ldapmodify -H ldap://127.0.0.1/ -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD"  >/dev/null <<EOF
-dn: $LDAP_ADMIN_DN
-replace: userPassword
-userPassword: $hash
 EOF
 	fi
+
+	get_attribute "cn=config" "olcSuffix=${LDAP_BASE}" "olcRootDN"
+	if [ "$ATTR_VALUE" != "$LDAP_ADMIN_DN" ]; then
+		say ""
+		say "UNEXPECTED: oldRootDN under $ATTR_DN"
+		say "  is set to: $ATTR_VALUE"
+		say "  expected : $LDAP_ADMIN_DN"
+		die
+	fi		
 }

 relocate_slapd_data() {
@@ -669,6 +679,8 @@ process_cmdline() {
 			apply_access_control
 		elif [ "$2" == "apparmor" ]; then
 			update_apparmor
+		elif [ "$2" == "system-packages" ]; then
+			install_system_packages
 		else
 			echo "Invalid: '$2'. Only 'server' and 'apparmor' supported"
 			exit 1
@@ -706,7 +718,7 @@ process_cmdline() {
 		if [ "$s" == "all" ]; then
 			echo ""
 			echo '--------------------------------'
-			slapcat ${slapcat_args[@]} -s "$LDAP_BASE" | grep -Ev "^$hide_attrs:"
+			slapcat ${slapcat_args[@]} -b "$LDAP_BASE" | grep -Ev "^$hide_attrs:"
 		fi
 		if [ "$s" == "all" -o "$s" == "config" ]; then
 			echo ""
@@ -714,12 +726,12 @@ process_cmdline() {
 			cat "$MIAB_SLAPD_CONF/cn=config.ldif" | grep -Ev "^$hide_attrs:"
 			get_attribute "cn=config" "olcSuffix=${LDAP_BASE}" "dn"
 			echo ""
-			slapcat ${slapcat_args[@]} -s "$ATTR_DN" | grep -Ev "^$hide_attrs:"
+			slapcat ${slapcat_args[@]} -b "$ATTR_DN" | grep -Ev "^$hide_attrs:"
 		fi
 		if [ "$s" == "all" -o "$s" == "schema" ]; then
 			echo ""
 			echo '--------------------------------'
-			slapcat ${slapcat_args[@]} -s "cn=schema,cn=config" | grep -Ev "^$hide_attrs:"
+			slapcat ${slapcat_args[@]} -b "cn=schema,cn=config" | grep -Ev "^$hide_attrs:"
 		fi
 		if [ "$s" == "all" -o "$s" == "frontend" ]; then
 			echo ""
@@ -901,5 +913,5 @@ restart_service slapd
 cat > /etc/cron.d/mailinabox-ldap << EOF
 # Mail-in-a-Box
 # Dump database to ldif
-30 2 * * *	root	/usr/sbin/slapcat -F "$MIAB_SLAPD_CONF" -o ldif-wrap=no -s "$LDAP_BASE" | /usr/bin/xz > "$STORAGE_LDAP_ROOT/db.ldif.xz"; chmod 600 "$STORAGE_LDAP_ROOT/db.ldif.xz"
+30 2 * * *	root	/usr/sbin/slapcat -F "$MIAB_SLAPD_CONF" -o ldif-wrap=no -b "$LDAP_BASE" | /usr/bin/xz > "$STORAGE_LDAP_ROOT/db.ldif.xz"; chmod 600 "$STORAGE_LDAP_ROOT/db.ldif.xz"
 EOF
--- a/setup/mail-dovecot.sh
+++ b/setup/mail-dovecot.sh
@@ -84,9 +84,7 @@ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
 	ssl=required \
 	"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
 	"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
-	"ssl_protocols=!SSLv3" \
-	"ssl_prefer_server_ciphers = yes" \
-	"ssl_protocols=TLSv1.2" \
+	"ssl_min_protocol=TLSv1.2" \
 	"ssl_cipher_list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
 	"ssl_prefer_server_ciphers=no" \
 	"ssl_dh_parameters_length=2048"
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@@ -13,8 +13,8 @@
 # destinations according to aliases, and passses email on to
 # another service for local mail delivery.
 #
-# The first hop in local mail delivery is to Spamassassin via
-# LMTP. Spamassassin then passes mail over to Dovecot for
+# The first hop in local mail delivery is to spampd via
+# LMTP. spampd then passes mail over to Dovecot for
 # storage in the user's mailbox.
 #
 # Postfix also listens on ports 465/587 (SMTPS, SMTP+STARTLS) for
@@ -205,16 +205,17 @@ tools/editconf.py /etc/postfix/main.cf \

 # ### Incoming Mail

-# Pass any incoming mail over to a local delivery agent. Spamassassin
-# will act as the LDA agent at first. It is listening on port 10025
-# with LMTP. Spamassassin will pass the mail over to Dovecot after.
+# Pass mail to spampd, which acts as the local delivery agent (LDA),
+# which then passes the mail over to the Dovecot LMTP server after.
+# spampd runs on port 10025 by default.
 #
 # In a basic setup we would pass mail directly to Dovecot by setting
 # virtual_transport to `lmtp:unix:private/dovecot-lmtp`.
 tools/editconf.py /etc/postfix/main.cf "virtual_transport=lmtp:[127.0.0.1]:10025"
-# Because of a spampd bug, limit the number of recipients in each connection.
+# Clear the lmtp_destination_recipient_limit setting which in previous
+# versions of Mail-in-a-Box was set to 1 because of a spampd bug.
 # See https://github.com/mail-in-a-box/mailinabox/issues/1523.
-tools/editconf.py /etc/postfix/main.cf lmtp_destination_recipient_limit=1
+tools/editconf.py /etc/postfix/main.cf  -e lmtp_destination_recipient_limit=


 # Who can send mail to us? Some basic filters.
--- a/setup/management.sh
+++ b/setup/management.sh
@@ -25,7 +25,7 @@ done
 #
 # certbot installs EFF's certbot which we use to
 # provision free TLS certificates.
-apt_install duplicity python-pip virtualenv certbot rsync
+apt_install duplicity python3-pip virtualenv certbot rsync

 # b2sdk is used for backblaze backups.
 # boto is used for amazon aws backups.
--- a/setup/nextcloud.sh
+++ b/setup/nextcloud.sh
@@ -23,14 +23,14 @@ echo "Installing Nextcloud (contacts/calendar)..."
 #   we automatically install intermediate versions as needed.
 # * The hash is the SHA1 hash of the ZIP package, which you can find by just running this script and
 #   copying it from the error message when it doesn't match what is below.
-nextcloud_ver=20.0.14
-nextcloud_hash=92cac708915f51ee2afc1787fd845476fd090c81
+nextcloud_ver=23.0.0
+nextcloud_hash=0d496eb0808c292502479e93cd37fe2daf95786a

 # Nextcloud apps
 # --------------
 # * Find the most recent tag that is compatible with the Nextcloud version above by
 #   consulting the <dependencies>...<nextcloud> node at:
-#   https://github.com/nextcloud-releases/contacts/blob/maaster/appinfo/info.xml
+#   https://github.com/nextcloud-releases/contacts/blob/master/appinfo/info.xml
 #   https://github.com/nextcloud-releases/calendar/blob/master/appinfo/info.xml
 #   https://github.com/nextcloud/user_external/blob/master/appinfo/info.xml
 # * The hash is the SHA1 hash of the ZIP package, which you can find by just running this script and
@@ -155,8 +155,8 @@ fi
 # from the version currently installed, do the install/upgrade
 if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextcloud_ver ]]; then

-	# Stop php-fpm if running. If theyre not running (which happens on a previously failed install), dont bail.
-	service php7.2-fpm stop &> /dev/null || /bin/true
+	# Stop php-fpm if running. If they are not running (which happens on a previously failed install), dont bail.
+	service php8.0-fpm stop &> /dev/null || /bin/true

 	# Backup the existing ownCloud/Nextcloud.
 	# Create a backup directory to store the current installation and database to
@@ -183,42 +183,19 @@ if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextc
 		elif [[ ${CURRENT_NEXTCLOUD_VER} =~ ^1[012] ]]; then
 			echo "Upgrades from Mail-in-a-Box prior to v0.28 (dated July 30, 2018) with Nextcloud < 13.0.6 (you have ownCloud 10, 11 or 12) are not supported. Upgrade to Mail-in-a-Box version v0.30 first. Setup will continue, but skip the Nextcloud migration."
 			return 0
-		elif [[ ${CURRENT_NEXTCLOUD_VER} =~ ^13 ]]; then
-			# If we are running Nextcloud 13, upgrade to Nextcloud 14
-			InstallNextcloud 14.0.6 4e43a57340f04c2da306c8eea98e30040399ae5a 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466
-			CURRENT_NEXTCLOUD_VER="14.0.6"
-		fi
-		if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^14 ]]; then
-			# During the upgrade from Nextcloud 14 to 15, user_external may cause the upgrade to fail.
-			# We will disable it here before the upgrade and install it again after the upgrade.
-			hide_output sudo -u www-data php /usr/local/lib/owncloud/console.php app:disable user_external
-			InstallNextcloud 15.0.8 4129d8d4021c435f2e86876225fb7f15adf764a3 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437
-			CURRENT_NEXTCLOUD_VER="15.0.8"
-		fi
-		if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^15 ]]; then
-                        InstallNextcloud 16.0.6 0bb3098455ec89f5af77a652aad553ad40a88819 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437
-                        CURRENT_NEXTCLOUD_VER="16.0.6"
-        	fi
-	        if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^16 ]]; then
-                        InstallNextcloud 17.0.6 50b98d2c2f18510b9530e558ced9ab51eb4f11b0 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437
-                        CURRENT_NEXTCLOUD_VER="17.0.6"
-	        fi
-	        if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^17 ]]; then
-			# Don't exit the install if this column already exists (see #2076)
-			(echo "ALTER TABLE oc_flow_operations ADD COLUMN entity VARCHAR;" | sqlite3 $STORAGE_ROOT/owncloud/owncloud.db 2>/dev/null) || true
-                        InstallNextcloud 18.0.10 39c0021a8b8477c3f1733fddefacfa5ebf921c68 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a
-                        CURRENT_NEXTCLOUD_VER="18.0.10"
-	        fi
-	        if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^18 ]]; then
-                        InstallNextcloud 19.0.4 01e98791ba12f4860d3d4047b9803f97a1b55c60 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a
-                        CURRENT_NEXTCLOUD_VER="19.0.4"
-	        fi
+		elif [[ ${CURRENT_NEXTCLOUD_VER} =~ ^1[3456789] ]]; then
+			echo "Upgrades from Mail-in-a-Box prior to v60 with Nextcloud 19 or earlier are not supported. Upgrade to the latest Mail-in-a-Box version supported on your machine first. Setup will continue, but skip the Nextcloud migration."
+			return 0
+    elif [[ ${CURRENT_NEXTCLOUD_VER} =~ ^20 ]]; then
+      InstallNextcloud 21.0.7 f5c7079c5b56ce1e301c6a27c0d975d608bb01c9 4.0.7 8ab31d205408e4f12067d8a4daa3595d46b513e3 3.0.4 6fb1e998d307c53245faf1c37a96eb982bbee8ba 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a
+      CURRENT_NEXTCLOUD_VER="21.0.7"
+    elif [[ ${CURRENT_NEXTCLOUD_VER} =~ ^21 ]]; then
+      InstallNextcloud 22.2.2 489eaf4147ad1b59385847b7d7db293712cced88 4.0.7 8ab31d205408e4f12067d8a4daa3595d46b513e3 3.0.4 6fb1e998d307c53245faf1c37a96eb982bbee8ba 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a
+      CURRENT_NEXTCLOUD_VER="22.2.2"
+    fi
 	fi

 	InstallNextcloud $nextcloud_ver $nextcloud_hash $contacts_ver $contacts_hash $calendar_ver $calendar_hash $user_external_ver $user_external_hash
-
-	# Nextcloud 20 needs to have some optional columns added
-	sudo -u www-data php /usr/local/lib/owncloud/occ db:add-missing-columns
 fi

 # ### Configuring Nextcloud
@@ -309,6 +286,8 @@ php <<EOF > $CONFIG_TEMP && mv $CONFIG_TEMP $STORAGE_ROOT/owncloud/config.php;
 <?php
 include("$STORAGE_ROOT/owncloud/config.php");

+\$CONFIG['config_is_read_only'] = true; # should prevent warnings from occ tool but doesn't
+
 \$CONFIG['trusted_domains'] = array('$PRIMARY_HOSTNAME');

 \$CONFIG['memcache.local'] = '\OC\Memcache\APCu';
@@ -351,7 +330,7 @@ sudo -u www-data \

 # Set PHP FPM values to support large file uploads
 # (semicolon is the comment character in this file, hashes produce deprecation warnings)
-tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \
+tools/editconf.py /etc/php/8.0/fpm/php.ini -c ';' \
 	upload_max_filesize=16G \
 	post_max_size=16G \
 	output_buffering=16384 \
@@ -360,7 +339,7 @@ tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \
 	short_open_tag=On

 # Set Nextcloud recommended opcache settings
-tools/editconf.py /etc/php/7.2/cli/conf.d/10-opcache.ini -c ';' \
+tools/editconf.py /etc/php/8.0/cli/conf.d/10-opcache.ini -c ';' \
 	opcache.enable=1 \
 	opcache.enable_cli=1 \
 	opcache.interned_strings_buffer=8 \
@@ -370,8 +349,8 @@ tools/editconf.py /etc/php/7.2/cli/conf.d/10-opcache.ini -c ';' \
 	opcache.revalidate_freq=1

 # If apc is explicitly disabled we need to enable it
-if grep -q apc.enabled=0 /etc/php/7.2/mods-available/apcu.ini; then
-	tools/editconf.py /etc/php/7.2/mods-available/apcu.ini -c ';' \
+if grep -q apc.enabled=0 /etc/php/8.0/mods-available/apcu.ini; then
+	tools/editconf.py /etc/php/8.0/mods-available/apcu.ini -c ';' \
 		apc.enabled=1
 fi

@@ -396,4 +375,4 @@ rm -f /etc/cron.hourly/mailinabox-owncloud
 # ```

 # Enable PHP modules and restart PHP.
-restart_service php7.2-fpm
+restart_service php8.0-fpm
--- a/setup/preflight.sh
+++ b/setup/preflight.sh
@@ -7,11 +7,11 @@ if [[ $EUID -ne 0 ]]; then
 	exit 1
 fi

-# Check that we are running on Ubuntu 18.04 LTS (or 18.04.xx).
-if [ "$(lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' )" != "Ubuntu 18.04 LTS" ]; then
-	echo "Mail-in-a-Box only supports being installed on Ubuntu 18.04, sorry. You are running:"
+# Check that we are running on Ubuntu 20.04 LTS (or 20.04.xx).
+if [ "$( lsb_release --id --short )" != "Ubuntu" ] || [ "$( lsb_release --release --short )" != "22.04" ]; then
+	echo "Mail-in-a-Box only supports being installed on Ubuntu 22.04, sorry. You are running:"
 	echo
-	lsb_release -d | sed 's/.*:\s*//'
+	lsb_release --description --short
 	echo
 	echo "We can't write scripts that run on every possible setup, sorry."
 	exit 1
--- a/setup/system.sh
+++ b/setup/system.sh
@@ -97,26 +97,6 @@ fi
 # come from there and minimal Ubuntu installs may have it turned off.
 hide_output add-apt-repository -y universe

-# Install the certbot PPA.
-if [ $(. /etc/os-release; echo $VERSION_ID | awk -F. '{print $1}') -le 18 ]
-then
-    hide_output add-apt-repository -y ppa:certbot/certbot
-else
-    hide_output snap install core
-    hide_output snap refresh core
-    if ! snap list certbot 1>/dev/null 2>&1; then
-        # a ppa was required on ubuntu 18, but snaps are used in ubuntu 19+
-        # remove the ppa and certbot per eff's instructions
-        hide_output add-apt-repository -r -y ppa:certbot/certbot
-        hide_output apt-get remove -y certbot
-    fi
-    hide_output snap install --classic certbot
-    ln -sf /snap/bin/certbot /usr/bin/certbot
-fi
-
-# Install the duplicity PPA.
-hide_output add-apt-repository -y ppa:duplicity-team/duplicity-release-git
-
 # ### Update Packages

 # Update system packages to make sure we have the latest upstream versions
@@ -347,7 +327,7 @@ fi #NODOC
 #  	If more queries than specified are sent, bind9 returns SERVFAIL. After flushing the cache during system checks,
 #	we ran into the limit thus we are increasing it from 75 (default value) to 100.
 apt_install bind9
-tools/editconf.py /etc/default/bind9 \
+tools/editconf.py /etc/default/named \
 	"OPTIONS=\"-u bind -4\""
 if ! grep -q "listen-on " /etc/bind/named.conf.options; then
 	# Add a listen-on directive if it doesn't exist inside the options block.
--- a/setup/web.sh
+++ b/setup/web.sh
@@ -46,15 +46,15 @@ tools/editconf.py /etc/nginx/nginx.conf -s \
 	ssl_protocols="TLSv1.2 TLSv1.3;"

 # Tell PHP not to expose its version number in the X-Powered-By header.
-tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \
+tools/editconf.py /etc/php/8.0/fpm/php.ini -c ';' \
 	expose_php=Off

 # Set PHPs default charset to UTF-8, since we use it. See #367.
-tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \
+tools/editconf.py /etc/php/8.0/fpm/php.ini -c ';' \
        default_charset="UTF-8"

 # Configure the path environment for php-fpm
-tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
+tools/editconf.py /etc/php/8.0/fpm/pool.d/www.conf -c ';' \
 	env[PATH]=/usr/local/bin:/usr/bin:/bin \

 # Configure php-fpm based on the amount of memory the machine has
@@ -64,7 +64,7 @@ tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
 TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}' || /bin/true)
 if [ $TOTAL_PHYSICAL_MEM -lt 1000000 ]
 then
-        tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
+        tools/editconf.py /etc/php/8.0/fpm/pool.d/www.conf -c ';' \
                pm=ondemand \
                pm.max_children=8 \
                pm.start_servers=2 \
@@ -72,7 +72,7 @@ then
                pm.max_spare_servers=3
 elif [ $TOTAL_PHYSICAL_MEM -lt 2000000 ]
 then
-        tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
+        tools/editconf.py /etc/php/8.0/fpm/pool.d/www.conf -c ';' \
                pm=ondemand \
                pm.max_children=16 \
                pm.start_servers=4 \
@@ -80,14 +80,14 @@ then
                pm.max_spare_servers=6
 elif [ $TOTAL_PHYSICAL_MEM -lt 3000000 ]
 then
-        tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
+        tools/editconf.py /etc/php/8.0/fpm/pool.d/www.conf -c ';' \
                pm=dynamic \
                pm.max_children=60 \
                pm.start_servers=6 \
                pm.min_spare_servers=3 \
                pm.max_spare_servers=9
 else
-        tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \
+        tools/editconf.py /etc/php/8.0/fpm/pool.d/www.conf -c ';' \
                pm=dynamic \
                pm.max_children=120 \
                pm.start_servers=12 \
@@ -147,7 +147,7 @@ chown -R $STORAGE_USER $STORAGE_ROOT/www

 # Start services.
 restart_service nginx
-restart_service php7.2-fpm
+restart_service php8.0-fpm

 # Open ports.
 ufw_allow http
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -24,7 +24,7 @@ echo "Installing Roundcube (webmail)..."
 apt_install \
 	dbconfig-common \
 	php-cli php-sqlite3 php-intl php-json php-common php-curl php-ldap \
-	php-gd php-pspell tinymce libjs-jquery libjs-jquery-mousewheel libmagic1 php-mbstring
+	php-gd php-pspell libjs-jquery libjs-jquery-mousewheel libmagic1 php-mbstring

 # Install Roundcube from source if it is not already present or if it is out of date.
 # Combine the Roundcube version number with the commit hash of plugins to track
@@ -237,4 +237,4 @@ chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite

 # Enable PHP modules.
 phpenmod -v php mcrypt imap ldap
-restart_service php7.2-fpm
+restart_service php8.0-fpm
--- a/setup/zpush.sh
+++ b/setup/zpush.sh
@@ -17,7 +17,7 @@ source /etc/mailinabox.conf # load global vars

 echo "Installing Z-Push (Exchange/ActiveSync server)..."
 apt_install \
-	php-soap php-imap libawl-php ${PHP_XSL_PACKAGE:-php-xsl}
+	php-soap php-imap libawl-php php8.0-xml

 phpenmod -v php imap

@@ -102,7 +102,7 @@ EOF

 # Restart service.

-restart_service php7.2-fpm
+restart_service php8.0-fpm

 # Fix states after upgrade