diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9338b052..aef6cf95 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,35 @@
 CHANGELOG
 =========
 
+In Development
+--------------
+
+Mail:
+
+* "SMTPUTF8" is now disabled in Postfix. Because Dovecot still does not support SMTPUTF8, incoming mail to internationalized addresses was bouncing. This fixes incoming mail to internationalized domains (which was probably working prior to v0.40), but it will prevent sending outbound mail to addresses with internationalized local-parts.
+* Upgraded to Roundcube 1.5 Release Candidate.
+
+Firewall:
+
+* Fail2ban's IPv6 support is enabled.
+
+Control panel:
+
+* The control panel menus are now hidden before login, but now non-admins can log in to access the mail and contacts/calendar instruction pages.
+* The login form now disables browser autocomplete in the two-factor authentication code field.
+* After logging in, the default page is now a fast-loading welcome page rather than the slow-loading system status checks page.
+* The backup retention period option now displays for B2 backup targets.
+* The DNSSEC DS record recommendations are cleaned up and now recommend changing records that use SHA1.
+* The Munin monitoring pages no longer require a separate HTTP basic authentication login and can be used if two-factor authentication is turned on.
+* Control panel logins are now tied to a session backend that allows true logouts (rather than an encrypted cookie).
+* Failed logins no longer directly reveal whether the email address corresponds to a user account.
+* Browser dark mode now inverts the color scheme.
+
+Other:
+
+* The mail log tool now doesn't crash if there are email addresess in log messages with invalid UTF-8 characters.
+* Additional nsd.conf files can be placed in /etc/nsd.conf.d.
+
 v0.54 (June 20, 2021)
 ---------------------
 
diff --git a/conf/postfix.schema b/conf/postfix.schema
deleted file mode 100644
index e0a5df43..00000000
--- a/conf/postfix.schema
+++ /dev/null
@@ -1,60 +0,0 @@
-# LDAP Admin Extensions for Postfix MTA support
-
-attributetype ( 1.3.6.1.4.1.15347.2.102 
-	NAME 'transport' 
-	SUP name)
-
-attributetype ( 1.3.6.1.4.1.15347.2.101 
-	NAME 'mailRoutingAddress' 
-	SUP mail )
-
-attributetype ( 1.3.6.1.4.1.15347.2.110 NAME 'maildest'
-	DESC 'Restricted to send only to local network'
-	EQUALITY caseIgnoreMatch
-	SUBSTR caseIgnoreSubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
-
-attributetype ( 1.3.6.1.4.1.15347.2.111 NAME 'mailaccess'
-	DESC 'Can be mailed to restricted groups'
-	EQUALITY caseIgnoreMatch
-	SUBSTR caseIgnoreSubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
-
-attributetype ( 1.3.6.1.4.1.15347.2.100
-	NAME ( 'maildrop' )
-	DESC 'RFC1274: RFC822 Mailbox'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-
-attributetype ( 1.3.6.1.4.1.10018.1.1.1 NAME 'mailbox'
-	DESC 'The absolute path to the mailbox for a mail account in a non-default location'
-	EQUALITY caseExactIA5Match
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
-objectclass ( 1.3.6.1.4.1.15347.2.1
-	NAME 'mailUser'
-    	DESC 'E-Mail User'
-	SUP top
-	AUXILIARY
-	MUST ( uid $ mail $ maildrop )
-	MAY ( cn $ mailbox $ maildest $ mailaccess )
-	)
-
-objectclass ( 1.3.6.1.4.1.15347.2.2
-	NAME 'mailGroup'
-    	DESC 'E-Mail Group'
-	SUP top
-	STRUCTURAL
-	MUST ( cn $ mail )
-	MAY ( mailRoutingAddress $ member $ description )
-	)
-
-objectclass ( 1.3.6.1.4.1.15347.2.3
-	NAME 'transportTable'
-    	DESC 'MTA Transport Table'
-	SUP top
-	STRUCTURAL
-	MUST ( cn $ transport )
-	)
-
diff --git a/conf/mfa-totp.schema b/conf/schema/mfa-totp.schema
similarity index 89%
rename from conf/mfa-totp.schema
rename to conf/schema/mfa-totp.schema
index 89f65dca..bf8ca35b 100644
--- a/conf/mfa-totp.schema
+++ b/conf/schema/mfa-totp.schema
@@ -1,11 +1,6 @@
 #
 # MiaB-LDAP's directory schema for time-based one time passwords (TOTP)
 #
-# MiaB LDAP UUID(v4): 7392cdda-5ec8-431f-9936-0000273c0167
-#                 or: 1939000794.24264.17183.39222.658243943
-#
-
-objectIdentifier MiabLDAProot 2.25.1939000794.24264.17183.39222.658243943
 
 objectIdentifier MiabLDAPmfa MiabLDAProot:1
 objectIdentifier MiabLDAPmfaAttributeType MiabLDAPmfa:2
diff --git a/conf/schema/namedProperties.schema b/conf/schema/namedProperties.schema
new file mode 100644
index 00000000..9f146e32
--- /dev/null
+++ b/conf/schema/namedProperties.schema
@@ -0,0 +1,23 @@
+#
+# Auxiliary objectclass to add named properties to an entry
+#
+
+objectIdentifier MiabLDAPadmin MiabLDAProot:3
+objectIdentifier MiabLDAPadminAttributeType MiabLDAPadmin:1
+objectIdentifier MiabLDAPadminObjectClass MiabLDAPadmin:2
+
+attributetype ( MiabLDAPadminAttributeType:1
+	DESC 'Named property'
+	NAME 'namedProperty'
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+	)
+
+objectClass ( MiabLDAPadminObjectClass:1
+	NAME 'namedProperties'
+	DESC 'Entry contains named properties'
+	SUP top
+	AUXILIARY
+	MAY ( namedProperty )
+	)
diff --git a/conf/schema/postfix.schema b/conf/schema/postfix.schema
new file mode 100644
index 00000000..0f4c99f8
--- /dev/null
+++ b/conf/schema/postfix.schema
@@ -0,0 +1,77 @@
+# LDAP Admin Extensions for Postfix MTA support
+#
+# MiaB LDAP UUID(v4): 7392cdda-5ec8-431f-9936-0000273c0167
+#                 or: 1939000794.24264.17183.39222.658243943
+#
+
+objectIdentifier MiabLDAProot 2.25.1939000794.24264.17183.39222.658243943
+objectIdentifier MiabLDAPmail MiabLDAProot:2
+objectIdentifier MiabLDAPmailAttributeType MiabLDAPmail:1
+objectIdentifier MiabLDAPmailObjectClass MiabLDAPmail:2
+
+attributetype ( 1.3.6.1.4.1.15347.2.102 
+	NAME 'transport' 
+	SUP name)
+
+attributetype ( 1.3.6.1.4.1.15347.2.101 
+	NAME 'mailRoutingAddress' 
+	SUP mail )
+
+attributetype ( 1.3.6.1.4.1.15347.2.110 NAME 'maildest'
+	DESC 'Restricted to send only to local network'
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+
+attributetype ( 1.3.6.1.4.1.15347.2.111 NAME 'mailaccess'
+	DESC 'Can be mailed to restricted groups'
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+
+attributetype ( 1.3.6.1.4.1.15347.2.100
+	NAME ( 'maildrop' )
+	DESC 'RFC1274: RFC822 Mailbox'
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributetype ( 1.3.6.1.4.1.10018.1.1.1 NAME 'mailbox'
+	DESC 'The absolute path to the mailbox for a mail account in a non-default location'
+	EQUALITY caseExactMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+
+# create a mailMember for utf8 email addresses in mailGroups
+attributetype ( MiabLDAPmailAttributeType:1 NAME 'mailMember' DESC 'RFC6532 utf8 email address of group member(s)' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+# create a utf8 version of core 'domainComponent'
+attributetype ( MiabLDAPmailAttributeType:2 NAME 'dcIntl' DESC 'UTF8 domain component' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+
+objectclass ( 1.3.6.1.4.1.15347.2.1
+	NAME 'mailUser'
+	DESC 'E-Mail User'
+	SUP top
+	AUXILIARY
+	MUST ( uid $ mail $ maildrop )
+	MAY ( cn $ mailbox $ maildest $ mailaccess )
+	)
+
+objectclass ( 1.3.6.1.4.1.15347.2.2
+	NAME 'mailGroup'
+	DESC 'E-Mail Group'
+	SUP top
+	STRUCTURAL
+	MUST ( cn $ mail )
+	MAY ( mailRoutingAddress $ member $ mailMember $ description )
+	)
+
+objectclass ( 1.3.6.1.4.1.15347.2.3
+	NAME 'transportTable'
+	DESC 'MTA Transport Table'
+	SUP top
+	STRUCTURAL
+	MUST ( cn $ transport )
+	)
+
+# create an auxiliary class to attach to 'domain' objects
+objectClass ( MiabLDAPmailObjectClass:1 NAME 'mailDomain' DESC 'Domain we handle mail for' SUP top AUXILIARY MUST ( dcIntl ) )
diff --git a/management/auth.py b/management/auth.py
index 683446a0..f606a9ec 100644
--- a/management/auth.py
+++ b/management/auth.py
@@ -73,14 +73,9 @@ class AuthService:
 			return (None, ["admin"])
 
 		# If the password corresponds with a session token for the user, grant access for that user.
-		if password in self.sessions and self.sessions[password]["email"] == username and not login_only:
+		if self.get_session(username, password, "login", env) and not login_only:
 			sessionid = password
 			session = self.sessions[sessionid]
-			if session["password_token"] != self.create_user_password_state_token(username, env):
-				# This session is invalid because the user's password/MFA state changed
-				# after the session was created.
-				del self.sessions[sessionid]
-				raise ValueError("Session expired.")
 			if logout:
 				# Clear the session.
 				del self.sessions[sessionid]
@@ -144,5 +139,14 @@ class AuthService:
 		self.sessions[token] = {
 			"email": username,
 			"password_token": self.create_user_password_state_token(username, env),
+			"type": type,
 		}
 		return token
+
+	def get_session(self, user_email, session_key, session_type, env):
+		if session_key not in self.sessions: return None
+		session = self.sessions[session_key]
+		if session_type == "login" and session["email"] != user_email: return None
+		if session["type"] != session_type: return None
+		if session["password_token"] != self.create_user_password_state_token(session["email"], env): return None
+		return session
diff --git a/management/daemon.py b/management/daemon.py
index 49d4d891..7f3a5a88 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -244,7 +244,7 @@ def mail_aliases():
 	if request.args.get("format", "") == "json":
 		return json_response(get_mail_aliases_ex(env))
 	else:
-		return "".join(address+"\t"+receivers+"\t"+(senders or "")+"\n" for address, receivers, senders in get_mail_aliases(env))
+		return "".join(address+"\t"+receivers+"\t"+(senders or "")+"\n" for address, receivers, senders, auto in get_mail_aliases(env))
 
 @app.route('/mail/aliases/add', methods=['POST'])
 @authorized_personnel_only
@@ -691,16 +691,42 @@ def postgrey_whitelist_handler():
 # MUNIN
 
 @app.route('/munin/')
-@app.route('/munin/<path:filename>')
 @authorized_personnel_only
-def munin(filename=""):
-	# Checks administrative access (@authorized_personnel_only) and then just proxies
-	# the request to static files.
+def munin_start():
+	# Munin pages, static images, and dynamically generated images are served
+	# outside of the AJAX API. We'll start with a 'start' API that sets a cookie
+	# that subsequent requests will read for authorization. (We don't use cookies
+	# for the API to avoid CSRF vulnerabilities.)
+	response = make_response("OK")
+	response.set_cookie("session", auth_service.create_session_key(request.user_email, env, type='cookie'),
+	    max_age=60*30, secure=True, httponly=True, samesite="Strict") # 30 minute duration
+	return response
+
+def check_request_cookie_for_admin_access():
+	session = auth_service.get_session(None, request.cookies.get("session", ""), "cookie", env)
+	if not session: return False
+	privs = get_mail_user_privileges(session["email"], env)
+	if not isinstance(privs, list): return False
+	if "admin" not in privs: return False
+	return True
+
+def authorized_personnel_only_via_cookie(f):
+	@wraps(f)
+	def g(*args, **kwargs):
+		if not check_request_cookie_for_admin_access():
+			return Response("Unauthorized", status=403, mimetype='text/plain', headers={})
+		return f(*args, **kwargs)
+	return g
+
+@app.route('/munin/<path:filename>')
+@authorized_personnel_only_via_cookie
+def munin_static_file(filename=""):
+	# Proxy the request to static files.
 	if filename == "": filename = "index.html"
 	return send_from_directory("/var/cache/munin/www", filename)
 
 @app.route('/munin/cgi-graph/<path:filename>')
-@authorized_personnel_only
+@authorized_personnel_only_via_cookie
 def munin_cgi(filename):
 	""" Relay munin cgi dynazoom requests
 	/usr/lib/munin/cgi/munin-cgi-graph is a perl cgi script in the munin package
diff --git a/management/dns_update.py b/management/dns_update.py
index ad972f6d..80f4f528 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -604,7 +604,7 @@ def get_dns_zonefile(zone, env):
 
 def write_nsd_conf(zonefiles, additional_records, env):
 	# Write the list of zones to a configuration file.
-	nsd_conf_file = "/etc/nsd/zones.conf"
+	nsd_conf_file = "/etc/nsd/nsd.conf.d/zones.conf"
 	nsdconf = ""
 
 	# Append the zones.
diff --git a/management/mail_log.py b/management/mail_log.py
index 26c3a924..d3a2d2ef 100755
--- a/management/mail_log.py
+++ b/management/mail_log.py
@@ -114,8 +114,8 @@ def scan_mail_log(env):
 
     try:
         import mailconfig
-        users = mailconfig.get_mail_users(env, as_map=True)
-        aliases = mailconfig.get_mail_aliases(env, as_map=True)
+        users = mailconfig.get_mail_users(env, as_map=True, map_by="mail")
+        aliases = mailconfig.get_mail_aliases(env, as_map=True, map_by="mail")
         collector["known_addresses"] = (set(users.keys()) |
                                         set(aliases.keys()))
     except ImportError:
diff --git a/management/mailconfig.py b/management/mailconfig.py
index 33640ef8..2b432f6c 100755
--- a/management/mailconfig.py
+++ b/management/mailconfig.py
@@ -14,6 +14,9 @@ import subprocess, shutil, os, sqlite3, re, ldap3, uuid, hashlib
 import utils, backend
 from email_validator import validate_email as validate_email_, EmailNotValidError
 import idna
+import logging
+
+log = logging.getLogger(__name__)
 
 
 #
@@ -23,13 +26,13 @@ import idna
 #    attribute for the email address. For historical reasons, the
 #    management interface only permits lowercase email addresses.
 #
-#    In the current implementation, both attributes will have the same
-#    lowercase value, but it's not a requirement of the underlying
-#    postfix and dovecot configurations that it be this way. Postfix
-#    and dovecot use the mail attribute to find the user and maildrop
-#    is where the mail is delivered. We use maildrop in the management
-#    interface because that's the address that will always map
-#    directly to the filesystem for archived users.
+#    In the current implementation, maildrop will be lowercase and
+#    mail will as-entered. If a user's email address requires IDNA
+#    encoding, then both the idna and utf8 versions of the email
+#    address will be populated in the mail attribute.
+
+#    Postfix and dovecot use the mail attribute to find the user and
+#    maildrop is where the mail is delivered.
 #
 #    Email addresses and domain comparisons performed by the LDAP
 #    server are not case sensitive because their respective schemas
@@ -44,12 +47,14 @@ import idna
 #    lowercase, again for historical reasons.
 #
 #    All alias and permitted-sender email addresses in the database
-#    are IDNA encoded. International domains for users is not
-#    supported or permitted.
+#    are IDNA encoded. Like users, if these address contain non-ascii
+#    characters, both the IDNA encoded address and the utf8 version
+#    are stored.
 #
 #    Domains that are handled by this mail server are maintained
 #    on-the-fly as users are added and deleted. They have an
-#    objectClass of domain with attribute dc.
+#    objectClass of mailDomain with attributes dc (idna-encoded) and
+#    dcIntl (utf8 encoded).
 #
 #    LDAP "records" in this code are dictionaries containing the
 #    attributes and distinguished name of the entry.
@@ -57,8 +62,8 @@ import idna
 
 def validate_email(email, mode=None):
 	# Checks that an email address is syntactically valid. Returns True/False.
-	# Until Postfix supports SMTPUTF8, an email address may contain ASCII
-	# characters only; IDNs must be IDNA-encoded.
+	# An email address may contain ASCII characters only because Dovecot's
+	# authentication mechanism gets confused with other character encodings.
 	#
 	# When mode=="user", we're checking that this can be a user account name.
 	# Dovecot has tighter restrictions - letters, numbers, underscore, and
@@ -132,6 +137,13 @@ def is_dcv_address(email):
 			return True
 	return False
 
+def utf8_from_idna(domain_idna):
+	try:
+		return idna.decode(domain_idna.encode("ascii"))
+	except (UnicodeError, idna.IDNAError):
+		# Failed to decode IDNA, should never happen
+		return domain_idna
+
 def open_database(env):
 		return backend.connect(env)
 
@@ -147,7 +159,7 @@ def find_mail_user(env, email, attributes=None, conn=None):
 	# The ldap record for the user is returned or None if not found.
 	if not conn: conn = open_database(env)
 	id=conn.search(env.LDAP_USERS_BASE,
-		       "(&(objectClass=mailUser)(maildrop=%s))" % email,
+		       "(&(objectClass=mailUser)(mail=%s))" % email,
 		       attributes=attributes)
 	response = conn.wait(id)
 	if response.count() > 1:
@@ -156,46 +168,66 @@ def find_mail_user(env, email, attributes=None, conn=None):
 	else:
 		return response.next()
 	
-def find_mail_alias(env, email, attributes=None, conn=None):
+def find_mail_alias(env, email_idna, attributes=None, conn=None, auto=None):
 	# Find the alias with the given address and return the ldap
 	# records for it and the associated permitted senders (if one).
 	#
 	# email is the alias address. It must be IDNA encoded.
 	#
 	# attributes are a list of attributes to return, eg
-	# ["member","rfc822MailMember"]
+	# ["member","mailMember"]
 	#
 	# conn is a ldap database connection, if not specified a new one
 	# is established.
 	#
+	# if auto is True, entry must have namedProperty=auto
+	# if auto if False entry must not have namedProperty=auto
+	# if auto is None, ignore namedProperty
+	#
 	# A tuple having the two ldap records for the alias and it's
 	# permitted senders (alias, permitted_senders) is returned. If
 	# either is not found, the corresponding tuple value will be None.
 	# 
 	if not conn: conn = open_database(env)
 	# get alias
-	id=conn.search(env.LDAP_ALIASES_BASE,
-		       "(&(objectClass=mailGroup)(mail=%s))" % email,
-		       attributes=attributes)
+	q = [
+		"(objectClass=mailGroup)",
+		"(mail=%s)" % email_idna
+	]
+	if auto is False:
+		q.append("(!(namedProperty=auto))")
+	elif auto:
+		q.append("(namedProperty=auto)")
+	q = "(&" + "".join(q) + ")"
+	id=conn.search(env.LDAP_ALIASES_BASE, q, attributes=attributes)
 	response = conn.wait(id)
 	if response.count() > 1:
 		dns = [ rec['dn'] for rec in response ]
-		raise LookupError("Detected more than one alias with the same email address (%s): %s" % (email, ";".join(dns)))
+		raise LookupError("Detected more than one alias with the same email address (%s): %s" % (email_idna, ";".join(dns)))
 	alias = response.next()
 
 	# get permitted senders for alias
 	id=conn.search(env.LDAP_PERMITTED_SENDERS_BASE,
-		       "(&(objectClass=mailGroup)(mail=%s))" % email,
+		       "(&(objectClass=mailGroup)(mail=%s))" % email_idna,
 		       attributes=attributes)
 	response = conn.wait(id)
 	if response.count() > 1:
 		dns = [ rec['dn'] for rec in response ]
-		raise LookupError("Detected more than one permitted senders group with the same email address (%s): %s" % (email, ";".join(dns)))
+		raise LookupError("Detected more than one permitted senders group with the same email address (%s): %s" % (email_idna, ";".join(dns)))
 	permitted_senders = response.next()
 	return (alias, permitted_senders)
 	
 
-def get_mail_users(env, as_map=False):
+def primary_address(mail):
+	# return the first IDNA-encoded email address
+	for addr in mail:
+		if get_domain(addr, as_unicode=False).startswith("xn--"):
+			return addr
+	# or, if none, the first listed address
+	return mail[0]
+
+
+def get_mail_users(env, as_map=False, map_by="maildrop"):
 	# When `as_map` is False, this function returns a flat, sorted
 	# array of all user accounts. If True, it returns a dict where key
 	# is the user and value is a dict having, dn, maildrop and
@@ -204,16 +236,24 @@ def get_mail_users(env, as_map=False):
 	pager = c.paged_search(env.LDAP_USERS_BASE, "(objectClass=mailUser)", attributes=['maildrop','mail','cn'])
 	if as_map:
 		users = {}
+		if not isinstance(map_by, list):
+			map_by = [ map_by ]
 		for rec in pager:
-			users[rec['maildrop'][0]] = {
-				"dn":   rec['dn'],
-				"mail": rec['mail'],
-				"maildrop": rec['maildrop'][0],
-				"display_name": rec['cn'][0]
-			}
+			for map_by_key in map_by:
+				if map_by_key == 'primary_address':
+					map_key_values = [ primary_address(rec['mail']) ]
+				else:
+					map_key_values = rec[map_by_key]
+				for map_key_value in map_key_values:
+					users[map_key_value.lower()] = {
+						"dn":   rec['dn'],
+						"mail": rec['mail'],
+						"maildrop": rec['maildrop'][0],
+						"display_name": rec['cn'][0]
+					}
 		return users
 	else:
-		users = [ rec['maildrop'][0] for rec in pager ]
+		users = [ primary_address(rec['mail']).lower() for rec in pager ]
 		return utils.sort_email_addresses(users, env)
 
 	
@@ -241,10 +281,11 @@ def get_mail_users_ex(env, with_archived=False):
 	users = []
 	active_accounts = set()
 	c = open_database(env)
-	response = c.wait( c.search(env.LDAP_USERS_BASE, "(objectClass=mailUser)", attributes=['maildrop','mailaccess','cn']) )
+	response = c.wait( c.search(env.LDAP_USERS_BASE, "(objectClass=mailUser)", attributes=['mail','maildrop','mailaccess','cn']) )
 
 	for rec in response:
-		email = rec['maildrop'][0]
+		#email = rec['maildrop'][0]
+		email = rec['mail'][0]
 		privileges = rec['mailaccess']
 		display_name = rec['cn'][0]
 		active_accounts.add(email)
@@ -304,21 +345,22 @@ def get_admins(env):
 	return users
 
 
-def get_mail_aliases(env, as_map=False):
+def get_mail_aliases(env, as_map=False, map_by="primary_address"):
 	# Retrieve all mail aliases.
 	#
 	# If as_map is False, the function returns a sorted array of tuples:
 	#
-	#   (address(lowercase), forward-tos{string,csv}, permitted-senders{string,csv})
+	#   (address(lowercase), forward-tos{string,csv}, permitted-senders{string,csv}, auto:{boolean})
 	#
 	# If as-map is True, it returns a dict whose keys are
 	# address(lowercase) and whose values are:
 	#
 	#    { dn: {string},
-	#      mail: {string}
+	#      mail: {array of string}
 	#      forward_tos: {array of string},
 	#      permited_senders: {array of string},
-	#      description: {string}
+	#      description: {string},
+	#      auto: {boolean}
 	#    }
 	#
 	c = open_database(env)
@@ -326,41 +368,56 @@ def get_mail_aliases(env, as_map=False):
 	pager = c.paged_search(env.LDAP_PERMITTED_SENDERS_BASE, "(objectClass=mailGroup)", attributes=["mail", "member"])
 	
 	# make a dict of permitted senders, key=mail(lowercase) value=members
-	permitted_senders = { rec["mail"][0].lower(): rec["member"] for rec in pager }
+	permitted_senders = { }
+	for rec in pager:
+		email = primary_address(rec["mail"])
+		permitted_senders[email.lower()] = rec["member"]
 
-	# get all alias groups
-	pager = c.paged_search(env.LDAP_ALIASES_BASE, "(objectClass=mailGroup)", attributes=['mail','member','rfc822MailMember', 'description'])
+	# get all aliases
+	pager = c.paged_search(
+		env.LDAP_ALIASES_BASE,
+		"(objectClass=mailGroup)",
+		attributes=[
+			'mail','member','mailMember','description','namedProperty'
+		])
 	
 	# make a dict of aliases
-	# key=email(lowercase), value=(email, forward-tos, permitted-senders).
+	# key=email(lowercase), value=(email, forward-tos, permitted-senders, auto).
 	aliases = {}
 	for alias in pager:
-		alias_email = alias['mail'][0]
-		alias_email_lc = alias_email.lower()
-		
 		# chase down each member's email address, because a member is a dn
 		forward_tos = []
 		for fwd_to in c.chase_members(alias['member'], 'mail', env):
-			forward_tos.append(fwd_to[0])
-			
-		for fwd_to in alias['rfc822MailMember']:
+			forward_tos.append(primary_address(fwd_to))
+
+		for fwd_to in alias['mailMember']:
 			forward_tos.append(fwd_to)
-		
+				
 		# chase down permitted senders' email addresses
 		allowed_senders = []
-		if alias_email_lc in permitted_senders:
-			members = permitted_senders[alias_email_lc]
+		primary_email_lc = primary_address(alias['mail']).lower()
+		if primary_email_lc in permitted_senders:
+			members = permitted_senders[primary_email_lc]
 			for mail_list in c.chase_members(members, 'mail', env):
 				for mail in mail_list:
 					allowed_senders.append(mail)
 
-		aliases[alias_email_lc] = {
-			"dn": alias["dn"],
-			"mail": alias_email,
-			"forward_tos": forward_tos,
-			"permitted_senders": allowed_senders,
-			"description": alias["description"][0]
-		}
+		# only map the primary address when returning a list or
+		# primary_address was given as the map_by attribute
+		if not as_map or map_by=='primary_address':
+			map_key_values = [ primary_email_lc ]
+		else:
+			map_key_values = alias[map_by]
+
+		for map_key_value in map_key_values:
+			aliases[map_key_value.lower()] = {
+				"dn": alias["dn"],
+				"mail": alias['mail'], # alias_email,
+				"forward_tos": forward_tos,
+				"permitted_senders": allowed_senders,
+				"description": alias["description"][0],
+				"auto": "auto" in alias["namedProperty"]
+			}
 
 	if not as_map:
 		# put in a canonical order: sort by domain, then by email address lexicographically
@@ -369,7 +426,7 @@ def get_mail_aliases(env, as_map=False):
 			alias = aliases[address]
 			xft = ",".join(alias["forward_tos"])
 			xas = ",".join(alias["permitted_senders"])
-			list.append( (address, xft, None if xas == "" else xas) )
+			list.append( (address, xft, None if xas == "" else xas, alias["auto"]) )
 		return list
 	
 	else:
@@ -389,8 +446,8 @@ def get_mail_aliases_ex(env):
 	#         address_display: "name@domain.tld", # full Unicode
 	#         forwards_to: ["user1@domain.com", "receiver-only1@domain.com", ...],
 	#         permitted_senders: ["user1@domain.com", "sender-only1@domain.com", ...] OR null,
-	#         required: True|False,
 	#         description: ""
+	#         auto: True|False
 	#       },
 	#       ...
 	#     ]
@@ -398,20 +455,23 @@ def get_mail_aliases_ex(env):
 	#   ...
 	# ]
 
-	aliases=get_mail_aliases(env, as_map=True)
-	required_aliases = get_required_aliases(env)
+	aliases=get_mail_aliases(env, as_map=True, map_by="primary_address")
 	domains = {}
 	
-	for alias_lc in aliases:
-		alias=aliases[alias_lc]
-		address=alias_lc
+	for mail in aliases:
+		alias=aliases[mail]
+		address=primary_address(alias['mail']).lower()
 		
 		# get alias info
 		forwards_to=alias["forward_tos"]
 		permitted_senders=alias["permitted_senders"]
 		description=alias["description"]
+		auto=alias["auto"]
+		
+		# skip auto domain maps since these are not informative in the control panel's aliases list
+		if auto and address.startswith("@"): continue
+		
 		domain = get_domain(address)
-		required = (address in required_aliases)
 		
 		# add to list
 		if not domain in domains:
@@ -425,8 +485,8 @@ def get_mail_aliases_ex(env):
 			"address_display": prettify_idn_email_address(address),
 			"forwards_to": [prettify_idn_email_address(r.strip()) for r in forwards_to],
 			"permitted_senders": [prettify_idn_email_address(s.strip()) for s in permitted_senders] if permitted_senders is not None and len(permitted_senders)>0 else None,
-			"required": required,
-			"description": description
+			"description": description,
+			"auto": auto
 		})
 
 
@@ -435,7 +495,7 @@ def get_mail_aliases_ex(env):
 
 	# Sort aliases within each domain first by required-ness then lexicographically by address.
 	for domain in domains:
-		domain["aliases"].sort(key = lambda alias : (alias["required"], alias["address"]))
+		domain["aliases"].sort(key = lambda alias : (alias["auto"], alias["address"]))
 	return domains
 
 def get_domain(emailaddr, as_unicode=True):
@@ -451,8 +511,9 @@ def get_domain(emailaddr, as_unicode=True):
 			pass
 	return ret
 
-def get_mail_domains(env, as_map=False, filter_aliases=lambda alias: True, category=None, users_only=False):
-	# Retrieves all domains, IDNA-encoded, we accept mail for.
+def get_mail_domains(env, as_map=False, category=None, users_only=False):
+	# Retrieves all domains, IDNA-encoded, we accept mail for. Exclude
+	# Unicode forms of domain names that are marked as auto.
 	#
 	# If as_map is False, the function returns the lowercase domain
 	# names (IDNA-encoded) as an array.
@@ -460,117 +521,104 @@ def get_mail_domains(env, as_map=False, filter_aliases=lambda alias: True, categ
 	# If as_map is True, it returns a dict whose keys are
 	# domain(idna,lowercase) and whose values are:
 	#
-	#   { dn:{string}, domain:{string(idna)} }
+	#   {
+	#      dn:{string},
+	#      domain:{string(idna)},
+	#      domain_utf8:{string(utf8)}
+	#   }
 	#
-	# filter_aliases is an inclusion filter - a True return value from
-	# this lambda function indicates an alias to include.
-	#
-	# With filter_aliases, there has to be at least one user or
-	# filtered (included) alias in the domain for the domain to be
-	# part of the returned set. If None, all domains are returned.
-	#
-	# category is another type of filter. Set to a string value to
-	# return only those domains of that category. ie. the
-	# "businessCategory" attribute of the domain must include this
-	# category. [TODO: this doesn't really belong here, it is here to
-	# make it easy for dns_update to get ssl domains]
+	# category is type of filter. Set to a string value to return only
+	# those domains of that category. ie. the "businessCategory"
+	# attribute of the domain must include this category. [TODO: this
+	# doesn't really belong here, it is here to make it easy for
+	# dns_update to get ssl domains]
 	#
 	# If users_only is True, only return domains with email addresses
 	# that correspond to user accounts.
 	#
 	conn = open_database(env)
-	filter = "(&(objectClass=domain)(businessCategory=mail))"
+	filter = "(&(objectClass=mailDomain)(businessCategory=mail))"
 	if category:
-		filter = "(&(objectClass=domain)(businessCategory=%s))" % category
+		filter = "(&(objectClass=mailDomain)(businessCategory=%s))" % category
 
 	domains=None
 
-	# user mail domains
-	id = conn.search(env.LDAP_DOMAINS_BASE, filter, attributes="dc")
+	# get all mail domains
+	id = conn.search(env.LDAP_DOMAINS_BASE, filter,
+					 attributes=[ "dc", "dcIntl" ])
 	response = conn.wait(id)
 	if as_map:
 		domains = {}
 		for rec in response:
-			domains[ rec["dc"][0].lower() ] = {
+			key = rec["dc"][0].lower()
+			domains[ key ] = {
 				"dn": rec["dn"],
-				"domain": rec["dc"][0]
+				"domain": rec["dc"][0],
+				"domain_utf8": rec["dcIntl"][0]
 			}
-			if filter_aliases: filter_candidates.append(rec['dc'][0].lower())
 	else:
 		domains = set([ rec["dc"][0].lower() for rec in response ])
 
-
-	# alias domains
-	#
-	# Ignore aliases that have no forward-to. We don't need DNS
-	# handling in that case becuase the alias is there only for the
-	# permitted-senders. We don't accept mail locally for the alias.
-	#
-	# Aliases with only permitted-senders are useful when a server has
-	# a configured smarthost (eg. sendmail with a smarthost, or using
-	# ssmtp on Ubuntu, etc). The server drops mail off for delivery to
-	# the smarthost (MiaB) using its MiaB login but needs to MAIL FROM
-	# a host login (user@host.tld). Replies should bounce.
-	#
-	# A smarthost configuration should be a catch-all, one for each server:
-	#   Alias=@host.tld
-	#   Forward-to=<blank>
-	#   Permitted-senders:<the email that the smarthost used to authenticate with MiaB>
-	#
 	if not users_only:
-		pager = conn.paged_search(env.LDAP_ALIASES_BASE, "(objectClass=mailGroup)", attributes=["mail","member","rfc822MailMember"])
-		if as_map:
-			for rec in pager:
-				if filter_aliases(rec["mail"][0].lower()) and ( len(rec["member"]) >0 or len(rec["rfc822MailMember"]) >0 ):
-					domain = get_domain(rec["mail"][0].lower(),as_unicode=False)
-					domains[domain] = {
-						"dn": None,
-						"domain": domain
-					}
+		return domains
 
+
+	# eliminate domains that have no users
+	eliminate=[]
+	for domain_idna in domains:
+		id = conn.search(env.LDAP_USERS_BASE,
+						 "(&(objectClass=mailUser)(mail=*@%s))" % domain_idna,
+						 size_limit=1)
+		if conn.wait(id).count() == 0:
+			# no mail users are using that domain!
+			eliminate.append(domain_idna)
+	for domain_idna in eliminate:
+		if isinstance(domains, set):
+			domains.remove(domain_idna)
 		else:
-			alias_domains = set([
-				get_domain(rec["mail"][0].lower(), as_unicode=False)
-				for rec in pager if filter_aliases(rec["mail"][0].lower()) and
-				( len(rec["member"]) >0 or len(rec["rfc822MailMember"]) >0 )
-			])			
-			domains = domains.union( alias_domains )
-					
+			del domains[domain_idna]
+
 	return domains
+	
 
 
-def add_mail_domain(env, domain, validate=True):
+def add_mail_domain(env, domain_idna, validate=True):
 	# Create domain entry indicating that we are handling
 	# mail for that domain.
 	#
 	# We only care about domains for users, not for aliases.
 	#
-	# domain: IDNA encoded domain name.
-	# validate: If True, ensure there is at least one user on the
-	# system using that domain.
+	# domain: IDNA encoded domain name.  validate: If True, ensure
+	# there is at least one user or alias on the system using that
+	# domain.
 	#
 	# returns True if added, False if it already exists or fails
 	# validation.
-	
+
 	conn = open_database(env)
 	if validate:
-		# check to ensure there is at least one user with that domain
+		# check to ensure there is at least one user or alias with
+		# that domain
 		id = conn.search(env.LDAP_USERS_BASE,
-						 "(&(objectClass=mailUser)(mail=*@%s))" % domain,
+						 "(mail=*@%s)" % domain_idna,
 						 size_limit=1)
 		if conn.wait(id).count() == 0:
 			# no mail users are using that domain!
 			return False
 		
-	dn = 'dc=%s,%s' % (domain, env.LDAP_DOMAINS_BASE)
+	dn = 'dc=%s,%s' % (domain_idna, env.LDAP_DOMAINS_BASE)
+	domain_utf8 = utf8_from_idna(domain_idna)	
 	try:
-		response = conn.wait( conn.add(dn, [ 'domain' ], {
+		response = conn.wait( conn.add(dn, [ 'domain', 'mailDomain' ], {
+			"dcIntl": domain_utf8,
 			"businessCategory": "mail"
 		}) )
+		log.debug("add_mail_domain: %s: success", domain_idna)
 		return True
 	except ldap3.core.exceptions.LDAPEntryAlreadyExistsResult:
 		try:
 			# add 'mail' as a businessCategory
+			log.debug("add_mail_domain: %s: already exists", domain_idna)
 			changes = {	"businessCategory": [(ldap3.MODIFY_ADD, ['mail'])] }
 			response = conn.wait ( conn.modify(dn, changes) )
 		except ldap3.core.exceptions.LDAPAttributeOrValueExistsResult:
@@ -578,32 +626,34 @@ def add_mail_domain(env, domain, validate=True):
 		return False
 
 	
-def remove_mail_domain(env, domain, validate=True):
+def remove_mail_domain(env, domain_idna, validate=True):
 	# Remove the specified domain from the list of domains that we
 	# handle mail for. The domain must be IDNA encoded.
 	#
-	# If validate is True, ensure there are no valid users on the system
-	# currently using the domain.
+	# If validate is True, ensure there are no valid users or aliases
+	# on the system currently using the domain.
 	#
 	# Returns True if removed or does not exist, False if the domain
 	# fails validation.
 	conn = open_database(env)
 	if validate:
-		# check to ensure no users are using the domain
+		# check to ensure no users or non-auto aliases are using the domain
 		id = conn.search(env.LDAP_USERS_BASE,
-						 "(&(objectClass=mailUser)(mail=*@%s))" % domain,
+						 "(|(&(objectClass=mailUser)(mail=*@%s))(&(objectClass=mailGroup)(mail=*@%s)(!(namedProperty=auto))))" % (domain_idna, domain_idna),
 						 size_limit=1)
 		if conn.wait(id).count() > 0:
-			# there is one or more mailUser's with that domain
+			# there is one or more user or alias with that domain
+			log.debug("remove_mail_domain: %s: has users and/or aliases", domain_idna)
 			return False
 		
 	id = conn.search(env.LDAP_DOMAINS_BASE,
-					 "(&(objectClass=domain)(dc=%s))" % domain,
+					 "(&(objectClass=domain)(dc=%s))" % domain_idna,
 					 attributes=['businessCategory'])
 	
 	existing = conn.wait(id).next()
 	if existing is None:
 		# the domain doesn't exist!
+		log.debug("remove_mail_domain: %s: doesn't exist", domain_idna)
 		return True
 
 	newvals=existing['businessCategory'].copy()
@@ -615,6 +665,7 @@ def remove_mail_domain(env, domain, validate=True):
 
 	if len(newvals)==0:
 		conn.wait ( conn.delete(existing['dn']) )
+		log.debug("remove_mail_domain: %s: deleted", domain_idna)
 	else:
 		conn.wait ( conn.modify_record(existing, {'businessCategory', newvals}))
 	return True
@@ -623,7 +674,7 @@ def remove_mail_domain(env, domain, validate=True):
 def add_mail_user(email, pw, privs, display_name, env):
 	# Add a new mail user.
 	#
-	# email: the new user's email address
+	# email: the new user's email address (idna)
 	# pw: the new user's password
 	# privs: either an array of privilege strings, or a newline
 	# separated string of privilege names
@@ -679,16 +730,20 @@ def add_mail_user(email, pw, privs, display_name, env):
 	uid = m.hexdigest()
 
 	# choose a common name and surname (required attributes)
+	email_name = email.split("@")[0]
 	if display_name:
 		cn = display_name
 	else:
-		cn = email.split("@")[0].replace('.',' ').replace('_',' ')
+		cn = email_name.replace('.',' ').replace('_',' ')
 	sn = cn[cn.find(' ')+1:]
+
+	# get the utf8 version if an idna domain was given
+	email_utf8 = email_name + "@" + get_domain(email, as_unicode=True)
 	
 	# compile user's attributes
 	# for historical reasons, make the email address lowercase
 	attrs = {
-		"mail" : email,
+		"mail" : email if email==email_utf8 else [ email, email_utf8 ],
 		"maildrop" : email.lower(),
 		"uid" : uid,
 		"mailaccess": privs,
@@ -699,20 +754,36 @@ def add_mail_user(email, pw, privs, display_name, env):
 
 	# add the user to the database
 	dn = 'uid=%s,%s' % (uid, env.LDAP_USERS_BASE)
-	id=conn.add(dn, [ 'inetOrgPerson','mailUser','shadowAccount' ], attrs);
+	id=conn.add(dn, [
+		'inetOrgPerson','mailUser','shadowAccount'
+	], attrs);
 	conn.wait(id)
 
 	# set the password - the ldap server will hash it
 	conn.extend.standard.modify_password(user=dn, new_password=pw)
-
+	
 	# tell postfix the domain is local, if needed
-	add_mail_domain(env, get_domain(email, as_unicode=False), validate=False)
+	return_status = "mail user added"
+	domain_idna = get_domain(email, as_unicode=False)
+	domain_added = add_mail_domain(env, domain_idna, validate=False)
 
-	# convert alias's rfc822MailMember to member
-	convert_rfc822MailMember(env, conn, dn, email)
+	if domain_added:
+		results = add_required_aliases(env,	conn, domain_idna)
+		for result in results:
+			if isinstance(result, tuple):
+				# error occurred
+				return result
+			elif result != '':
+				return_status += "\n" + result
+	
+	# convert alias's mailMember to member
+	convert_mailMember(env, conn, dn, email)
 	
 	# Update things in case any new domains are added.
-	return kick(env, "mail user added")
+	if domain_added:
+		return kick(env, return_status)
+	else:
+		return return_status
 
 def set_mail_password(email, pw, env):
 	# validate that the password is acceptable
@@ -782,7 +853,7 @@ def get_mail_password(email, env):
 	return user['userPassword']
 
 
-def remove_mail_user(email, env):
+def remove_mail_user(email_idna, env):
 	# Remove the user as a valid user of the system.
 	# If an error occurs, the function returns a tuple of (message,
 	# http-status).
@@ -791,18 +862,32 @@ def remove_mail_user(email, env):
 	conn = open_database(env)
 	
 	# find the user
-	user = find_mail_user(env, email, conn=conn)
+	user = find_mail_user(env, email_idna, conn=conn)
 	if user is None:
-		return ("That's not a user (%s)." % email, 400)
+		return ("That's not a user (%s)." % email_idna, 400)
 	
 	# delete the user
 	conn.wait( conn.delete(user['dn']) )
 
 	# remove as a handled domain, if needed
-	remove_mail_domain(env, get_domain(email, as_unicode=False))
+	domain_idna = get_domain(email_idna, as_unicode=False)
+	domain_removed = remove_mail_domain(env, domain_idna)
+	return_status = "mail user removed"
+
+	if domain_removed:
+		results = remove_required_aliases(env, conn, domain_idna)
+		for result in results:
+			if isinstance(result, tuple):
+				# error occurred
+				return result
+			elif result != '':
+				return_status += "\n" + result
 
 	# Update things in case any domains are removed.
-	return kick(env, "mail user removed")
+	if domain_removed:
+		return kick(env, return_status)
+	else:
+		return return_status
 
 def parse_privs(value):
 	return [p for p in value.split("\n") if p.strip() != ""]
@@ -872,20 +957,66 @@ def add_remove_mail_user_privilege(email, priv, action, env):
 
 
 
-def convert_rfc822MailMember(env, conn, dn, mail):
-	# if a newly added alias or user exists as an rfc822MailMember,
+required_alias_names = ['postmaster', 'admin', 'abuse']
+
+def add_required_aliases(env, conn, domain_idna):
+	# returns a list of results for each alias, each entry being
+	# either a string (indicating success, eg: "alias added") or a
+	# tuple (indicating error, eg: (error, 400))
+	#
+	domain_utf8 = utf8_from_idna(domain_idna)
+	administrator = get_system_administrator(env)
+	results = []
+	for name in required_alias_names + ["hostmaster@"+env['PRIMARY_HOSTNAME']]:
+		email_utf8 = name if "@" in name else name + "@" + domain_utf8
+		results.append( add_mail_alias(
+			email_utf8,
+			"Required alias",
+			administrator,
+			"",
+			env,
+			auto=True,
+			update_if_exists="ignore",
+			do_kick=False,
+			verbose_result=True
+		))
+		log.debug("add_required_alias: %s: %r", email_utf8, results[-1])
+		
+	return results
+
+def remove_required_aliases(env, conn, domain_idna):
+	domain_utf8 = utf8_from_idna(domain_idna)
+	results = []
+	for name in required_alias_names:
+		email_utf8 = name + "@" + domain_utf8
+		results.append( remove_mail_alias(
+			email_utf8,
+			env,
+			do_kick=False,
+			auto=True,
+			verbose_result=True,
+			ignore_if_not_exists=True
+		))
+		log.debug("remove_required_alias: %s: %r", email_utf8, results[-1])
+		
+	return results
+
+
+
+def convert_mailMember(env, conn, dn, mail):
+	# if a newly added alias or user exists as an mMailMember,
 	# convert it to a member dn
 	# the new alias or user is specified by arguments mail and dn.
 	# mail is the new alias or user's email address
 	# dn is the new alias or user's distinguished name
 	# conn is an existing ldap database connection
 	id=conn.search(env.LDAP_ALIASES_BASE,
-				   "(&(objectClass=mailGroup)(rfc822MailMember=%s))" % mail,
-				   attributes=[ 'member','rfc822MailMember' ])
+				   "(&(objectClass=mailGroup)(mailMember=%s))" % mail,
+				   attributes=[ 'member','mailMember' ])
 	response = conn.wait(id)
 	for rec in response:
-		# remove mail from rfc822MailMember
-		changes={ "rfc822MailMember": [(ldap3.MODIFY_DELETE, [mail])] }
+		# remove mail from mailMember
+		changes={ "mailMember": [(ldap3.MODIFY_DELETE, [mail])] }
 		conn.wait( conn.modify(rec['dn'], changes) )
 
 		# add dn to member
@@ -897,25 +1028,26 @@ def convert_rfc822MailMember(env, conn, dn, mail):
 			pass
 
 		
-def add_mail_alias(address, description, forwards_to, permitted_senders, env, update_if_exists=False, do_kick=True):
+def add_mail_alias(address_utf8, description, forwards_to, permitted_senders, env, auto=False, update_if_exists=False, do_kick=True, verbose_result=False):
 	# Add a new alias group with permitted senders.
 	#
-	# address: the email address of the alias
+	# address: the email address of the alias (utf-8)
 	# description: a text description of the alias
 	# forwards_to: a string of newline and comma separated email address
 	# where mail is delivered
 	# permitted_senders: a string of newline and comma separated email addresses of local users that are permitted to MAIL FROM the alias.
-	# update_if_exists: if False and the alias exists fail, otherwise update the existing alias with the new values
+	# update_if_exists: if False and the alias exists fail, otherwise update the existing alias with the new values. If "ignore" and the alias exists, return empty string.
+	# verbose_result: if True the returned string will include the address
 	#
 	# If an error occurs, the function returns a tuple of (message,
 	# http-status).
 	#
-	# If successful, the string "OK" is returned.
+	# If successful, a string status is returned.
 
 	# convert Unicode domain to IDNA
-	address = sanitize_idn_email_address(address)
+	address = sanitize_idn_email_address(address_utf8)
 
-	# for historical reasons, force the address to lowercase
+	# for historical reasons, force the IDNA address to lowercase
 	address = address.lower()
 
 	# validate address
@@ -925,10 +1057,15 @@ def add_mail_alias(address, description, forwards_to, permitted_senders, env, up
 	if not validate_email(address, mode='alias'):
 		return ("Invalid email address (%s)." % address, 400)
 
-	# retrieve all logins as a map ( email.lower() => {mail,dn} )
-	valid_logins = get_mail_users( env, as_map=True )
-	
-	# validate forwards_to
+	# retrieve all logins as a map, keyed by lowercase email
+	#     mail.lower() => {mail,maildrop,dn}
+	valid_logins = get_mail_users(env, as_map=True, map_by="mail")
+
+	# retrieve all aliases as a map, keyed by lowercase email
+	#     mail.lower() => {mail,maildrop,dn}
+	valid_aliases = get_mail_aliases(env, as_map=True, map_by="mail")
+
+	# validate forwards_to. array of { email_idna:string, email_utf8:string }
 	validated_forwards_to = [ ]
 	forwards_to = forwards_to.strip()
 
@@ -942,26 +1079,32 @@ def add_mail_alias(address, description, forwards_to, permitted_senders, env, up
 	# DCV source addresses.
 	r1 = sanitize_idn_email_address(forwards_to)
 	if validate_email(r1, mode='alias') and not is_dcv_source:
-		validated_forwards_to.append(r1)
+		validated_forwards_to.append({
+			"email_idna": r1,
+			"email_utf8": forwards_to
+		})
 
 	else:
 		# Parse comma and \n-separated destination emails & validate. In this
 		# case, the forwards_to must be complete email addresses.
 		for line in forwards_to.split("\n"):
-			for email in line.split(","):
-				email = email.strip()
-				if email == "": continue
-				email = sanitize_idn_email_address(email) # Unicode => IDNA
+			for email_utf8 in line.split(","):
+				email_utf8 = email_utf8.strip()
+				if email_utf8 == "": continue
+				email_idna = sanitize_idn_email_address(email_utf8) # Unicode => IDNA
 				# Strip any +tag from email alias and check privileges
-				privileged_email = re.sub(r"(?=\+)[^@]*(?=@)",'',email)
-				if not validate_email(email):
-					return ("Invalid receiver email address (%s)." % email, 400)
-				if is_dcv_source and not is_dcv_address(email) and "admin" not in get_mail_user_privileges(privileged_email, env, empty_on_error=True):
+				privileged_email = re.sub(r"(?=\+)[^@]*(?=@)",'',email_idna)
+				if not validate_email(email_idna):
+					return ("Invalid receiver email address (%s)." % email_utf8, 400)
+				if is_dcv_source and not is_dcv_address(email_idna) and "admin" not in get_mail_user_privileges(privileged_email, env, empty_on_error=True):
 					# Make domain control validation hijacking a little harder to mess up by
 					# requiring aliases for email addresses typically used in DCV to forward
 					# only to accounts that are administrators on this system.
 					return ("This alias can only have administrators of this system as destinations because the address is frequently used for domain control validation.", 400)
-				validated_forwards_to.append(email)
+				validated_forwards_to.append({
+					"email_idna": email_idna,
+					"email_utf8": email_utf8
+				})
 
 	# validate permitted_senders
 	validated_permitted_senders = [ ]  # list of dns
@@ -987,21 +1130,34 @@ def add_mail_alias(address, description, forwards_to, permitted_senders, env, up
 	# exist on this system
 
 	vfwd_tos_local = []   # list of dn's
-	vfwd_tos_remote = []  # list of email
+	vfwd_tos_remote = []  # list of "email_idna":string
 	for fwd_to in validated_forwards_to:
-		fwd_to_lc = fwd_to.lower()
-		if fwd_to_lc in valid_logins:
-			dn = valid_logins[fwd_to_lc]['dn']
+		fwd_to_idna_lc = fwd_to["email_idna"].lower()
+		if fwd_to_idna_lc in valid_logins:
+			dn = valid_logins[fwd_to_idna_lc]['dn']
+			vfwd_tos_local.append(dn)
+		elif fwd_to_idna_lc in valid_aliases:
+			dn = valid_aliases[fwd_to_idna_lc]['dn']
 			vfwd_tos_local.append(dn)
 		else:
-			vfwd_tos_remote.append(fwd_to)
+			vfwd_tos_remote.append(fwd_to["email_idna"])
 			
 	# save to db
 
 	conn = open_database(env)
-	existing_alias, existing_permitted_senders = find_mail_alias(env, address, ['member','rfc822MailMember', 'description'], conn)
+	attributes = [
+		'mail', 'description', 'member', 'mailMember', 'namedProperty'
+	]
+	existing_alias, existing_permitted_senders = find_mail_alias(
+		env,
+		address,
+		attributes,
+		conn
+	)
 	if existing_alias and not update_if_exists:
 		return ("Alias already exists (%s)." % address, 400)
+	if existing_alias and update_if_exists == 'ignore':
+		return ""
 	
 	cn="%s" % uuid.uuid4()
 	dn="cn=%s,%s" % (cn, env.LDAP_ALIASES_BASE)
@@ -1024,21 +1180,28 @@ def add_mail_alias(address, description, forwards_to, permitted_senders, env, up
 			description=" "
 	
 	attrs = {
-		"mail": address,
+		"mail": address if address == address_utf8.lower() else [ address, address_utf8 ],
 		"description": description,
 		"member": vfwd_tos_local,
-		"rfc822MailMember": vfwd_tos_remote
+		"mailMember": vfwd_tos_remote,
+		"namedProperty": ['auto'] if auto else []
 	}
+
+	op = conn.add_or_modify(
+		dn,
+		existing_alias,
+		attributes,
+		[ 'mailGroup', 'namedProperties' ],
+		attrs)
 	
-	op = conn.add_or_modify(dn, existing_alias,
-			['member', 'rfc822MailMember', 'description' ],
-			['mailGroup'],
-			attrs)
 	if op == 'modify':
 		return_status = "alias updated"
 	else:
 		return_status = "alias added"
-		convert_rfc822MailMember(env, conn, dn, address)
+		convert_mailMember(env, conn, dn, address)
+
+	if verbose_result:
+		return_status += ": " + address_utf8
 		
 	# add or modify permitted-senders group
 	
@@ -1054,80 +1217,134 @@ def add_mail_alias(address, description, forwards_to, permitted_senders, env, up
 			dn = existing_permitted_senders['dn']
 			conn.wait( conn.delete(dn) )
 	else:
-		op=conn.add_or_modify(dn, existing_permitted_senders,
-							  [ 'member' ], [ 'mailGroup' ],
-							  attrs)
+		conn.add_or_modify(dn, existing_permitted_senders,
+						   [ 'member' ], [ 'mailGroup' ],
+						   attrs)
 
-	if do_kick:
+	# tell postfix the domain is local, if needed
+	domain_idna = get_domain(address, as_unicode=False)
+
+	# but, don't add mail domain when there are no forward to's and
+	# remove the domain if there are no forward to's (modify)
+	count_vfwd = len(vfwd_tos_local) + len(vfwd_tos_remote)
+	domain_added = False
+	if op == 'modify' and count_vfwd == 0:
+		remove_mail_domain(env, domain_idna, validate=False)
+	elif count_vfwd > 0:
+		domain_added = add_mail_domain(env,	domain_idna, validate=False)
+	
+	if domain_added:
+		results = add_required_aliases(env,	conn, domain_idna)
+		for result in results:
+			if isinstance(result, tuple):
+				# error occurred
+				return result
+			elif result != '':
+				return_status += "\n" + result
+	
+	if do_kick and domain_added:
 		# Update things in case any new domains are added.
 		return kick(env, return_status)
+	else:
+		return return_status
 	
 
-def remove_mail_alias(address, env, do_kick=True):
+def remove_mail_alias(address_utf8, env, do_kick=True, auto=None, ignore_if_not_exists=False, verbose_result=False):
 	# Remove an alias group and it's associated permitted senders
 	# group.
 	#
 	# address is the email address of the alias
 	#
+	# if auto is None - remove the entry regardless of status
+	#            True - remove only if marked as auto
+	#            False - remove only if not auto
+	#
 	# If an error occurs, the function returns a tuple of (message,
 	# http-status).
 	#
 	# If successful, the string "OK" is returned.
 	
 	# convert Unicode domain to IDNA
-	address = sanitize_idn_email_address(address)
+	address = sanitize_idn_email_address(address_utf8)
 
 	# remove
 	conn = open_database(env)
-	existing_alias, existing_permitted_senders = find_mail_alias(env, address, conn=conn)
+	existing_alias, existing_permitted_senders = find_mail_alias(env, address, conn=conn, auto=auto)
 	if existing_alias:
 		conn.delete(existing_alias['dn'])
+	elif ignore_if_not_exists:
+		return ""
 	else:
 		return ("That's not an alias (%s)." % address, 400)
 
 	if existing_permitted_senders:
 		conn.delete(existing_permitted_senders['dn'])
-		
-	if do_kick:
+
+	# remove as a handled domain, if needed
+	domain_idna = get_domain(address, as_unicode=False)
+	domain_removed = remove_mail_domain(env, domain_idna)
+	return_status = "alias removed"
+	if verbose_result:
+		return_status += ": " + address_utf8
+
+	if domain_removed:
+		results = remove_required_aliases(env, conn, domain_idna)
+		for result in results:
+			if isinstance(result, tuple):
+				# error occurred
+				return result
+			elif result != '':
+				return_status += "\n" + result
+
+	if do_kick and domain_removed:
 		# Update things in case any domains are removed.
-		return kick(env, "alias removed")
+		return kick(env, return_status)
+	else:
+		return return_status
+
+def add_auto_aliases(aliases, env):
+	conn, c = open_database(env, with_connection=True)
+	c.execute("DELETE FROM auto_aliases");
+	for source, destination in aliases.items():
+		c.execute("INSERT INTO auto_aliases (source, destination) VALUES (?, ?)", (source, destination))
+	conn.commit()
 
 def get_system_administrator(env):
 	return "administrator@" + env['PRIMARY_HOSTNAME']
 
-def get_required_aliases(env):
-	# These are the aliases that must exist.
-	# Returns a set of email addresses.
+# def get_required_aliases(env):
+# 	# These are the aliases that must exist.
+# 	# Returns a set of email addresses.
 	
-	aliases = set()
+# 	aliases = set()
 
-	# The system administrator alias is required.
-	aliases.add(get_system_administrator(env))
+# 	# The system administrator alias is required.
+# 	aliases.add(get_system_administrator(env))
 
-	# The hostmaster alias is exposed in the DNS SOA for each zone.
-	aliases.add("hostmaster@" + env['PRIMARY_HOSTNAME'])
+# 	# The hostmaster alias is exposed in the DNS SOA for each zone.
+# 	aliases.add("hostmaster@" + env['PRIMARY_HOSTNAME'])
 
-	# Get a list of domains we serve mail for, except ones for which the only
-	# email on that domain are the required aliases or a catch-all/domain-forwarder.
-	real_mail_domains = get_mail_domains(env,
-		filter_aliases = lambda alias :
-			not alias.startswith("postmaster@")
-			and not alias.startswith("admin@")
-			and not alias.startswith("abuse@")
-			and not alias.startswith("@")
-			)
+# 	# Get a list of domains we serve mail for, except ones for which the only
+# 	# email on that domain are the required aliases or a catch-all/domain-forwarder.
+# 	real_mail_domains = get_mail_domains(env,
+# 		filter_aliases = lambda alias :
+# 			not alias.startswith("postmaster@")
+# 			and not alias.startswith("admin@")
+# 			and not alias.startswith("abuse@")
+# 			and not alias.startswith("@")
+# 			)
 
-	# Create postmaster@, admin@ and abuse@ for all domains we serve
-	# mail on. postmaster@ is assumed to exist by our Postfix configuration.
-	# admin@isn't anything, but it might save the user some trouble e.g. when
-	# buying an SSL certificate.
-	# abuse@ is part of RFC2142: https://www.ietf.org/rfc/rfc2142.txt
-	for domain in real_mail_domains:
-		aliases.add("postmaster@" + domain)
-		aliases.add("admin@" + domain)
-		aliases.add("abuse@" + domain)
+# 	# Create postmaster@, admin@ and abuse@ for all domains we serve
+# 	# mail on. postmaster@ is assumed to exist by our Postfix configuration.
+# 	# admin@isn't anything, but it might save the user some trouble e.g. when
+# 	# buying an SSL certificate.
+# 	# abuse@ is part of RFC2142: https://www.ietf.org/rfc/rfc2142.txt
+# 	for domain in real_mail_domains:
+# 		aliases.add("postmaster@" + domain)
+# 		aliases.add("admin@" + domain)
+# 		aliases.add("abuse@" + domain)
 
-	return aliases
+# 	return aliases
 
 def kick(env, mail_result=None):
 	results = []
@@ -1137,42 +1354,6 @@ def kick(env, mail_result=None):
 	if mail_result is not None:
 		results.append(mail_result + "\n")
 
-	# Ensure every required alias exists.
-
-	existing_users = get_mail_users(env, as_map=True)
-	existing_aliases = get_mail_aliases(env, as_map=True)
-	required_aliases = get_required_aliases(env)
-
-	def ensure_admin_alias_exists(address):
-		# If a user account exists with that address, we're good.
-		if address in existing_users:
-			return
-
-		# If the alias already exists, we're good.
-		if address in existing_aliases:
-			return
-
-		# Doesn't exist.
-		administrator = get_system_administrator(env)
-		if address == administrator: return # don't make an alias from the administrator to itself --- this alias must be created manually
-		add_mail_alias(address, "Required alias", administrator, "", env, do_kick=False)
-		if administrator not in existing_aliases: return # don't report the alias in output if the administrator alias isn't in yet -- this is a hack to supress confusing output on initial setup
-		results.append("added alias %s (=> %s)\n" % (address, administrator))
-
-	for address in required_aliases:
-		ensure_admin_alias_exists(address)
-
-	# Remove auto-generated postmaster/admin on domains we no
-	# longer have any other email addresses for.
-	for address in existing_aliases:
-		user, domain = address.split("@")
-		forwards_to = ",".join(existing_aliases[address]["forward_tos"])
-		if user in ("postmaster", "admin", "abuse") \
-			and address not in required_aliases \
-			and forwards_to == get_system_administrator(env):
-			remove_mail_alias(address, env, do_kick=False)
-			results.append("removed alias %s (was to %s; domain no longer used for email)\n" % (address, forwards_to))
-
 	# Update DNS and nginx in case any domains are added/removed.
 
 	from dns_update import do_dns_update
diff --git a/management/status_checks.py b/management/status_checks.py
index 6167ad40..bc2a12b6 100755
--- a/management/status_checks.py
+++ b/management/status_checks.py
@@ -476,7 +476,7 @@ def check_primary_hostname_dns(domain, env, output, dns_domains, dns_zonefiles):
 	check_alias_exists("Hostmaster contact address", "hostmaster@" + domain, env, output)
 
 def check_alias_exists(alias_name, alias, env, output):
-	mail_aliases = get_mail_aliases(env, as_map=True)
+	mail_aliases = get_mail_aliases(env, as_map=True, map_by="mail")
 	if alias in mail_aliases:
 		if mail_aliases[alias]["forward_tos"]:
 			output.print_ok("%s exists as a mail alias. [%s ↦ %s]" % (alias_name, alias, ",".join(mail_aliases[alias]["forward_tos"])))
diff --git a/management/templates/aliases.html b/management/templates/aliases.html
index bd1e93a2..2175458d 100644
--- a/management/templates/aliases.html
+++ b/management/templates/aliases.html
@@ -1,6 +1,6 @@
 <style>
 #alias_table .actions > * { padding-right: 3px; }
-#alias_table .alias-required .remove { display: none }
+#alias_table .alias-auto .actions > * { display: none }
 </style>
 
 <h2>Aliases</h2>
@@ -174,7 +174,7 @@ function show_aliases() {
           var n = $("#alias-template").clone();
           n.attr('id', '');
 
-          if (alias.required) n.addClass('alias-required');
+          if (alias.auto) n.addClass('alias-auto');
           n.attr('data-address', alias.address_display); // this is decoded from IDNA, but will get re-coded to IDNA on the backend
           n.find('td.address').text(alias.address_display)
           for (var j = 0; j < alias.forwards_to.length; j++)
diff --git a/management/templates/index.html b/management/templates/index.html
index d462680f..7a93f0e3 100644
--- a/management/templates/index.html
+++ b/management/templates/index.html
@@ -124,7 +124,7 @@
                 <li class="dropdown-header">Advanced Pages</li>
                 <li><a href="#custom_dns" onclick="return show_panel(this);">Custom DNS</a></li>
                 <li><a href="#external_dns" onclick="return show_panel(this);">External DNS</a></li>
-                <li><a href="/admin/munin" target="_blank">Munin Monitoring</a></li>
+                <li><a href="#munin" onclick="return show_panel(this);">Munin Monitoring</a></li>
                 <li><a href="#postgrey_whitelist" onclick="return show_panel(this);">Postgrey Whitelist</a></li>
               </ul>
             </li>
@@ -208,6 +208,10 @@
       {% include "ssl.html" %}
       </div>
 
+      <div id="panel_munin" class="admin_panel">
+      {% include "munin.html" %}
+      </div>
+
       <hr>
 
       <footer>
diff --git a/management/templates/munin.html b/management/templates/munin.html
new file mode 100644
index 00000000..ab2a01ce
--- /dev/null
+++ b/management/templates/munin.html
@@ -0,0 +1,20 @@
+<h2>Munin Monitoring</h2>
+
+<style>
+</style>
+
+<p>Opening munin in a new tab... You may need to allow pop-ups for this site.</p>
+
+<script>
+function show_munin() {
+  // Set the cookie.
+  api(
+    "/munin",
+    "GET",
+    { },
+    function(r) {
+      // Redirect.
+      window.open("/admin/munin/index.html", "_blank");
+    });
+}
+</script>
diff --git a/setup/dns.sh b/setup/dns.sh
index f5a9ba8d..9ec32796 100755
--- a/setup/dns.sh
+++ b/setup/dns.sh
@@ -80,7 +80,13 @@ remote-control:
 EOF
 fi
 
-echo "include: /etc/nsd/zones.conf" >> /etc/nsd/nsd.conf;
+# Create a directory for additional configuration directives, including
+# the zones.conf file written out by our management daemon.
+echo "include: /etc/nsd/nsd.conf.d/*.conf" >> /etc/nsd/nsd.conf;
+
+# Remove the old location of zones.conf that we generate. It will
+# now be stored in /etc/nsd/nsd.conf.d.
+rm -f /etc/nsd/zones.conf
 
 # Create DNSSEC signing keys.
 
diff --git a/setup/functions-ldap.sh b/setup/functions-ldap.sh
index 5711bc69..e6c0cbd9 100644
--- a/setup/functions-ldap.sh
+++ b/setup/functions-ldap.sh
@@ -13,8 +13,13 @@ get_attribute_from_ldif() {
 	local line
 	while read line; do
 		[ -z "$line" ] && break
-		local v=$(awk "/^$attr:/ { print substr(\$0, length(\"$attr\")+3) }" <<<$line)
-		[ ! -z "$v" ] && ATTR_VALUE+=( "$v" )
+		local v=$(awk "/^$attr: / { print substr(\$0, length(\"$attr\")+3) }" <<<"$line")
+		if [ ! -z "$v" ]; then
+			ATTR_VALUE+=( "$v" )
+		else
+			v=$(awk "/^$attr:: / { print substr(\$0, length(\"$attr\")+4) }" <<<"$line")
+			[ ! -z "$v" ] && ATTR_VALUE+=( $(base64 --decode --wrap=0 <<<"$v") )
+		fi
 	done <<< "$ldif"
 	return 0
 }
diff --git a/setup/ldap.sh b/setup/ldap.sh
index eb7cee85..4621e793 100755
--- a/setup/ldap.sh
+++ b/setup/ldap.sh
@@ -295,8 +295,8 @@ schema_to_ldif() {
 	local cn="$3"	   # schema common name, eg "postfix"
 	local cat='cat'
 	if [ ! -e "$schema" ]; then
-		if [ -e "conf/$(basename $schema)" ]; then
-			schema="conf/$(basename $schema)"
+		if [ -e "conf/schema/$(basename $schema)" ]; then
+			schema="conf/schema/$(basename $schema)"
 		else
 			cat="curl -s"
 		fi
@@ -316,56 +316,57 @@ EOF
 		| sed 's/^\s*$/#/g' >> "$ldif"
 }
 
+change_core_mail_syntax() {
+	# output the ldif to change mail to utf8 from ia5 in the core schema
+	get_attribute "cn=schema,cn=config" "(cn={0}core)" "olcAttributeTypes"
+	case "${ATTR_VALUE[48]}" in
+		*\'mail\'*caseIgnoreIA5Match* )
+			newval=$(sed 's/SYNTAX[ \t][^ ]*/SYNTAX 1.3.6.1.4.1.1466.115.121.1.15/g' <<<"${ATTR_VALUE[48]}" |
+					 sed 's/caseIgnoreIA5Match/caseIgnoreMatch/g' |
+					 sed 's/caseIgnoreIA5SubstringsMatch/caseIgnoreSubstringsMatch/g')
+			cat <<EOF
+dn: cn={0}core,cn=schema,cn=config
+changetype: modify
+delete: olcAttributeTypes
+olcAttributeTypes: ${ATTR_VALUE[48]}
+-
+add: olcAttributeTypes
+olcAttributeTypes: $newval
+EOF
+			;;
+	esac
+}
+
 
 add_schemas() {
-	# Add necessary schema's for MiaB operaion
+	# Add necessary schema's for MiaB operaion		 
 	#
-	# First, apply rfc822MailMember from OpenLDAP's "misc"
-	# schema. Don't apply the whole schema file because much is from
-	# expired RFC's, and we just need rfc822MailMember
-	local cn="misc"
-	get_attribute "cn=schema,cn=config" "(&(cn={*}$cn)(objectClass=olcSchemaConfig))" "cn"
-	if [ -z "$ATTR_DN" ]; then
-		say_verbose "Adding '$cn' schema"
-		cat "/etc/ldap/schema/misc.ldif" | awk 'BEGIN {C=0}
-/^(dn|objectClass|cn):/ { print $0; next }
-/^olcAttributeTypes:/ && /27\.2\.1\.15/ { print $0; C=1; next }
-/^(olcAttributeTypes|olcObjectClasses):/ { C=0; next }
-/^ / && C==1 { print $0 }' | ldapadd -Q -Y EXTERNAL -H ldapi:/// >/dev/null
-	fi
-	
-	# Next, apply the postfix schema from the ldapadmin project
-	# (GPL)(*).
+	# Note: the postfix schema originally came from the ldapadmin
+	# project (GPL)(*), but has been modified to support the needs of
+	# this project.
 	#	see: http://ldapadmin.org
 	#		 http://ldapadmin.org/docs/postfix.schema
 	#		 http://www.postfix.org/LDAP_README.html
-	# (*) mailGroup modified to include rfc822MailMember
-	local schema="http://ldapadmin.org/docs/postfix.schema"
-	local cn="postfix"
-	get_attribute "cn=schema,cn=config" "(&(cn={*}$cn)(objectClass=olcSchemaConfig))" "cn"
-	if [ -z "$ATTR_DN" ]; then
-		local ldif="/tmp/$cn.$$.ldif"
-		schema_to_ldif "$schema" "$ldif" "$cn"
-		sed -i 's/\$ member \$/$ member $ rfc822MailMember $/' "$ldif"
-		say_verbose "Adding '$cn' schema"
-		[ ${verbose:-0} -gt 1 ] && cat "$ldif"
-		ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "$ldif" >/dev/null
-		rm -f "$ldif"
-	fi
-
-	# apply the mfa-totp schema
-	# this adds the totpUser class to store the totp secret
-	local schema="mfa-totp.schema"
-	local cn="mfa-totp"
-	get_attribute "cn=schema,cn=config" "(&(cn={*}$cn)(objectClass=olcSchemaConfig))" "cn"
-	if [ -z "$ATTR_DN" ]; then
-		local ldif="/tmp/$cn.$$.ldif"
-		schema_to_ldif "$schema" "$ldif" "$cn"
-		say_verbose "Adding '$cn' schema"
-		[ ${verbose:-0} -gt 1 ] && cat "$ldif"
-		ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "$ldif" >/dev/null
-		rm -f "$ldif"
-	fi
+	for cn in "postfix" "mfa-totp" "namedProperties"; do
+		schema="$cn.schema"
+		get_attribute "cn=schema,cn=config" "(&(cn={*}$cn)(objectClass=olcSchemaConfig))" "cn"
+		if [ -z "$ATTR_DN" ]; then
+			local ldif="/tmp/$cn.$$.ldif"
+			schema_to_ldif "$schema" "$ldif" "$cn"
+			if [ "$cn" = "postfix" ]; then
+				local ldif2="/tmp/$cn.$$-2.ldif"
+				change_core_mail_syntax >"$ldif2"
+				echo "" >>"$ldif2"
+				sed 's/^dn: cn=postfix,\(.*\)$/dn: cn=postfix,\1\nchangetype: add/g' "$ldif" >> "$ldif2"
+				rm "$ldif"
+				ldif="$ldif2"
+			fi
+			say_verbose "Adding '$cn' schema"
+			[ ${verbose:-0} -gt 1 ] && cat "$ldif"
+			ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "$ldif" >/dev/null
+			rm -f "$ldif"
+		fi
+	done	
 }
 
 
@@ -504,7 +505,7 @@ add_indexes() {
 	# Add the indexes
 	get_attribute "$cdn" "(objectClass=*)" "olcDbIndex" base
 	local attr
-	for attr in mail maildrop mailaccess dc rfc822MailMember; do
+	for attr in mail maildrop mailaccess dc dcIntl mailMember; do
 		local type="eq" atype="" aindex=""
 		[ "$attr" == "mail" ] && type="eq,sub"
 
@@ -661,6 +662,7 @@ process_cmdline() {
 	elif [ "$1" == "-config" ]; then
 		# Apply a certain configuration
 		if [ "$2" == "server" ]; then
+			add_schemas
 			modify_global_config
 			add_overlays
 			add_indexes
@@ -675,8 +677,23 @@ process_cmdline() {
 
 	elif [ "$1" == "-search" ]; then
 		# search for email addresses, distinguished names and general
-		# ldap filters
-		debug_search "$2"
+		# ldap filters. Args:
+		#    search filter [optional]
+		#    base dn [optional]
+		#    remaining args are attributes to output [optional]
+		shift
+		if [ $# -eq 0 ]; then
+			debug_search "(objectclass=*)"
+		else
+			debug_search "$@"
+		fi
+		exit 0
+
+	elif [ "$1" == "-schema-to-ldif" ]; then
+		cn="$2"
+		output="${3:-/dev/stdout}"
+		schema="$cn.schema"
+		schema_to_ldif "$schema" "$output" "$cn"
 		exit 0
 
 	elif [ "$1" == "-dumpdb" ]; then
@@ -699,6 +716,11 @@ process_cmdline() {
 			echo ""
 			slapcat ${slapcat_args[@]} -s "$ATTR_DN" | grep -Ev "^$hide_attrs:"
 		fi
+		if [ "$s" == "all" -o "$s" == "schema" ]; then
+			echo ""
+			echo '--------------------------------'
+			slapcat ${slapcat_args[@]} -s "cn=schema,cn=config" | grep -Ev "^$hide_attrs:"
+		fi
 		if [ "$s" == "all" -o "$s" == "frontend" ]; then
 			echo ""
 			echo '--------------------------------'
@@ -716,7 +738,7 @@ process_cmdline() {
 		if [ "$s" == "aliases" ]; then
 			echo ""
 			echo '--------------------------------'
-			local attrs=(mail member mailRoutingAddress rfc822MailMember)
+			local attrs=(mail member mailRoutingAddress mailMember namedProperty)
 			[ ${verbose:-0} -gt 0 ] && attrs=()
 			debug_search "(objectClass=mailGroup)" "$LDAP_ALIASES_BASE" ${attrs[@]}
 		fi
diff --git a/setup/mail-users.sh b/setup/mail-users.sh
index 3d51abb4..c2458398 100755
--- a/setup/mail-users.sh
+++ b/setup/mail-users.sh
@@ -63,7 +63,7 @@ base = ${LDAP_USERS_BASE}
 #   filter below. If found, the user is authenticated against this dn
 #   (a bind is attempted as that user). The attribute 'mail' is
 #   multi-valued and contains all the user's email addresses. We use
-#   maildrop as the dovecot mailbox address and forbid then from using
+#   maildrop as the dovecot mailbox address and forbid them from using
 #   it for authentication by excluding maildrop from the filter.
 pass_filter = (&(objectClass=mailUser)(mail=%u))
 pass_attrs = maildrop=user
@@ -166,6 +166,7 @@ chmod 0640 /etc/postfix/sender-login-maps-aliases.cf
 # Check whether a destination email address exists, and to perform any
 # email alias rewrites in Postfix.
 tools/editconf.py /etc/postfix/main.cf \
+	smtputf8_enable=no \
 	virtual_mailbox_domains=ldap:/etc/postfix/virtual-mailbox-domains.cf \
 	virtual_mailbox_maps=ldap:/etc/postfix/virtual-mailbox-maps.cf \
 	virtual_alias_maps=ldap:/etc/postfix/virtual-alias-maps.cf \
@@ -180,7 +181,7 @@ bind_dn = ${LDAP_POSTFIX_DN}
 bind_pw = ${LDAP_POSTFIX_PASSWORD}
 version = 3
 search_base = ${LDAP_DOMAINS_BASE}
-query_filter = (&(dc=%s)(businessCategory=mail))
+query_filter = (&(|(dc=%s)(dcIntl=%s))(businessCategory=mail))
 result_attribute = dc
 EOF
 chgrp postfix /etc/postfix/virtual-mailbox-domains.cf
@@ -228,7 +229,6 @@ chmod 0640 /etc/postfix/virtual-mailbox-maps.cf
 # it might have just permitted_senders, skip any records with an
 # empty destination here so that other lower priority rules might match.
 
-
 #
 # This is the ldap version of aliases(5) but for virtual
 # addresses. Postfix queries this recursively to determine delivery
@@ -242,7 +242,7 @@ bind_pw = ${LDAP_POSTFIX_PASSWORD}
 version = 3
 search_base = ${LDAP_USERS_BASE}
 query_filter = (mail=%s)
-result_attribute = maildrop, rfc822MailMember
+result_attribute = maildrop, mailMember
 special_result_attribute = member
 EOF
 chgrp postfix /etc/postfix/virtual-alias-maps.cf
diff --git a/setup/migrate.py b/setup/migrate.py
index 43a0b30b..a2f75483 100755
--- a/setup/migrate.py
+++ b/setup/migrate.py
@@ -187,6 +187,11 @@ def migration_13(env):
 	db = os.path.join(env["STORAGE_ROOT"], 'mail/users.sqlite')
 	shell("check_call", ["sqlite3", db, "CREATE TABLE mfa (id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER NOT NULL, type TEXT NOT NULL, secret TEXT NOT NULL, mru_token TEXT, label TEXT, FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE);"])
 
+def migration_14(env):
+	# Add the "auto_aliases" table.
+	db = os.path.join(env["STORAGE_ROOT"], 'mail/users.sqlite')
+	shell("check_call", ["sqlite3", db, "CREATE TABLE auto_aliases (id INTEGER PRIMARY KEY AUTOINCREMENT, source TEXT NOT NULL UNIQUE, destination TEXT NOT NULL, permitted_senders TEXT);"])
+
 ###########################################################
 
 
@@ -245,9 +250,77 @@ def migration_miabldap_1(env):
 	aliases=m13.create_aliases(env, conn, ldap, ldap_aliases_base)
 	permitted=m13.create_permitted_senders(conn, ldap, ldap_users_base, ldap_permitted_senders_base)
 	m13.populate_aliases(conn, ldap, users, aliases)
-		
+
 	ldap.unbind()
 	conn.close()
+
+
+def migration_miabldap_2(env):
+	# This migration step changes the ldap schema to support utf8 email
+	#
+	# possible states at this point:
+	#   miabldap was installed and is being upgraded
+	#      -> old pre-utf8 schema present
+	#   a miab install was present and step 1 upgaded it to miabldap
+	#      -> new utf8 schema present
+	#
+	sys.path.append(os.path.realpath(os.path.join(os.path.dirname(__file__), "../management")))
+	import ldap3
+	from backend import connect
+	import migration_14 as m14
+
+	# 1. get ldap site details
+	ldapvars = load_env_vars_from_file(os.path.join(env["STORAGE_ROOT"], "ldap/miab_ldap.conf"), strip_quotes=True)
+	ldap_domains_base = ldapvars.LDAP_DOMAINS_BASE
+	ldap_aliases_base = ldapvars.LDAP_ALIASES_BASE
+	ldap_users_base = ldapvars.LDAP_USERS_BASE
+
+	# connect before schema changes to ensure admin password works
+	ldap = connect(ldapvars)
+
+	# 2. if this is a miab -> maibldap install, the new schema is
+	# already in place and no schema changes are needed. however,
+	# if this is a miabldap/1 to miabldap/2 migration, we must
+	# upgrade the schema.
+	ret = shell("check_output", [
+		"ldapsearch",
+		"-Q",
+		"-Y", "EXTERNAL",
+		"-H", "ldapi:///",
+		"(&(objectClass=olcSchemaConfig)(cn={*}postfix))",
+		"-b", "cn=schema,cn=config",
+		"-LLL",
+		"olcObjectClasses"
+	])
+	
+	if "rfc822MailMember" in ret:
+		def ldif_change_fn(ldif):
+			return ldif.replace("rfc822MailMember: ", "mailMember: ")
+		# apply schema changes miabldap/1 -> miabldap/2
+		ldap.unbind()
+		print("Apply schema changes")
+		m14.apply_schema_changes(env, ldapvars, ldif_change_fn)
+		# reconnect
+		ldap = connect(ldapvars)
+
+	# 3. migrate to utf8: users, aliases and domains
+	print("Create utf8 entries for users and aliases having IDNA domains")
+	m14.add_utf8_mail_addresses(env, ldap, ldap_users_base)
+
+	print("Add namedProperties objectclass to aliases")
+	m14.add_namedProperties_objectclass(env, ldap, ldap_aliases_base)
+
+	print("Add mailDomain objectclass to domains")
+	m14.add_mailDomain_objectclass(env, ldap, ldap_domains_base)
+
+	print("Mark required aliases with 'auto' property")
+	m14.add_auto_tag(env, ldap, ldap_aliases_base)
+
+	print("Ensure all required aliases are created")
+	m14.ensure_required_aliases(env, ldapvars, ldap)
+	
+	ldap.unbind()
+
 	
 def get_current_migration():
 	ver = 0
@@ -327,11 +400,20 @@ def run_miabldap_migrations():
 	env = load_environment()
 
 	migration_id_file = os.path.join(env['STORAGE_ROOT'], 'mailinabox-ldap.version')
-	migration_id = 0
+	migration_id = None
 	if os.path.exists(migration_id_file):
 		with open(migration_id_file) as f:
 			migration_id = f.read().strip();
+		if migration_id.strip()=='': migration_id = None
 
+	if migration_id is None:
+		if os.path.exists(os.path.join(env['STORAGE_ROOT'], 'mailinabox.version')):
+			migration_id = 0
+		else:
+			print()
+			print("%s file doesn't exists. Skipping migration..." % (migration_id_file,))
+			return
+	
 	ourver = int(migration_id)
 
 	while True:
diff --git a/setup/migration_14.py b/setup/migration_14.py
new file mode 100644
index 00000000..f78ef235
--- /dev/null
+++ b/setup/migration_14.py
@@ -0,0 +1,232 @@
+#!/usr/bin/python3
+# -*- indent-tabs-mode: t; tab-width: 4; python-indent-offset: 4; -*-
+
+#
+# helper functions for migration #14 / miabldap-migration #2
+#
+
+import sys, os, ldap3, idna
+from utils import shell
+from mailconfig import (
+	add_required_aliases,
+	required_alias_names,
+	get_mail_domains
+)
+
+
+def utf8_from_idna(domain_idna):
+	try:
+		return idna.decode(domain_idna.encode("ascii"))
+	except (UnicodeError, idna.IDNAError):
+		# Failed to decode IDNA, should never happen
+		return domain_idna
+
+
+def apply_schema_changes(env, ldapvars, ldif_change_fn):
+	# 1. save LDAP_BASE data to ldif
+	slapd_conf = os.path.join(env["STORAGE_ROOT"], "ldap/slapd.d")
+	fail_fn = os.path.join(env["STORAGE_ROOT"], "ldap/failed_migration.txt")
+	ldif = shell("check_output", [
+		"/usr/sbin/slapcat",
+		"-F", slapd_conf,
+		"-b", ldapvars.LDAP_BASE
+	])
+
+	# 2. wipe out existing database configuration and database
+	#    2a. set the creation parameters
+	ORGANIZATION="Mail-In-A-Box"
+	LDAP_DOMAIN="mailinabox"
+	shell("check_output", [
+		"/usr/bin/debconf-set-selections"
+	], input=f'''slapd shared/organization string {ORGANIZATION}
+slapd slapd/domain string {LDAP_DOMAIN}
+slapd slapd/password1 password {ldapvars.LDAP_ADMIN_PASSWORD}
+slapd slapd/password2 password {ldapvars.LDAP_ADMIN_PASSWORD}
+'''.encode('utf-8')
+	)
+
+	#    2b. recreate ldap config and database
+	shell("check_call", [
+		"/usr/sbin/dpkg-reconfigure",
+		"--frontend=noninteractive",
+		"slapd"
+	])
+
+	#    2c. clear passwords from debconf
+	shell("check_output", [
+		"/usr/bin/debconf-set-selections"
+	], input='''slapd slapd/password1 password
+slapd slapd/password2 password
+'''.encode('utf-8')
+	)
+
+	# 3. make desired ldif changes
+	#   3a. first, remove dc=mailinabox and
+	#       cn=admin,dc=mailinabox. they were both created during
+	#       dpkg-reconfigure and can't be readded
+	entries = ldif.split("\n\n")
+	keep = []
+	removed = []
+	remove = [
+		"dn: " + ldapvars.LDAP_BASE,
+		"dn: " + ldapvars.LDAP_ADMIN_DN
+	]
+	for entry in entries:
+		dn = entry.split("\n")[0]
+		if dn not in remove:
+			keep.append(entry)
+		else:
+			removed.append(entry)
+			
+	#   3b. call the given ldif change function
+	ldif = ldif_change_fn("\n\n".join(keep))
+	#ldif = ldif_change_fn(ldif)
+	
+	# 4. re-create schemas and other config
+	shell("check_call", [
+		"setup/ldap.sh",
+		"-v",
+		"-config", "server"
+	])
+
+	# 5. restore LDAP_BASE data
+	code, ret = shell("check_output", [
+		"/usr/sbin/slapadd",
+		"-F", slapd_conf,
+		"-b", ldapvars.LDAP_BASE,
+		"-v",
+		"-c"
+	], input=ldif.encode('utf-8'), trap=True, capture_stderr=True)
+	
+	if code != 0:
+		try:
+			with open(fail_fn, "w") as of:
+				of.write("# slapadd -F %s -b %s -v -c\n" %
+						 (slapd_conf, ldapvars.LDAP_BASE))
+				of.write(ldif)
+			print("See saved data in %s" % fail_fn)
+		except Exception:
+			pass
+		
+		raise ValueError("Could not restore data: exit code=%s: output=%s" % (code, ret))
+
+
+
+def add_utf8_mail_addresses(env, ldap, ldap_users_base):
+	# if the mail attribute of users or aliases is idna encoded, also
+	# add a utf8 version of the address to the mail attribute so the
+	# user or alias will be known by multiple addresses (idna and
+	# utf8)
+	pager = ldap.paged_search(ldap_users_base, "(|(objectClass=mailGroup)(objectClass=mailUser))", attributes=['mail'])
+	changes = []
+	for rec in pager:
+		mail_idna_lc = []
+		for addr in rec['mail']:
+			mail_idna_lc = addr.lower()
+		
+		changed = False
+		new_mail = []
+		for addr in rec['mail']:
+			new_mail.append(addr)
+			name = addr.split('@')[0]
+			domain = addr.split('@', 1)[1]
+			addr_utf8 = name + '@' + utf8_from_idna(domain)
+			addr_utf8_lc = addr_utf8.lower()
+			if addr_utf8 != addr and addr_utf8_lc not in mail_lc:
+				new_mail.append(addr_utf8)
+				print("Add '%s' for %s" % (addr_utf8, addr))
+				changed = True
+		if changed:
+			changes.append({"rec":rec, "mail":new_mail})
+
+	for change in changes:
+		ldap.modify_record(
+			change["rec"],
+			{ "mail": change["mail"] }
+		)
+
+
+
+def add_namedProperties_objectclass(env, ldap, ldap_aliases_base):
+	# ensure every alias has a namedProperties objectClass attached
+	pager = ldap.paged_search(ldap_aliases_base, "(&(objectClass=mailGroup)(!(objectClass=namedProperties)))", attributes=['objectClass'])
+	changes = []
+	for rec in pager:
+		newoc = rec['objectClass'].copy()
+		newoc.append('namedProperties')
+		changelist = {
+			'objectClass': newoc,
+		}
+		changes.append({'rec': rec, 'changelist': changelist})
+
+	for change in changes:
+		ldap.modify_record(change['rec'], change['changelist'])
+
+		
+def add_auto_tag(env, ldap, ldap_aliases_base):
+	# add namedProperty=auto to existing required aliases
+	# this step is needed to upgrade miabldap systems
+	name_q = [
+		"(mail=hostmaster@"+env['PRIMARY_HOSTNAME']+")"
+	]
+	for name in required_alias_names:
+		name_q.append("(mail=%s@*)" % name)
+		
+	q = [
+		"(objectClass=mailGroup)",
+		"(!(namedProperty=auto))",
+		"(|%s)" % "".join(name_q)
+	]
+	pager = ldap.paged_search(
+		ldap_aliases_base,
+		"(&%s)" % "".join(q),
+		attributes=['namedProperty']
+	)
+	changes = []
+	for rec in pager:
+		newval = rec["namedProperty"].copy()
+		newval.append("auto")
+		changes.append({"rec": rec, "namedProperty": newval})
+		
+	for change in changes:
+		ldap.modify_record(
+			change["rec"],
+			{"namedProperty": change["namedProperty"]}
+		)
+
+
+
+def add_mailDomain_objectclass(env, ldap, ldap_domains_base):
+	# ensure every domain has a mailDomain objectClass attached
+	pager = ldap.paged_search(ldap_domains_base, "(&(objectClass=domain)(!(objectClass=mailDomain)))", attributes=['objectClass', 'dc', 'dcIntl'])
+	changes = []
+	for rec in pager:
+		newoc = rec['objectClass'].copy()
+		newoc.append('mailDomain')
+		changelist = {
+			'objectClass': newoc,
+			'dcIntl': [ utf8_from_idna(rec['dc'][0]) ]
+		}
+		changes.append({'rec': rec, 'changelist': changelist})
+
+	for change in changes:
+		ldap.modify_record(change['rec'], change['changelist'])
+
+
+def ensure_required_aliases(env, ldapvars, ldap):
+	# ensure every domain has its required aliases
+	env_combined = env.copy()
+	env_combined.update(ldapvars)
+	errors = []
+	for domain_idna in get_mail_domains(ldapvars):
+		results = add_required_aliases(env_combined, ldap, domain_idna)
+		for result in results:
+			if isinstance(result, str):
+				print(result)
+			else:
+				print("Error: %s" % result[0])
+				errors.append(result[0])
+	if len(errors)>0:
+		raise ValueError("Some required aliases could not be added")
+	
+
diff --git a/tests/lib/installed-state.sh b/tests/lib/installed-state.sh
index 8cc2c83b..860e7e62 100644
--- a/tests/lib/installed-state.sh
+++ b/tests/lib/installed-state.sh
@@ -13,6 +13,7 @@ installed_state_capture() {
     # TOOD: tls certificates: expected CN's
 
     local state_dir="$1"
+    local install_dir="${2:-.}"
     local info="$state_dir/info.txt"
 
     H1 "Capture installed state to $state_dir"
@@ -22,11 +23,18 @@ installed_state_capture() {
     mkdir -p "$state_dir"
 
     # create info.json
+    if ! pushd "$install_dir" >/dev/null; then
+        echo "Directory '$install_dir' no accessible"
+        return 1
+    fi
     H2 "create info.txt"
     echo "STATE_VERSION=1" > "$info"
-    echo "GIT_VERSION='$(git describe --abbrev=0)'" >>"$info"
+    echo "GIT_VERSION='$(git describe)'" >>"$info"
+    git describe | awk -F- '{ split($1,a,"."); print "MAJOR="substr(a[1],2); print "MINOR="a[2]; print "RELEASE="$2 }' >>"$info"
     echo "GIT_ORIGIN='$(git remote -v | grep ^origin | grep 'fetch)$' | awk '{print $2}')'" >>"$info"
-    echo "MIGRATION_VERSION=$(cat "$STORAGE_ROOT/mailinabox.version")" >>"$info"
+    echo "MIGRATION_VERSION=$([ -e "$STORAGE_ROOT/mailinabox.version" ] && cat "$STORAGE_ROOT/mailinabox.version")" >>"$info"
+    echo "MIGRATION_ML_VERSION=$([ -e "$STORAGE_ROOT/mailinabox-ldap.version" ] && cat "$STORAGE_ROOT/mailinabox-ldap.version")" >>"$info"
+    popd >/dev/null
 
     # record users
     H2 "record users"
@@ -75,17 +83,21 @@ installed_state_compare() {
     #
     # determine compare type id (incorporating repo, branch, version, etc)
     #
-    local compare_type="all"
+    source "$s1/info.txt"
+    MAJOR_A="$MAJOR"
+    MINOR_A="$MINOR"
+    RELEASE_A="${RELEASE:-0}"
+    PROD_A="miab"
+    grep "mailinabox-ldap" <<<"$GIT_ORIGIN" >/dev/null && PROD_A="miabldap"
     
     source "$s2/info.txt"
-    if grep "mailinabox-ldap" <<<"$GIT_ORIGIN" >/dev/null; then
-        GIT_ORIGIN=""
-        source "$s1/info.txt"
-        if ! grep "mailinabox-ldap.git" <<<"$GIT_ORIGIN" >/dev/null; then
-            compare_type="miab2miab-ldap"
-        fi
-    fi
-    echo "Compare type: $compare_type"
+    MAJOR_B="$MAJOR"
+    MINOR_B="$MINOR"
+    RELEASE_B="${RELEASE:-0}"
+    PROD_B="miab"
+    grep "mailinabox-ldap" <<<"$GIT_ORIGIN" >/dev/null && PROD_B="miabldap"
+
+    cmptype="${PROD_A}2${PROD_B}"
 
     #
     # filter data for compare type
@@ -95,7 +107,7 @@ installed_state_compare() {
     cp "$s2/users.json" "$s2/users-cmp.json" || changed="true"
     cp "$s2/aliases.json" "$s2/aliases-cmp.json" || changed="true"
     
-    if [ "$compare_type" == "miab2miab-ldap" ]
+    if [ "$cmptype" = "miab2miabldap" ]
     then
         # user display names is a feature added to MiaB-LDAP that is
         # not in MiaB
@@ -104,7 +116,19 @@ installed_state_compare() {
         # alias descriptions is a feature added to MiaB-LDAP that is
         # not in MiaB
         grep -v '"description":' "$s2/aliases.json" > "$s2/aliases-cmp.json" || changed="true"        
-    fi    
+    fi
+
+    # cmp: v0.54 to current
+    if [ "$cmptype" = "miabldap2miabldap" -a $MAJOR_A -eq 0 -a $MINOR_A -le 54 -a $RELEASE_A -eq 0 ]
+    then
+        # s1: convert aliases 'required' to 'auto' and resort
+        jq -c ".[] | .aliases | sort_by(.address) | .[] | {address:.address, forwards_to:.forwards_to, permitted_senders:.permitted_senders, auto:.required, description:.description}"  "$s1/aliases.json" > "$s1/aliases-cmp.json"
+        sed -i 's/\("address":"administrator@.*"auto":\)true/\1false/' "$s1/aliases-cmp.json"
+
+        # s2: re-sort aliases
+        jq -c ".[] | .aliases | sort_by(.address) | .[] | {address:.address, forwards_to:.forwards_to, permitted_senders:.permitted_senders, auto:.auto, description:.description}"  "$s2/aliases.json" > "$s2/aliases-cmp.json"
+    fi
+    
     
     #
     # users
@@ -122,6 +146,7 @@ installed_state_compare() {
     #
     # aliases
     #
+    
     H2 "Aliases"
     output="$(diff "$s1/aliases-cmp.json" "$s2/aliases-cmp.json" 2>&1)"
     if [ $? -ne 0 ]; then
@@ -154,36 +179,36 @@ installed_state_compare() {
     done
     echo "$count added"
 
-    H2 "DNS - zones changed"
-    count=0
-    for zone in $(cd "$s1/zones"; ls *.signed); do
-        if [ -e "$s2/zones/$zone" ]; then
-            # all the signatures change if we're using self-signed certs
-            # ignore ttl changes
-            local t1="/tmp/s1.$$.txt"
-            local t2="/tmp/s2.$$.txt"
-            awk '\
-$4 == "RRSIG" || $4 == "NSEC3" { next; } \
-$4 == "SOA" { print $1" "$3" "$4" "$5" "$6" "$8" "$10" "$12; next } \
-{ for(i=1;i<=NF;i++) if (i!=2) printf("%s ",$i); print ""; }' \
-                "$s1/zones/$zone" > "$t1"
+#     H2 "DNS - zones changed"
+#     count=0
+#     for zone in $(cd "$s1/zones"; ls *.signed); do
+#         if [ -e "$s2/zones/$zone" ]; then
+#             # all the signatures change if we're using self-signed certs
+#             # ignore ttl changes
+#             local t1="/tmp/s1.$$.txt"
+#             local t2="/tmp/s2.$$.txt"
+#             awk '\
+# $4 == "RRSIG" || $4 == "NSEC3" { next; } \
+# $4 == "SOA" { print $1" "$3" "$4" "$5" "$6" "$8" "$10" "$12; next } \
+# { for(i=1;i<=NF;i++) if (i!=2) printf("%s ",$i); print ""; }' \
+#                 "$s1/zones/$zone" > "$t1"
             
-            awk '\
-$4 == "RRSIG" || $4 == "NSEC3" { next; } \
-$4 == "SOA" { print $1" "$3" "$4" "$5" "$6" "$8" "$10" "$12; next } \
-{ for(i=1;i<=NF;i++) if (i!=2) printf("%s ",$i); print ""; }' \
-                "$s2/zones/$zone" > "$t2"
+#             awk '\
+# $4 == "RRSIG" || $4 == "NSEC3" { next; } \
+# $4 == "SOA" { print $1" "$3" "$4" "$5" "$6" "$8" "$10" "$12; next } \
+# { for(i=1;i<=NF;i++) if (i!=2) printf("%s ",$i); print ""; }' \
+#                 "$s2/zones/$zone" > "$t2"
             
-            output="$(diff "$t1" "$t2" 2>&1)"
-            if [ $? -ne 0 ]; then
-                echo "CHANGED zone: $zone"
-                echo "$output"
-                changed="true"
-                let count+=1
-            fi
-        fi
-    done
-    echo "$count zone files had differences"
+#             output="$(diff "$t1" "$t2" 2>&1)"
+#             if [ $? -ne 0 ]; then
+#                 echo "CHANGED zone: $zone"
+#                 echo "$output"
+#                 changed="true"
+#                 let count+=1
+#             fi
+#         fi
+#     done
+#    echo "$count zone files had differences"
 
     if $changed; then
         return 1
diff --git a/tests/suites/_init.sh b/tests/suites/_init.sh
index e0fe26a8..f06a95e7 100644
--- a/tests/suites/_init.sh
+++ b/tests/suites/_init.sh
@@ -133,6 +133,7 @@ test_success() {
 test_failure() {
 	local why="$1"
 	[ -z "$TEST_OF" ] && return
+	record "** TEST_FAILURE: $why **"
 	TEST_STATE="FAILURE"
 	TEST_STATE_MSG+=( "$why" )
 }
diff --git a/tests/suites/_ldap-functions.sh b/tests/suites/_ldap-functions.sh
index 1d34b63a..2ee838f3 100644
--- a/tests/suites/_ldap-functions.sh
+++ b/tests/suites/_ldap-functions.sh
@@ -147,8 +147,8 @@ EOF
 	for member; do
 		case $member in
 			*@* )
-				echo "rfc822MailMember: $member" >>$TEST_OF
-				echo "rfc822MailMember: $member" >>$of 2>>$TEST_OF
+				echo "mailMember: $member" >>$TEST_OF
+				echo "mailMember: $member" >>$of 2>>$TEST_OF
 				;;
 			* )
 				echo "member: $member" >>$TEST_OF
diff --git a/tests/suites/mail-aliases.sh b/tests/suites/mail-aliases.sh
index d1814dd2..2a49e3cd 100644
--- a/tests/suites/mail-aliases.sh
+++ b/tests/suites/mail-aliases.sh
@@ -134,7 +134,7 @@ test_shared_alias_delivery() {
 
 test_trial_nonlocal_alias_delivery() {
 	# verify that mail sent to an alias with a non-local address
-	# (rfc822MailMember) can be delivered
+	# (mailMember) can be delivered
 	test_start "trial-nonlocal-alias-delivery"
 	if skip_test remote-smtp; then
 		test_end
diff --git a/tests/suites/management-users.sh b/tests/suites/management-users.sh
index a13415ba..db8b51f4 100644
--- a/tests/suites/management-users.sh
+++ b/tests/suites/management-users.sh
@@ -136,6 +136,8 @@ test_intl_domains() {
 	# remote intl user / forward-to
 	local intl_person="hans@bücher.example"
 	local intl_person_idna="hans@xn--bcher-kva.example"
+	local intl_person_domain=$(email_domainpart "$intl_person")
+	local intl_person_idna_domain=$(email_domainpart "$intl_person_idna")
 
 	# local users
 	local bob="bob@somedomain.com"
@@ -149,10 +151,50 @@ test_intl_domains() {
 	if mgmt_create_user "$intl_person" "$bob_pw"; then
 		test_failure "A user account is not permitted to have an international domain"
 		# ensure user is removed as is expected by the remaining tests
-		mgmt_delele_user "$intl_person"
+		mgmt_delete_user "$intl_person"
 		delete_user "$intl_person"
 		delete_user "$intl_person_idna"
 	fi
+
+	# given an idna encoded user - the user should have 2 mail addresses
+	if ! mgmt_create_user "$intl_person_idna" "$bob_pw"; then
+		test_failure "Could not create idna-encoded user account $intl_person_idna"
+	else
+		get_attribute "$LDAP_USERS_BASE" "(mail=$intl_person_idna)" "mail"
+		if [ -z "$ATTR_DN" ] || \
+			   ! array_contains "$intl_person" "${ATTR_VALUE[@]}" || \
+			   ! array_contains "$intl_person_idna" "${ATTR_VALUE[@]}"
+		then
+			test_failure "Alias's ($intl_person) mail attribute expected to have both the idna and utf8 names, got ${#ATTR_VALUE[@]}: ${ATTR_VALUE[*]}, expected: $intl_person,$intl_person_idna"
+			[ ! -z "$ATTR_DN" ] && record_search "$ATTR_DN"
+		else
+			record_search "$ATTR_DN"
+			
+			# required aliases are automatically created and should
+			# have both mail addresses (idna and utf8)
+			get_attribute "$LDAP_ALIASES_BASE" "(mail=abuse@$intl_person_idna_domain)" "mail"
+			if [ -z "$ATTR_DN" ]; then
+				test_failure "Required alias not created!"
+				debug_search "(objectClass=mailGroup)" >>$TEST_OF
+			elif  ! array_contains "abuse@$intl_person_domain" "${ATTR_VALUE[@]}" || \
+					! array_contains "abuse@$intl_person_idna_domain" "${ATTR_VALUE[@]}"
+			then
+				test_failure "Require alias abuse@$intl_person_idna_domain expected to contain both idna and utf8 mail addresses"
+				record_search "$ATTR_DN"
+			fi
+			
+			# ensure user is removed as is expected by the remaining tests
+			mgmt_delete_user "$intl_person_idna"
+		fi
+	fi
+
+	# at this point intl_person does not exist, so all required aliases
+	# should also not be present
+	get_attribute "$LDAP_ALIASES_BASE" "(mail=*@$intl_person_idna_domain)"
+	if [ ! -z "$ATTR_DN" ]; then
+		test_failure "No required alias should not exist for the $intl_person_domain domain"
+		record_search "$ATTR_DN"
+	fi
 	
 	# create local users bob and mary
 	mgmt_assert_create_user "$bob" "$bob_pw"
@@ -161,11 +203,27 @@ test_intl_domains() {
 	# create intl alias with local user bob and intl_person in it
 	if mgmt_assert_create_alias_group "$alias" "$bob" "$intl_person"; then
 		# examine LDAP server to verify IDNA-encodings
-		get_attribute "$LDAP_ALIASES_BASE" "(mail=$alias_idna)" "rfc822MailMember"
+		
+		# 1. the mail attribute for the alias should have both the
+		# idna and utf8 addresses
+		get_attribute "$LDAP_ALIASES_BASE" "(mail=$alias)" "mail"
+		if [ -z "$ATTR_DN" ] || \
+			   ! array_contains "$alias" "${ATTR_VALUE[@]}" || \
+			   ! array_contains "$alias_idna" "${ATTR_VALUE[@]}"
+		then
+			test_failure "Alias's ($alias) mail attribute expected to have both the idna and utf8 names, got: ${ATTR_VALUE[*]}, expected: $alias,$alias_idna"
+			[ ! -z "$ATTR_DN" ] && record_search "$ATTR_DN"
+		fi
+
+		record_search "$ATTR_DN"
+
+		# 2. the mailMember attribute for the alias should contain the
+		# idna encoded intl_person (who is external - not a system user)
+		get_attribute "$LDAP_ALIASES_BASE" "(mail=$alias_idna)" "mailMember"
 		if [ -z "$ATTR_DN" ]; then
 			test_failure "IDNA-encoded alias group not found! created as:$alias expected:$alias_idna"
 		elif [ "$ATTR_VALUE" != "$intl_person_idna" ]; then
-			test_failure "Alias group with user having an international domain was not ecoded properly. added as:$intl_person expected:$intl_person_idna"
+			test_failure "Alias group with user having an international domain was not encoded properly. added as:$intl_person expected:$intl_person_idna"
 		fi
 	fi
 
diff --git a/tests/system-setup/setup-defaults.sh b/tests/system-setup/setup-defaults.sh
index f4316840..333d4a2c 100755
--- a/tests/system-setup/setup-defaults.sh
+++ b/tests/system-setup/setup-defaults.sh
@@ -39,3 +39,7 @@ export NC_ADMIN_PASSWORD="${NC_ADMIN_PASSWORD:-Test_1234}"
 # For setup scripts that install upstream versions
 export MIAB_UPSTREAM_GIT="${MIAB_UPSTREAM_GIT:-https://github.com/mail-in-a-box/mailinabox.git}"
 export UPSTREAM_TAG="${UPSTREAM_TAG:-}"
+
+# For setup scripts that install miabldap releases
+export MIABLDAP_GIT="${MIABLDAP_GIT:-https://github.com/downtownallday/mailinabox-ldap.git}"
+export MIABLDAP_RELEASE_TAG="${MIABLDAP_RELEASE_TAG:-v0.54}"
diff --git a/tests/system-setup/setup-funcs.sh b/tests/system-setup/setup-funcs.sh
index 94a07cbc..8ec75826 100755
--- a/tests/system-setup/setup-funcs.sh
+++ b/tests/system-setup/setup-funcs.sh
@@ -224,6 +224,14 @@ miab_ldap_install() {
         die "Cannot install: the working directory is not MiaB-LDAP!"
     fi
 
+    # setup/questions.sh installs the email_validator python3 module
+    # but only when in interactive mode. make sure it's also installed
+    # in non-interactive mode
+    if [ ! -z "${NONINTERACTIVE:-}" ]; then
+        H2 "Install email_validator python3 module"
+        pip3 install -q "email_validator>=1.0.0" || die "Unable to install email_validator python3 module!"
+    fi
+
     # if EHDD_KEYFILE is set, use encryption-at-rest support
     if [ ! -z "$EHDD_KEYFILE" ]; then
         ehdd/start-encrypted.sh
diff --git a/tests/system-setup/upgrade-from-upstream.sh b/tests/system-setup/upgrade-from-upstream.sh
index b528198f..3d789a96 100755
--- a/tests/system-setup/upgrade-from-upstream.sh
+++ b/tests/system-setup/upgrade-from-upstream.sh
@@ -96,13 +96,13 @@ upstream_install() {
         echo "$F_RESET"
         die "Upstream setup failed!"
     fi
-    popd >/dev/null
     
     workaround_dovecot_sieve_bug
 
     H2 "Upstream info"
     echo "Code version: $(git describe)"
     echo "Migration version: $(cat "$STORAGE_ROOT/mailinabox.version")"
+    popd >/dev/null
 }
 
 
@@ -154,9 +154,7 @@ else
     fi
 
     # capture upstream state
-    pushd "$upstream_dir" >/dev/null
-    installed_state_capture "/tmp/state/upstream"
-    popd >/dev/null
+    installed_state_capture "/tmp/state/upstream" "$upstream_dir"
 fi
 
 # install miab-ldap and capture state
diff --git a/tests/system-setup/upgrade.sh b/tests/system-setup/upgrade.sh
new file mode 100755
index 00000000..ae18a7b5
--- /dev/null
+++ b/tests/system-setup/upgrade.sh
@@ -0,0 +1,111 @@
+#!/bin/bash
+
+# setup MiaB-LDAP by:
+#    1. installing upstream MiaB
+#    2. adding some data (users/aliases/etc)
+#    3. upgrading to MiaB-LDAP
+#
+# See setup-defaults.sh for usernames and passwords.
+#
+
+
+usage() {
+    echo "Usage: $(basename "$0")"
+    echo "Install MiaB-LDAP after installing upstream MiaB"
+    exit 1
+}
+
+# ensure working directory
+if [ ! -d "tests/system-setup" ]; then
+    echo "This script must be run from the MiaB root directory"
+    exit 1
+fi
+
+# load helper scripts
+. "tests/lib/all.sh" "tests/lib" || die "Could not load lib scripts"
+. "tests/system-setup/setup-defaults.sh" || die "Could not load setup-defaults"
+. "tests/system-setup/setup-funcs.sh" || die "Could not load setup-funcs"
+
+# ensure running as root
+if [ "$EUID" != "0" ]; then
+    die "This script must be run as root (sudo)"
+fi
+
+
+init() {
+    H1 "INIT"
+    init_test_system
+    init_miab_testing || die "Initialization failed"
+}
+
+install_release() {
+    install_dir="$1"
+    H1 "INSTALL RELEASE $MIABLDAP_RELEASE_TAG"
+    [ ! -x /usr/bin/git ] && apt-get install -y -qq git
+    
+    if [ ! -d "$install_dir" ] || [ -z "$(ls -A "$install_dir")" ] ; then
+        H2 "Cloning $MIABLDAP_GIT"
+        rm -rf "$install_dir"
+        git clone "$MIABLDAP_GIT" "$install_dir"
+        if [ $? -ne 0 ]; then
+            rm -rf "$install_dir"
+            die "git clone failed!"
+        fi
+    fi
+
+    pushd "$install_dir" >/dev/null
+    H2 "Checkout $MIABLDAP_RELEASE_TAG"
+    git checkout "$MIABLDAP_RELEASE_TAG" || die "git checkout $MIABLDAP_RELEASE_TAG failed"
+    
+    H2 "Run setup"
+    if ! setup/start.sh; then
+        echo "$F_WARN"
+        dump_file /var/log/syslog 100
+        echo "$F_RESET"
+        die "Release $RELEASE_TAG setup failed!"
+    fi
+    
+    workaround_dovecot_sieve_bug
+
+    H2 "Release info"
+    echo "Code version: $(git describe)"
+    echo "Migration version (miabldap): $(cat "$STORAGE_ROOT/mailinabox-ldap.version")"
+    popd >/dev/null
+}
+
+
+# install basic stuff, set the hostname, time, etc
+init
+
+# install release
+release_dir="$HOME/miabldap_$MIABLDAP_RELEASE_TAG"
+install_release "$release_dir"
+. /etc/mailinabox.conf
+    
+# populate some data
+if [ $# -gt 0 ]; then
+    populate_by_name "$@"
+else
+    populate_by_name "basic" "totpuser"
+fi
+
+# capture release state
+installed_state_capture "/tmp/state/release" "$release_dir"
+
+# install master miab-ldap and capture state
+H2 "New miabldap"
+echo "git branch: $(git branch | grep '*')"
+miab_ldap_install
+installed_state_capture "/tmp/state/master"
+
+# compare states
+if ! installed_state_compare "/tmp/state/release" "/tmp/state/master"; then
+    dump_file "/tmp/state/release/info.txt"
+    dump_file "/tmp/state/master/info.txt"
+    die "Release $RELEASE_TAG and master states are different !"
+fi
+
+#
+# actual verification that mail sends/receives properly is done via
+# the test runner ...
+#
diff --git a/tests/vagrant/Vagrantfile b/tests/vagrant/Vagrantfile
index f3270777..b4ccda3b 100644
--- a/tests/vagrant/Vagrantfile
+++ b/tests/vagrant/Vagrantfile
@@ -49,6 +49,23 @@ tests/runner.sh upgrade-basic upgrade-totpuser default || exit 2
 SH
   end
 
+  # upgrade
+  
+  # this test is only needed when testing migrations from miabldap
+  # to a newer miabldap with a migration step
+  #
+  # upgrade will handle testing upgrades of
+  # miabldap with or without a new migration step
+  config.vm.define "upgrade" do |m1|
+    m1.vm.provision :shell, :inline => <<-SH
+cd /mailinabox
+source tests/vagrant/globals.sh || exit 1
+export PRIMARY_HOSTNAME=upgrade.abc.com
+tests/system-setup/upgrade.sh basic totpuser || exit 1
+tests/runner.sh upgrade-basic upgrade-totpuser default || exit 2
+SH
+  end
+
   # unsetvars: because miab sets bash '-e' to fail any setup script
   # when a script command returns a non-zero exit code, and more
   # importantly '-u' which fails scripts when any unset variable is