From ae3feebd80195bd467262208f2cdada1b3fc458b Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Mon, 3 May 2021 19:04:59 -0400
Subject: [PATCH 01/13] Fix warnings reported by shellcheck

* SC2068: Double quote array expansions to avoid re-splitting elements.
* SC2186: tempfile is deprecated. Use mktemp instead.
* SC2124: Assigning an array to a string! Assign as array, or use * instead of @ to concatenate.
* SC2102: Ranges can only match single chars (mentioned due to duplicates).
* SC2005: Useless echo? Instead of 'echo $(cmd)', just use 'cmd'.
---
 setup/functions.sh    | 9 ++++-----
 setup/mail-postfix.sh | 2 +-
 setup/start.sh        | 2 +-
 3 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/setup/functions.sh b/setup/functions.sh
index 90c4c55d..718a2283 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -9,12 +9,12 @@ function hide_output {
 	# and returns a non-zero exit code.
 
 	# Get a temporary file.
-	OUTPUT=$(tempfile)
+	OUTPUT=$(mktemp)
 
 	# Execute command, redirecting stderr/stdout to the temporary file. Since we
 	# check the return code ourselves, disable 'set -e' temporarily.
 	set +e
-	$@ &> $OUTPUT
+	"$@" &> $OUTPUT
 	E=$?
 	set -e
 
@@ -22,7 +22,7 @@ function hide_output {
 	if [ $E != 0 ]; then
 		# Something failed.
 		echo
-		echo FAILED: $@
+		echo FAILED: "$@"
 		echo -----------------------------------------
 		cat $OUTPUT
 		echo -----------------------------------------
@@ -53,8 +53,7 @@ function apt_install {
 	# install' for all of the packages.  Calling `dpkg` on each package is slow,
 	# and doesn't affect what we actually do, except in the messages, so let's
 	# not do that anymore.
-	PACKAGES=$@
-	apt_get_quiet install $PACKAGES
+	apt_get_quiet install "$@"
 }
 
 function get_default_hostname {
diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh
index 0a66cb0f..b16fd94a 100755
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@@ -191,7 +191,7 @@ tools/editconf.py /etc/postfix/main.cf \
 #
 # In a basic setup we would pass mail directly to Dovecot by setting
 # virtual_transport to `lmtp:unix:private/dovecot-lmtp`.
-tools/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:[127.0.0.1]:10025
+tools/editconf.py /etc/postfix/main.cf "virtual_transport=lmtp:[127.0.0.1]:10025"
 # Because of a spampd bug, limit the number of recipients in each connection.
 # See https://github.com/mail-in-a-box/mailinabox/issues/1523.
 tools/editconf.py /etc/postfix/main.cf lmtp_destination_recipient_limit=1
diff --git a/setup/start.sh b/setup/start.sh
index cedc426d..b4e38e65 100755
--- a/setup/start.sh
+++ b/setup/start.sh
@@ -78,7 +78,7 @@ if [ ! -d $STORAGE_ROOT ]; then
 	mkdir -p $STORAGE_ROOT
 fi
 if [ ! -f $STORAGE_ROOT/mailinabox.version ]; then
-	echo $(setup/migrate.py --current) > $STORAGE_ROOT/mailinabox.version
+	setup/migrate.py --current > $STORAGE_ROOT/mailinabox.version
 	chown $STORAGE_USER.$STORAGE_USER $STORAGE_ROOT/mailinabox.version
 fi
 

From 9b07d86bf786bda73bc8c5ad95d2d9cb9e08be3f Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Mon, 3 May 2021 19:28:23 -0400
Subject: [PATCH 02/13] Use $(...) notation instead of legacy backtick notation
 for embedded shell commands

shellcheck reported

    SC2006: Use $(...) notation instead of legacy backticked `...`.

Fixed by applying shellcheck's diff output as a patch.
---
 setup/bootstrap.sh    | 8 ++++----
 setup/dns.sh          | 2 +-
 setup/firstuser.sh    | 4 ++--
 setup/mail-dovecot.sh | 4 ++--
 setup/management.sh   | 4 ++--
 setup/nextcloud.sh    | 2 +-
 setup/preflight.sh    | 2 +-
 setup/start.sh        | 2 +-
 setup/webmail.sh      | 2 +-
 setup/zpush.sh        | 2 +-
 10 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh
index d804cadf..a9bc2ce8 100644
--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@@ -18,11 +18,11 @@ if [ -z "$TAG" ]; then
 	# space, but if we put it in a comment it would confuse the status checks!)
 	# to get the latest version, so the first such line must be the one that we
 	# want to display in status checks.
-	if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' `" == "Ubuntu 18.04 LTS" ]; then
+	if [ "$(lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' )" == "Ubuntu 18.04 LTS" ]; then
 		# This machine is running Ubuntu 18.04.
 		TAG=v0.53
 
-	elif [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' `" == "Ubuntu 14.04 LTS" ]; then
+	elif [ "$(lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' )" == "Ubuntu 14.04 LTS" ]; then
 		# This machine is running Ubuntu 14.04.
 		echo "You are installing the last version of Mail-in-a-Box that will"
 		echo "support Ubuntu 14.04. If this is a new installation of Mail-in-a-Box,"
@@ -68,11 +68,11 @@ fi
 cd $HOME/mailinabox
 
 # Update it.
-if [ "$TAG" != `git describe` ]; then
+if [ "$TAG" != $(git describe) ]; then
 	echo Updating Mail-in-a-Box to $TAG . . .
 	git fetch --depth 1 --force --prune origin tag $TAG
 	if ! git checkout -q $TAG; then
-		echo "Update failed. Did you modify something in `pwd`?"
+		echo "Update failed. Did you modify something in $(pwd)?"
 		exit 1
 	fi
 	echo
diff --git a/setup/dns.sh b/setup/dns.sh
index 2a1b6da0..b64a6580 100755
--- a/setup/dns.sh
+++ b/setup/dns.sh
@@ -132,7 +132,7 @@ cat > /etc/cron.daily/mailinabox-dnssec << EOF;
 #!/bin/bash
 # Mail-in-a-Box
 # Re-sign any DNS zones with DNSSEC because the signatures expire periodically.
-`pwd`/tools/dns_update
+$(pwd)/tools/dns_update
 EOF
 chmod +x /etc/cron.daily/mailinabox-dnssec
 
diff --git a/setup/firstuser.sh b/setup/firstuser.sh
index e2d6531c..7caec35d 100644
--- a/setup/firstuser.sh
+++ b/setup/firstuser.sh
@@ -1,5 +1,5 @@
 # If there aren't any mail users yet, create one.
-if [ -z "`management/cli.py user`" ]; then
+if [ -z "$(management/cli.py user)" ]; then
 	# The outut of "management/cli.py user" is a list of mail users. If there
 	# aren't any yet, it'll be empty.
 
@@ -10,7 +10,7 @@ if [ -z "`management/cli.py user`" ]; then
 			input_box "Mail Account" \
 				"Let's create your first mail account.
 				\n\nWhat email address do you want?" \
-				me@`get_default_hostname` \
+				me@$(get_default_hostname) \
 				EMAIL_ADDR
 
 			if [ -z "$EMAIL_ADDR" ]; then
diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh
index c6e6cb3a..b569c40d 100755
--- a/setup/mail-dovecot.sh
+++ b/setup/mail-dovecot.sh
@@ -45,8 +45,8 @@ apt_install \
 # - https://www.dovecot.org/list/dovecot/2012-August/137569.html
 # - https://www.dovecot.org/list/dovecot/2011-December/132455.html
 tools/editconf.py /etc/dovecot/conf.d/10-master.conf \
-	default_process_limit=$(echo "`nproc` * 250" | bc) \
-	default_vsz_limit=$(echo "`free -tm  | tail -1 | awk '{print $2}'` / 3" | bc)M \
+	default_process_limit=$(echo "$(nproc) * 250" | bc) \
+	default_vsz_limit=$(echo "$(free -tm  | tail -1 | awk '{print $2}') / 3" | bc)M \
 	log_path=/var/log/mail.log
 
 # The inotify `max_user_instances` default is 128, which constrains
diff --git a/setup/management.sh b/setup/management.sh
index dcef0891..1c57bb2e 100755
--- a/setup/management.sh
+++ b/setup/management.sh
@@ -97,7 +97,7 @@ export LANG=en_US.UTF-8
 export LC_TYPE=en_US.UTF-8
 
 source $venv/bin/activate
-exec python `pwd`/management/daemon.py
+exec python $(pwd)/management/daemon.py
 EOF
 chmod +x $inst_dir/start
 cp --remove-destination conf/mailinabox.service /lib/systemd/system/mailinabox.service # target was previously a symlink so remove it first
@@ -112,7 +112,7 @@ minute=$((RANDOM % 60))  # avoid overloading mailinabox.email
 cat > /etc/cron.d/mailinabox-nightly << EOF;
 # Mail-in-a-Box --- Do not edit / will be overwritten on update.
 # Run nightly tasks: backup, status checks.
-$minute 3 * * *	root	(cd `pwd` && management/daily_tasks.sh)
+$minute 3 * * *	root	(cd $(pwd) && management/daily_tasks.sh)
 EOF
 
 # Start the management server.
diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh
index 200eba9e..98645987 100755
--- a/setup/nextcloud.sh
+++ b/setup/nextcloud.sh
@@ -128,7 +128,7 @@ if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextc
 
 	# Backup the existing ownCloud/Nextcloud.
 	# Create a backup directory to store the current installation and database to
-	BACKUP_DIRECTORY=$STORAGE_ROOT/owncloud-backup/`date +"%Y-%m-%d-%T"`
+	BACKUP_DIRECTORY=$STORAGE_ROOT/owncloud-backup/$(date +"%Y-%m-%d-%T")
 	mkdir -p "$BACKUP_DIRECTORY"
 	if [ -d /usr/local/lib/owncloud/ ]; then
 		echo "Upgrading Nextcloud --- backing up existing installation, configuration, and database to directory to $BACKUP_DIRECTORY..."
diff --git a/setup/preflight.sh b/setup/preflight.sh
index acaf80c9..9d2715c5 100644
--- a/setup/preflight.sh
+++ b/setup/preflight.sh
@@ -8,7 +8,7 @@ if [[ $EUID -ne 0 ]]; then
 fi
 
 # Check that we are running on Ubuntu 18.04 LTS (or 18.04.xx).
-if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' `" != "Ubuntu 18.04 LTS" ]; then
+if [ "$(lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' )" != "Ubuntu 18.04 LTS" ]; then
 	echo "Mail-in-a-Box only supports being installed on Ubuntu 18.04, sorry. You are running:"
 	echo
 	lsb_release -d | sed 's/.*:\s*//'
diff --git a/setup/start.sh b/setup/start.sh
index b4e38e65..0cca66be 100755
--- a/setup/start.sh
+++ b/setup/start.sh
@@ -46,7 +46,7 @@ fi
 # in the first dialog prompt, so we should do this before that starts.
 cat > /usr/local/bin/mailinabox << EOF;
 #!/bin/bash
-cd `pwd`
+cd $(pwd)
 source setup/start.sh
 EOF
 chmod +x /usr/local/bin/mailinabox
diff --git a/setup/webmail.sh b/setup/webmail.sh
index 98e12d1a..55fea631 100755
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -47,7 +47,7 @@ needs_update=0 #NODOC
 if [ ! -f /usr/local/lib/roundcubemail/version ]; then
 	# not installed yet #NODOC
 	needs_update=1 #NODOC
-elif [[ "$UPDATE_KEY" != `cat /usr/local/lib/roundcubemail/version` ]]; then
+elif [[ "$UPDATE_KEY" != $(cat /usr/local/lib/roundcubemail/version) ]]; then
 	# checks if the version is what we want
 	needs_update=1 #NODOC
 fi
diff --git a/setup/zpush.sh b/setup/zpush.sh
index 1a84e86a..783f39a4 100755
--- a/setup/zpush.sh
+++ b/setup/zpush.sh
@@ -27,7 +27,7 @@ TARGETHASH=4b312d64227ef887b24d9cc8f0ae17519586f6e2
 needs_update=0 #NODOC
 if [ ! -f /usr/local/lib/z-push/version ]; then
 	needs_update=1 #NODOC
-elif [[ $VERSION != `cat /usr/local/lib/z-push/version` ]]; then
+elif [[ $VERSION != $(cat /usr/local/lib/z-push/version) ]]; then
 	# checks if the version
 	needs_update=1 #NODOC
 fi

From 69fc2fdd3aa0e1c88d7fa7434560025e1b97848c Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Mon, 3 May 2021 19:41:00 -0400
Subject: [PATCH 03/13] Hide spurrious Nextcloud setup output

---
 setup/nextcloud.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh
index 98645987..3d865359 100755
--- a/setup/nextcloud.sh
+++ b/setup/nextcloud.sh
@@ -312,7 +312,9 @@ sudo -u www-data php /usr/local/lib/owncloud/occ upgrade
 if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi
 
 # Disable default apps that we don't support
-sudo -u www-data php /usr/local/lib/owncloud/occ app:disable photos dashboard activity
+sudo -u www-data \
+	php /usr/local/lib/owncloud/occ app:disable photos dashboard activity \
+	| grep -v "No such app enabled"
 
 # Set PHP FPM values to support large file uploads
 # (semicolon is the comment character in this file, hashes produce deprecation warnings)

From 8a5f9f464ad170da78c0595314cf598ed80797db Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Sat, 8 May 2021 07:59:51 -0400
Subject: [PATCH 04/13] Download Z-Push from alternate site

The old server has been down for a few days.

Solution from https://discourse.mailinabox.email/t/temporary-fix-for-failed-wget-o-tmp-z-push-zip-https-stash-z-hub-io/8028. Fixes #1974.
---
 setup/zpush.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/setup/zpush.sh b/setup/zpush.sh
index 1a84e86a..fa564188 100755
--- a/setup/zpush.sh
+++ b/setup/zpush.sh
@@ -23,7 +23,7 @@ phpenmod -v php imap
 
 # Copy Z-Push into place.
 VERSION=2.6.2
-TARGETHASH=4b312d64227ef887b24d9cc8f0ae17519586f6e2
+TARGETHASH=f0e8091a8030e5b851f5ba1f9f0e1a05b8762d80
 needs_update=0 #NODOC
 if [ ! -f /usr/local/lib/z-push/version ]; then
 	needs_update=1 #NODOC
@@ -33,12 +33,12 @@ elif [[ $VERSION != `cat /usr/local/lib/z-push/version` ]]; then
 fi
 if [ $needs_update == 1 ]; then
 	# Download
-	wget_verify "https://stash.z-hub.io/rest/api/latest/projects/ZP/repos/z-push/archive?at=refs%2Ftags%2F$VERSION&format=zip" $TARGETHASH /tmp/z-push.zip
+	wget_verify "https://github.com/Z-Hub/Z-Push/archive/refs/tags/$VERSION.zip" $TARGETHASH /tmp/z-push.zip
 
 	# Extract into place.
 	rm -rf /usr/local/lib/z-push /tmp/z-push
 	unzip -q /tmp/z-push.zip -d /tmp/z-push
-	mv /tmp/z-push/src /usr/local/lib/z-push
+	mv /tmp/z-push/*/src /usr/local/lib/z-push
 	rm -rf /tmp/z-push.zip /tmp/z-push
 
 	rm -f /usr/sbin/z-push-{admin,top}

From 2e7f2835e734ff1bd02830953b5476fa66866336 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Sat, 8 May 2021 08:12:53 -0400
Subject: [PATCH 05/13] v0.53a

---
 CHANGELOG.md       | 5 +++++
 README.md          | 2 +-
 setup/bootstrap.sh | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a75a9a43..09b4c15e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+v0.53a (May 8, 2021)
+--------------------
+
+The download URL for Z-Push has been revised becaue the old URL stopped working.
+
 v0.53 (April 12, 2021)
 ----------------------
 
diff --git a/README.md b/README.md
index 2813ed73..e08312fa 100644
--- a/README.md
+++ b/README.md
@@ -58,7 +58,7 @@ Clone this repository and checkout the tag corresponding to the most recent rele
 
 	$ git clone https://github.com/mail-in-a-box/mailinabox
 	$ cd mailinabox
-	$ git checkout v0.53
+	$ git checkout v0.53a
 
 Begin the installation.
 
diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh
index d804cadf..80ea2078 100644
--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@@ -20,7 +20,7 @@ if [ -z "$TAG" ]; then
 	# want to display in status checks.
 	if [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' `" == "Ubuntu 18.04 LTS" ]; then
 		# This machine is running Ubuntu 18.04.
-		TAG=v0.53
+		TAG=v0.53a
 
 	elif [ "`lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' `" == "Ubuntu 14.04 LTS" ]; then
 		# This machine is running Ubuntu 14.04.

From 16e81e14392ed70ce36c241b53c83e2751060e5f Mon Sep 17 00:00:00 2001
From: jvolkenant <jeff@volkenant.net>
Date: Sat, 8 May 2021 05:18:49 -0700
Subject: [PATCH 06/13] Fix to allow for non forced "enforce" MTA_STS_MODE
 (#1970)

---
 setup/start.sh |  2 +-
 setup/web.sh   | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/setup/start.sh b/setup/start.sh
index 0cca66be..bd743ac5 100755
--- a/setup/start.sh
+++ b/setup/start.sh
@@ -94,7 +94,7 @@ PUBLIC_IP=$PUBLIC_IP
 PUBLIC_IPV6=$PUBLIC_IPV6
 PRIVATE_IP=$PRIVATE_IP
 PRIVATE_IPV6=$PRIVATE_IPV6
-MTA_STS_MODE=${MTA_STS_MODE-}
+MTA_STS_MODE=${DEFAULT_MTA_STS_MODE:-enforce}
 EOF
 
 # Start service configuration.
diff --git a/setup/web.sh b/setup/web.sh
index 42c301ec..4433ff0d 100755
--- a/setup/web.sh
+++ b/setup/web.sh
@@ -126,13 +126,13 @@ chmod a+r /var/lib/mailinabox/mozilla-autoconfig.xml
 # nginx configuration at /.well-known/mta-sts.txt
 # more documentation is available on: 
 # https://www.uriports.com/blog/mta-sts-explained/
-# default mode is "enforce". Change to "testing" which means
-# "Messages will be delivered as though there was no failure
-# but a report will be sent if TLS-RPT is configured" if you
-# are not sure you want this yet. Or "none".
+# default mode is "enforce". In /etc/mailinabox.conf change
+# "MTA_STS_MODE=testing" which means "Messages will be delivered
+# as though there was no failure but a report will be sent if
+# TLS-RPT is configured" if you are not sure you want this yet. Or "none".
 PUNY_PRIMARY_HOSTNAME=$(echo "$PRIMARY_HOSTNAME" | idn2)
 cat conf/mta-sts.txt \
-        | sed "s/MODE/${MTA_STS_MODE:-enforce}/" \
+        | sed "s/MODE/${MTA_STS_MODE}/" \
         | sed "s/PRIMARY_HOSTNAME/$PUNY_PRIMARY_HOSTNAME/" \
          > /var/lib/mailinabox/mta-sts.txt
 chmod a+r /var/lib/mailinabox/mta-sts.txt

From 49813534bdaeaa82e3ac1ee70b78e91af5783dba Mon Sep 17 00:00:00 2001
From: jvolkenant <jeff@volkenant.net>
Date: Sat, 8 May 2021 05:24:04 -0700
Subject: [PATCH 07/13] Updated Nextcloud to 20.0.8, contacts to 3.5.1,
 calendar to 2.2.0 (#1960)

---
 setup/nextcloud.sh | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh
index 3d865359..57e5e039 100755
--- a/setup/nextcloud.sh
+++ b/setup/nextcloud.sh
@@ -97,12 +97,12 @@ InstallNextcloud() {
 }
 
 # Nextcloud Version to install. Checks are done down below to step through intermediate versions.
-nextcloud_ver=20.0.1
-nextcloud_hash=f2b3faa570c541df73f209e873a1c2852e79eab8
-contacts_ver=3.4.1
-contacts_hash=aee680a75e95f26d9285efd3c1e25cf7f3bfd27e
-calendar_ver=2.1.2
-calendar_hash=930c07863bb7a65652dec34793802c8d80502336
+nextcloud_ver=20.0.8
+nextcloud_hash=372b0b4bb07c7984c04917aff86b280e68fbe761
+contacts_ver=3.5.1
+contacts_hash=d2ffbccd3ed89fa41da20a1dff149504c3b33b93
+calendar_ver=2.2.0
+calendar_hash=673ad72ca28adb8d0f209015ff2dca52ffad99af
 user_external_ver=1.0.0
 user_external_hash=3bf2609061d7214e7f0f69dd8883e55c4ec8f50a
 

From 12aaebfc54972cab4edd990f1eec519535314a69 Mon Sep 17 00:00:00 2001
From: Jawad Seddar <jawad.seddar@gmail.com>
Date: Sat, 8 May 2021 14:25:33 +0200
Subject: [PATCH 08/13] `custom.yaml`: add support for X-Frame-Options header
 and proxy_redirect off (#1954)

---
 management/web_update.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/management/web_update.py b/management/web_update.py
index 83aa91bf..5048cbab 100644
--- a/management/web_update.py
+++ b/management/web_update.py
@@ -160,17 +160,27 @@ def make_domain_config(domain, templates, ssl_certificates, env):
 			for path, url in yaml.get("proxies", {}).items():
 				# Parse some flags in the fragment of the URL.
 				pass_http_host_header = False
+				proxy_redirect_off = False
+				frame_options_header_sameorigin = False
 				m = re.search("#(.*)$", url)
 				if m:
 					for flag in m.group(1).split(","):
 						if flag == "pass-http-host":
 							pass_http_host_header = True
+						elif flag == "no-proxy-redirect":
+							proxy_redirect_off = True
+						elif flag == "frame-options-sameorigin":
+							frame_options_header_sameorigin = True
 					url = re.sub("#(.*)$", "", url)
 
 				nginx_conf_extra += "\tlocation %s {" % path
 				nginx_conf_extra += "\n\t\tproxy_pass %s;" % url
+				if proxy_redirect_off:
+					nginx_conf_extra += "\n\t\tproxy_redirect off;"
 				if pass_http_host_header:
 					nginx_conf_extra += "\n\t\tproxy_set_header Host $http_host;"
+				if frame_options_header_sameorigin:
+					nginx_conf_extra += "\n\t\tproxy_set_header X-Frame-Options SAMEORIGIN;"
 				nginx_conf_extra += "\n\t\tproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
 				nginx_conf_extra += "\n\t\tproxy_set_header X-Forwarded-Host $http_host;"
 				nginx_conf_extra += "\n\t\tproxy_set_header X-Forwarded-Proto $scheme;"
@@ -251,3 +261,4 @@ def get_web_domains_info(env):
 		}
 		for domain in get_web_domains(env)
 	]
+

From bc4ae51c2d19c7753d1c2e65bc26b443dd5048c8 Mon Sep 17 00:00:00 2001
From: Hala Alajlan <36444614+halaalajlan@users.noreply.github.com>
Date: Sat, 8 May 2021 15:26:40 +0300
Subject: [PATCH 09/13] Handle query dns timeout unhandled error (#1950)

Co-authored-by: hala alajlan <halalajlan@gmail.com>
---
 management/status_checks.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/management/status_checks.py b/management/status_checks.py
index 607fd578..1b2a16ca 100755
--- a/management/status_checks.py
+++ b/management/status_checks.py
@@ -664,6 +664,8 @@ def check_mail_domain(domain, env, output):
 
 	if mx is None:
 		mxhost = None
+	elif mx == "[timeout]":
+        mxhost = None
 	else:
 		# query_dns returns a semicolon-delimited list
 		# of priority-host pairs.

From 3701e05d925fe780e1a43e4d54b247473136f841 Mon Sep 17 00:00:00 2001
From: Thomas Urban <soletan@users.noreply.github.com>
Date: Sat, 8 May 2021 14:30:53 +0200
Subject: [PATCH 10/13] Rewrite envelope from address in sieve forwards (#1949)

Fixes #1946.
---
 setup/mail-dovecot.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh
index b569c40d..26d32895 100755
--- a/setup/mail-dovecot.sh
+++ b/setup/mail-dovecot.sh
@@ -183,6 +183,7 @@ plugin {
   sieve_after = $STORAGE_ROOT/mail/sieve/global_after
   sieve = $STORAGE_ROOT/mail/sieve/%d/%n.sieve
   sieve_dir = $STORAGE_ROOT/mail/sieve/%d/%n
+  sieve_redirect_envelope_from = recipient
 }
 EOF
 

From d4c5872547ee0222759be7c195a358698c5dfa66 Mon Sep 17 00:00:00 2001
From: "John @ S4" <64874788+John-S4@users.noreply.github.com>
Date: Sat, 8 May 2021 05:32:58 -0700
Subject: [PATCH 11/13] Make clear that non-AWS S3 backups are supported
 (#1947)

Just a few wording changes to show that it is possible to make S3 backups to other services than AWS - prompted by a thread on MIAB discourse.
---
 management/templates/system-backup.html | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/management/templates/system-backup.html b/management/templates/system-backup.html
index 7cdc3803..a63b38e6 100644
--- a/management/templates/system-backup.html
+++ b/management/templates/system-backup.html
@@ -5,7 +5,7 @@
 
 <h2>Backup Status</h2>
 
-<p>The box makes an incremental backup each night. By default the backup is stored on the machine itself, but you can also have it stored on Amazon S3.</p>
+<p>The box makes an incremental backup each night. By default the backup is stored on the machine itself, but you can also store in on S3-compatible services like Amazon Web Services (AWS).</p>
 
 <h3>Configuration</h3>
 
@@ -17,7 +17,7 @@
         <option value="off">Nowhere (Disable Backups)</option>
         <option value="local">{{hostname}}</option>
         <option value="rsync">rsync</option>
-        <option value="s3">Amazon S3</option>
+        <option value="s3">S3 (Amazon or compatible) </option>
         <option value="b2">Backblaze B2</option>
       </select>
     </div>
@@ -73,8 +73,8 @@
   <!-- S3 BACKUP -->
   <div class="form-group backup-target-s3">
     <div class="col-sm-10 col-sm-offset-2">
-      <p>Backups are stored in an Amazon Web Services S3 bucket. You must have an AWS account already.</p>
-      <p>You MUST manually copy the encryption password from <tt class="backup-encpassword-file"></tt> to a safe and secure location. You will need this file to decrypt backup files. It is NOT stored in your Amazon S3 bucket.</p>
+      <p>Backups are stored in an S3-compatible bucket. You must have an AWS or other S3 service account already.</p>
+      <p>You MUST manually copy the encryption password from <tt class="backup-encpassword-file"></tt> to a safe and secure location. You will need this file to decrypt backup files. It is <b>NOT</b> stored in your S3 bucket.</p>
     </div>
   </div>
   <div class="form-group backup-target-s3">
@@ -84,7 +84,7 @@
         {% for name, host in backup_s3_hosts %}
           <option value="{{host}}">{{name}}</option>
         {% endfor %}
-        <option value="other">Other</option>
+        <option value="other">Other (non AWS)</option>
       </select>
     </div>
   </div>
@@ -343,4 +343,4 @@ function init_inputs(target_type) {
     set_host($('#backup-target-s3-host-select').val());
   }
 }
-</script>
\ No newline at end of file
+</script>

From dbd6dae5ceda7cc0ce2c132be1f0b795f0a2c363 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Sat, 8 May 2021 09:01:40 -0400
Subject: [PATCH 12/13] Fix exit status issue cased by 69fc2fdd

---
 setup/nextcloud.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh
index 57e5e039..af848344 100755
--- a/setup/nextcloud.sh
+++ b/setup/nextcloud.sh
@@ -314,7 +314,7 @@ if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi
 # Disable default apps that we don't support
 sudo -u www-data \
 	php /usr/local/lib/owncloud/occ app:disable photos dashboard activity \
-	| grep -v "No such app enabled"
+	| (grep -v "No such app enabled" || /bin/true)
 
 # Set PHP FPM values to support large file uploads
 # (semicolon is the comment character in this file, hashes produce deprecation warnings)

From aaa81ec87979decb50a352bee30d93e3d748439d Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Sat, 8 May 2021 09:06:18 -0400
Subject: [PATCH 13/13] Fix indentation issue in
 bc4ae51c2d19c7753d1c2e65bc26b443dd5048c8

---
 management/status_checks.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/management/status_checks.py b/management/status_checks.py
index 1b2a16ca..67b26974 100755
--- a/management/status_checks.py
+++ b/management/status_checks.py
@@ -665,7 +665,7 @@ def check_mail_domain(domain, env, output):
 	if mx is None:
 		mxhost = None
 	elif mx == "[timeout]":
-        mxhost = None
+		mxhost = None
 	else:
 		# query_dns returns a semicolon-delimited list
 		# of priority-host pairs.