Merge branch 'master' into reversedns

2017-04-01 11:57:58 +02:00 · 2017-04-01 11:57:58 +02:00 · 74cefa30fd
parent 7fc37a267d 255a65ac98
commit 74cefa30fd
59 changed files with 2587 additions and 522 deletions
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,30 @@
 # EditorConfig helps developers define and maintain consistent
 # coding styles between different editors and IDEs
 # editorconfig.org
 root = true
 [*]
 indent_style = space
 indent_size = 4
 end_of_line = lf
 charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
 [Makefile]
 indent_style = tabs
 indent_size = 4
 [Vagrantfile]
 indent_size = 2
 [*.rb]
 indent_size = 2
 [*.py]
 indent_style = tabs
 [*.js]
 indent_size = 2
--- a/.gitignore
+++ b/.gitignore
@ -4,3 +4,4 @@ management/__pycache__/
 tools/__pycache__/
 externals/
 .env
 .vagrant
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,6 +1,195 @@
 CHANGELOG
 =========
 In Development
 --------------
 Mail:
 * The CardDAV plugin has been added to Roundcube so that your ownCloud contacts are available in webmail.
 * Upgraded to Roundcube 1.2.4 and updated the persistent login plugin.
 * Allow larger messages to be checked by SpamAssassin.
 * Dovecot's vsz memory limit has been increased proportional to system memory.
 * Newly set user passwords must be at least eight characters.
 ownCloud:
 * Upgraded to ownCloud 9.1.4.
 Control Panel/Management:
 * The status checks page crashed when the mailinabox.email website was down - that's fixed.
 * Made nightly re-provisioning of TLS certificates less noisy.
 * Fixed bugs in rsync backup method and in the list of recent backups.
 * Fixed incorrect status checks errors about IPv6 addresses.
 * Fixed incorrect status checks errors for secondary nameservers if round-robin custom A records are set.
 * The management mail_log.py tool has been rewritten.
 DNS:
 * Added support for DSA, ED25519, and custom SSHFP records.
 System:
 * The SSH fail2ban jail was not activated.
 Installation:
 * At the end of installation, the SHA256 -- rather than SHA1 -- hash of the system's TLS certificate is shown.
 v0.21c (February 1, 2017)
 -------------------------
 Installations and upgrades started failing about 10 days ago with the error "ImportError: No module named 'packaging'" after an upstream package (Python's setuptools) was updated by its maintainers. The updated package conflicted with Ubuntu 14.04's version of another package (Python's pip). This update upgrades both packages to remove the conflict.
 If you already encountered the error during installation or upgrade of Mail-in-a-Box, this update may not correct the problem on your existing system. See https://discourse.mailinabox.email/t/v0-21c-release-fixes-python-package-installation-issue/1881 for help if the problem persists after upgrading to this version of Mail-in-a-Box.
 v0.21b (December 4, 2016)
 -------------------------
 This update corrects a first-time installation issue introduced in v0.21 caused by the new Exchange/ActiveSync feature.
 v0.21 (November 30, 2016)
 -------------------------
 This version updates ownCloud, which may include security fixes, and makes some other smaller improvements.
 Mail:
 * Header privacy filters were improperly running on the contents of forwarded email --- that's fixed.
 * We have another go at fixing a long-standing issue with training the spam filter (because of a file permissions issue).
 * Exchange/ActiveSync will now use your display name set in Roundcube in the From: line of outgoing email.
 ownCloud:
 * Updated ownCloud to version 9.1.1.
 Control panel:
 * Backups can now be made using rsync-over-ssh!
 * Status checks failed if the system doesn't support iptables or doesn't have ufw installed.
 * Added support for SSHFP records when sshd listens on non-standard ports.
 * Recommendations for TLS certificate providers were removed now that everyone mostly uses Let's Encrypt.
 System:
 * Ubuntu's "Upgrade to 16.04" notice is suppressed since you should not do that.
 * Lowered memory requirements to 512MB, display a warning if system memory is below 768MB.
 v0.20 (September 23, 2016)
 --------------------------
 ownCloud:
 * Updated to ownCloud to 8.2.7.
 Control Panel:
 * Fixed a crash that occurs when there are IPv6 DNS records due to a bug in dnspython 1.14.0.
 * Improved the wonky low disk space check.
 v0.19b (August 20, 2016)
 ------------------------
 This update corrects a security issue introduced in v0.18.
 * A remote code execution vulnerability is corrected in how the munin system monitoring graphs are generated for the control panel. The vulnerability involves an administrative user visiting a carefully crafted URL.
 v0.19a (August 18, 2016)
 ------------------------
 This update corrects a security issue in v0.19.
 * fail2ban won't start if Roundcube had not yet been used - new installations probably do not have fail2ban running.
 v0.19 (August 13, 2016)
 -----------------------
 Mail:
 * Roundcube is updated to version 1.2.1.
 * SSLv3 and RC4 are now no longer supported in incoming and outgoing mail (SMTP port 25).
 Control panel:
 * The users and aliases APIs are now documented on their control panel pages.
 * The HSTS header was missing.
 * New status checks were added for the ufw firewall.
 DNS:
 * Add SRV records for CardDAV/CalDAV to facilitate autoconfiguration (e.g. in DavDroid, whose latest version didn't seem to work to configure with entering just a hostname).
 System:
 * fail2ban jails added for SMTP submission, Roundcube, ownCloud, the control panel, and munin.
 * Mail-in-a-Box can now be installed on the i686 architecture.
 v0.18c (June 2, 2016)
 ---------------------
 * Domain aliases (and misconfigured aliases/catch-alls with non-existent local targets) would accept mail and deliver it to new mailbox folders on disk even if the target address didn't correspond with an existing mail user, instead of rejecting the mail. This issue was introduced in v0.18.
 * The Munin Monitoring link in the control panel now opens a new window.
 * Added an undocumented before-backup script.
 v0.18b (May 16, 2016)
 ---------------------
 * Fixed a Roundcube user accounts issue introduced in v0.18.
 v0.18 (May 15, 2016)
 --------------------
 ownCloud:
 * Updated to ownCloud to 8.2.3 
 Mail:
 * Roundcube is updated to version 1.1.5 and the Roundcube login screen now says "[hostname] Webmail" instead of "Mail-in-a-Box/Roundcube webmail".
 * Fixed a long-standing issue with training the spam filter not working (because of a file permissions issue).
 Control panel:
 * Munin system monitoring graphs are now zoomable.
 * When a reboot is required (due to Ubuntu security updates automatically installed), a Reboot Box button now appears on the System Status Checks page of the control panel.
 * It is now possible to add SRV and secondary MX records in the Custom DNS page.
 * Other minor fixes.
 System:
 * The fail2ban recidive jail, which blocks long-duration brute force attacks, now no longer sends the administrator emails (which were not helpful).
 Setup:
 * The system hostname is now set during setup.
 * A swap file is now created if system memory is less than 2GB, 5GB of free disk space is available, and if no swap file yet exists.
 * We now install Roundcube from the official GitHub repository instead of our own mirror, which we had previously created to solve problems with SourceForge.
 * DKIM was incorrectly set up on machines where "localhost" was defined as something other than "127.0.0.1".
 v0.17c (April 1, 2016)
 ----------------------
 This update addresses some minor security concerns and some installation issues.
 ownCoud:
 * Block web access to the configuration parameters (config.php). There is no immediate impact (see [#776](https://github.com/mail-in-a-box/mailinabox/pull/776)), although advanced users may want to take note.
 Mail:
 * Roundcube html5_notifier plugin updated from version 0.6 to 0.6.2 to fix Roundcube getting stuck for some people.
 Control panel:
 * Prevent click-jacking of the management interface by adding HTTP headers.
 * Failed login no longer reveals whether an account exists on the system.
 Setup:
 * Setup dialogs did not appear correctly when connecting to SSH using Putty on Windows.
 * We now install Roundcube from our own mirror because Sourceforge's downloads experience frequent intermittant unavailability.
 v0.17b (March 1, 2016)
 ----------------------
@ -39,7 +228,6 @@ v0.16 (January 30, 2016)
 ------------------------
 This update primarily adds automatic SSL (now "TLS") certificate provisioning from Let's Encrypt (https://letsencrypt.org/).
 * The Sieve port is now open so tools like the Thunderbird Sieve program can be used to edit mail filters.
 Control Panel:
@ -478,4 +666,4 @@ v0.02 (September 21, 2014)
 v0.01 (August 19, 2014)
 -----------------------
-First release.
+First versioned release after a year of unversioned development.
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@ -0,0 +1,48 @@
 # Mail-in-a-Box Code of Conduct
 Mail-in-a-Box is an open source community project about working, as a group, to empower ourselves and others to have control over our own digital communications. Just as we hope to increase technological diversity on the Internet through decentralization, we also believe that diverse viewpoints and voices among our community members foster innovation and creative solutions to the challenges we face.
 We are committed to providing a safe, welcoming, and harrassment-free space for collaboration, for everyone, without regard to age, disability, economic situation, ethnicity, gender identity and expression, language fluency, level of knowledge or experience, nationality, personal appearance, race, religion, sexual identity and orientation, or any other attribute. Community comes first. This policy supersedes all other project goals.
 The maintainers of Mail-in-a-Box share the dual responsibility of leading by example and enforcing these policies as necessary to maintain an open and welcoming environment. All community members should be excellent to each other.
 ## Scope
 This Code of Conduct applies to all places where Mail-in-a-Box community activity is ocurring, including on GitHub, in discussion forums, on Slack, on social media, and in real life. The Code of Conduct applies not only on websites/at events run by the Mail-in-a-Box community (e.g. our GitHub organization, our Slack team) but also at any other location where the Mail-in-a-Box community is present (e.g. in issues of other GitHub organizations where Mail-in-a-Box community members are discussing problems related to Mail-in-a-Box, or real-life professional conferences), or whenever a Mail-in-a-Box community member is representing Mail-in-a-Box to the public at large or acting on behalf of Mail-in-a-Box.
 This code does not apply to activity on a server running Mail-in-a-Box software, unless your server is hosting a service for the Mail-in-a-Box community at large.
 ## Our Standards
 Examples of behavior that contributes to creating a positive environment include:
 * Using welcoming and inclusive language
 * Being respectful of differing viewpoints and experiences
 * Gracefully accepting constructive criticism
 * Showing empathy towards other community members
 * Making room for new and quieter voices
 Examples of unacceptable behavior by participants include:
 * The use of sexualized language or imagery and unwelcome sexual attention or advances
 * Trolling, insulting/derogatory/unwelcome comments, and personal or political attacks
 * Public or private harassment
 * Publishing others' private information, such as a physical or electronic address, without explicit permission
 * Aggressive and micro-aggressive behavior, such as unconstructive criticism, providing corrections that do not improve the conversation (sometimes referred to as "well actually"s), repeatedly interrupting or talking over someone else, feigning surprise at someone's lack of knowledge or awareness about a topic, or subtle prejudice (for example, comments like "That's so easy my grandmother could do it.", which is prejudicial toward grandmothers).
 * Other conduct which could reasonably be considered inappropriate in a professional setting
 * Retaliating against anyone who reports a violation of this code.
 We will not tolerate harassment. Harassment is any unwelcome or hostile behavior towards another person for any reason. This includes, but is not limited to, offensive verbal comments related to personal characteristics or choices, sexual images or comments, deliberate intimidation, bullying, stalking, following, harassing photography or recording, sustained disruption of discussion or events, nonconsensual publication of private comments, inappropriate physical contact, or unwelcome sexual attention. Conduct need not be intentional to be harassment.
 ## Enforcement
 We will remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not consistent with this Code of Conduct. We may ban, temporarily or permanently, any contributor for violating this code, when appropriate.
 Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project lead, [Joshua Tauberer](https://razor.occams.info/). All reports will be treated confidentially, impartially, consistently, and swiftly.
 Because the need for confidentiality for all parties involved in an enforcement action outweighs the goals of openness, limited information will be shared with the Mail-in-a-Box community regarding enforcement actions that have taken place.
 ## Attribution
 This Code of Conduct is adapted from the [Contributor Covenant, version 1.4](http://contributor-covenant.org/version/1/4) and the code of conduct of [Code for DC](http://codefordc.org/resources/codeofconduct.html).
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -5,3 +5,7 @@ This project is in the public domain. Copyright and related rights in the work w
 All contributions to this project must be released under the same CC0 wavier. By submitting a pull request or patch, you are agreeing to comply with this waiver of copyright interest.
 [CC0]: http://creativecommons.org/publicdomain/zero/1.0/
 ## Code of Conduct
 This project has a [Code of Conduct](CODE_OF_CONDUCT.md). Please review it when joining our community.
--- a/README.md
+++ b/README.md
@ -9,15 +9,15 @@ Mail-in-a-Box helps individuals take back control of their email by defining a o
 * * *
-I am trying to:
+Our goals are to:
 * Make deploying a good mail server easy.
 * Promote [decentralization](http://redecentralize.org/), innovation, and privacy on the web.
-* Have automated, auditable, and [idempotent](http://sharknet.us/2014/02/01/automated-configuration-management-challenges-with-idempotency/) configuration.
+* Have automated, auditable, and [idempotent](https://sharknet.us/2014/02/01/automated-configuration-management-challenges-with-idempotency/) configuration.
 * **Not** make a totally unhackable, NSA-proof server.
 * **Not** make something customizable by power users.
-This setup is what has been powering my own personal email since September 2013.
+Additionally, this project has a [Code of Conduct](CODE_OF_CONDUCT.md), which supersedes the goals above. Please review it when joining our community.
 The Box
 -------
@ -28,10 +28,10 @@ It is a one-click email appliance. There are no user-configurable setup options.
 The components installed are:
-* SMTP ([postfix](http://www.postfix.org/)), IMAP ([dovecot](http://dovecot.org/)), CardDAV/CalDAV ([ownCloud](http://owncloud.org/)), Exchange ActiveSync ([z-push](https://github.com/fmbiete/Z-Push-contrib))
+* SMTP ([postfix](http://www.postfix.org/)), IMAP ([dovecot](http://dovecot.org/)), CardDAV/CalDAV ([ownCloud](https://owncloud.org/)), Exchange ActiveSync ([z-push](https://github.com/fmbiete/Z-Push-contrib))
 * Webmail ([Roundcube](http://roundcube.net/)), static website hosting ([nginx](http://nginx.org/))
 * Spam filtering ([spamassassin](https://spamassassin.apache.org/)), greylisting ([postgrey](http://postgrey.schweikert.ch/))
-* DNS ([nsd4](http://www.nlnetlabs.nl/projects/nsd/)) with [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework), DKIM ([OpenDKIM](http://www.opendkim.org/)), [DMARC](https://en.wikipedia.org/wiki/DMARC), [DNSSEC](https://en.wikipedia.org/wiki/DNSSEC), [DANE TLSA](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities), and [SSHFP](https://tools.ietf.org/html/rfc4255) records automatically set
+* DNS ([nsd4](https://www.nlnetlabs.nl/projects/nsd/)) with [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework), DKIM ([OpenDKIM](http://www.opendkim.org/)), [DMARC](https://en.wikipedia.org/wiki/DMARC), [DNSSEC](https://en.wikipedia.org/wiki/DNSSEC), [DANE TLSA](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities), and [SSHFP](https://tools.ietf.org/html/rfc4255) records automatically set
 * Backups ([duplicity](http://duplicity.nongnu.org/)), firewall ([ufw](https://launchpad.net/ufw)), intrusion protection ([fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page)), system monitoring ([munin](http://munin-monitoring.org/))
 It also includes:
@ -59,7 +59,7 @@ by me:
 	$ curl -s https://keybase.io/joshdata/key.asc | gpg --import
 	gpg: key C10BDD81: public key "Joshua Tauberer <jt@occams.info>" imported
-	$ git verify-tag v0.17b
+	$ git verify-tag v0.21c
 	gpg: Signature made ..... using RSA key ID C10BDD81
 	gpg: Good signature from "Joshua Tauberer <jt@occams.info>"
 	gpg: WARNING: This key is not certified with a trusted signature!
@ -72,7 +72,7 @@ and on my [personal homepage](https://razor.occams.info/). (Of course, if this r
 Checkout the tag corresponding to the most recent release:
-	$ git checkout v0.17b
+	$ git checkout v0.21c
 Begin the installation.
@ -85,7 +85,7 @@ Post your question on the [discussion forum](https://discourse.mailinabox.email/
 The Acknowledgements
 --------------------
-This project was inspired in part by the ["NSA-proof your email in 2 hours"](http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/) blog post by Drew Crawford, [Sovereign](https://github.com/al3x/sovereign) by Alex Payne, and conversations with <a href="http://twitter.com/shevski" target="_blank">@shevski</a>, <a href="https://github.com/konklone" target="_blank">@konklone</a>, and <a href="https://github.com/gregelin" target="_blank">@GregElin</a>.
+This project was inspired in part by the ["NSA-proof your email in 2 hours"](http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/) blog post by Drew Crawford, [Sovereign](https://github.com/sovereign/sovereign) by Alex Payne, and conversations with <a href="https://twitter.com/shevski" target="_blank">@shevski</a>, <a href="https://github.com/konklone" target="_blank">@konklone</a>, and <a href="https://github.com/gregelin" target="_blank">@GregElin</a>.
 Mail-in-a-Box is similar to [iRedMail](http://www.iredmail.org/) and [Modoboa](https://github.com/tonioo/modoboa).
@ -95,5 +95,5 @@ The History
 * In 2007 I wrote a relatively popular Mozilla Thunderbird extension that added client-side SPF and DKIM checks to mail to warn users about possible phishing: [add-on page](https://addons.mozilla.org/en-us/thunderbird/addon/sender-verification-anti-phish/), [source](https://github.com/JoshData/thunderbird-spf).
 * In August 2013 I began Mail-in-a-Box by combining my own mail server configuration with the setup in ["NSA-proof your email in 2 hours"](http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/) and making the setup steps reproducible with bash scripts.
 * Mail-in-a-Box was a semifinalist in the 2014 [Knight News Challenge](https://www.newschallenge.org/challenge/2014/submissions/mail-in-a-box), but it was not selected as a winner.
-* Mail-in-a-Box hit the front page of Hacker News in [April](https://news.ycombinator.com/item?id=7634514) 2014, [September](https://news.ycombinator.com/item?id=8276171) 2014, and [May](https://news.ycombinator.com/item?id=9624267) 2015.
+* Mail-in-a-Box hit the front page of Hacker News in [April](https://news.ycombinator.com/item?id=7634514) 2014, [September](https://news.ycombinator.com/item?id=8276171) 2014, [May](https://news.ycombinator.com/item?id=9624267) 2015, and [November](https://news.ycombinator.com/item?id=13050500) 2016.
 * FastCompany mentioned Mail-in-a-Box a [roundup of privacy projects](http://www.fastcompany.com/3047645/your-own-private-cloud) on June 26, 2015.
--- a/14
+++ b/14
@ -5,23 +5,27 @@ Vagrant.configure("2") do |config|
  config.vm.box = "ubuntu14.04"
  config.vm.box_url = "http://cloud-images.ubuntu.com/vagrant/trusty/current/trusty-server-cloudimg-amd64-vagrant-disk1.box"
  if Vagrant.has_plugin?("vagrant-cachier")
    # Configure cached packages to be shared between instances of the same base box.
    # More info on http://fgrehm.viewdocs.io/vagrant-cachier/usage
    config.cache.scope = :box
  end
  # Network config: Since it's a mail server, the machine must be connected
  # to the public web. However, we currently don't want to expose SSH since
  # the machine's box will let anyone log into it. So instead we'll put the
  # machine on a private network.
-  config.vm.hostname = "mailinabox"
+  config.vm.hostname = "mailinabox.lan"
  config.vm.network "private_network", ip: "192.168.50.4"
  config.vm.provision :shell, :inline => <<-SH
 	# Set environment variables so that the setup script does
 	# not ask any questions during provisioning. We'll let the
-	# machine figure out its own public IP and it'll take a
+	# machine figure out its own public IP.
 	# subdomain on our justtesting.email domain so we can get
 	# started quickly.
    export NONINTERACTIVE=1
    export PUBLIC_IP=auto
    export PUBLIC_IPV6=auto
-    export PRIMARY_HOSTNAME=auto-easy
+    export PRIMARY_HOSTNAME=auto
    #export SKIP_NETWORK_CHECKS=1
    # Start the setup script.
--- a/conf/fail2ban/filter.d/dovecotimap.conf
+++ b/conf/fail2ban/filter.d/dovecotimap.conf
--- a/conf/fail2ban/filter.d/miab-management-daemon.conf
+++ b/conf/fail2ban/filter.d/miab-management-daemon.conf
@ -0,0 +1,12 @@
 # Fail2Ban filter Mail-in-a-Box management daemon
 [INCLUDES]
 before = common.conf
 [Definition]
 _daemon = mailinabox
 failregex = Mail-in-a-Box Management Daemon: Failed login attempt from ip <HOST> - timestamp .*
 ignoreregex =
--- a/conf/fail2ban/filter.d/miab-munin.conf
+++ b/conf/fail2ban/filter.d/miab-munin.conf
@ -0,0 +1,7 @@
 [INCLUDES]
 before = common.conf
 [Definition]
 failregex=<HOST> - .*GET /admin/munin/.* HTTP/1.1\" 401.*
 ignoreregex =
--- a/conf/fail2ban/filter.d/miab-owncloud.conf
+++ b/conf/fail2ban/filter.d/miab-owncloud.conf
@ -0,0 +1,7 @@
 [INCLUDES]
 before = common.conf
 [Definition]
 failregex=Login failed: .*Remote IP: '<HOST>[\)']
 ignoreregex =
--- a/conf/fail2ban/filter.d/miab-postfix-submission.conf
+++ b/conf/fail2ban/filter.d/miab-postfix-submission.conf
@ -0,0 +1,7 @@
 [INCLUDES]
 before = common.conf
 [Definition]
 failregex=postfix/submission/smtpd.*warning.*\[<HOST>\]: .* authentication (failed|aborted)
 ignoreregex =
--- a/conf/fail2ban/filter.d/miab-roundcube.conf
+++ b/conf/fail2ban/filter.d/miab-roundcube.conf
@ -0,0 +1,9 @@
 [INCLUDES]
 before = common.conf
 [Definition]
 failregex = IMAP Error: Login failed for .*? from <HOST>\. AUTHENTICATE.*
 ignoreregex = 
--- a/conf/fail2ban/jail.local
+++ b/conf/fail2ban/jail.local
@ -1,29 +0,0 @@
 # Fail2Ban configuration file for Mail-in-a-Box
 [DEFAULT]
 # Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks
 # ping services over the public interface so we should whitelist that address of
 # ours too. The string is substituted during installation.
 ignoreip = 127.0.0.1/8 PUBLIC_IP
 # JAILS
 [ssh]
 maxretry = 7
 bantime = 3600
 [ssh-ddos]
 enabled  = true
 [sasl]
 enabled  = true
 [dovecot]
 enabled = true
 filter  = dovecotimap
 findtime = 30
 maxretry = 20
 [recidive]
 enabled  = true
 maxretry = 10
--- a/conf/fail2ban/jails.conf
+++ b/conf/fail2ban/jails.conf
@ -0,0 +1,81 @@
 # Fail2Ban configuration file for Mail-in-a-Box. Do not edit.
 # This file is re-generated on updates.
 [DEFAULT]
 # Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks
 # ping services over the public interface so we should whitelist that address of
 # ours too. The string is substituted during installation.
 ignoreip = 127.0.0.1/8 PUBLIC_IP
 [dovecot]
 enabled = true
 filter  = dovecotimap
 logpath = /var/log/mail.log
 findtime = 30
 maxretry = 20
 [miab-management]
 enabled = true
 filter = miab-management-daemon
 port = http,https
 logpath = /var/log/syslog
 maxretry = 20
 findtime = 30
 [miab-munin]
 enabled  = true
 port     = http,https
 filter   = miab-munin
 logpath  = /var/log/nginx/access.log
 maxretry = 20
 findtime = 30
 [miab-owncloud]
 enabled  = true
 port     = http,https
 filter   = miab-owncloud
 logpath  = STORAGE_ROOT/owncloud/owncloud.log
 maxretry = 20
 findtime = 120
 [miab-postfix587]
 enabled  = true
 port     = 587
 filter   = miab-postfix-submission
 logpath  = /var/log/mail.log
 maxretry = 20
 findtime = 30
 [miab-roundcube]
 enabled  = true
 port     = http,https
 filter   = miab-roundcube
 logpath  = /var/log/roundcubemail/errors
 maxretry = 20
 findtime = 30
 [recidive]
 enabled  = true
 maxretry = 10
 action   = iptables-allports[name=recidive]
 # In the recidive section of jail.conf the action contains:
 #
 # action   = iptables-allports[name=recidive]
 #            sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
 #
 # The last line on the action will sent an email to the configured address. This mail will
 # notify the administrator that someone has been repeatedly triggering one of the other jails.
 # By default we don't configure this address and no action is required from the admin anyway.
 # So the notification is ommited. This will prevent message appearing in the mail.log that mail
 # can't be delivered to fail2ban@$HOSTNAME.
 [sasl]
 enabled  = true
 [ssh]
 enabled = true
 maxretry = 7
 bantime = 3600
 [ssh-ddos]
 enabled  = true
--- a/conf/nginx-primaryonly.conf
+++ b/conf/nginx-primaryonly.conf
@ -6,6 +6,10 @@
 	location /admin/ {
 		proxy_pass http://127.0.0.1:10222/;
 		proxy_set_header X-Forwarded-For $remote_addr;
 		add_header X-Frame-Options "DENY";
 		add_header X-Content-Type-Options nosniff;
 		add_header Content-Security-Policy "frame-ancestors 'none';";
 		add_header Strict-Transport-Security max-age=31536000;
 	}
 	# ownCloud configuration.
@ -15,7 +19,10 @@
 	rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html;
 	location /cloud/ {
 		alias /usr/local/lib/owncloud/;
-		location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
+	 	location ~ ^/cloud/(build|tests|config|lib|3rdparty|templates|data|README)/ {
 	 		deny all;
 	 	}
 	 	location ~ ^/cloud/(?:\.|autotest|occ|issue|indie|db_|console) {
 	 		deny all;
 	 	}
 	}
--- a/conf/zpush/backend_caldav.php
+++ b/conf/zpush/backend_caldav.php
@ -6,7 +6,7 @@
 ************************************************/
 define('CALDAV_PROTOCOL', 'https');
-define('CALDAV_SERVER', 'localhost');
+define('CALDAV_SERVER', '127.0.0.1');
 define('CALDAV_PORT', '443');
 define('CALDAV_PATH', '/caldav/calendars/%u/');
 define('CALDAV_PERSONAL', 'PRINCIPAL');
--- a/conf/zpush/backend_carddav.php
+++ b/conf/zpush/backend_carddav.php
@ -7,7 +7,7 @@
 define('CARDDAV_PROTOCOL', 'https'); /* http or https */
-define('CARDDAV_SERVER', 'localhost');
+define('CARDDAV_SERVER', '127.0.0.1');
 define('CARDDAV_PORT', '443');
 define('CARDDAV_PATH', '/carddav/addressbooks/%u/');
 define('CARDDAV_DEFAULT_PATH', '/carddav/addressbooks/%u/contacts/'); /* subdirectory of the main path */
--- a/conf/zpush/backend_imap.php
+++ b/conf/zpush/backend_imap.php
@ -5,10 +5,10 @@
 * Descr     :   IMAP backend configuration file
 ************************************************/
-define('IMAP_SERVER', 'localhost');
+define('IMAP_SERVER', '127.0.0.1');
 define('IMAP_PORT', 993);
 define('IMAP_OPTIONS', '/ssl/norsh/novalidate-cert');
-define('IMAP_DEFAULTFROM', '');
+define('IMAP_DEFAULTFROM', 'sql');
 define('SYSTEM_MIME_TYPES_MAPPING', '/etc/mime.types');
 define('IMAP_AUTOSEEN_ON_DELETE', false);
@ -23,15 +23,16 @@ define('IMAP_FOLDER_TRASH', 'TRASH');
 define('IMAP_FOLDER_SPAM', 'SPAM');
 define('IMAP_FOLDER_ARCHIVE', 'ARCHIVE');
-
+define('IMAP_FROM_SQL_DSN', 'sqlite:STORAGE_ROOT/mail/roundcube/roundcube.sqlite');
 // not used
 define('IMAP_FROM_SQL_DSN', '');
 define('IMAP_FROM_SQL_USER', '');
 define('IMAP_FROM_SQL_PASSWORD', '');
 define('IMAP_FROM_SQL_OPTIONS', serialize(array(PDO::ATTR_PERSISTENT => true)));
-define('IMAP_FROM_SQL_QUERY', "select first_name, last_name, mail_address from users where mail_address = '#username@#domain'");
+define('IMAP_FROM_SQL_QUERY', "SELECT name, email FROM identities i INNER JOIN users u ON i.user_id = u.user_id WHERE u.username = '#username' AND i.standard = 1 AND i.del = 0 AND i.name <> ''");
-define('IMAP_FROM_SQL_FIELDS', serialize(array('first_name', 'last_name', 'mail_address')));
+define('IMAP_FROM_SQL_FIELDS', serialize(array('name', 'email')));
-define('IMAP_FROM_SQL_FROM', '#first_name #last_name <#mail_address>');
+define('IMAP_FROM_SQL_FROM', '#name <#email>');
 define('IMAP_FROM_SQL_FULLNAME', '#name');
 // not used
 define('IMAP_FROM_LDAP_SERVER', '');
 define('IMAP_FROM_LDAP_SERVER_PORT', '389');
 define('IMAP_FROM_LDAP_USER', 'cn=zpush,ou=servers,dc=zpush,dc=org');
@ -40,11 +41,12 @@ define('IMAP_FROM_LDAP_BASE', 'dc=zpush,dc=org');
 define('IMAP_FROM_LDAP_QUERY', '(mail=#username@#domain)');
 define('IMAP_FROM_LDAP_FIELDS', serialize(array('givenname', 'sn', 'mail')));
 define('IMAP_FROM_LDAP_FROM', '#givenname #sn <#mail>');
 define('IMAP_FROM_LDAP_FULLNAME', '#givenname #sn');
 define('IMAP_SMTP_METHOD', 'sendmail');
 global $imap_smtp_params;
-$imap_smtp_params = array('host' => 'ssl://localhost', 'port' => 587, 'auth' => true, 'username' => 'imap_username', 'password' => 'imap_password');
+$imap_smtp_params = array('host' => 'ssl://127.0.0.1', 'port' => 587, 'auth' => true, 'username' => 'imap_username', 'password' => 'imap_password');
 define('MAIL_MIMEPART_CRLF', "\r\n");
--- a/management/backup.py
+++ b/management/backup.py
@ -2,15 +2,22 @@
 # This script performs a backup of all user data:
 # 1) System services are stopped.
-# 2) An incremental encrypted backup is made using duplicity.
+# 2) STORAGE_ROOT/backup/before-backup is executed if it exists.
-# 3) The stopped services are restarted.
+# 3) An incremental encrypted backup is made using duplicity.
-# 4) STORAGE_ROOT/backup/after-backup is executd if it exists.
+# 4) The stopped services are restarted.
 # 5) STORAGE_ROOT/backup/after-backup is executed if it exists.
 import os, os.path, shutil, glob, re, datetime, sys
 import dateutil.parser, dateutil.relativedelta, dateutil.tz
 import rtyaml
 from exclusiveprocess import Lock
-from utils import exclusive_process, load_environment, shell, wait_for_service, fix_boto
+from utils import load_environment, shell, wait_for_service, fix_boto
 rsync_ssh_options = [
 	"--ssh-options='-i /root/.ssh/id_rsa_miab'",
 	"--rsync-options=-e \"/usr/bin/ssh -oStrictHostKeyChecking=no -oBatchMode=yes -p 22 -i /root/.ssh/id_rsa_miab\"",
 ]
 def backup_status(env):
 	# Root folder
@ -32,6 +39,8 @@ def backup_status(env):
 	def reldate(date, ref, clip):
 		if ref < date: return clip
 		rd = dateutil.relativedelta.relativedelta(ref, date)
 		if rd.years > 1: return "%d years, %d months" % (rd.years, rd.months)
 		if rd.years == 1: return "%d year, %d months" % (rd.years, rd.months)
 		if rd.months > 1: return "%d months, %d days" % (rd.months, rd.days)
 		if rd.months == 1: return "%d month, %d days" % (rd.months, rd.days)
 		if rd.days >= 7: return "%d days" % rd.days
@ -51,6 +60,7 @@ def backup_status(env):
 			"size": 0, # collection-status doesn't give us the size
 			"volumes": keys[2], # number of archive volumes for this backup (not really helpful)
 		}
 	code, collection_status = shell('check_output', [
 		"/usr/bin/duplicity",
 		"collection-status",
@ -58,7 +68,7 @@ def backup_status(env):
 		"--gpg-options", "--cipher-algo=AES256",
 		"--log-fd", "1",
 		config["target"],
-		],
+		] + rsync_ssh_options,
 		get_env(env),
 		trap=True)
 	if code != 0:
@ -197,13 +207,16 @@ def get_target_type(config):
 def perform_backup(full_backup):
 	env = load_environment()
-	exclusive_process("backup")
+	# Create an global exclusive lock so that the backup script
 	# cannot be run more than one.
 	Lock(die=True).forever()
 	config = get_backup_config(env)
 	backup_root = os.path.join(env["STORAGE_ROOT"], 'backup')
 	backup_cache_dir = os.path.join(backup_root, 'cache')
 	backup_dir = os.path.join(backup_root, 'encrypted')
-	# Are backups dissbled?
+	# Are backups disabled?
 	if config["target"] == "off":
 		return
@ -258,6 +271,15 @@ def perform_backup(full_backup):
 	service_command("postfix", "stop", quit=True)
 	service_command("dovecot", "stop", quit=True)
 	# Execute a pre-backup script that copies files outside the homedir.
 	# Run as the STORAGE_USER user, not as root. Pass our settings in
 	# environment variables so the script has access to STORAGE_ROOT.
 	pre_script = os.path.join(backup_root, 'before-backup')
 	if os.path.exists(pre_script):
 		shell('check_call',
 			['su', env['STORAGE_USER'], '-c', pre_script, config["target"]],
 			env=env)
 	# Run a backup of STORAGE_ROOT (but excluding the backups themselves!).
 	# --allow-source-mismatch is needed in case the box's hostname is changed
 	# after the first backup. See #396.
@ -273,7 +295,7 @@ def perform_backup(full_backup):
 			env["STORAGE_ROOT"],
 			config["target"],
 			"--allow-source-mismatch"
-			],
+			] + rsync_ssh_options,
 			get_env(env))
 	finally:
 		# Start services again.
@ -295,7 +317,7 @@ def perform_backup(full_backup):
 		"--archive-dir", backup_cache_dir,
 		"--force",
 		config["target"]
-		],
+		] + rsync_ssh_options,
 		get_env(env))
 	# From duplicity's manual:
@ -310,7 +332,7 @@ def perform_backup(full_backup):
 		"--archive-dir", backup_cache_dir,
 		"--force",
 		config["target"]
-		],
+		] + rsync_ssh_options,
 		get_env(env))
 	# Change ownership of backups to the user-data user, so that the after-bcakup
@ -349,7 +371,7 @@ def run_duplicity_verification():
 		"--exclude", backup_root,
 		config["target"],
 		env["STORAGE_ROOT"],
-	], get_env(env))
+	] + rsync_ssh_options, get_env(env))
 def run_duplicity_restore(args):
 	env = load_environment()
@ -360,32 +382,74 @@ def run_duplicity_restore(args):
 		"restore",
 		"--archive-dir", backup_cache_dir,
 		config["target"],
-		] + args,
+		] + rsync_ssh_options + args,
 	get_env(env))
 def list_target_files(config):
 	import urllib.parse
 	try:
-		p = urllib.parse.urlparse(config["target"])
+		target = urllib.parse.urlparse(config["target"])
 	except ValueError:
 		return "invalid target"
-	if p.scheme == "file":
+	if target.scheme == "file":
-		return [(fn, os.path.getsize(os.path.join(p.path, fn))) for fn in os.listdir(p.path)]
+		return [(fn, os.path.getsize(os.path.join(target.path, fn))) for fn in os.listdir(target.path)]
-	elif p.scheme == "s3":
+	elif target.scheme == "rsync":
 		rsync_fn_size_re = re.compile(r'.*    ([^ ]*) [^ ]* [^ ]* (.*)')
 		rsync_target = '{host}:{path}'
 		if not target.path.endswith('/'):
 			target_path = target.path + '/'
 		if target.path.startswith('/'):
 			target_path = target.path[1:]
 		rsync_command = [ 'rsync',
 					'-e',
 					'/usr/bin/ssh -i /root/.ssh/id_rsa_miab -oStrictHostKeyChecking=no -oBatchMode=yes',
 					'--list-only',
 					'-r',
 					rsync_target.format(
 						host=target.netloc,
 						path=target_path)
 				]
 		code, listing = shell('check_output', rsync_command, trap=True, capture_stderr=True)
 		if code == 0:
 			ret = []
 			for l in listing.split('\n'):
 				match = rsync_fn_size_re.match(l)
 				if match:
 					ret.append( (match.groups()[1], int(match.groups()[0].replace(',',''))) )
 			return ret
 		else:
 			if 'Permission denied (publickey).' in listing:
 				reason = "Invalid user or check you correctly copied the SSH key."
 			elif 'No such file or directory' in listing:
 				reason = "Provided path {} is invalid.".format(target_path)
 			elif 'Network is unreachable' in listing:
 				reason = "The IP address {} is unreachable.".format(target.hostname)
 			elif 'Could not resolve hostname':
 				reason = "The hostname {} cannot be resolved.".format(target.hostname)
 			else:
 				reason = "Unknown error." \
 						"Please check running 'python management/backup.py --verify'" \
 						"from mailinabox sources to debug the issue."
 			raise ValueError("Connection to rsync host failed: {}".format(reason))
 	elif target.scheme == "s3":
 		# match to a Region
 		fix_boto() # must call prior to importing boto
 		import boto.s3
 		from boto.exception import BotoServerError
 		for region in boto.s3.regions():
-			if region.endpoint == p.hostname:
+			if region.endpoint == target.hostname:
 				break
 		else:
 			raise ValueError("Invalid S3 region/host.")
-		bucket = p.path[1:].split('/')[0]
+		bucket = target.path[1:].split('/')[0]
-		path = '/'.join(p.path[1:].split('/')[1:]) + '/'
+		path = '/'.join(target.path[1:].split('/')[1:]) + '/'
 		# If no prefix is specified, set the path to '', otherwise boto won't list the files
 		if path == '/':
@ -472,6 +536,9 @@ def get_backup_config(env, for_save=False, for_ui=False):
 	if config["target"] == "local":
 		# Expand to the full URL.
 		config["target"] = "file://" + config["file_target_directory"]
 	ssh_pub_key = os.path.join('/root', '.ssh', 'id_rsa_miab.pub')
 	if os.path.exists(ssh_pub_key):
 		config["ssh_pub_key"] = open(ssh_pub_key, 'r').read()
 	return config
@ -487,6 +554,12 @@ if __name__ == "__main__":
 		# are readable, and b) report if they are up to date.
 		run_duplicity_verification()
 	elif sys.argv[-1] == "--list":
 		# Run duplicity's verification command to check a) the backup files
 		# are readable, and b) report if they are up to date.
 		for fn, size in list_target_files(get_backup_config(load_environment())):
 			print("{}\t{}".format(fn, size))
 	elif sys.argv[-1] == "--status":
 		# Show backup status.
 		ret = backup_status(load_environment())
--- a/management/daemon.py
+++ b/management/daemon.py
@ -1,10 +1,11 @@
 #!/usr/bin/python3
-import os, os.path, re, json
+import os, os.path, re, json, time
 import subprocess
 from functools import wraps
-from flask import Flask, request, render_template, abort, Response, send_from_directory
+from flask import Flask, request, render_template, abort, Response, send_from_directory, make_response
 import auth, utils, multiprocessing.pool
 from mailconfig import get_mail_users, get_mail_users_ex, get_admins, add_mail_user, set_mail_password, remove_mail_user
@ -43,7 +44,10 @@ def authorized_personnel_only(viewfunc):
 		except ValueError as e:
 			# Authentication failed.
 			privs = []
-			error = str(e)
+			error = "Incorrect username or password"
 			# Write a line in the log recording the failed login
 			log_failed_login(request)
 		# Authorized to access an API view?
 		if "admin" in privs:
@ -117,9 +121,12 @@ def me():
 	try:
 		email, privs = auth_service.authenticate(request, env)
 	except ValueError as e:
 		# Log the failed login
 		log_failed_login(request)
 		return json_response({
 			"status": "invalid",
-			"reason": str(e),
+			"reason": "Incorrect username or password",
 			})
 	resp = {
@ -453,6 +460,27 @@ def do_updates():
 		"DEBIAN_FRONTEND": "noninteractive"
 	})
@app.route('/system/reboot', methods=["GET"])
@authorized_personnel_only
 def needs_reboot():
 	from status_checks import is_reboot_needed_due_to_package_installation
 	if is_reboot_needed_due_to_package_installation():
 		return json_response(True)
 	else:
 		return json_response(False)
@app.route('/system/reboot', methods=["POST"])
@authorized_personnel_only
 def do_reboot():
 	# To keep the attack surface low, we don't allow a remote reboot if one isn't necessary.
 	from status_checks import is_reboot_needed_due_to_package_installation
 	if is_reboot_needed_due_to_package_installation():
 		return utils.shell("check_output", ["/sbin/shutdown", "-r", "now"], capture_stderr=True)
 	else:
 		return "No reboot is required, so it is not allowed."
@app.route('/system/backup/status')
@authorized_personnel_only
 def backup_status():
@ -504,6 +532,77 @@ def munin(filename=""):
 	if filename == "": filename = "index.html"
 	return send_from_directory("/var/cache/munin/www", filename)
@app.route('/munin/cgi-graph/<path:filename>')
@authorized_personnel_only
 def munin_cgi(filename):
 	""" Relay munin cgi dynazoom requests
 	/usr/lib/munin/cgi/munin-cgi-graph is a perl cgi script in the munin package
 	that is responsible for generating binary png images _and_ associated HTTP
 	headers based on parameters in the requesting URL. All output is written
 	to stdout which munin_cgi splits into response headers and binary response
 	data.
 	munin-cgi-graph reads environment variables to determine
 	what it should do. It expects a path to be in the env-var PATH_INFO, and a
 	querystring to be in the env-var QUERY_STRING.
 	munin-cgi-graph has several failure modes. Some write HTTP Status headers and
 	others return nonzero exit codes.
 	Situating munin_cgi between the user-agent and munin-cgi-graph enables keeping
 	the cgi script behind mailinabox's auth mechanisms and avoids additional
 	support infrastructure like spawn-fcgi.
 	"""
 	COMMAND = 'su - munin --preserve-environment --shell=/bin/bash -c /usr/lib/munin/cgi/munin-cgi-graph'
 	# su changes user, we use the munin user here
 	# --preserve-environment retains the environment, which is where Popen's `env` data is
 	# --shell=/bin/bash ensures the shell used is bash
 	# -c "/usr/lib/munin/cgi/munin-cgi-graph" passes the command to run as munin
 	# "%s" is a placeholder for where the request's querystring will be added
 	if filename == "":
 		return ("a path must be specified", 404)
 	query_str = request.query_string.decode("utf-8", 'ignore')
 	env = {'PATH_INFO': '/%s/' % filename, 'REQUEST_METHOD': 'GET', 'QUERY_STRING': query_str}
 	code, binout = utils.shell('check_output',
 							   COMMAND.split(" ", 5),
 							   # Using a maxsplit of 5 keeps the last arguments together
 							   env=env,
 							   return_bytes=True,
 							   trap=True)
 	if code != 0:
 		# nonzero returncode indicates error
 		app.logger.error("munin_cgi: munin-cgi-graph returned nonzero exit code, %s", process.returncode)
 		return ("error processing graph image", 500)
 	# /usr/lib/munin/cgi/munin-cgi-graph returns both headers and binary png when successful.
 	# A double-Windows-style-newline always indicates the end of HTTP headers.
 	headers, image_bytes = binout.split(b'\r\n\r\n', 1)
 	response = make_response(image_bytes)
 	for line in headers.splitlines():
 		name, value = line.decode("utf8").split(':', 1)
 		response.headers[name] = value
 	if 'Status' in response.headers and '404' in response.headers['Status']:
 		app.logger.warning("munin_cgi: munin-cgi-graph returned 404 status code. PATH_INFO=%s", env['PATH_INFO'])
 	return response
 def log_failed_login(request):
 	# We need to figure out the ip to list in the message, all our calls are routed
 	# through nginx who will put the original ip in X-Forwarded-For.
 	# During setup we call the management interface directly to determine the user
 	# status. So we can't always use X-Forwarded-For because during setup that header
 	# will not be present.
 	if request.headers.getlist("X-Forwarded-For"):
 		ip = request.headers.getlist("X-Forwarded-For")[0]
 	else:
 		ip = request.remote_addr
 	# We need to add a timestamp to the log message, otherwise /dev/log will eat the "duplicate"
 	# message.
 	app.logger.warning( "Mail-in-a-Box Management Daemon: Failed login attempt from ip %s - timestamp %s" % (ip, time.time()))
 # APP
 if __name__ == '__main__':
--- a/management/daily_tasks.sh
+++ b/management/daily_tasks.sh
@ -13,7 +13,7 @@ export LC_TYPE=en_US.UTF-8
 management/backup.py | management/email_administrator.py "Backup Status"
 # Provision any new certificates for new domains or domains with expiring certificates.
-management/ssl_certificates.py --headless | management/email_administrator.py "Error Provisioning TLS Certificate"
+management/ssl_certificates.py -q --headless | management/email_administrator.py "Error Provisioning TLS Certificate"
 # Run status checks and email the administrator if anything changed.
 management/status_checks.py --show-changes | management/email_administrator.py "Status Checks Change Notice"
--- a/management/dns_update.py
+++ b/management/dns_update.py
@ -175,9 +175,6 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 		for value in build_sshfp_records():
 			records.append((None, "SSHFP", value, "Optional. Provides an out-of-band method for verifying an SSH key before connecting. Use 'VerifyHostKeyDNS yes' (or 'VerifyHostKeyDNS ask') when connecting with ssh."))
 	# The MX record says where email for the domain should be delivered: Here!
 	records.append((None,  "MX",  "10 %s." % env["PRIMARY_HOSTNAME"], "Required. Specifies the hostname (and priority) of the machine that handles @%s mail." % domain))
 	# Add DNS records for any subdomains of this domain. We should not have a zone for
 	# both a domain and one of its subdomains.
 	subdomains = [d for d in all_domains if d.endswith("." + domain)]
@ -244,6 +241,10 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 	# Don't pin the list of records that has_rec checks against anymore.
 	has_rec_base = records
 	# The MX record says where email for the domain should be delivered: Here!
 	if not has_rec(None, "MX", prefix="10 "):
 		records.append((None,  "MX",  "10 %s." % env["PRIMARY_HOSTNAME"], "Required. Specifies the hostname (and priority) of the machine that handles @%s mail." % domain))
 	# SPF record: Permit the box ('mx', see above) to send mail on behalf of
 	# the domain, and no one else.
 	# Skip if the user has set a custom SPF record.
@ -273,6 +274,13 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 		if not has_rec(dmarc_qname, "TXT", prefix="v=DMARC1; "):
 			records.append((dmarc_qname, "TXT", 'v=DMARC1; p=reject', "Recommended. Prevents use of this domain name for outbound mail by specifying that the SPF rule should be honoured for mail from @%s." % (qname + "." + domain)))
 	# Add CardDAV/CalDAV SRV records on the non-primary hostname that points to the primary hostname.
 	# The SRV record format is priority (0, whatever), weight (0, whatever), port, service provider hostname (w/ trailing dot).
 	if domain != env["PRIMARY_HOSTNAME"]:
 		for dav in ("card", "cal"):
 			qname = "_" + dav + "davs._tcp"
 			if not has_rec(qname, "SRV"):
 				records.append((qname, "SRV", "0 0 443 " + env["PRIMARY_HOSTNAME"] + ".", "Recommended. Specifies the hostname of the server that handles CardDAV/CalDAV services for email addresses on this domain."))
 	# Sort the records. The None records *must* go first in the nsd zone file. Otherwise it doesn't matter.
 	records.sort(key = lambda rec : list(reversed(rec[0].split(".")) if rec[0] is not None else ""))
@ -334,13 +342,25 @@ def build_sshfp_records():
 		"ssh-rsa": 1,
 		"ssh-dss": 2,
 		"ecdsa-sha2-nistp256": 3,
 		"ssh-ed25519": 4,
 	}
 	# Get our local fingerprints by running ssh-keyscan. The output looks
 	# like the known_hosts file: hostname, keytype, fingerprint. The order
 	# of the output is arbitrary, so sort it to prevent spurrious updates
 	# to the zone file (that trigger bumping the serial number).
-	keys = shell("check_output", ["ssh-keyscan", "localhost"])
+
 	# scan the sshd_config and find the ssh ports (port 22 may be closed)
 	with open('/etc/ssh/sshd_config', 'r') as f:
 		ports = []
 		t = f.readlines()
 		for line in t:
 			s = line.split()
 			if len(s) == 2 and s[0] == 'Port':
 				ports = ports + [s[1]]
 	# the keys are the same at each port, so we only need to get
 	# them at the first port found (may not be port 22)
 	keys = shell("check_output", ["ssh-keyscan", "-t", "rsa,dsa,ecdsa,ed25519", "-p", ports[0], "localhost"])
 	for key in sorted(keys.split("\n")):
 		if key.strip() == "" or key[0] == "#": continue
 		try:
@ -747,7 +767,7 @@ def set_custom_dns_record(qname, rtype, value, action, env):
 				v = ipaddress.ip_address(value) # raises a ValueError if there's a problem
 				if rtype == "A" and not isinstance(v, ipaddress.IPv4Address): raise ValueError("That's an IPv6 address.")
 				if rtype == "AAAA" and not isinstance(v, ipaddress.IPv6Address): raise ValueError("That's an IPv4 address.")
-		elif rtype in ("CNAME", "TXT", "SRV", "MX"):
+		elif rtype in ("CNAME", "TXT", "SRV", "MX", "SSHFP"):
 			# anything goes
 			pass
 		else:
@ -862,10 +882,10 @@ def set_secondary_dns(hostnames, env):
 	return do_dns_update(env)
-def get_custom_dns_record(custom_dns, qname, rtype):
+def get_custom_dns_records(custom_dns, qname, rtype):
 	for qname1, rtype1, value in custom_dns:
 		if qname1 == qname and rtype1 == rtype:
-			return value
+			yield value
 	return None
 ########################################################################
--- a/management/email_administrator.py
+++ b/management/email_administrator.py
@ -33,7 +33,7 @@ msg['Subject'] = "[%s] %s" % (env['PRIMARY_HOSTNAME'], subject)
 msg.set_payload(content, "UTF-8")
 # send
-smtpclient = smtplib.SMTP('localhost', 25)
+smtpclient = smtplib.SMTP('127.0.0.1', 25)
 smtpclient.ehlo()
 smtpclient.sendmail(
        admin_addr, # MAIL FROM
--- a/management/mail_log.py
+++ b/management/mail_log.py
@ -1,136 +1,881 @@
 #!/usr/bin/python3
 import argparse
 import datetime
 import gzip
 import os.path
 import re
 import shutil
 import tempfile
 import textwrap
 from collections import defaultdict, OrderedDict
 from collections import defaultdict
 import re, os.path
 import dateutil.parser
 import time
 from dateutil.relativedelta import relativedelta
 import mailconfig
 import utils
-def scan_mail_log(logger, env):
+
 LOG_FILES = (
    '/var/log/mail.log',
    '/var/log/mail.log.1',
    '/var/log/mail.log.2.gz',
    '/var/log/mail.log.3.gz',
    '/var/log/mail.log.4.gz',
    '/var/log/mail.log.5.gz',
    '/var/log/mail.log.6.gz',
 )
 TIME_DELTAS = OrderedDict([
    ('all', datetime.timedelta(weeks=52)),
    ('month', datetime.timedelta(weeks=4)),
    ('2weeks', datetime.timedelta(days=14)),
    ('week', datetime.timedelta(days=7)),
    ('2days', datetime.timedelta(days=2)),
    ('day', datetime.timedelta(days=1)),
    ('12hours', datetime.timedelta(hours=12)),
    ('6hours', datetime.timedelta(hours=6)),
    ('hour', datetime.timedelta(hours=1)),
    ('30min', datetime.timedelta(minutes=30)),
    ('10min', datetime.timedelta(minutes=10)),
    ('5min', datetime.timedelta(minutes=5)),
    ('min', datetime.timedelta(minutes=1)),
    ('today', datetime.datetime.now() - datetime.datetime.now().replace(hour=0, minute=0, second=0))
 ])
 # Start date > end date!
 START_DATE = datetime.datetime.now()
 END_DATE = None
 VERBOSE = False
 # List of strings to filter users with
 FILTERS = None
 # What to show by default
 SCAN_OUT = True  # Outgoing email
 SCAN_IN = True  # Incoming email
 SCAN_CONN = False  # IMAP and POP3 logins
 SCAN_GREY = False  # Greylisted email
 SCAN_BLOCKED = False  # Rejected email
 def scan_files(collector):
    """ Scan files until they run out or the earliest date is reached """
    stop_scan = False
    for fn in LOG_FILES:
        tmp_file = None
        if not os.path.exists(fn):
            continue
        elif fn[-3:] == '.gz':
            tmp_file = tempfile.NamedTemporaryFile()
            shutil.copyfileobj(gzip.open(fn), tmp_file)
        print("Processing file", fn, "...")
        fn = tmp_file.name if tmp_file else fn
        for line in reverse_readline(fn):
            if scan_mail_log_line(line.strip(), collector) is False:
                if stop_scan:
                    return
                stop_scan = True
            else:
                stop_scan = False
 def scan_mail_log(env):
    """ Scan the system's mail log files and collect interesting data
    This function scans the 2 most recent mail log files in /var/log/.
    Args:
        env (dict): Dictionary containing MiaB settings
    """
    collector = {
        "scan_count": 0,  # Number of lines scanned
        "parse_count": 0,  # Number of lines parsed (i.e. that had their contents examined)
        "scan_time": time.time(),  # The time in seconds the scan took
        "sent_mail": OrderedDict(),  # Data about email sent by users
        "received_mail": OrderedDict(),  # Data about email received by users
        "dovecot": OrderedDict(),  # Data about Dovecot activity
        "postgrey": {},  # Data about greylisting of email addresses
        "rejected": OrderedDict(),  # Emails that were blocked
        "known_addresses": None,  # Addresses handled by the Miab installation
        "other-services": set(),
 		"imap-logins": { },
 		"postgrey": { },
 		"rejected-mail": { },
 		"activity-by-hour": { "imap-logins": defaultdict(int), "smtp-sends": defaultdict(int) },
    }
-	collector["real_mail_addresses"] = set(mailconfig.get_mail_users(env)) | set(alias[0] for alias in mailconfig.get_mail_aliases(env))
+    try:
-
+        import mailconfig
-	for fn in ('/var/log/mail.log.1', '/var/log/mail.log'):
+        collector["known_addresses"] = (set(mailconfig.get_mail_users(env)) |
-		if not os.path.exists(fn): continue
+                                        set(alias[0] for alias in mailconfig.get_mail_aliases(env)))
-		with open(fn, 'rb') as log:
+    except ImportError:
 			for line in log:
 				line = line.decode("utf8", errors='replace')
 				scan_mail_log_line(line.strip(), collector)
 	if collector["imap-logins"]:
 		logger.add_heading("Recent IMAP Logins")
 		logger.print_block("The most recent login from each remote IP adddress is show.")
 		for k in utils.sort_email_addresses(collector["imap-logins"], env):
 			for ip, date in sorted(collector["imap-logins"][k].items(), key = lambda kv : kv[1]):
 				logger.print_line(k + "\t" + str(date) + "\t" + ip)
 	if collector["postgrey"]:
 		logger.add_heading("Greylisted Mail")
 		logger.print_block("The following mail was greylisted, meaning the emails were temporarily rejected. Legitimate senders will try again within ten minutes.")
 		logger.print_line("recipient" + "\t" + "received" + "\t" + "sender" + "\t" + "delivered")
 		for recipient in utils.sort_email_addresses(collector["postgrey"], env):
 			for (client_address, sender), (first_date, delivered_date) in sorted(collector["postgrey"][recipient].items(), key = lambda kv : kv[1][0]):
 				logger.print_line(recipient + "\t" + str(first_date) + "\t" + sender + "\t" + (("delivered " + str(delivered_date)) if delivered_date else "no retry yet"))
 	if collector["rejected-mail"]:
 		logger.add_heading("Rejected Mail")
 		logger.print_block("The following incoming mail was rejected.")
 		for k in utils.sort_email_addresses(collector["rejected-mail"], env):
 			for date, sender, message in collector["rejected-mail"][k]:
 				logger.print_line(k + "\t" + str(date) + "\t" + sender + "\t" + message)
 	logger.add_heading("Activity by Hour")
 	for h in range(24):
 		logger.print_line("%d\t%d\t%d" % (h, collector["activity-by-hour"]["imap-logins"][h], collector["activity-by-hour"]["smtp-sends"][h] ))
 	if len(collector["other-services"]) > 0:
 		logger.add_heading("Other")
 		logger.print_block("Unrecognized services in the log: " + ", ".join(collector["other-services"]))
 def scan_mail_log_line(line, collector):
 	m = re.match(r"(\S+ \d+ \d+:\d+:\d+) (\S+) (\S+?)(\[\d+\])?: (.*)", line)
 	if not m: return
 	date, system, service, pid, log = m.groups()
 	date = dateutil.parser.parse(date)
 	if service == "dovecot":
 		scan_dovecot_line(date, log, collector)
 	elif service == "postgrey":
 		scan_postgrey_line(date, log, collector)
 	elif service == "postfix/smtpd":
 		scan_postfix_smtpd_line(date, log, collector)
 	elif service == "postfix/submission/smtpd":
 		scan_postfix_submission_line(date, log, collector)
 	elif service in ("postfix/qmgr", "postfix/pickup", "postfix/cleanup",
 			"postfix/scache", "spampd", "postfix/anvil", "postfix/master",
 			"opendkim", "postfix/lmtp", "postfix/tlsmgr"):
 		# nothing to look at
        pass
    print("Scanning from {:%Y-%m-%d %H:%M:%S} back to {:%Y-%m-%d %H:%M:%S}".format(
        START_DATE, END_DATE)
    )
    # Scan the lines in the log files until the date goes out of range
    scan_files(collector)
    if not collector["scan_count"]:
        print("No log lines scanned...")
        return
    collector["scan_time"] = time.time() - collector["scan_time"]
    print("{scan_count} Log lines scanned, {parse_count} lines parsed in {scan_time:.2f} "
          "seconds\n".format(**collector))
    # Print Sent Mail report
    if collector["sent_mail"]:
        msg = "Sent email between {:%Y-%m-%d %H:%M:%S} and {:%Y-%m-%d %H:%M:%S}"
        print_header(msg.format(END_DATE, START_DATE))
        data = OrderedDict(sorted(collector["sent_mail"].items(), key=email_sort))
        print_user_table(
            data.keys(),
            data=[
                ("sent", [u["sent_count"] for u in data.values()]),
                ("hosts", [len(u["hosts"]) for u in data.values()]),
            ],
            sub_data=[
                ("sending hosts", [u["hosts"] for u in data.values()]),
            ],
            activity=[
                ("sent", [u["activity-by-hour"] for u in data.values()]),
            ],
            earliest=[u["earliest"] for u in data.values()],
            latest=[u["latest"] for u in data.values()],
        )
        accum = defaultdict(int)
        data = collector["sent_mail"].values()
        for h in range(24):
            accum[h] = sum(d["activity-by-hour"][h] for d in data)
        print_time_table(
            ["sent"],
            [accum]
        )
    # Print Received Mail report
    if collector["received_mail"]:
        msg = "Received email between {:%Y-%m-%d %H:%M:%S} and {:%Y-%m-%d %H:%M:%S}"
        print_header(msg.format(END_DATE, START_DATE))
        data = OrderedDict(sorted(collector["received_mail"].items(), key=email_sort))
        print_user_table(
            data.keys(),
            data=[
                ("received", [u["received_count"] for u in data.values()]),
            ],
            activity=[
                ("sent", [u["activity-by-hour"] for u in data.values()]),
            ],
            earliest=[u["earliest"] for u in data.values()],
            latest=[u["latest"] for u in data.values()],
        )
        accum = defaultdict(int)
        for h in range(24):
            accum[h] = sum(d["activity-by-hour"][h] for d in data.values())
        print_time_table(
            ["received"],
            [accum]
        )
    # Print Dovecot report
    if collector["dovecot"]:
        msg = "Email client logins between {:%Y-%m-%d %H:%M:%S} and {:%Y-%m-%d %H:%M:%S}"
        print_header(msg.format(END_DATE, START_DATE))
        data = OrderedDict(sorted(collector["dovecot"].items(), key=email_sort))
        print_user_table(
            data.keys(),
            data=[
                ("imap", [u["imap"] for u in data.values()]),
                ("pop3", [u["pop3"] for u in data.values()]),
            ],
            sub_data=[
                ("IMAP IP addresses", [[k + " (%d)" % v for k, v in u["imap-logins"].items()]
                                       for u in data.values()]),
                ("POP3 IP addresses", [[k + " (%d)" % v for k, v in u["pop3-logins"].items()]
                                       for u in data.values()]),
            ],
            activity=[
                ("imap", [u["activity-by-hour"]["imap"] for u in data.values()]),
                ("pop3", [u["activity-by-hour"]["pop3"] for u in data.values()]),
            ],
            earliest=[u["earliest"] for u in data.values()],
            latest=[u["latest"] for u in data.values()],
        )
        accum = {"imap": defaultdict(int), "pop3": defaultdict(int), "both": defaultdict(int)}
        for h in range(24):
            accum["imap"][h] = sum(d["activity-by-hour"]["imap"][h] for d in data.values())
            accum["pop3"][h] = sum(d["activity-by-hour"]["pop3"][h] for d in data.values())
            accum["both"][h] = accum["imap"][h] + accum["pop3"][h]
        print_time_table(
            ["imap", "pop3", "   +"],
            [accum["imap"], accum["pop3"], accum["both"]]
        )
    if collector["postgrey"]:
        msg = "Greylisted Email {:%Y-%m-%d %H:%M:%S} and {:%Y-%m-%d %H:%M:%S}"
        print_header(msg.format(END_DATE, START_DATE))
        print(textwrap.fill(
            "The following mail was greylisted, meaning the emails were temporarily rejected. "
            "Legitimate senders will try again within ten minutes.",
            width=80, initial_indent=" ", subsequent_indent=" "
        ), end='\n\n')
        data = OrderedDict(sorted(collector["postgrey"].items(), key=email_sort))
        users = []
        received = []
        senders = []
        sender_clients = []
        delivered_dates = []
        for recipient in data:
            sorted_recipients = sorted(data[recipient].items(), key=lambda kv: kv[1][0] or kv[1][1])
            for (client_address, sender), (first_date, delivered_date) in sorted_recipients:
                if first_date:
                    users.append(recipient)
                    received.append(first_date)
                    senders.append(sender)
                    delivered_dates.append(delivered_date)
                    sender_clients.append(client_address)
        print_user_table(
            users,
            data=[
                ("received", received),
                ("sender", senders),
                ("delivered", [str(d) or "no retry yet" for d in delivered_dates]),
                ("sending host", sender_clients)
            ],
            delimit=True,
        )
    if collector["rejected"]:
        msg = "Blocked Email {:%Y-%m-%d %H:%M:%S} and {:%Y-%m-%d %H:%M:%S}"
        print_header(msg.format(END_DATE, START_DATE))
        data = OrderedDict(sorted(collector["rejected"].items(), key=email_sort))
        rejects = []
        if VERBOSE:
            for user_data in data.values():
                user_rejects = []
                for date, sender, message in user_data["blocked"]:
                    if len(sender) > 64:
                        sender = sender[:32] + "…" + sender[-32:]
                    user_rejects.append("%s - %s " % (date, sender))
                    user_rejects.append("  %s" % message)
                rejects.append(user_rejects)
        print_user_table(
            data.keys(),
            data=[
                ("blocked", [len(u["blocked"]) for u in data.values()]),
            ],
            sub_data=[
                ("blocked emails", rejects),
            ],
            earliest=[u["earliest"] for u in data.values()],
            latest=[u["latest"] for u in data.values()],
        )
    if collector["other-services"] and VERBOSE and False:
        print_header("Other services")
        print("The following unkown services were found in the log file.")
        print(" ", *sorted(list(collector["other-services"])), sep='\n│ ')
 def scan_mail_log_line(line, collector):
    """ Scan a log line and extract interesting data """
    m = re.match(r"(\w+[\s]+\d+ \d+:\d+:\d+) ([\w]+ )?([\w\-/]+)[^:]*: (.*)", line)
    if not m:
        return True
    date, system, service, log = m.groups()
    collector["scan_count"] += 1
    # print()
    # print("date:", date)
    # print("host:", system)
    # print("service:", service)
    # print("log:", log)
    # Replaced the dateutil parser for a less clever way of parser that is roughly 4 times faster.
    # date = dateutil.parser.parse(date)
    date = datetime.datetime.strptime(date, '%b %d %H:%M:%S')
    date = date.replace(START_DATE.year)
    # Check if the found date is within the time span we are scanning
    if date > START_DATE:
        # Don't process, but continue
        return True
    elif date < END_DATE:
        # Don't process, and halt
        return False
    if service == "postfix/submission/smtpd":
        if SCAN_OUT:
            scan_postfix_submission_line(date, log, collector)
    elif service == "postfix/lmtp":
        if SCAN_IN:
            scan_postfix_lmtp_line(date, log, collector)
    elif service in ("imap-login", "pop3-login"):
        if SCAN_CONN:
            scan_dovecot_line(date, log, collector, service[:4])
    elif service == "postgrey":
        if SCAN_GREY:
            scan_postgrey_line(date, log, collector)
    elif service == "postfix/smtpd":
        if SCAN_BLOCKED:
            scan_postfix_smtpd_line(date, log, collector)
    elif service in ("postfix/qmgr", "postfix/pickup", "postfix/cleanup", "postfix/scache",
                     "spampd", "postfix/anvil", "postfix/master", "opendkim", "postfix/lmtp",
                     "postfix/tlsmgr", "anvil"):
        # nothing to look at
        return True
    else:
        collector["other-services"].add(service)
        return True
    collector["parse_count"] += 1
    return True
 def scan_dovecot_line(date, log, collector):
 	m = re.match("imap-login: Login: user=<(.*?)>, method=PLAIN, rip=(.*?),", log)
 	if m:
 		login, ip = m.group(1), m.group(2)
 		if ip != "127.0.0.1": # local login from webmail/zpush
 			collector["imap-logins"].setdefault(login, {})[ip] = date
 		collector["activity-by-hour"]["imap-logins"][date.hour] += 1
 def scan_postgrey_line(date, log, collector):
-	m = re.match("action=(greylist|pass), reason=(.*?), (?:delay=\d+, )?client_name=(.*), client_address=(.*), sender=(.*), recipient=(.*)", log)
+    """ Scan a postgrey log line and extract interesting data """
    m = re.match("action=(greylist|pass), reason=(.*?), (?:delay=\d+, )?client_name=(.*), "
                 "client_address=(.*), sender=(.*), recipient=(.*)",
                 log)
    if m:
-		action, reason, client_name, client_address, sender, recipient = m.groups()
+
-		key = (client_address, sender)
+        action, reason, client_name, client_address, sender, user = m.groups()
        if user_match(user):
            # Might be useful to group services that use a lot of mail different servers on sub
            # domains like <sub>1.domein.com
            # if '.' in client_name:
            #     addr = client_name.split('.')
            #     if len(addr) > 2:
            #         client_name = '.'.join(addr[1:])
            key = (client_address if client_name == 'unknown' else client_name, sender)
            rep = collector["postgrey"].setdefault(user, {})
            if action == "greylist" and reason == "new":
-			collector["postgrey"].setdefault(recipient, {})[key] = (date, None)
+                rep[key] = (date, rep[key][1] if key in rep else None)
-		elif action == "pass" and reason == "triplet found" and key in collector["postgrey"].get(recipient, {}):
+            elif action == "pass":
-			collector["postgrey"][recipient][key] = (collector["postgrey"][recipient][key][0], date)
+                rep[key] = (rep[key][0] if key in rep else None, date)
 def scan_postfix_smtpd_line(date, log, collector):
-	m = re.match("NOQUEUE: reject: RCPT from .*?: (.*?); from=<(.*?)> to=<(.*?)>", log)
+    """ Scan a postfix smtpd log line and extract interesting data """
 	if m:
 		message, sender, recipient = m.groups()
 		if recipient in collector["real_mail_addresses"]:
 			# only log mail to real recipients
-			# skip this, is reported in the greylisting report
+    # Check if the incoming mail was rejected
    m = re.match("NOQUEUE: reject: RCPT from .*?: (.*?); from=<(.*?)> to=<(.*?)>", log)
    if m:
        message, sender, user = m.groups()
        # skip this, if reported in the greylisting report
        if "Recipient address rejected: Greylisted" in message:
            return
        # only log mail to known recipients
        if user_match(user):
            if collector["known_addresses"] is None or user in collector["known_addresses"]:
                data = collector["rejected"].get(
                    user,
                    {
                        "blocked": [],
                        "earliest": None,
                        "latest": None,
                    }
                )
                # simplify this one
-			m = re.search(r"Client host \[(.*?)\] blocked using zen.spamhaus.org; (.*)", message)
+                m = re.search(
                    r"Client host \[(.*?)\] blocked using zen.spamhaus.org; (.*)", message
                )
                if m:
                    message = "ip blocked: " + m.group(2)
-
+                else:
                    # simplify this one too
-			m = re.search(r"Sender address \[.*@(.*)\] blocked using dbl.spamhaus.org; (.*)", message)
+                    m = re.search(
                        r"Sender address \[.*@(.*)\] blocked using dbl.spamhaus.org; (.*)", message
                    )
                    if m:
                        message = "domain blocked: " + m.group(2)
-			collector["rejected-mail"].setdefault(recipient, []).append( (date, sender, message) )
+                if data["latest"] is None:
                    data["latest"] = date
                data["earliest"] = date
                data["blocked"].append((date, sender, message))
                collector["rejected"][user] = data
 def scan_dovecot_line(date, log, collector, prot):
    """ Scan a dovecot log line and extract interesting data """
    m = re.match("Info: Login: user=<(.*?)>, method=PLAIN, rip=(.*?),", log)
    if m:
        # TODO: CHECK DIT
        user, rip = m.groups()
        if user_match(user):
            # Get the user data, or create it if the user is new
            data = collector["dovecot"].get(
                user,
                {
                    "imap": 0,
                    "pop3": 0,
                    "earliest": None,
                    "latest": None,
                    "imap-logins": defaultdict(int),
                    "pop3-logins": defaultdict(int),
                    "activity-by-hour": {
                        "imap": defaultdict(int),
                        "pop3": defaultdict(int),
                    },
                }
            )
            data[prot] += 1
            data["activity-by-hour"][prot][date.hour] += 1
            if data["latest"] is None:
                data["latest"] = date
            data["earliest"] = date
            if rip not in ("127.0.0.1", "::1") or True:
                data["%s-logins" % prot][rip] += 1
            collector["dovecot"][user] = data
 def scan_postfix_lmtp_line(date, log, collector):
    """ Scan a postfix lmtp log line and extract interesting data
    It is assumed that every log of postfix/lmtp indicates an email that was successfully
    received by Postfix.
    """
    m = re.match("([A-Z0-9]+): to=<(\S+)>, .* Saved", log)
    if m:
        _, user = m.groups()
        if user_match(user):
            # Get the user data, or create it if the user is new
            data = collector["received_mail"].get(
                user,
                {
                    "received_count": 0,
                    "earliest": None,
                    "latest": None,
                    "activity-by-hour": defaultdict(int),
                }
            )
            data["received_count"] += 1
            data["activity-by-hour"][date.hour] += 1
            if data["latest"] is None:
                data["latest"] = date
            data["earliest"] = date
            collector["received_mail"][user] = data
 def scan_postfix_submission_line(date, log, collector):
-	m = re.match("([A-Z0-9]+): client=(\S+), sasl_method=PLAIN, sasl_username=(\S+)", log)
+    """ Scan a postfix submission log line and extract interesting data
    Lines containing a sasl_method with the values PLAIN or LOGIN are assumed to indicate a sent
    email.
    """
    # Match both the 'plain' and 'login' sasl methods, since both authentication methods are
    # allowed by Dovecot
    m = re.match("([A-Z0-9]+): client=(\S+), sasl_method=(PLAIN|LOGIN), sasl_username=(\S+)", log)
    if m:
-		procid, client, user = m.groups()
+        _, client, method, user = m.groups()
-		collector["activity-by-hour"]["smtp-sends"][date.hour] += 1
+
        if user_match(user):
            # Get the user data, or create it if the user is new
            data = collector["sent_mail"].get(
                user,
                {
                    "sent_count": 0,
                    "hosts": set(),
                    "earliest": None,
                    "latest": None,
                    "activity-by-hour": defaultdict(int),
                }
            )
            data["sent_count"] += 1
            data["hosts"].add(client)
            data["activity-by-hour"][date.hour] += 1
            if data["latest"] is None:
                data["latest"] = date
            data["earliest"] = date
            collector["sent_mail"][user] = data
 # Utility functions
 def reverse_readline(filename, buf_size=8192):
    """ A generator that returns the lines of a file in reverse order
    http://stackoverflow.com/a/23646049/801870
    """
    with open(filename) as fh:
        segment = None
        offset = 0
        fh.seek(0, os.SEEK_END)
        file_size = remaining_size = fh.tell()
        while remaining_size > 0:
            offset = min(file_size, offset + buf_size)
            fh.seek(file_size - offset)
            buff = fh.read(min(remaining_size, buf_size))
            remaining_size -= buf_size
            lines = buff.split('\n')
            # the first line of the buffer is probably not a complete line so
            # we'll save it and append it to the last line of the next buffer
            # we read
            if segment is not None:
                # if the previous chunk starts right from the beginning of line
                # do not concat the segment to the last line of new chunk
                # instead, yield the segment first
                if buff[-1] is not '\n':
                    lines[-1] += segment
                else:
                    yield segment
            segment = lines[0]
            for index in range(len(lines) - 1, 0, -1):
                if len(lines[index]):
                    yield lines[index]
        # Don't yield None if the file was empty
        if segment is not None:
            yield segment
 def user_match(user):
    """ Check if the given user matches any of the filters """
    return FILTERS is None or any(u in user for u in FILTERS)
 def email_sort(email):
    """ Split the given email address into a reverse order tuple, for sorting i.e (domain, name) """
    return tuple(reversed(email[0].split('@')))
 def valid_date(string):
    """ Validate the given date string fetched from the --startdate argument """
    try:
        date = dateutil.parser.parse(string)
    except ValueError:
        raise argparse.ArgumentTypeError("Unrecognized date and/or time '%s'" % string)
    return date
 # Print functions
 def print_time_table(labels, data, do_print=True):
    labels.insert(0, "hour")
    data.insert(0, [str(h) for h in range(24)])
    temp = "│ {:<%d} " % max(len(l) for l in labels)
    lines = []
    for label in labels:
        lines.append(temp.format(label))
    for h in range(24):
        max_len = max(len(str(d[h])) for d in data)
        base = "{:>%d} " % max(2, max_len)
        for i, d in enumerate(data):
            lines[i] += base.format(d[h])
    lines.insert(0, "┬")
    lines.append("└" + (len(lines[-1]) - 2) * "─")
    if do_print:
        print("\n".join(lines))
    else:
        return lines
 def print_user_table(users, data=None, sub_data=None, activity=None, latest=None, earliest=None,
                     delimit=False):
    str_temp = "{:<32} "
    lines = []
    data = data or []
    col_widths = len(data) * [0]
    col_left = len(data) * [False]
    vert_pos = 0
    do_accum = all(isinstance(n, (int, float)) for _, d in data for n in d)
    data_accum = len(data) * ([0] if do_accum else [" "])
    last_user = None
    for row, user in enumerate(users):
        if delimit:
            if last_user and last_user != user:
                lines.append(len(lines[-1]) * "…")
            last_user = user
        line = "{:<32} ".format(user[:31] + "…" if len(user) > 32 else user)
        for col, (l, d) in enumerate(data):
            if isinstance(d[row], str):
                col_str = str_temp.format(d[row][:31] + "…" if len(d[row]) > 32 else d[row])
                col_left[col] = True
            elif isinstance(d[row], datetime.datetime):
                col_str = "{:<20}".format(str(d[row]))
                col_left[col] = True
            else:
                temp = "{:>%s}" % max(5, len(l) + 1, len(str(d[row])) + 1)
                col_str = temp.format(str(d[row]))
            col_widths[col] = max(col_widths[col], len(col_str))
            line += col_str
            if do_accum:
                data_accum[col] += d[row]
        try:
            if None not in [latest, earliest]:
                vert_pos = len(line)
                e = earliest[row]
                l = latest[row]
                timespan = relativedelta(l, e)
                if timespan.months:
                    temp = " │ {:0.1f} months"
                    line += temp.format(timespan.months + timespan.days / 30.0)
                elif timespan.days:
                    temp = " │ {:0.1f} days"
                    line += temp.format(timespan.days + timespan.hours / 24.0)
                elif (e.hour, e.minute) == (l.hour, l.minute):
                    temp = " │ {:%H:%M}"
                    line += temp.format(e)
                else:
                    temp = " │ {:%H:%M} - {:%H:%M}"
                    line += temp.format(e, l)
        except KeyError:
            pass
        lines.append(line.rstrip())
        try:
            if VERBOSE:
                if sub_data is not None:
                    for l, d in sub_data:
                        if d[row]:
                            lines.append("┬")
                            lines.append("│ %s" % l)
                            lines.append("├─%s─" % (len(l) * "─"))
                            lines.append("│")
                            max_len = 0
                            for v in list(d[row]):
                                lines.append("│ %s" % v)
                                max_len = max(max_len, len(v))
                            lines.append("└" + (max_len + 1) * "─")
                if activity is not None:
                    lines.extend(print_time_table(
                        [label for label, _ in activity],
                        [data[row] for _, data in activity],
                        do_print=False
                    ))
        except KeyError:
            pass
    header = str_temp.format("")
    for col, (l, _) in enumerate(data):
        if col_left[col]:
            header += l.ljust(max(5, len(l) + 1, col_widths[col]))
        else:
            header += l.rjust(max(5, len(l) + 1, col_widths[col]))
    if None not in (latest, earliest):
        header += " │ timespan   "
    lines.insert(0, header.rstrip())
    table_width = max(len(l) for l in lines)
    t_line = table_width * "─"
    b_line = table_width * "─"
    if vert_pos:
        t_line = t_line[:vert_pos + 1] + "┼" + t_line[vert_pos + 2:]
        b_line = b_line[:vert_pos + 1] + ("┬" if VERBOSE else "┼") + b_line[vert_pos + 2:]
    lines.insert(1, t_line)
    lines.append(b_line)
    # Print totals
    data_accum = [str(a) for a in data_accum]
    footer = str_temp.format("Totals:" if do_accum else " ")
    for row, (l, _) in enumerate(data):
        temp = "{:>%d}" % max(5, len(l) + 1)
        footer += temp.format(data_accum[row])
    try:
        if None not in [latest, earliest]:
            max_l = max(latest)
            min_e = min(earliest)
            timespan = relativedelta(max_l, min_e)
            if timespan.days:
                temp = " │ {:0.2f} days"
                footer += temp.format(timespan.days + timespan.hours / 24.0)
            elif (min_e.hour, min_e.minute) == (max_l.hour, max_l.minute):
                temp = " │ {:%H:%M}"
                footer += temp.format(min_e)
            else:
                temp = " │ {:%H:%M} - {:%H:%M}"
                footer += temp.format(min_e, max_l)
    except KeyError:
        pass
    lines.append(footer)
    print("\n".join(lines))
 def print_header(msg):
    print('\n' + msg)
    print("═" * len(msg), '\n')
 if __name__ == "__main__":
-	from status_checks import ConsoleOutput
+    try:
-	env = utils.load_environment()
+        env_vars = utils.load_environment()
-	scan_mail_log(ConsoleOutput(), env)
+    except FileNotFoundError:
        env_vars = {}
    parser = argparse.ArgumentParser(
        description="Scan the mail log files for interesting data. By default, this script "
                    "shows today's incoming and outgoing mail statistics. This script was ("
                    "re)written for the Mail-in-a-box email server."
                    "https://github.com/mail-in-a-box/mailinabox",
        add_help=False
    )
    # Switches to determine what to parse and what to ignore
    parser.add_argument("-r", "--received", help="Scan for received emails.",
                        action="store_true")
    parser.add_argument("-s", "--sent", help="Scan for sent emails.",
                        action="store_true")
    parser.add_argument("-l", "--logins", help="Scan for IMAP/POP logins.",
                        action="store_true")
    parser.add_argument("-g", "--grey", help="Scan for greylisted emails.",
                        action="store_true")
    parser.add_argument("-b", "--blocked", help="Scan for blocked emails.",
                        action="store_true")
    parser.add_argument("-t", "--timespan", choices=TIME_DELTAS.keys(), default='today',
                        metavar='<time span>',
                        help="Time span to scan, going back from the start date. Possible values: "
                             "{}. Defaults to 'today'.".format(", ".join(list(TIME_DELTAS.keys()))))
    parser.add_argument("-d", "--startdate",  action="store", dest="startdate",
                        type=valid_date, metavar='<start date>',
                        help="Date and time to start scanning the log file from. If no date is "
                             "provided, scanning will start from the current date and time.")
    parser.add_argument("-u", "--users", action="store", dest="users",
                        metavar='<email1,email2,email...>',
                        help="Comma separated list of (partial) email addresses to filter the "
                             "output with.")
    parser.add_argument('-h', '--help', action='help', help="Print this message and exit.")
    parser.add_argument("-v", "--verbose", help="Output extra data where available.",
                        action="store_true")
    args = parser.parse_args()
    if args.startdate is not None:
        START_DATE = args.startdate
        if args.timespan == 'today':
            args.timespan = 'day'
        print("Setting start date to {}".format(START_DATE))
    END_DATE = START_DATE - TIME_DELTAS[args.timespan]
    VERBOSE = args.verbose
    if args.received or args.sent or args.logins or args.grey or args.blocked:
        SCAN_IN = args.received
        if not SCAN_IN:
            print("Ignoring received emails")
        SCAN_OUT = args.sent
        if not SCAN_OUT:
            print("Ignoring sent emails")
        SCAN_CONN = args.logins
        if not SCAN_CONN:
            print("Ignoring logins")
        SCAN_GREY = args.grey
        if SCAN_GREY:
            print("Showing greylisted emails")
        SCAN_BLOCKED = args.blocked
        if SCAN_BLOCKED:
            print("Showing blocked emails")
    if args.users is not None:
        FILTERS = args.users.strip().split(',')
    scan_mail_log(env_vars)
--- a/management/mailconfig.py
+++ b/management/mailconfig.py
@ -599,8 +599,8 @@ def validate_password(pw):
 		raise ValueError("No password provided.")
 	if re.search(r"[\s]", pw):
 		raise ValueError("Passwords cannot contain spaces.")
-	if len(pw) < 4:
+	if len(pw) < 8:
-		raise ValueError("Passwords must be at least four characters.")
+		raise ValueError("Passwords must be at least eight characters.")
 if __name__ == "__main__":
--- a/management/ssl_certificates.py
+++ b/management/ssl_certificates.py
@ -4,7 +4,6 @@
 import os, os.path, re, shutil
 from utils import shell, safe_domain_name, sort_domains
 import idna
 # SELECTING SSL CERTIFICATES FOR USE IN WEB
@ -214,6 +213,7 @@ def get_certificates_to_provision(env, show_extended_problems=True, force_domain
 	# Filter out domains that we can't provision a certificate for.
 	def can_provision_for_domain(domain):
 		from status_checks import normalize_ip
 		# Let's Encrypt doesn't yet support IDNA domains.
 		# We store domains in IDNA (ASCII). To see if this domain is IDNA,
 		# we'll see if its IDNA-decoded form is different.
@ -238,8 +238,22 @@ def get_certificates_to_provision(env, show_extended_problems=True, force_domain
 			except Exception as e:
 				problems[domain] = "DNS isn't configured properly for this domain: DNS lookup had an error: %s." % str(e)
 				return False
-			if len(response) != 1 or str(response[0]) != value:
+
-				problems[domain] = "Domain control validation cannot be performed for this domain because DNS points the domain to another machine (%s %s)." % (rtype, ", ".join(str(r) for r in response))
+			# Unfortunately, the response.__str__ returns bytes
 			# instead of string, if it resulted from an AAAA-query.
 			# We need to convert manually, until this is fixed:
 			# https://github.com/rthalley/dnspython/issues/204
 			#
 			# BEGIN HOTFIX
 			def rdata__str__(r):
 				s = r.to_text()
 				if isinstance(s, bytes):
 					 s = s.decode('utf-8')
 				return s
 			# END HOTFIX
 			if len(response) != 1 or normalize_ip(rdata__str__(response[0])) != normalize_ip(value):
 				problems[domain] = "Domain control validation cannot be performed for this domain because DNS points the domain to another machine (%s %s)." % (rtype, ", ".join(rdata__str__(r) for r in response))
 				return False
 		return True
@ -365,7 +379,7 @@ def provision_certificates(env, agree_to_tos_url=None, logger=None, show_extende
 				"message": "Something unexpected went wrong. It looks like your local Let's Encrypt account data is corrupted. There was a problem with the file " + e.account_file_path + ".",
 			})
-		except (client.InvalidDomainName, client.NeedToTakeAction, client.ChallengeFailed, acme.messages.Error, requests.exceptions.RequestException) as e:
+		except (client.InvalidDomainName, client.NeedToTakeAction, client.ChallengeFailed, client.RateLimited, acme.messages.Error, requests.exceptions.RequestException) as e:
 			ret_item.update({
 				"result": "error",
 				"message": "Something unexpected went wrong: " + str(e),
@ -397,9 +411,11 @@ def provision_certificates(env, agree_to_tos_url=None, logger=None, show_extende
 def provision_certificates_cmdline():
 	import sys
-	from utils import load_environment, exclusive_process
+	from exclusiveprocess import Lock
-	exclusive_process("update_tls_certificates")
+	from utils import load_environment
 	Lock(die=True).forever()
 	env = load_environment()
 	verbose = False
@ -412,7 +428,7 @@ def provision_certificates_cmdline():
 	if args and args[0] == "-v":
 		verbose = True
 		args.pop(0)
-	if args and args[0] == "q":
+	if args and args[0] == "-q":
 		show_extended_problems = False
 		args.pop(0)
 	if args and args[0] == "--headless":
--- a/management/status_checks.py
+++ b/management/status_checks.py
@ -11,13 +11,36 @@ import dateutil.parser, dateutil.tz
 import idna
 import psutil
-from dns_update import get_dns_zones, build_tlsa_record, get_custom_dns_config, get_secondary_dns, get_custom_dns_record
+from dns_update import get_dns_zones, build_tlsa_record, get_custom_dns_config, get_secondary_dns, get_custom_dns_records
 from web_update import get_web_domains, get_domains_with_a_records
 from ssl_certificates import get_ssl_certificates, get_domain_ssl_files, check_certificate
 from mailconfig import get_mail_domains, get_mail_aliases
 from utils import shell, sort_domains, load_env_vars_from_file, load_settings
 def get_services():
 	return [
 		{ "name": "Local DNS (bind9)", "port": 53, "public": False, },
 		#{ "name": "NSD Control", "port": 8952, "public": False, },
 		{ "name": "Local DNS Control (bind9/rndc)", "port": 953, "public": False, },
 		{ "name": "Dovecot LMTP LDA", "port": 10026, "public": False, },
 		{ "name": "Postgrey", "port": 10023, "public": False, },
 		{ "name": "Spamassassin", "port": 10025, "public": False, },
 		{ "name": "OpenDKIM", "port": 8891, "public": False, },
 		{ "name": "OpenDMARC", "port": 8893, "public": False, },
 		{ "name": "Memcached", "port": 11211, "public": False, },
 		{ "name": "Mail-in-a-Box Management Daemon", "port": 10222, "public": False, },
 		{ "name": "SSH Login (ssh)", "port": get_ssh_port(), "public": True, },
 		{ "name": "Public DNS (nsd4)", "port": 53, "public": True, },
 		{ "name": "Incoming Mail (SMTP/postfix)", "port": 25, "public": True, },
 		{ "name": "Outgoing Mail (SMTP 587/postfix)", "port": 587, "public": True, },
 		#{ "name": "Postfix/master", "port": 10587, "public": True, },
 		{ "name": "IMAPS (dovecot)", "port": 993, "public": True, },
 		{ "name": "Mail Filters (Sieve/dovecot)", "port": 4190, "public": True, },
 		{ "name": "HTTP Web (nginx)", "port": 80, "public": True, },
 		{ "name": "HTTPS Web (nginx)", "port": 443, "public": True, },
 	]
 def run_checks(rounded_values, env, output, pool):
 	# run systems checks
 	output.add_heading("System")
@ -61,33 +84,9 @@ def get_ssh_port():
 def run_services_checks(env, output, pool):
 	# Check that system services are running.
 	services = [
 		{ "name": "Local DNS (bind9)", "port": 53, "public": False, },
 		#{ "name": "NSD Control", "port": 8952, "public": False, },
 		{ "name": "Local DNS Control (bind9/rndc)", "port": 953, "public": False, },
 		{ "name": "Dovecot LMTP LDA", "port": 10026, "public": False, },
 		{ "name": "Postgrey", "port": 10023, "public": False, },
 		{ "name": "Spamassassin", "port": 10025, "public": False, },
 		{ "name": "OpenDKIM", "port": 8891, "public": False, },
 		{ "name": "OpenDMARC", "port": 8893, "public": False, },
 		{ "name": "Memcached", "port": 11211, "public": False, },
 		{ "name": "Mail-in-a-Box Management Daemon", "port": 10222, "public": False, },
 		{ "name": "SSH Login (ssh)", "port": get_ssh_port(), "public": True, },
 		{ "name": "Public DNS (nsd4)", "port": 53, "public": True, },
 		{ "name": "Incoming Mail (SMTP/postfix)", "port": 25, "public": True, },
 		{ "name": "Outgoing Mail (SMTP 587/postfix)", "port": 587, "public": True, },
 		#{ "name": "Postfix/master", "port": 10587, "public": True, },
 		{ "name": "IMAPS (dovecot)", "port": 993, "public": True, },
 		{ "name": "Mail Filters (Sieve/dovecot)", "port": 4190, "public": True, },
 		{ "name": "HTTP Web (nginx)", "port": 80, "public": True, },
 		{ "name": "HTTPS Web (nginx)", "port": 443, "public": True, },
 	]
 	all_running = True
 	fatal = False
-	ret = pool.starmap(check_service, ((i, service, env) for i, service in enumerate(services)), chunksize=1)
+	ret = pool.starmap(check_service, ((i, service, env) for i, service in enumerate(get_services())), chunksize=1)
 	for i, running, fatal2, output2 in sorted(ret):
 		if output2 is None: continue # skip check (e.g. no port was set, e.g. no sshd)
 		all_running = all_running and running
@ -169,6 +168,37 @@ def run_system_checks(rounded_values, env, output):
 	check_free_disk_space(rounded_values, env, output)
 	check_free_memory(rounded_values, env, output)
 def check_ufw(env, output):
 	if not os.path.isfile('/usr/sbin/ufw'):
 		output.print_warning("""The ufw program was not installed. If your system is able to run iptables, rerun the setup.""")
 		return
 	code, ufw = shell('check_output', ['ufw', 'status'], trap=True)
 	if code != 0:
 		# The command failed, it's safe to say the firewall is disabled
 		output.print_warning("""The firewall is not working on this machine. An error was received
 					while trying to check the firewall. To investigate run 'sudo ufw status'.""")
 		return
 	ufw = ufw.splitlines()
 	if ufw[0] == "Status: active":
 		not_allowed_ports = 0
 		for service in get_services():
 			if service["public"] and not is_port_allowed(ufw, service["port"]):
 				not_allowed_ports += 1
 				output.print_error("Port %s (%s) should be allowed in the firewall, please re-run the setup." % (service["port"], service["name"]))
 		if not_allowed_ports == 0:
 			output.print_ok("Firewall is active.")
 	else:
 		output.print_warning("""The firewall is disabled on this machine. This might be because the system
 			is protected by an external firewall. We can't protect the system against bruteforce attacks
 			without the local firewall active. Connect to the system via ssh and try to run: ufw enable.""")
 def is_port_allowed(ufw, port):
 	return any(re.match(str(port) +"[/ \t].*", item) for item in ufw)
 def check_ssh_password(env, output):
 	# Check that SSH login with password is disabled. The openssh-server
 	# package may not be installed so check that before trying to access
@ -185,10 +215,13 @@ def check_ssh_password(env, output):
 	else:
 		output.print_ok("SSH disallows password-based login.")
 def is_reboot_needed_due_to_package_installation():
 	return os.path.exists("/var/run/reboot-required")
 def check_software_updates(env, output):
 	# Check for any software package updates.
 	pkgs = list_apt_updates(apt_update=False)
-	if os.path.exists("/var/run/reboot-required"):
+	if is_reboot_needed_due_to_package_installation():
 		output.print_error("System updates have been installed and a reboot of the machine is required.")
 	elif len(pkgs) == 0:
 		output.print_ok("System software is up to date.")
@ -207,15 +240,15 @@ def check_free_disk_space(rounded_values, env, output):
 	st = os.statvfs(env['STORAGE_ROOT'])
 	bytes_total = st.f_blocks * st.f_frsize
 	bytes_free = st.f_bavail * st.f_frsize
-	if not rounded_values:
+	disk_msg = "The disk has %.2f GB space remaining." % (bytes_free/1024.0/1024.0/1024.0)
 		disk_msg = "The disk has %s GB space remaining." % str(round(bytes_free/1024.0/1024.0/1024.0*10.0)/10)
 	else:
 		disk_msg = "The disk has less than %s%% space left." % str(round(bytes_free/bytes_total/10 + .5)*10)
 	if bytes_free > .3 * bytes_total:
 		if rounded_values: disk_msg = "The disk has more than 30% free space."
 		output.print_ok(disk_msg)
 	elif bytes_free > .15 * bytes_total:
 		if rounded_values: disk_msg = "The disk has less than 30% free space."
 		output.print_warning(disk_msg)
 	else:
 		if rounded_values: disk_msg = "The disk has less than 15% free space."
 		output.print_error(disk_msg)
 def check_free_memory(rounded_values, env, output):
@ -237,6 +270,8 @@ def run_network_checks(env, output):
 	output.add_heading("Network")
 	check_ufw(env, output)
 	# Stop if we cannot make an outbound connection on port 25. Many residential
 	# networks block outbound port 25 to prevent their network from sending spam.
 	# See if we can reach one of Google's MTAs with a 5-second timeout.
@ -358,7 +393,7 @@ def check_primary_hostname_dns(domain, env, output, dns_domains, dns_zonefiles):
 	# Check that PRIMARY_HOSTNAME resolves to PUBLIC_IP[V6] in public DNS.
 	ipv6 = query_dns(domain, "AAAA") if env.get("PUBLIC_IPV6") else None
-	if ip == env['PUBLIC_IP'] and ipv6 in (None, env['PUBLIC_IPV6']):
+	if ip == env['PUBLIC_IP'] and not (ipv6 and env['PUBLIC_IPV6'] and normalize_ip(ipv6) != normalize_ip(env['PUBLIC_IPV6'])):
 		output.print_ok("Domain resolves to box's IP address. [%s ↦ %s]" % (env['PRIMARY_HOSTNAME'], my_ips))
 	else:
 		output.print_error("""This domain must resolve to your box's IP address (%s) in public DNS but it currently resolves
@ -450,7 +485,7 @@ def check_dns_zone(domain, env, output, dns_zonefiles):
 	# half working.)
 	custom_dns_records = list(get_custom_dns_config(env)) # generator => list so we can reuse it
-	correct_ip = get_custom_dns_record(custom_dns_records, domain, "A") or env['PUBLIC_IP']
+	correct_ip = "; ".join(sorted(get_custom_dns_records(custom_dns_records, domain, "A"))) or env['PUBLIC_IP']
 	custom_secondary_ns = get_secondary_dns(custom_dns_records, mode="NS")
 	secondary_ns = custom_secondary_ns or ["ns2." + env['PRIMARY_HOSTNAME']]
@ -684,6 +719,23 @@ def query_dns(qname, rtype, nxdomain='[Not Set]', at=None):
 	# periods from responses since that's how qnames are encoded in DNS but is
 	# confusing for us. The order of the answers doesn't matter, so sort so we
 	# can compare to a well known order.
 	# Unfortunately, the response.__str__ returns bytes
 	# instead of string, if it resulted from an AAAA-query.
 	# We need to convert manually, until this is fixed:
 	# https://github.com/rthalley/dnspython/issues/204
 	#
 	# BEGIN HOTFIX
 	response_new = []
 	for r in response:
 		s = r.to_text()
 		if isinstance(s, bytes):
 			s = s.decode('utf-8')
 		response_new.append(s)
 	response = response_new
 	# END HOTFIX
 	return "; ".join(sorted(str(r).rstrip('.') for r in response))
 def check_ssl_cert(domain, rounded_time, ssl_certificates, env, output):
@ -770,8 +822,13 @@ def what_version_is_this(env):
 def get_latest_miab_version():
 	# This pings https://mailinabox.email/setup.sh and extracts the tag named in
 	# the script to determine the current product version.
-	import urllib.request
+    from urllib.request import urlopen, HTTPError, URLError
-	return re.search(b'TAG=(.*)', urllib.request.urlopen("https://mailinabox.email/setup.sh?ping=1").read()).group(1).decode("utf8")
+    from socket import timeout
    try:
        return re.search(b'TAG=(.*)', urlopen("https://mailinabox.email/setup.sh?ping=1", timeout=5).read()).group(1).decode("utf8")
    except (HTTPError, URLError, timeout):
        return None
 def check_miab_version(env, output):
 	config = load_settings(env)
@ -788,6 +845,8 @@ def check_miab_version(env, output):
 		if this_ver == latest_ver:
 			output.print_ok("Mail-in-a-Box is up to date. You are running version %s." % this_ver)
 		elif latest_ver is None:
 			output.print_error("Latest Mail-in-a-Box version could not be determined. You are running version %s." % this_ver)
 		else:
 			output.print_error("A new version of Mail-in-a-Box is available. You are running version %s. The latest version is %s. For upgrade instructions, see https://mailinabox.email. "
 				% (this_ver, latest_ver))
@ -860,6 +919,11 @@ def run_and_output_changes(env, pool):
 	with open(cache_fn, "w") as f:
 		json.dump(cur.buf, f, indent=True)
 def normalize_ip(ip):
 	# Use ipaddress module to normalize the IPv6 notation and ensure we are matching IPv6 addresses written in different representations according to rfc5952.
 	import ipaddress
 	return str(ipaddress.ip_address(ip))
 class FileOutput:
 	def __init__(self, buf, width):
 		self.buf = buf
--- a/management/templates/aliases.html
+++ b/management/templates/aliases.html
@ -106,6 +106,41 @@
  </table>
 </div>
 <h3>Mail aliases API (advanced)</h3>
 <p>Use your box&rsquo;s mail aliases API to add and remove mail aliases from the command-line or custom services you build.</p>
 <p>Usage:</p>
 <pre>curl -X <b>VERB</b> [-d "<b>parameters</b>"] --user {email}:{password} https://{{hostname}}/admin/mail/aliases[<b>action</b>]</pre>
 <p>Brackets denote an optional argument. Please note that the POST body <code>parameters</code> must be URL-encoded.</p>
 <p>The email and password given to the <code>--user</code> option must be an administrative user on this system.</p>
 <h4 style="margin-bottom: 0">Verbs</h4>
 <table class="table" style="margin-top: .5em">
 <thead><th>Verb</th> <th>Action</th><th></th></thead>
 <tr><td>GET</td><td><i>(none)</i></td> <td>Returns a list of existing mail aliases. Adding <code>?format=json</code> to the URL will give JSON-encoded results.</td></tr>
 <tr><td>POST</td><td>/add</td> <td>Adds a new mail alias. Required POST-body parameters are <code>address</code> and <code>forwards_to</code>.</td></tr>
 <tr><td>POST</td><td>/remove</td> <td>Removes a mail alias. Required POST-body parameter is <code>address</code>.</td></tr>
 </table>
 <h4>Examples:</h4>
 <p>Try these examples. For simplicity the examples omit the <code>--user me@mydomain.com:yourpassword</code> command line argument which you must fill in with your email address and password.</p>
 <pre># Gives a JSON-encoded list of all mail aliases
 curl -X GET https://{{hostname}}/admin/mail/aliases?format=json
 # Adds a new alias
 curl -X POST -d "address=new_alias@mydomail.com" -d "forwards_to=my_email@mydomain.com" https://{{hostname}}/admin/mail/aliases/add
 # Removes an alias
 curl -X POST -d "address=new_alias@mydomail.com" https://{{hostname}}/admin/mail/aliases/remove
 </pre>
 <script>
 function show_aliases() {
--- a/management/templates/custom-dns.html
+++ b/management/templates/custom-dns.html
@ -10,7 +10,7 @@
 <p>It is possible to set custom DNS records on domains hosted here.</p>
-<h3>Set Custom DNS Records</h3>
+<h3>Set custom DNS records</h3>
 <p>You can set additional DNS records, such as if you have a website running on another server, to add DKIM records for external mail providers, or for various confirmation-of-ownership tests.</p>
@ -35,7 +35,9 @@
        <option value="AAAA" data-hint="Enter an IPv6 address.">AAAA (IPv6 address)</option>
        <option value="CNAME" data-hint="Enter another domain name followed by a period at the end (e.g. mypage.github.io.).">CNAME (DNS forwarding)</option>
        <option value="TXT" data-hint="Enter arbitrary text.">TXT (text record)</option>
-        <option value="MX" data-hint="Enter record in the form of PRIORIY DOMAIN., including trailing period (e.g. 20 mx.example.com.).">MX (mail exchanger)</option>
+        <option value="MX" data-hint="Enter record in the form of PRIORITY DOMAIN., including trailing period (e.g. 20 mx.example.com.).">MX (mail exchanger)</option>
        <option value="SRV" data-hint="Enter record in the form of PRIORITY WEIGHT PORT TARGET., including trailing period (e.g. 10 10 5060 sip.example.com.).">SRV (service record)</option>
        <option value="SSHFP" data-hint="Enter record in the form of ALGORITHM TYPE FINGERPRINT.">SSHFP (SSH fingerprint record)</option>
      </select>
    </div>
  </div>
@ -65,10 +67,10 @@
  </tbody>
 </table>
-<h3>Using a Secondary Nameserver</h3>
+<h3>Using a secondary nameserver</h3>
 <p>If your TLD requires you to have two separate nameservers, you can either set up <a href="#" onclick="return show_panel('external_dns')">external DNS</a> and ignore the DNS server on this box entirely, or use the DNS server on this box but add a secondary (aka &ldquo;slave&rdquo;) nameserver.</p>
-<p>If you choose to use a seconday nameserver, you must find a seconday nameserver service provider. Your domain name registrar or virtual cloud provider may provide this service for you. Once you set up the seconday nameserver service, enter the hostname (not the IP address) of <em>their</em> secondary nameserver in the box below.</p>
+<p>If you choose to use a secondary nameserver, you must find a secondary nameserver service provider. Your domain name registrar or virtual cloud provider may provide this service for you. Once you set up the secondary nameserver service, enter the hostname (not the IP address) of <em>their</em> secondary nameserver in the box below.</p>
 <form class="form-horizontal" role="form" onsubmit="do_set_secondary_dns(); return false;">
  <div class="form-group">
@ -123,7 +125,7 @@
 <tr><td>email</td> <td>The email address of any administrative user here.</td></tr>
 <tr><td>password</td> <td>That user&rsquo;s password.</td></tr>
 <tr><td>qname</td> <td>The fully qualified domain name for the record you are trying to set. It must be one of the domain names or a subdomain of one of the domain names hosted on this box. (Add mail users or aliases to add new domains.)</td></tr>
-<tr><td>rtype</td> <td>The resource type. Defaults to <code>A</code> if omitted. Possible values: <code>A</code> (an IPv4 address), <code>AAAA</code> (an IPv6 address), <code>TXT</code> (a text string), <code>CNAME</code> (an alias, which is a fully qualified domain name &mdash; don&rsquo;t forget the final period), <code>MX</code>, or <code>SRV</code>.</td></tr>
+<tr><td>rtype</td> <td>The resource type. Defaults to <code>A</code> if omitted. Possible values: <code>A</code> (an IPv4 address), <code>AAAA</code> (an IPv6 address), <code>TXT</code> (a text string), <code>CNAME</code> (an alias, which is a fully qualified domain name &mdash; don&rsquo;t forget the final period), <code>MX</code>, <code>SRV</code>, or <code>SSHFP</code>.</td></tr>
 <tr><td>value</td> <td>For PUT, POST, and DELETE, the record&rsquo;s value. If the <code>rtype</code> is <code>A</code> or <code>AAAA</code> and <code>value</code> is empty or omitted, the IPv4 or IPv6 address of the remote host is used (be sure to use the <code>-4</code> or <code>-6</code> options to curl). This is handy for dynamic DNS!</td></tr>
 </table>
--- a/management/templates/index.html
+++ b/management/templates/index.html
@ -9,7 +9,7 @@
        <meta name="robots" content="noindex, nofollow">
-        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css" integrity="sha256-MfvZlkHCEqatNoGiOXveE8FIwMzZg4W85qfrfIFBfYc=" crossorigin="anonymous">
+        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
        <style>
 	    body {
 		overflow-y: scroll;
@ -63,7 +63,7 @@
 	       margin-bottom: 1em;
 	    }
        </style>
-        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap-theme.min.css" integrity="sha256-bHQiqcFbnJb1Qhh61RY9cMh6kR0gTuQY6iFOBj1yj00=" crossorigin="anonymous">
+        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css" integrity="sha384-rHyoN1iRsVXV4nD0JutlnGaslCJuC7uwjduW9SVrLvRYooPp2bWYgmgJQIXwl/Sp" crossorigin="anonymous">
    </head>
    <body>
@ -93,7 +93,7 @@
                <li class="dropdown-header">Advanced Pages</li>
                <li><a href="#custom_dns" onclick="return show_panel(this);">Custom DNS</a></li>
                <li><a href="#external_dns" onclick="return show_panel(this);">External DNS</a></li>
-                <li><a href="/admin/munin">Munin Monitoring</a></li>
+                <li><a href="/admin/munin" target="_blank">Munin Monitoring</a></li>
              </ul>
            </li>
            <li class="dropdown">
@ -192,7 +192,7 @@
        </div>
        <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js" integrity="sha256-rsPUGdUPBXgalvIj4YKJrrUlmLXbOb6Cp7cdxn1qeUc=" crossorigin="anonymous"></script>
-        <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js" integrity="sha256-Sk3nkD6mLTMOF0EOpNtsIry+s1CsaqQC1rVLTAy+0yc=" crossorigin="anonymous"></script>
+        <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
        <script>
 var global_modal_state = null;
--- a/management/templates/mail-guide.html
+++ b/management/templates/mail-guide.html
@ -42,7 +42,7 @@
 				<h4>Exchange/ActiveSync settings</h4>
-					<p>On iOS devices, devices on this <a href="http://z-push.org/compatibility/">compatibility list</a>, or using Outlook 2007 or later on Windows 7 and later, you may set up your mail as an Exchange or ActiveSync server. However, we&rsquo;ve found this to be more buggy than using IMAP as described above. If you encounter any problems, please use the manual settings above.</p>
+					<p>On iOS devices, devices on this <a href="https://wiki.z-hub.io/display/ZP/Compatibility">compatibility list</a>, or using Outlook 2007 or later on Windows 7 and later, you may set up your mail as an Exchange or ActiveSync server. However, we&rsquo;ve found this to be more buggy than using IMAP as described above. If you encounter any problems, please use the manual settings above.</p>
 					<table class="table">
 					<tr><th>Server</th> <td>{{hostname}}</td></tr>
--- a/management/templates/ssl.html
+++ b/management/templates/ssl.html
@ -8,7 +8,7 @@
 <p>You need a TLS certificate for this box&rsquo;s hostname ({{hostname}}) and every other domain name and subdomain that this box is hosting a website for (see the list below).</p>
 <div id="ssl_provision">
-<h3>Provision a Certificate</h3>
+<h3>Provision a certificate</h3>
 <div id="ssl_provision_p" style="display: none; margin-top: 1.5em">
  <button onclick='return provision_tls_cert();' class='btn btn-primary' style="float: left; margin: 0 1.5em 1em 0;">Provision</button>
@ -36,7 +36,7 @@
 </div>
 </div>
-<h3>Certificate Status</h3>
+<h3>Certificate status</h3>
 <p style="margin-top: 1.5em">Certificates expire after a period of time. All certificates will be automatically renewed through <a href="https://letsencrypt.org/" target="_blank">Let&rsquo;s Encrypt</a> 14 days prior to expiration.</p>
@ -53,9 +53,9 @@
 </table>
-<h3 id="ssl_install_header">Install Certificate</h3>
+<h3 id="ssl_install_header">Install certificate</h3>
-<p>There are many places where you can get a free or cheap certificate. We recommend <a href="https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx">Namecheap&rsquo;s $9 certificate</a>, <a href="https://www.startssl.com/">StartSSL&rsquo;s free express lane</a> or <a href="https://buy.wosign.com/free/">WoSign&rsquo;s free TLS</a></a>.</p>
+<p>If you don't want to use our automatic Let's Encrypt integration, you can give any other certificate provider a try. You can generate the needed CSR below.</p>
 <p>Which domain are you getting a certificate for?</p>
--- a/management/templates/system-backup.html
+++ b/management/templates/system-backup.html
@ -16,16 +16,60 @@
      <select class="form-control" rows="1" id="backup-target-type" onchange="toggle_form()">
        <option value="off">Nowhere (Disable Backups)</option>
        <option value="local">{{hostname}}</option>
        <option value="rsync">rsync</option>
        <option value="s3">Amazon S3</option>
      </select>
    </div>
  </div>
  <!-- LOCAL BACKUP -->
  <div class="form-group backup-target-local">
    <div class="col-sm-10 col-sm-offset-2">
-      <p>Backups are stored on this machine&rsquo;s own hard disk. You are responsible for periodically using SFTP (FTP over SSH) to copy the backup files from <tt id="backup-location"></tt> to a safe location. These files are encrypted, so they are safe to store anywhere.</p>
+      <p>Backups are stored on this machine&rsquo;s own hard disk. You are responsible for periodically using SFTP (FTP over SSH) to copy the backup files from <tt class="backup-location"></tt> to a safe location. These files are encrypted, so they are safe to store anywhere.</p>
      <p>Separately copy the encryption password from <tt class="backup-encpassword-file"></tt> to a safe and secure location. You will need this file to decrypt backup files.</p>
    </div>
  </div>
  <!-- RSYNC BACKUP -->
  <div class="form-group backup-target-rsync">
    <div class="col-sm-10 col-sm-offset-2">
      <p>Backups synced to a remote machine using rsync over SSH, with local
      copies in <tt class="backup-location"></tt>. These files are encrypted, so
      they are safe to store anywhere.</p> <p>Separately copy the encryption
      password from <tt class="backup-encpassword-file"></tt> to a safe and
      secure location. You will need this file to decrypt backup files.</p>
    </div>
  </div>
  <div class="form-group backup-target-rsync">
    <label for="backup-target-rsync-host" class="col-sm-2 control-label">Hostname</label>
    <div class="col-sm-8">
      <input type="text" placeholder="hostname.local" class="form-control" rows="1" id="backup-target-rsync-host">
    </div>
  </div>
  <div class="form-group backup-target-rsync">
    <label for="backup-target-rsync-path" class="col-sm-2 control-label">Path</label>
    <div class="col-sm-8">
        <input type="text" placeholder="/backups/{{hostname}}" class="form-control" rows="1" id="backup-target-rsync-path">
    </div>
  </div>
  <div class="form-group backup-target-rsync">
    <label for="backup-target-rsync-user" class="col-sm-2 control-label">Username</label>
    <div class="col-sm-8">
      <input type="text" class="form-control" rows="1" id="backup-target-rsync-user">
    </div>
  </div>
  <div class="form-group backup-target-rsync">
    <label for="ssh-pub-key" class="col-sm-2 control-label">Public SSH Key</label>
    <div class="col-sm-8">
      <input type="text" class="form-control" rows="1" id="ssh-pub-key" readonly>
      <div class="small" style="margin-top: 2px">
        Copy the Public SSH Key above, and paste it within the <tt>~/.ssh/authorized_keys</tt>
        of target user on the backup server specified above. That way you'll enable secure and
        passwordless authentication from your mail-in-a-box server and your backup server.
      </div>
    </div>
  </div>
  <!-- S3 BACKUP -->
  <div class="form-group backup-target-s3">
    <div class="col-sm-10 col-sm-offset-2">
      <p>Backups are stored in an Amazon Web Services S3 bucket. You must have an AWS account already.</p>
@ -60,7 +104,8 @@
      <input type="text" class="form-control" rows="1" id="backup-target-pass">
    </div>
  </div>
-  <div class="form-group backup-target-local backup-target-s3">
+  <!-- Common -->
  <div class="form-group backup-target-local backup-target-rsync backup-target-s3">
    <label for="min-age" class="col-sm-2 control-label">Days:</label>
    <div class="col-sm-8">
      <input type="number" class="form-control" rows="1" id="min-age">
@ -74,7 +119,7 @@
  </div>
 </form>
-<h3>Available Backups</h3>
+<h3>Available backups</h3>
 <p>The backup location currently contains the backups listed below. The total size of the backups is currently <span id="backup-total-size"></span>.</p>
@ -92,7 +137,7 @@
 function toggle_form() {
  var target_type = $("#backup-target-type").val();
-  $(".backup-target-local, .backup-target-s3").hide();
+  $(".backup-target-local, .backup-target-rsync, .backup-target-s3").hide();
  $(".backup-target-" + target_type).show();
 }
@ -160,16 +205,30 @@ function show_system_backup() {
 }
 function show_custom_backup() {
-    $(".backup-target-local, .backup-target-s3").hide();
+    $(".backup-target-local, .backup-target-rsync, .backup-target-s3").hide();
    api(
      "/system/backup/config",
      "GET",
      { },
      function(r) {
        $("#backup-target-user").val(r.target_user);
        $("#backup-target-pass").val(r.target_pass);
        $("#min-age").val(r.min_age_in_days);
        $(".backup-location").text(r.file_target_directory);
        $(".backup-encpassword-file").text(r.enc_pw_file);
        $("#ssh-pub-key").val(r.ssh_pub_key);
        if (r.target == "file://" + r.file_target_directory) {
          $("#backup-target-type").val("local");
        } else if (r.target == "off") {
          $("#backup-target-type").val("off");
        } else if (r.target.substring(0, 8) == "rsync://") {
          $("#backup-target-type").val("rsync");
          var path = r.target.substring(8).split('//');
          var host_parts = path.shift().split('@');
          $("#backup-target-rsync-user").val(host_parts[0]);
          $("#backup-target-rsync-host").val(host_parts[1]);
          $("#backup-target-rsync-path").val('/'+path[0]);
        } else if (r.target.substring(0, 5) == "s3://") {
          $("#backup-target-type").val("s3");
          var hostpath = r.target.substring(5).split('/');
@ -177,11 +236,6 @@ function show_custom_backup() {
          $("#backup-target-s3-host").val(host);
          $("#backup-target-s3-path").val(hostpath.join('/'));
        }
        $("#backup-target-user").val(r.target_user);
        $("#backup-target-pass").val(r.target_pass);
        $("#min-age").val(r.min_age_in_days);
        $('#backup-location').text(r.file_target_directory);
        $('.backup-encpassword-file').text(r.enc_pw_file);
        toggle_form()
      })
 }
@ -196,6 +250,12 @@ function set_custom_backup() {
    target = target_type;
  else if (target_type == "s3")
    target = "s3://" + $("#backup-target-s3-host").val() + "/" + $("#backup-target-s3-path").val();
  else if (target_type == "rsync") {
    target = "rsync://" + $("#backup-target-rsync-user").val() + "@" + $("#backup-target-rsync-host").val()
                                                                + "/" + $("#backup-target-rsync-path").val();
    target_user = '';
  }
  var min_age = $("#min-age").val();
  api(
--- a/management/templates/system-status.html
+++ b/management/templates/system-status.html
@ -34,19 +34,23 @@
  font-family: monospace;
  white-space: pre-wrap;
 }
 #system-privacy-setting {
  float: right;
  max-width: 20em;
  margin-bottom: 1em;
 }
 </style>
 <div class="row">
 	<div class="col-md-push-9 col-md-3">
 <div id="system-reboot-required" style="display: none; margin-bottom: 1em;">
 	<button type="button" class="btn btn-danger" onclick="confirm_reboot(); return false;">Reboot Box</button>
 	<div>No reboot is necessary.</div>
 </div>
 <div id="system-privacy-setting" style="display: none">
 	<div><a onclick="return enable_privacy(!current_privacy_setting)" href="#"><span>Enable/Disable</span> New-Version Check</a></div>
 	<p style="line-height: 125%"><small>(When enabled, status checks phone-home to check for a new release of Mail-in-a-Box.)</small></p>
 </div>
 	</div> <!-- /col -->
 	<div class="col-md-pull-3 col-md-8">
 <table id="system-checks" class="table" style="max-width: 60em">
  <thead>
@ -55,6 +59,9 @@
  </tbody>
 </table>
 	</div> <!-- /col -->
 </div> <!-- /row -->
 <script>
 function show_system_status() {
  $('#system-checks tbody').html("<tr><td colspan='2' class='text-muted'>Loading...</td></tr>")
@ -70,6 +77,16 @@ function show_system_status() {
      $('#system-privacy-setting p').toggle(r);
    });
  api(
    "/system/reboot",
    "GET",
    { },
    function(r) {
      $('#system-reboot-required').show(); // show when r becomes available
      $('#system-reboot-required').find('button').toggle(r);
      $('#system-reboot-required').find('div').toggle(!r);
    });
  api(
    "/system/status",
    "POST",
@ -122,4 +139,22 @@ function enable_privacy(status) {
    });
  return false; // disable link
 }
 function confirm_reboot() {
  show_modal_confirm(
    "Reboot",
    $("<p>This will reboot your Mail-in-a-Box <code>{{hostname}}</code>.</p> <p>Until the machine is fully restarted, your users will not be able to send and receive email, and you will not be able to connect to this control panel or with SSH. The reboot cannot be cancelled.</p>"),
    "Reboot Now",
    function() {
      api(
        "/system/reboot",
        "POST",
        { },
        function(r) {
          var msg = "<p>Please reload this page after a minute or so.</p>";
          if (r) msg = "<p>The reboot command said:</p> <pre>" + $("<pre/>").text(r).html() + "</pre>"; // successful reboots don't produce any output; the output must be HTML-escaped
          show_modal_error("Reboot", msg);
        });
    });
 }
 </script>
--- a/management/templates/users.html
+++ b/management/templates/users.html
@ -31,7 +31,7 @@
  <button type="submit" class="btn btn-primary">Add User</button>
 </form>
 <ul style="margin-top: 1em; padding-left: 1.5em; font-size: 90%;">
-  <li>Passwords must be at least four characters and may not contain spaces. For best results, <a href="#" onclick="return generate_random_password()">generate a random password</a>.</li>
+  <li>Passwords must be at least eight characters and may not contain spaces. For best results, <a href="#" onclick="return generate_random_password()">generate a random password</a>.</li>
  <li>Use <a href="#" onclick="return show_panel('aliases')">aliases</a> to create email addresses that forward to existing accounts.</li>
  <li>Administrators get access to this control panel.</li>
  <li>User accounts cannot contain any international (non-ASCII) characters, but <a href="#" onclick="return show_panel('aliases');">aliases</a> can.</li>
@ -84,6 +84,48 @@
  </table>
 </div>
 <h3>Mail user API (advanced)</h3>
 <p>Use your box&rsquo;s mail user API to add/change/remove users from the command-line or custom services you build.</p>
 <p>Usage:</p>
 <pre>curl -X <b>VERB</b> [-d "<b>parameters</b>"] --user {email}:{password} https://{{hostname}}/admin/mail/users[<b>action</b>]</pre>
 <p>Brackets denote an optional argument. Please note that the POST body <code>parameters</code> must be URL-encoded.</p>
 <p>The email and password given to the <code>--user</code> option must be an administrative user on this system.</p>
 <h4 style="margin-bottom: 0">Verbs</h4>
 <table class="table" style="margin-top: .5em">
 <thead><th>Verb</th> <th>Action</th><th></th></thead>
 <tr><td>GET</td><td><i>(none)</i></td> <td>Returns a list of existing mail users. Adding <code>?format=json</code> to the URL will give JSON-encoded results.</td></tr>
 <tr><td>POST</td><td>/add</td> <td>Adds a new mail user. Required POST-body parameters are <code>email</code> and <code>password</code>.</td></tr>
 <tr><td>POST</td><td>/remove</td> <td>Removes a mail user. Required POST-by parameter is <code>email</code>.</td></tr>
 <tr><td>POST</td><td>/privileges/add</td> <td>Used to make a mail user an admin. Required POST-body parameters are <code>email</code> and <code>privilege=admin</code>.</td></tr>
 <tr><td>POST</td><td>/privileges/remove</td> <td>Used to remove the admin privilege from a mail user. Required POST-body parameter is <code>email</code>.</td></tr>
 </table>
 <h4>Examples:</h4>
 <p>Try these examples. For simplicity the examples omit the <code>--user me@mydomain.com:yourpassword</code> command line argument which you must fill in with your administrative email address and password.</p>
 <pre># Gives a JSON-encoded list of all mail users
 curl -X GET https://{{hostname}}/admin/mail/users?format=json
 # Adds a new email user
 curl -X POST -d "email=new_user@mydomail.com" -d "password=s3curE_pa5Sw0rD" https://{{hostname}}/admin/mail/users/add
 # Removes a email user
 curl -X POST -d "email=new_user@mydomail.com" https://{{hostname}}/admin/mail/users/remove
 # Adds admin privilege to an email user
 curl -X POST -d "email=new_user@mydomail.com" -d "privilege=admin" https://{{hostname}}/admin/mail/users/privileges/add
 # Removes admin privilege from an email user
 curl -X POST -d "email=new_user@mydomail.com" https://{{hostname}}/admin/mail/users/privileges/remove
 </pre>
 <script>
 function show_users() {
@ -170,7 +212,7 @@ function users_set_password(elem) {
    yourpw = "<p class='text-danger'>If you change your own password, you will be logged out of this control panel and will need to log in again.</p>";
  show_modal_confirm(
-    "Archive User",
+    "Set Password",
    $("<p>Set a new password for <b>" + email + "</b>?</p> <p><label for='users_set_password_pw' style='display: block; font-weight: normal'>New Password:</label><input type='password' id='users_set_password_pw'></p><p><small>Passwords must be at least four characters and may not contain spaces.</small>" + yourpw + "</p>"),
    "Set Password",
    function() {
@ -254,7 +296,7 @@ function mod_priv(elem, add_remove) {
 function generate_random_password() {
  var pw = "";
  var charset = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789"; // confusable characters skipped
-  for (var i = 0; i < 10; i++)
+  for (var i = 0; i < 12; i++)
    pw += charset.charAt(Math.floor(Math.random() * charset.length));
  show_modal_error("Random Password", "<p>Here, try this:</p> <p><code style='font-size: 110%'>" + pw + "</code></pr");
  return false; // cancel click
--- a/management/templates/web.html
+++ b/management/templates/web.html
@ -82,7 +82,7 @@ function show_change_web_root(elem) {
  var root = $(elem).parents('tr').attr('data-custom-web-root');
  show_modal_confirm(
    'Change Root Directory for ' + domain,
-    $('<p>You can change the static directory for <tt>' + domain + '</tt> to:</p> <p><tt>' + root + '</tt></p> <p>First create this directory on the server. Then click Update to scan for the directory and update web settings.'),
+    $('<p>You can change the static directory for <tt>' + domain + '</tt> to:</p> <p><tt>' + root + '</tt></p> <p>First create this directory on the server. Then click Update to scan for the directory and update web settings.</p>'),
    'Update',
    function() { do_web_update(); });
 }
--- a/management/utils.py
+++ b/management/utils.py
@ -106,76 +106,6 @@ def sort_email_addresses(email_addresses, env):
    ret.extend(sorted(email_addresses)) # whatever is left
    return ret
 def exclusive_process(name):
    # Ensure that a process named `name` does not execute multiple
    # times concurrently.
    import os, sys, atexit
    pidfile = '/var/run/mailinabox-%s.pid' % name
    mypid = os.getpid()
    # Attempt to get a lock on ourself so that the concurrency check
    # itself is not executed in parallel.
    with open(__file__, 'r+') as flock:
        # Try to get a lock. This blocks until a lock is acquired. The
        # lock is held until the flock file is closed at the end of the
        # with block.
        os.lockf(flock.fileno(), os.F_LOCK, 0)
        # While we have a lock, look at the pid file. First attempt
        # to write our pid to a pidfile if no file already exists there.
        try:
            with open(pidfile, 'x') as f:
                # Successfully opened a new file. Since the file is new
                # there is no concurrent process. Write our pid.
                f.write(str(mypid))
                atexit.register(clear_my_pid, pidfile)
                return
        except FileExistsError:
            # The pid file already exixts, but it may contain a stale
            # pid of a terminated process.
            with open(pidfile, 'r+') as f:
                # Read the pid in the file.
                existing_pid = None
                try:
                    existing_pid = int(f.read().strip())
                except ValueError:
                    pass # No valid integer in the file.
                # Check if the pid in it is valid.
                if existing_pid:
                    if is_pid_valid(existing_pid):
                        print("Another %s is already running (pid %d)." % (name, existing_pid), file=sys.stderr)
                        sys.exit(1)
                # Write our pid.
                f.seek(0)
                f.write(str(mypid))
                f.truncate()
                atexit.register(clear_my_pid, pidfile)
 def clear_my_pid(pidfile):
    import os
    os.unlink(pidfile)
 def is_pid_valid(pid):
    """Checks whether a pid is a valid process ID of a currently running process."""
    # adapted from http://stackoverflow.com/questions/568271/how-to-check-if-there-exists-a-process-with-a-given-pid
    import os, errno
    if pid <= 0: raise ValueError('Invalid PID.')
    try:
        os.kill(pid, 0)
    except OSError as err:
        if err.errno == errno.ESRCH: # No such process
            return False
        elif err.errno == errno.EPERM: # Not permitted to send signal
            return True
        else: # EINVAL
            raise
    else:
        return True
 def shell(method, cmd_args, env={}, capture_stderr=False, return_bytes=False, trap=False, input=None):
    # A safe way to execute processes.
    # Some processes like apt-get require being given a sane PATH.
--- a/security.md
+++ b/security.md
@ -69,6 +69,16 @@ The [setup guide video](https://mailinabox.email/) explains how to verify the ho
 If DNSSEC is enabled at the box's domain name's registrar, the SSHFP record that the box automatically puts into DNS can also be used to verify the host key fingerprint by setting `VerifyHostKeyDNS yes` in your `ssh/.config` file or by logging in with `ssh -o VerifyHostKeyDNS=yes`. ([source](management/dns_update.py))
 ### Brute-force attack mitigation
 `fail2ban` provides some protection from brute-force login attacks (repeated logins that guess account passwords) by blocking offending IP addresses at the network level.
 The following services are protected: SSH, IMAP (dovecot), SMTP submission (postfix), webmail (roundcube), ownCloud/CalDAV/CardDAV (over HTTP), and the Mail-in-a-Box control panel & munin (over HTTP).
 Some other services running on the box may be missing fail2ban filters.
 `fail2ban` only blocks IPv4 addresses, however. If the box has a public IPv6 address, it is not protected from these attacks.
 Outbound Mail
 -------------
@ -80,7 +90,7 @@ The first step in resolving the destination server for an email address is perfo
 ### Encryption
-The box (along with the vast majority of mail servers) uses [opportunistic encryption](https://en.wikipedia.org/wiki/Opportunistic_encryption), meaning the mail is encrypted in transit and protected from passive eavesdropping, but it is not protected from an active man-in-the-middle attack. Modern encryption settings will be used to the extent the recipient server supports them. ([source](setup/mail-postfix.sh))
+The box (along with the vast majority of mail servers) uses [opportunistic encryption](https://en.wikipedia.org/wiki/Opportunistic_encryption), meaning the mail is encrypted in transit and protected from passive eavesdropping, but it is not protected from an active man-in-the-middle attack. Modern encryption settings (TLSv1 and later, no RC4) will be used to the extent the recipient server supports them. ([source](setup/mail-postfix.sh))
 ### DANE
@ -101,7 +111,7 @@ Incoming Mail
 ### Encryption
-As discussed above, there is no way to require on-the-wire encryption of mail. When the box receives an incoming email (SMTP on port 25), it offers encryption (STARTTLS) but cannot require that senders use it because some senders may not support STARTTLS at all and other senders may support STARTTLS but not with the latest protocols/ciphers. To give senders the best chance at making use of encryption, the box offers protocols back to SSLv3 and ciphers with key lengths as low as 112 bits. Modern clients (senders) will make use of the 256-bit ciphers and Diffie-Hellman ciphers with a 2048-bit key for forward secrecy, however. ([source](setup/mail-postfix.sh))
+As discussed above, there is no way to require on-the-wire encryption of mail. When the box receives an incoming email (SMTP on port 25), it offers encryption (STARTTLS) but cannot require that senders use it because some senders may not support STARTTLS at all and other senders may support STARTTLS but not with the latest protocols/ciphers. To give senders the best chance at making use of encryption, the box offers protocols back to TLSv1 and ciphers with key lengths as low as 112 bits. Modern clients (senders) will make use of the 256-bit ciphers and Diffie-Hellman ciphers with a 2048-bit key for perfect forward secrecy, however. ([source](setup/mail-postfix.sh))
 ### DANE
--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@ -7,7 +7,7 @@
 #########################################################
 if [ -z "$TAG" ]; then
-	TAG=v0.17b
+	TAG=v0.21c
 fi
 # Are we running as root?
--- a/setup/dkim.sh
+++ b/setup/dkim.sh
@ -31,7 +31,7 @@ ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
 InternalHosts           refile:/etc/opendkim/TrustedHosts
 KeyTable                refile:/etc/opendkim/KeyTable
 SigningTable            refile:/etc/opendkim/SigningTable
-Socket                  inet:8891@localhost
+Socket                  inet:8891@127.0.0.1
 RequireSafeKeys         false
 EOF
 fi
--- a/setup/firstuser.sh
+++ b/setup/firstuser.sh
@ -35,7 +35,7 @@ if [ -z "`tools/mail.py user`" ]; then
 		else
 			# Use me@PRIMARY_HOSTNAME
 			EMAIL_ADDR=me@$PRIMARY_HOSTNAME
-			EMAIL_PW=1234
+			EMAIL_PW=12345678
 			echo
 			echo "Creating a new administrative mail account for $EMAIL_ADDR with password $EMAIL_PW."
 			echo
--- a/setup/mail-dovecot.sh
+++ b/setup/mail-dovecot.sh
@ -37,8 +37,17 @@ apt_install \
 # of active IMAP connections (at, say, 5 open connections per user that
 # would be 20 users). Set it to 250 times the number of cores this
 # machine has, so on a two-core machine that's 500 processes/100 users).
 # The `default_vsz_limit` is the maximum amount of virtual memory that
 # can be allocated. It should be set *reasonably high* to avoid allocation
 # issues with larger mailboxes. We're setting it to 1/3 of the total
 # available memory (physical mem + swap) to be sure.
 # See here for discussion:
 # - https://www.dovecot.org/list/dovecot/2012-August/137569.html
 # - https://www.dovecot.org/list/dovecot/2011-December/132455.html
 tools/editconf.py /etc/dovecot/conf.d/10-master.conf \
-	default_process_limit=$(echo "`nproc` * 250" | bc)
+	default_process_limit=$(echo "`nproc` * 250" | bc) \
 	default_vsz_limit=$(echo "`free -tom  | tail -1 | awk '{print $2}'` / 3" | bc)M \
 	log_path=/var/log/mail.log
 # The inotify `max_user_instances` default is 128, which constrains
 # the total number of watched (IMAP IDLE push) folders by open connections.
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@ -91,7 +91,8 @@ tools/editconf.py /etc/postfix/main.cf \
 # * Give it a different name in syslog to distinguish it from the port 25 smtpd server.
 # * Add a new cleanup service specific to the submission service ('authclean')
 #   that filters out privacy-sensitive headers on mail being sent out by
-#   authenticated users.
+#   authenticated users.  By default Postfix also applies this to attached
 #   emails but we turn this off by setting nested_header_checks empty.
 tools/editconf.py /etc/postfix/master.cf -s -w \
 	"submission=inet n       -       -       -       -       smtpd
 	  -o syslog_name=postfix/submission
@ -100,7 +101,8 @@ tools/editconf.py /etc/postfix/master.cf -s -w \
 	  -o smtpd_tls_ciphers=high -o smtpd_tls_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4 -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
 	  -o cleanup_service_name=authclean" \
 	"authclean=unix  n       -       -       -       0       cleanup
-	  -o header_checks=pcre:/etc/postfix/outgoing_mail_header_filters"
+	  -o header_checks=pcre:/etc/postfix/outgoing_mail_header_filters
 	  -o nested_header_checks="
 # Install the `outgoing_mail_header_filters` file required by the new 'authclean' service.
 cp conf/postfix_outgoing_mail_header_filters /etc/postfix/outgoing_mail_header_filters
@ -122,8 +124,9 @@ tools/editconf.py /etc/postfix/main.cf \
 	smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
 	smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
 	smtpd_tls_dh1024_param_file=$STORAGE_ROOT/ssl/dh2048.pem \
 	smtpd_tls_protocols=\!SSLv2,\!SSLv3 \
 	smtpd_tls_ciphers=medium \
-	smtpd_tls_exclude_ciphers=aNULL \
+	smtpd_tls_exclude_ciphers=aNULL,RC4 \
 	smtpd_tls_received_header=yes
 # Prevent non-authenticated users from sending mail that requires being
@ -158,6 +161,10 @@ tools/editconf.py /etc/postfix/main.cf \
 # even if we don't know if it's to the right party, than to not encrypt at all. Instead we'll
 # now see notices about trusted certs. The CA file is provided by the package `ca-certificates`.
 tools/editconf.py /etc/postfix/main.cf \
 	smtp_tls_protocols=\!SSLv2,\!SSLv3 \
 	smtp_tls_mandatory_protocols=\!SSLv2,\!SSLv3 \
 	smtp_tls_ciphers=medium \
 	smtp_tls_exclude_ciphers=aNULL,RC4 \
 	smtp_tls_security_level=dane \
 	smtp_dns_support_level=dnssec \
 	smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt \
--- a/setup/mail-users.sh
+++ b/setup/mail-users.sh
@ -38,17 +38,19 @@ passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
 }
 userdb {
-  driver = static
+  driver = sql
-  args = uid=mail gid=mail home=$STORAGE_ROOT/mail/mailboxes/%d/%n
+  args = /etc/dovecot/dovecot-sql.conf.ext
 }
 EOF
-# Configure the SQL to query for a user's password.
+# Configure the SQL to query for a user's metadata and password.
 cat > /etc/dovecot/dovecot-sql.conf.ext << EOF;
 driver = sqlite
 connect = $db_path
 default_pass_scheme = SHA512-CRYPT
 password_query = SELECT email as user, password FROM users WHERE email='%u';
 user_query = SELECT email AS user, "mail" as uid, "mail" as gid, "$STORAGE_ROOT/mail/mailboxes/%d/%n" as home FROM users WHERE email='%u';
 iterate_query = SELECT email AS user FROM users;
 EOF
 chmod 0600 /etc/dovecot/dovecot-sql.conf.ext # per Dovecot instructions
--- a/setup/management.sh
+++ b/setup/management.sh
@ -4,7 +4,10 @@ source setup/functions.sh
 echo "Installing Mail-in-a-Box system management daemon..."
-# Install packages.
+# DEPENDENCIES
 # Install Python packages that are available from the Ubuntu
 # apt repository:
 # flask, yaml, dnspython, and dateutil are all for our Python 3 management daemon itself.
 # duplicity does backups. python-pip is so we can 'pip install boto' for Python 2, for duplicity, so it can do backups to AWS S3.
 apt_install python3-flask links duplicity libyaml-dev python3-dnspython python3-dateutil python-pip
@ -12,17 +15,45 @@ apt_install python3-flask links duplicity libyaml-dev python3-dnspython python3-
 # These are required to pip install cryptography.
 apt_install build-essential libssl-dev libffi-dev python3-dev
 # pip<6.1 + setuptools>=34 have a problem with packages that
 # try to update setuptools during installation, like cryptography.
 # See https://github.com/pypa/pip/issues/4253. The Ubuntu 14.04
 # package versions are pip 1.5.4 and setuptools 3.3. When we
 # install cryptography under those versions, it tries to update
 # setuptools to version 34, which now creates the conflict, and
 # then pip gets permanently broken with errors like
 # "ImportError: No module named 'packaging'".
 #
 # Let's test for the error:
 if ! python3 -c "from pkg_resources import load_entry_point" 2&> /dev/null; then
 	# This system seems to be broken already.
 	echo "Fixing broken pip and setuptools..."
 	rm -rf /usr/local/lib/python3.4/dist-packages/{pkg_resources,setuptools}*
 	apt-get install --reinstall python3-setuptools python3-pip python3-pkg-resources
 fi
 #
 # The easiest work-around on systems that aren't already broken is
 # to upgrade pip (to >=9.0.1) and setuptools (to >=34.1) individually
 # before we install any package that tries to update setuptools.
 hide_output pip3 install --upgrade pip
 hide_output pip3 install --upgrade setuptools
 # Install other Python 3 packages used by the management daemon.
 # The first line is the packages that Josh maintains himself!
 # NOTE: email_validator is repeated in setup/questions.sh, so please keep the versions synced.
 # Force acme to be updated because it seems to need it after the
 # pip/setuptools breakage (see above) and the ACME protocol may
 # have changed (I got an error on one of my systems).
 hide_output pip3 install --upgrade \
-	rtyaml "email_validator>=1.0.0" "free_tls_certificates>=0.1.3" \
+	rtyaml "email_validator>=1.0.0" "free_tls_certificates>=0.1.3" "exclusiveprocess" \
-	"idna>=2.0.0" "cryptography>=1.0.2" boto psutil
+	"idna>=2.0.0" "cryptography>=1.0.2" acme boto psutil
 # duplicity uses python 2 so we need to get the python 2 package of boto to have backups to S3.
 # boto from the Ubuntu package manager is too out-of-date -- it doesn't support the newer
 # S3 api used in some regions, which breaks backups to those regions.  See #627, #653.
-hide_output pip install --upgrade boto
+hide_output pip2 install --upgrade boto
 # CONFIGURATION
 # Create a backup directory and a random key for encrypting backups.
 mkdir -p $STORAGE_ROOT/backup
--- a/setup/munin.sh
+++ b/setup/munin.sh
@ -7,7 +7,8 @@ source /etc/mailinabox.conf # load global vars
 # install Munin
 echo "Installing Munin (system monitoring)..."
-apt_install munin munin-node
+apt_install munin munin-node libcgi-fast-perl
 # libcgi-fast-perl is needed by /usr/lib/munin/cgi/munin-cgi-graph
 # edit config
 cat > /etc/munin/munin.conf <<EOF;
@ -19,6 +20,9 @@ tmpldir /etc/munin/templates
 includedir /etc/munin/munin-conf.d
 # path dynazoom uses for requests
 cgiurl_graph /admin/munin/cgi-graph
 # a simple host tree
 [$PRIMARY_HOSTNAME]
 address 127.0.0.1
@ -29,6 +33,10 @@ contact.admin.command mail -s "Munin notification ${var:host}" administrator@$PR
 contact.admin.always_send warning critical
 EOF
 # The Debian installer touches these files and chowns them to www-data:adm for use with spawn-fcgi
 chown munin. /var/log/munin/munin-cgi-html.log
 chown munin. /var/log/munin/munin-cgi-graph.log
 # ensure munin-node knows the name of this machine
 tools/editconf.py /etc/munin/munin-node.conf -s \
 	host_name=$PRIMARY_HOSTNAME
--- a/setup/owncloud.sh
+++ b/setup/owncloud.sh
@ -12,14 +12,10 @@ echo "Installing ownCloud (contacts/calendar)..."
 apt_install \
 	dbconfig-common \
 	php5-cli php5-sqlite php5-gd php5-imap php5-curl php-pear php-apc curl libapr1 libtool libcurl4-openssl-dev php-xml-parser \
-	php5 php5-dev php5-gd php5-fpm memcached php5-memcached unzip
+	php5 php5-dev php5-gd php5-fpm memcached php5-memcached
 apt-get purge -qq -y owncloud*
 # Install ownCloud from source of this version:
 owncloud_ver=8.1.1
 owncloud_hash=34077e78575a3e689825a00964ee37fbf83fbdda
 # Migrate <= v0.10 setups that stored the ownCloud config.php in /usr/local rather than
 # in STORAGE_ROOT. Move the file to STORAGE_ROOT.
 if [ ! -f $STORAGE_ROOT/owncloud/config.php ] \
@ -32,28 +28,35 @@ if [ ! -f $STORAGE_ROOT/owncloud/config.php ] \
 	ln -sf $STORAGE_ROOT/owncloud/config.php /usr/local/lib/owncloud/config/config.php
 fi
-# Check if ownCloud dir exist, and check if version matches owncloud_ver (if either doesn't - install/upgrade)
+InstallOwncloud() {
-if [ ! -d /usr/local/lib/owncloud/ ] \
+
-	|| ! grep -q $owncloud_ver /usr/local/lib/owncloud/version.php; then
+	version=$1
 	hash=$2
 	echo
 	echo "Upgrading to ownCloud version $version"
 	echo
 	# Remove the current owncloud
 	rm -rf /usr/local/lib/owncloud
 	# Download and verify
-	wget_verify https://download.owncloud.org/community/owncloud-$owncloud_ver.zip $owncloud_hash /tmp/owncloud.zip
+	wget_verify https://download.owncloud.org/community/owncloud-$version.zip $hash /tmp/owncloud.zip
 	# Clear out the existing ownCloud.
 	if [ -d /usr/local/lib/owncloud/ ]; then
 		echo "upgrading ownCloud to $owncloud_ver (backing up existing ownCloud directory to /tmp/owncloud-backup-$$)..."
 		mv /usr/local/lib/owncloud /tmp/owncloud-backup-$$
 	fi
 	# Extract ownCloud
-	unzip -u -o -q /tmp/owncloud.zip -d /usr/local/lib #either extracts new or replaces current files
+	unzip -q /tmp/owncloud.zip -d /usr/local/lib
 	rm -f /tmp/owncloud.zip
-	# The two apps we actually want are not in ownCloud core. Clone them from
+	# The two apps we actually want are not in ownCloud core. Download the releases from
 	# their github repositories.
 	mkdir -p /usr/local/lib/owncloud/apps
-	git_clone https://github.com/owncloudarchive/contacts 4ff855e7c2075309041bead09fbb9eb7df678244 '' /usr/local/lib/owncloud/apps/contacts
+	wget_verify https://github.com/owncloud/contacts/releases/download/v1.4.0.0/contacts.tar.gz c1c22d29699456a45db447281682e8bc3f10e3e7 /tmp/contacts.tgz
-	git_clone https://github.com/owncloudarchive/calendar ec53139b144c0f842c33813305612e8006c42ea5 '' /usr/local/lib/owncloud/apps/calendar
+	tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/contacts.tgz
        wget_verify https://github.com/nextcloud/calendar/releases/download/v1.4.0/calendar.tar.gz c84f3170efca2a99ea6254de34b0af3cb0b3a821 /tmp/calendar.tgz
 	tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/calendar.tgz
 	# Fix weird permissions.
 	chmod 750 /usr/local/lib/owncloud/{apps,config}
@ -69,7 +72,7 @@ if [ ! -d /usr/local/lib/owncloud/ ] \
 	# If this isn't a new installation, immediately run the upgrade script.
 	# Then check for success (0=ok and 3=no upgrade needed, both are success).
-	if [ -f $STORAGE_ROOT/owncloud/owncloud.db ]; then
+	if [ -e $STORAGE_ROOT/owncloud/owncloud.db ]; then
 		# ownCloud 8.1.1 broke upgrades. It may fail on the first attempt, but
 		# that can be OK.
 		sudo -u www-data php /usr/local/lib/owncloud/occ upgrade
@ -81,6 +84,77 @@ if [ ! -d /usr/local/lib/owncloud/ ] \
 			echo "...which seemed to work."
 		fi
 	fi
 }
 owncloud_ver=9.1.4
 owncloud_hash=e637cab7b2ca3346164f3506b1a0eb812b4e841a
 # Check if ownCloud dir exist, and check if version matches owncloud_ver (if either doesn't - install/upgrade)
 if [ ! -d /usr/local/lib/owncloud/ ] \
        || ! grep -q $owncloud_ver /usr/local/lib/owncloud/version.php; then
 	# Stop php-fpm
 	hide_output service php5-fpm stop
        # Backup the existing ownCloud.
 	# Create a backup directory to store the current installation and database to
 	BACKUP_DIRECTORY=$STORAGE_ROOT/owncloud-backup/`date +"%Y-%m-%d-%T"`
 	mkdir -p "$BACKUP_DIRECTORY"
 	if [ -d /usr/local/lib/owncloud/ ]; then
 		echo "upgrading ownCloud to $owncloud_ver (backing up existing ownCloud installation, configuration and database to directory to $BACKUP_DIRECTORY..."
 		cp -r /usr/local/lib/owncloud "$BACKUP_DIRECTORY/owncloud-install"
 	fi
 	if [ -e /home/user-data/owncloud/owncloud.db ]; then
 		cp /home/user-data/owncloud/owncloud.db $BACKUP_DIRECTORY
        fi
        if [ -e /home/user-data/owncloud/config.php ]; then
                cp /home/user-data/owncloud/config.php $BACKUP_DIRECTORY
        fi
 	# We only need to check if we do upgrades when owncloud was previously installed
 	if [ -e /usr/local/lib/owncloud/version.php ]; then
 		if grep -q "8\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then
 			echo "We are running 8.1.x, upgrading to 8.2.3 first"
 			InstallOwncloud 8.2.3 bfdf6166fbf6fc5438dc358600e7239d1c970613
 		fi
 		# If we are upgrading from 8.2.x we should go to 9.0 first. Owncloud doesn't support skipping minor versions
 		if grep -q "8\.2\.[0-9]" /usr/local/lib/owncloud/version.php; then
 			echo "We are running version 8.2.x, upgrading to 9.0.2 first"
 			# We need to disable memcached. The upgrade and install fails
 			# with memcached
 			CONFIG_TEMP=$(/bin/mktemp)
 			php <<EOF > $CONFIG_TEMP && mv $CONFIG_TEMP $STORAGE_ROOT/owncloud/config.php;
 			<?php
 				include("$STORAGE_ROOT/owncloud/config.php");
 				\$CONFIG['memcache.local'] = '\OC\Memcache\APC';
 				echo "<?php\n\\\$CONFIG = ";
 				var_export(\$CONFIG);
 				echo ";";
 			?>
 EOF
 			chown www-data.www-data $STORAGE_ROOT/owncloud/config.php
 			# We can now install owncloud 9.0.2
 			InstallOwncloud 9.0.2 72a3d15d09f58c06fa8bee48b9e60c9cd356f9c5
 			# The owncloud 9 migration doesn't migrate calendars and contacts
 			# The option to migrate these are removed in 9.1
 			# So the migrations should be done when we have 9.0 installed
 			sudo -u www-data php /usr/local/lib/owncloud/occ dav:migrate-addressbooks
 			# The following migration has to be done for each owncloud user
 			for directory in $STORAGE_ROOT/owncloud/*@*/ ; do
 				username=$(basename "${directory}")
 				sudo -u www-data php /usr/local/lib/owncloud/occ dav:migrate-calendar $username
 			done
 			sudo -u www-data php /usr/local/lib/owncloud/occ dav:sync-birthday-calendar
 		fi
 	fi
 	InstallOwncloud $owncloud_ver $owncloud_hash
 fi
 # ### Configuring ownCloud
@ -92,7 +166,6 @@ if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then
 	mkdir -p $STORAGE_ROOT/owncloud
 	# Create an initial configuration file.
 	TIMEZONE=$(cat /etc/timezone)
 	instanceid=oc$(echo $PRIMARY_HOSTNAME | sha1sum | fold -w 10 | head -n 1)
 	cat > $STORAGE_ROOT/owncloud/config.php <<EOF;
 <?php
@ -108,13 +181,10 @@ if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then
  'user_backends' => array(
    array(
      'class'=>'OC_User_IMAP',
-      'arguments'=>array('{localhost:993/imap/ssl/novalidate-cert}')
+      'arguments'=>array('{127.0.0.1:993/imap/ssl/novalidate-cert}')
    )
  ),
-  'memcache.local' => '\\OC\\Memcache\\Memcached',
+  'memcache.local' => '\OC\Memcache\APC',
  "memcached_servers" => array (
    array('localhost', 11211),
  ),
  'mail_smtpmode' => 'sendmail',
  'mail_smtpsecure' => '',
  'mail_smtpauthtype' => 'LOGIN',
@ -125,7 +195,6 @@ if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then
  'mail_smtppassword' => '',
  'mail_from_address' => 'owncloud',
  'mail_domain' => '$PRIMARY_HOSTNAME',
  'logtimezone' => '$TIMEZONE',
 );
 ?>
 EOF
@ -163,7 +232,11 @@ fi
 #   so set it here. It also can change if the box's PRIMARY_HOSTNAME changes, so
 #   this will make sure it has the right value.
 # * Some settings weren't included in previous versions of Mail-in-a-Box.
 # * We need to set the timezone to the system timezone to allow fail2ban to ban
 #   users within the proper timeframe
 # * We need to set the logdateformat to something that will work correctly with fail2ban
 # Use PHP to read the settings file, modify it, and write out the new settings array.
 TIMEZONE=$(cat /etc/timezone)
 CONFIG_TEMP=$(/bin/mktemp)
 php <<EOF > $CONFIG_TEMP && mv $CONFIG_TEMP $STORAGE_ROOT/owncloud/config.php;
 <?php
@ -171,10 +244,13 @@ include("$STORAGE_ROOT/owncloud/config.php");
 \$CONFIG['trusted_domains'] = array('$PRIMARY_HOSTNAME');
-\$CONFIG['memcache.local'] = '\\OC\\Memcache\\Memcached';
+\$CONFIG['memcache.local'] = '\OC\Memcache\APC';
 \$CONFIG['overwrite.cli.url'] = '/cloud';
 \$CONFIG['mail_from_address'] = 'administrator'; # just the local part, matches our master administrator address
 \$CONFIG['logtimezone'] = '$TIMEZONE';
 \$CONFIG['logdateformat'] = 'Y-m-d H:i:s';
 echo "<?php\n\\\$CONFIG = ";
 var_export(\$CONFIG);
 echo ";";
@ -207,6 +283,12 @@ tools/editconf.py /etc/php5/fpm/php.ini -c ';' \
 	max_execution_time=600 \
 	short_open_tag=On
 # If apc is explicitly disabled we need to enable it
 if grep -q apc.enabled=0 /etc/php5/mods-available/apcu.ini; then
 	tools/editconf.py /etc/php5/mods-available/apcu.ini -c ';' \
 		apc.enabled=1
 fi
 # Set up a cron job for owncloud.
 cat > /etc/cron.hourly/mailinabox-owncloud << EOF;
 #!/bin/bash
--- a/setup/preflight.sh
+++ b/setup/preflight.sh
@ -19,20 +19,26 @@ fi
 # Check that we have enough memory.
 #
-# /proc/meminfo reports free memory in kibibytes. Our baseline will be 768 MB,
+# /proc/meminfo reports free memory in kibibytes. Our baseline will be 512 MB,
-# which is 750000 kibibytes.
+# which is 500000 kibibytes.
 #
 # We will display a warning if the memory is below 768 MB which is 750000 kibibytes
 #
 # Skip the check if we appear to be running inside of Vagrant, because that's really just for testing.
 TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}')
-if [ $TOTAL_PHYSICAL_MEM -lt 750000 ]; then
+if [ $TOTAL_PHYSICAL_MEM -lt 500000 ]; then
 if [ ! -d /vagrant ]; then
 	TOTAL_PHYSICAL_MEM=$(expr \( \( $TOTAL_PHYSICAL_MEM \* 1024 \) / 1000 \) / 1000)
 	echo "Your Mail-in-a-Box needs more memory (RAM) to function properly."
-	echo "Please provision a machine with at least 768 MB, 1 GB recommended."
+	echo "Please provision a machine with at least 512 MB, 1 GB recommended."
 	echo "This machine has $TOTAL_PHYSICAL_MEM MB memory."
 	exit
 fi
 fi
 if [ $TOTAL_PHYSICAL_MEM -lt 750000 ]; then
 	echo "WARNING: Your Mail-in-a-Box has less than 768 MB of memory."
 	echo "         It might run unreliably when under heavy load."
 fi
 # Check that tempfs is mounted with exec
 MOUNTED_TMP_AS_NO_EXEC=$(grep "/tmp.*noexec" /proc/mounts)
@ -40,3 +46,23 @@ if [ -n "$MOUNTED_TMP_AS_NO_EXEC" ]; then
 	echo "Mail-in-a-Box has to have exec rights on /tmp, please mount /tmp with exec"
 	exit
 fi
 # Check that no .wgetrc exists
 if [ -e ~/.wgetrc ]; then
 	echo "Mail-in-a-Box expects no overrides to wget defaults, ~/.wgetrc exists"
 	exit
 fi
 # Check that we are running on x86_64 or i686, any other architecture is unsupported and
 # will fail later in the setup when we try to install the custom build lucene packages.
 #
 # Set ARM=1 to ignore this check if you have built the packages yourself. If you do this
 # you are on your own!
 ARCHITECTURE=$(uname -m)
 if [ "$ARCHITECTURE" != "x86_64" ] && [ "$ARCHITECTURE" != "i686" ]; then
 if [ -z "$ARM" ]; then
 	echo "Mail-in-a-Box only supports x86_64 or i686 and will not work on any other architecture, like ARM."
 	echo "Your architecture is $ARCHITECTURE"
 	exit
 fi
 fi
--- a/setup/questions.sh
+++ b/setup/questions.sh
@ -180,9 +180,6 @@ if [ "$PUBLIC_IPV6" = "auto" ]; then
 fi
 if [ "$PRIMARY_HOSTNAME" = "auto" ]; then
 	PRIMARY_HOSTNAME=$(get_default_hostname)
 elif [ "$PRIMARY_HOSTNAME" = "auto-easy" ]; then
 	# Generate a probably-unique subdomain under our justtesting.email domain.
 	PRIMARY_HOSTNAME=`echo $PUBLIC_IP | sha1sum | cut -c1-5`.justtesting.email
 fi
 # Set STORAGE_USER and STORAGE_ROOT to default values (user-data and /home/user-data), unless
--- a/setup/spamassassin.sh
+++ b/setup/spamassassin.sh
@ -48,7 +48,7 @@ echo "public.pyzor.org:24441" > /etc/spamassassin/pyzor/servers
 # * Disable localmode so Pyzor, DKIM and DNS checks can be used.
 tools/editconf.py /etc/default/spampd \
 	DESTPORT=10026 \
-	ADDOPTS="\"--maxsize=500\"" \
+	ADDOPTS="\"--maxsize=2000\"" \
 	LOCALONLY=0
 # Spamassassin normally wraps spam as an attachment inside a fresh
@ -63,7 +63,8 @@ tools/editconf.py /etc/default/spampd \
 # Tell Spamassassin not to modify the original message except for adding
 # the X-Spam-Status mail header and related headers.
 tools/editconf.py /etc/spamassassin/local.cf -s \
-	report_safe=0
+	report_safe=0 \
 	add_header="all Report _REPORT_"
 # Bayesean learning
 # -----------------
@ -78,9 +79,13 @@ tools/editconf.py /etc/spamassassin/local.cf -s \
 # * Writable by the debian-spamd user, which runs /etc/cron.daily/spamassassin.
 #
 # We'll have these files owned by spampd and grant access to the other two processes.
 #
 # Spamassassin will change the access rights back to the defaults, so we must also configure
 # the filemode in the config file.
 tools/editconf.py /etc/spamassassin/local.cf -s \
-	bayes_path=$STORAGE_ROOT/mail/spamassassin/bayes
+	bayes_path=$STORAGE_ROOT/mail/spamassassin/bayes \
 	bayes_file_mode=0666
 mkdir -p $STORAGE_ROOT/mail/spamassassin
 chown -R spampd:spampd $STORAGE_ROOT/mail/spamassassin
--- a/setup/start.sh
+++ b/setup/start.sh
@ -24,6 +24,9 @@ export LC_ALL=en_US.UTF-8
 export LANG=en_US.UTF-8
 export LC_TYPE=en_US.UTF-8
 # Fix so line drawing characters are shown correctly in Putty on Windows. See #744.
 export NCURSES_NO_UTF8_ACS=1
 # Recall the last settings used if we're running this a second time.
 if [ -f /etc/mailinabox.conf ]; then
 	# Run any system migrations before proceeding. Since this is a second run,
@ -108,15 +111,22 @@ source setup/zpush.sh
 source setup/management.sh
 source setup/munin.sh
-# Ping the management daemon to write the DNS and nginx configuration files.
+# Wait for the management daemon to start...
-until nc -z -w 4 localhost 10222
+until nc -z -w 4 127.0.0.1 10222
 do
 	echo Waiting for the Mail-in-a-Box management daemon to start...
 	sleep 2
 done
 # ...and then have it write the DNS and nginx configuration files and start those
 # services.
 tools/dns_update
 tools/web_update
 # Give fail2ban another restart. The log files may not all have been present when
 # fail2ban was first configured, but they should exist now.
 restart_service fail2ban
 # If DNS is already working, try to provision TLS certficates from Let's Encrypt.
 # Suppress extra reasons why domains aren't getting a new certificate.
 management/ssl_certificates.py -q
@ -137,17 +147,17 @@ if management/status_checks.py --check-primary-hostname; then
 	echo https://$PRIMARY_HOSTNAME/admin
 	echo
 	echo "If you have a DNS problem put the box's IP address in the URL"
-	echo "(https://$PUBLIC_IP/admin) but then check the SSL fingerprint:"
+	echo "(https://$PUBLIC_IP/admin) but then check the TLS fingerprint:"
-	openssl x509 -in $STORAGE_ROOT/ssl/ssl_certificate.pem -noout -fingerprint \
+	openssl x509 -in $STORAGE_ROOT/ssl/ssl_certificate.pem -noout -fingerprint -sha256\
-        	| sed "s/SHA1 Fingerprint=//"
+        	| sed "s/SHA256 Fingerprint=//"
 else
 	echo https://$PUBLIC_IP/admin
 	echo
 	echo You will be alerted that the website has an invalid certificate. Check that
 	echo the certificate fingerprint matches:
 	echo
-	openssl x509 -in $STORAGE_ROOT/ssl/ssl_certificate.pem -noout -fingerprint \
+	openssl x509 -in $STORAGE_ROOT/ssl/ssl_certificate.pem -noout -fingerprint -sha256\
-        	| sed "s/SHA1 Fingerprint=//"
+        	| sed "s/SHA256 Fingerprint=//"
 	echo
 	echo Then you can confirm the security exception and continue.
 	echo
--- a/setup/system.sh
+++ b/setup/system.sh
@ -4,6 +4,70 @@ source setup/functions.sh # load our functions
 # Basic System Configuration
 # -------------------------
 # ### Set hostname of the box
 # If the hostname is not correctly resolvable sudo can't be used. This will result in
 # errors during the install
 #
 # First set the hostname in the configuration file, then activate the setting
 echo $PRIMARY_HOSTNAME > /etc/hostname
 hostname $PRIMARY_HOSTNAME
 # ### Add swap space to the system
 # If the physical memory of the system is below 2GB it is wise to create a
 # swap file. This will make the system more resiliant to memory spikes and
 # prevent for instance spam filtering from crashing
 # We will create a 1G file, this should be a good balance between disk usage
 # and buffers for the system. We will only allocate this file if there is more
 # than 5GB of disk space available
 # The following checks are performed:
 # - Check if swap is currently mountend by looking at /proc/swaps
 # - Check if the user intents to activate swap on next boot by checking fstab entries.
 # - Check if a swapfile already exists
 # - Check if the root file system is not btrfs, might be an incompatible version with
 #   swapfiles. User should hanle it them selves.
 # - Check the memory requirements
 # - Check available diskspace
 # See https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-ubuntu-14-04
 # for reference
 SWAP_MOUNTED=$(cat /proc/swaps | tail -n+2)
 SWAP_IN_FSTAB=$(grep "swap" /etc/fstab)
 ROOT_IS_BTRFS=$(grep "\/ .*btrfs" /proc/mounts)
 TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}')
 AVAILABLE_DISK_SPACE=$(df / --output=avail | tail -n 1)
 if
 	[ -z "$SWAP_MOUNTED" ] &&
 	[ -z "$SWAP_IN_FSTAB" ] &&
 	[ ! -e /swapfile ] &&
 	[ -z "$ROOT_IS_BTRFS" ] &&
 	[ $TOTAL_PHYSICAL_MEM -lt 1900000 ] &&
 	[ $AVAILABLE_DISK_SPACE -gt 5242880 ]
 then
 	echo "Adding a swap file to the system..."
 	# Allocate and activate the swap file. Allocate in 1KB chuncks
 	# doing it in one go, could fail on low memory systems
 	dd if=/dev/zero of=/swapfile bs=1024 count=$[1024*1024] status=none
 	if [ -e /swapfile ]; then
 		chmod 600 /swapfile
 		hide_output mkswap /swapfile
 		swapon /swapfile
 	fi
 	# Check if swap is mounted then activate on boot
 	if swapon -s | grep -q "\/swapfile"; then
 		echo "/swapfile   none    swap    sw    0   0" >> /etc/fstab
 	else
 		echo "ERROR: Swap allocation failed"
 	fi
 fi
 # ### Add Mail-in-a-Box's PPA.
 # We've built several .deb packages on our own that we want to include.
@ -52,9 +116,17 @@ apt_get_quiet upgrade
 echo Installing system packages...
 apt_install python3 python3-dev python3-pip \
 	netcat-openbsd wget curl git sudo coreutils bc \
-	haveged pollinate \
+	haveged pollinate unzip \
 	unattended-upgrades cron ntp fail2ban
 # ### Suppress Upgrade Prompts
 # Since Mail-in-a-Box might jump straight to 18.04 LTS, there's no need
 # to be reminded about 16.04 on every login.
 if [ -f /etc/update-manager/release-upgrades ]; then
 	tools/editconf.py /etc/update-manager/release-upgrades Prompt=never
 	rm -f /var/lib/ubuntu-release-upgrader/release-upgrade-available
 fi
 # ### Set the system timezone
 #
 # Some systems are missing /etc/timezone, which we cat into the configs for
@ -144,6 +216,12 @@ pollinate  -q -r
 # Between these two, we really ought to be all set.
 # We need an ssh key to store backups via rsync, if it doesn't exist create one
 if [ ! -f /root/.ssh/id_rsa_miab ]; then
 	echo 'Creating SSH key for backup…'
 	ssh-keygen -t rsa -b 2048 -a 100 -f /root/.ssh/id_rsa_miab -N '' -q
 fi
 # ### Package maintenance
 #
 # Allow apt to install system updates automatically every day.
@ -227,10 +305,17 @@ restart_service resolvconf
 # ### Fail2Ban Service
-# Configure the Fail2Ban installation to prevent dumb bruce-force attacks against dovecot, postfix and ssh
+# Configure the Fail2Ban installation to prevent dumb bruce-force attacks against dovecot, postfix, ssh, etc.
-cat conf/fail2ban/jail.local \
+rm -f /etc/fail2ban/jail.local # we used to use this file but don't anymore
 cat conf/fail2ban/jails.conf \
 	| sed "s/PUBLIC_IP/$PUBLIC_IP/g" \
-	> /etc/fail2ban/jail.local
+	| sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \
-cp conf/fail2ban/dovecotimap.conf /etc/fail2ban/filter.d/dovecotimap.conf
+	> /etc/fail2ban/jail.d/mailinabox.conf
 cp -f conf/fail2ban/filter.d/* /etc/fail2ban/filter.d/
 # On first installation, the log files that the jails look at don't all exist.
 # e.g., The roundcube error log isn't normally created until someone logs into
 # Roundcube for the first time. This causes fail2ban to fail to start. Later
 # scripts will ensure the files exist and then fail2ban is given another
 # restart at the very end of setup.
 restart_service fail2ban
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@ -34,12 +34,21 @@ apt-get purge -qq -y roundcube* #NODOC
 # Install Roundcube from source if it is not already present or if it is out of date.
 # Combine the Roundcube version number with the commit hash of vacation_sieve to track
 # whether we have the latest version.
-VERSION=1.1.4
+VERSION=1.2.4
-HASH=4883c8bb39fadf8af94ffb09ee426cba9f8ef2e3
+HASH=e2091ea775b80eda43ab225130d5a2e888c3789a
 VACATION_SIEVE_VERSION=91ea6f52216390073d1f5b70b5f6bea0bfaee7e5
-PERSISTENT_LOGIN_VERSION=1e9d724476a370ce917a2fcd5b3217b0c306c24e
+PERSISTENT_LOGIN_VERSION=c4516c4be37d12ef653de86497304e073a863c2a
-HTML5_NOTIFIER_VERSION=046eb388dd63b1ec77a3ee485757fc25ae9e684d
+HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5
-UPDATE_KEY=$VERSION:$VACATION_SIEVE_VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:a
+CARDDAV_VERSION=2.0.4
 CARDDAV_HASH=d93f3cfb3038a519e71c7c3212c1d16f5da609a4
 UPDATE_KEY=$VERSION:$VACATION_SIEVE_VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:$CARDDAV_VERSION:a
 # paths that are often reused.
 RCM_DIR=/usr/local/lib/roundcubemail
 RCM_PLUGIN_DIR=${RCM_DIR}/plugins
 RCM_CONFIG=${RCM_DIR}/config/config.inc.php
 needs_update=0 #NODOC
 if [ ! -f /usr/local/lib/roundcubemail/version ]; then
 	# not installed yet #NODOC
@ -51,25 +60,35 @@ fi
 if [ $needs_update == 1 ]; then
 	# install roundcube
 	wget_verify \
-		https://downloads.sourceforge.net/project/roundcubemail/roundcubemail/$VERSION/roundcubemail-$VERSION.tar.gz \
+		https://github.com/roundcube/roundcubemail/releases/download/$VERSION/roundcubemail-$VERSION.tar.gz \
 		$HASH \
 		/tmp/roundcube.tgz
 	tar -C /usr/local/lib --no-same-owner -zxf /tmp/roundcube.tgz
 	rm -rf /usr/local/lib/roundcubemail
-	mv /usr/local/lib/roundcubemail-$VERSION/ /usr/local/lib/roundcubemail
+	mv /usr/local/lib/roundcubemail-$VERSION/ $RCM_DIR
 	rm -f /tmp/roundcube.tgz
 	# install roundcube autoreply/vacation plugin
-	git_clone https://github.com/arodier/Roundcube-Plugins.git $VACATION_SIEVE_VERSION plugins/vacation_sieve /usr/local/lib/roundcubemail/plugins/vacation_sieve
+	git_clone https://github.com/arodier/Roundcube-Plugins.git $VACATION_SIEVE_VERSION plugins/vacation_sieve ${RCM_PLUGIN_DIR}/vacation_sieve
 	# install roundcube persistent_login plugin
-	git_clone https://github.com/mfreiholz/Roundcube-Persistent-Login-Plugin.git $PERSISTENT_LOGIN_VERSION '' /usr/local/lib/roundcubemail/plugins/persistent_login
+	git_clone https://github.com/mfreiholz/Roundcube-Persistent-Login-Plugin.git $PERSISTENT_LOGIN_VERSION '' ${RCM_PLUGIN_DIR}/persistent_login
 	# install roundcube html5_notifier plugin
-	git_clone https://github.com/kitist/html5_notifier.git $HTML5_NOTIFIER_VERSION '' /usr/local/lib/roundcubemail/plugins/html5_notifier
+	git_clone https://github.com/kitist/html5_notifier.git $HTML5_NOTIFIER_VERSION '' ${RCM_PLUGIN_DIR}/html5_notifier
 	# download and verify the full release of the carddav plugin
 	wget_verify \
 		https://github.com/blind-coder/rcmcarddav/releases/download/v${CARDDAV_VERSION}/carddav-${CARDDAV_VERSION}.zip \
 		$CARDDAV_HASH \
 		/tmp/carddav.zip
 	# unzip and cleanup
 	unzip -q /tmp/carddav.zip -d ${RCM_PLUGIN_DIR}
 	rm -f /tmp/carddav.zip
 	# record the version we've installed
-	echo $UPDATE_KEY > /usr/local/lib/roundcubemail/version
+	echo $UPDATE_KEY > ${RCM_DIR}/version
 fi
 # ### Configuring Roundcube
@ -82,7 +101,7 @@ SECRET_KEY=$(dd if=/dev/urandom bs=1 count=18 2>/dev/null | base64 | fold -w 24
 # For security, temp and log files are not stored in the default locations
 # which are inside the roundcube sources directory. We put them instead
 # in normal places.
-cat > /usr/local/lib/roundcubemail/config/config.inc.php <<EOF;
+cat > $RCM_CONFIG <<EOF;
 <?php
 /*
 * Do not edit. Written by Mail-in-a-Box. Regenerated on updates.
@ -94,14 +113,14 @@ cat > /usr/local/lib/roundcubemail/config/config.inc.php <<EOF;
 \$config['default_host'] = 'ssl://localhost';
 \$config['default_port'] = 993;
 \$config['imap_timeout'] = 15;
-\$config['smtp_server'] = 'tls://localhost';
+\$config['smtp_server'] = 'tls://127.0.0.1';
 \$config['smtp_port'] = 587;
 \$config['smtp_user'] = '%u';
 \$config['smtp_pass'] = '%p';
 \$config['support_url'] = 'https://mailinabox.email/';
-\$config['product_name'] = 'Mail-in-a-Box/Roundcube Webmail';
+\$config['product_name'] = '$PRIMARY_HOSTNAME Webmail';
 \$config['des_key'] = '$SECRET_KEY';
-\$config['plugins'] = array('html5_notifier', 'archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'vacation_sieve', 'persistent_login');
+\$config['plugins'] = array('html5_notifier', 'archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'vacation_sieve', 'persistent_login', 'carddav');
 \$config['skin'] = 'classic';
 \$config['login_autocomplete'] = 2;
 \$config['password_charset'] = 'UTF-8';
@ -109,6 +128,26 @@ cat > /usr/local/lib/roundcubemail/config/config.inc.php <<EOF;
 ?>
 EOF
 # Configure CardDav
 cat > ${RCM_PLUGIN_DIR}/carddav/config.inc.php <<EOF;
 <?php
 /* Do not edit. Written by Mail-in-a-Box. Regenerated on updates. */
 \$prefs['_GLOBAL']['hide_preferences'] = true;
 \$prefs['_GLOBAL']['suppress_version_warning'] = true;
 \$prefs['ownCloud'] = array(
 	 'name'         =>  'ownCloud',
 	 'username'     =>  '%u', // login username
 	 'password'     =>  '%p', // login password
 	 'url'          =>  'https://${PRIMARY_HOSTNAME}/cloud/remote.php/carddav/addressbooks/%u/contacts',
 	 'active'       =>  true,
 	 'readonly'     =>  false,
 	 'refresh_time' => '02:00:00',
 	 'fixed'        =>  array('username','password'),
 	 'preemptive_auth' => '1',
 	 'hide'        =>  false,
 );
 EOF
 # Configure vaction_sieve.
 cat > /usr/local/lib/roundcubemail/plugins/vacation_sieve/config.inc.php <<EOF;
 <?php
@ -121,7 +160,7 @@ cat > /usr/local/lib/roundcubemail/plugins/vacation_sieve/config.inc.php <<EOF;
    'transfer' => array(
        'mode' =>  'managesieve',
        'ms_activate_script' => true,
-        'host'   => 'localhost',
+        'host'   => '127.0.0.1',
        'port'   => '4190',
        'usetls' => false,
        'path' => 'vacation',
@ -133,14 +172,17 @@ EOF
 mkdir -p /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
 chown -R www-data.www-data /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
 # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
 sudo -u www-data touch /var/log/roundcubemail/errors
 # Password changing plugin settings
 # The config comes empty by default, so we need the settings
 # we're not planning to change in config.inc.dist...
-cp /usr/local/lib/roundcubemail/plugins/password/config.inc.php.dist \
+cp ${RCM_PLUGIN_DIR}/password/config.inc.php.dist \
-	/usr/local/lib/roundcubemail/plugins/password/config.inc.php
+	${RCM_PLUGIN_DIR}/password/config.inc.php
-tools/editconf.py /usr/local/lib/roundcubemail/plugins/password/config.inc.php \
+tools/editconf.py ${RCM_PLUGIN_DIR}/password/config.inc.php \
-	"\$config['password_minimum_length']=6;" \
+	"\$config['password_minimum_length']=8;" \
 	"\$config['password_db_dsn']='sqlite:///$STORAGE_ROOT/mail/users.sqlite';" \
 	"\$config['password_query']='UPDATE users SET password=%D WHERE email=%u';" \
 	"\$config['password_dovecotpw']='/usr/bin/doveadm pw';" \
@ -157,6 +199,16 @@ chmod 775 $STORAGE_ROOT/mail
 chown root.www-data $STORAGE_ROOT/mail/users.sqlite
 chmod 664 $STORAGE_ROOT/mail/users.sqlite
 # Fix Carddav permissions:
 chown -f -R root.www-data ${RCM_PLUGIN_DIR}/carddav
 # root.www-data need all permissions, others only read
 chmod -R 774 ${RCM_PLUGIN_DIR}/carddav
 # Run Roundcube database migration script (database is created if it does not exist)
 ${RCM_DIR}/bin/updatedb.sh --dir ${RCM_DIR}/SQL --package roundcube
 chown www-data:www-data $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
 chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
 # Enable PHP modules.
 php5enmod mcrypt
 restart_service php5-fpm
--- a/setup/zpush.sh
+++ b/setup/zpush.sh
@ -53,6 +53,7 @@ cp conf/zpush/backend_combined.php /usr/local/lib/z-push/backend/combined/config
 # Configure IMAP
 rm -f /usr/local/lib/z-push/backend/imap/config.php
 cp conf/zpush/backend_imap.php /usr/local/lib/z-push/backend/imap/config.php
 sed -i "s%STORAGE_ROOT%$STORAGE_ROOT%" /usr/local/lib/z-push/backend/imap/config.php
 # Configure CardDav
 rm -f /usr/local/lib/z-push/backend/carddav/config.php
--- a/tests/fail2ban.py
+++ b/tests/fail2ban.py
@ -0,0 +1,221 @@
 # Test that a box's fail2ban setting are working
 # correctly by attempting a bunch of failed logins.
 #
 # Specify a SSH login command (which we use to reset
 # fail2ban after each test) and the hostname to
 # try to log in to.
 ######################################################################
 import sys, os, time, functools
 # parse command line
 if len(sys.argv) != 4:
 	print("Usage: tests/fail2ban.py \"ssh user@hostname\" hostname owncloud_user")
 	sys.exit(1)
 ssh_command, hostname, owncloud_user = sys.argv[1:4]
 # define some test types
 import socket
 socket.setdefaulttimeout(10)
 class IsBlocked(Exception):
 	"""Tests raise this exception when it appears that a fail2ban
 	jail is in effect, i.e. on a connection refused error."""
 	pass
 def smtp_test():
 	import smtplib
 	try:
 		server = smtplib.SMTP(hostname, 587)
 	except ConnectionRefusedError:
 		# looks like fail2ban worked
 		raise IsBlocked()
 	server.starttls()
 	server.ehlo_or_helo_if_needed()
 	try:
 		server.login("fakeuser", "fakepassword")
 		raise Exception("authentication didn't fail")
 	except smtplib.SMTPAuthenticationError:
 		# athentication should fail
 		pass
 	try:
 		server.quit()
 	except:
 		# ignore errors here
 		pass
 def imap_test():
 	import imaplib
 	try:
 		M = imaplib.IMAP4_SSL(hostname)
 	except ConnectionRefusedError:
 		# looks like fail2ban worked
 		raise IsBlocked()
 	try:
 		M.login("fakeuser", "fakepassword")
 		raise Exception("authentication didn't fail")
 	except imaplib.IMAP4.error:
 		# authentication should fail
 		pass
 	finally:
 		M.logout() # shuts down connection, has nothing to do with login()
 def pop_test():
 	import poplib
 	try:
 		M = poplib.POP3_SSL(hostname)
 	except ConnectionRefusedError:
 		# looks like fail2ban worked
 		raise IsBlocked()
 	try:
 		M.user('fakeuser')
 		try:
 			M.pass_('fakepassword')
 		except poplib.error_proto as e:
 			# Authentication should fail.
 			M = None # don't .quit()
 			return
 		M.list()
 		raise Exception("authentication didn't fail")
 	finally:
 		if M:
 			M.quit()
 def http_test(url, expected_status, postdata=None, qsargs=None, auth=None):
 	import urllib.parse
 	import requests
 	from requests.auth import HTTPBasicAuth
 	# form request
 	url = urllib.parse.urljoin("https://" + hostname, url)
 	if qsargs: url += "?" + urllib.parse.urlencode(qsargs)
 	urlopen = requests.get if not postdata else requests.post
 	try:
 		# issue request
 		r = urlopen(
 			url,
 			auth=HTTPBasicAuth(*auth) if auth else None,
 			data=postdata,
 			headers={'User-Agent': 'Mail-in-a-Box fail2ban tester'},
 			timeout=8,
 			verify=False) # don't bother with HTTPS validation, it may not be configured yet
 	except requests.exceptions.ConnectTimeout as e:
 		raise IsBlocked()
 	except requests.exceptions.ConnectionError as e:
 		if "Connection refused" in str(e):
 			raise IsBlocked()
 		raise # some other unexpected condition
 	# return response status code
 	if r.status_code != expected_status:
 		r.raise_for_status() # anything but 200
 		raise IOError("Got unexpected status code %s." % r.status_code)
 # define how to run a test
 def restart_fail2ban_service(final=False):
 	# Log in over SSH to restart fail2ban.
 	command = "sudo fail2ban-client reload"
 	if not final:
 		# Stop recidive jails during testing.
 		command += " && sudo fail2ban-client stop recidive"
 	os.system("%s \"%s\"" % (ssh_command, command))
 def testfunc_runner(i, testfunc, *args):
 	print(i+1, end=" ", flush=True)
 	testfunc(*args)
 def run_test(testfunc, args, count, within_seconds, parallel):
 	# Run testfunc count times in within_seconds seconds (and actually
 	# within a little less time so we're sure we're under the limit).
 	#
 	# Because some services are slow, like IMAP, we can't necessarily
 	# run testfunc sequentially and still get to count requests within
 	# the required time. So we split the requests across threads.
 	import requests.exceptions
 	from multiprocessing import Pool
 	restart_fail2ban_service()
 	# Log.
 	print(testfunc.__name__, " ".join(str(a) for a in args), "...")
 	# Record the start time so we can know how to evenly space our
 	# calls to testfunc.
 	start_time = time.time()
 	with Pool(parallel) as p:
 		# Distribute the requests across the pool.
 		asyncresults = []
 		for i in range(count):
 			ar = p.apply_async(testfunc_runner, [i, testfunc] + list(args))
 			asyncresults.append(ar)
 		# Wait for all runs to finish.
 		p.close()
 		p.join()
 		# Check for errors.
 		for ar in asyncresults:
 			try:
 				ar.get()
 			except IsBlocked:
 				print("Test machine prematurely blocked!")
 				return False
 	# Did we make enough requests within the limit?
 	if (time.time()-start_time) > within_seconds:
 		raise Exception("Test failed to make %s requests in %d seconds." % (count, within_seconds))
 	# Wait a moment for the block to be put into place.
 	time.sleep(4)
 	# The next call should fail.
 	print("*", end=" ", flush=True)
 	try:
 		testfunc(*args)
 	except IsBlocked:
 		# Success -- this one is supposed to be refused.
 		print("blocked [OK]")
 		return True # OK
 	print("not blocked!")
 	return False
 ######################################################################
 if __name__ == "__main__":
 	# run tests
 	# SMTP bans at 10 even though we say 20 in the config because we get
 	# doubled-up warnings in the logs, we'll let that be for now
 	run_test(smtp_test, [], 10, 30, 8)
 	# IMAP
 	run_test(imap_test, [], 20, 30, 4)
 	# POP
 	run_test(pop_test, [], 20, 30, 4)
 	# Mail-in-a-Box control panel
 	run_test(http_test, ["/admin/me", 200], 20, 30, 1)
 	# Munin via the Mail-in-a-Box control panel
 	run_test(http_test, ["/admin/munin/", 401], 20, 30, 1)
 	# ownCloud
 	run_test(http_test, ["/cloud/remote.php/webdav", 401, None, None, [owncloud_user, "aa"]], 20, 120, 1)
 	# restart fail2ban so that this client machine is no longer blocked
 	restart_fail2ban_service(final=True)
--- a/tests/tls_results.txt
+++ b/tests/tls_results.txt
@ -33,7 +33,6 @@ PORT 25
                 AES256-SHA256                 -              256 bits      250 2.0.0 Ok                       
                 AES256-SHA                    -              256 bits      250 2.0.0 Ok                       
                 AES256-GCM-SHA384             -              256 bits      250 2.0.0 Ok                       
                 ECDHE-RSA-RC4-SHA             ECDH-256 bits  128 bits      250 2.0.0 Ok                       
                 ECDHE-RSA-AES128-SHA256       ECDH-256 bits  128 bits      250 2.0.0 Ok                       
                 ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits      250 2.0.0 Ok                       
                 ECDHE-RSA-AES128-GCM-SHA256   ECDH-256 bits  128 bits      250 2.0.0 Ok                       
@ -43,8 +42,6 @@ PORT 25
                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits      250 2.0.0 Ok                       
                 DHE-RSA-AES128-GCM-SHA256     DH-2048 bits   128 bits      250 2.0.0 Ok                       
                 SEED-SHA                      -              128 bits      250 2.0.0 Ok                       
                 RC4-SHA                       -              128 bits      250 2.0.0 Ok                       
                 RC4-MD5                       -              128 bits      250 2.0.0 Ok                       
                 CAMELLIA128-SHA               -              128 bits      250 2.0.0 Ok                       
                 AES128-SHA256                 -              128 bits      250 2.0.0 Ok                       
                 AES128-SHA                    -              128 bits      250 2.0.0 Ok                       
@ -62,37 +59,11 @@ PORT 25
                 DHE-RSA-AES256-SHA            DH-2048 bits   256 bits      250 2.0.0 Ok                       
                 CAMELLIA256-SHA               -              256 bits      250 2.0.0 Ok                       
                 AES256-SHA                    -              256 bits      250 2.0.0 Ok                       
                 ECDHE-RSA-RC4-SHA             ECDH-256 bits  128 bits      250 2.0.0 Ok                       
                 ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits      250 2.0.0 Ok                       
                 DHE-RSA-SEED-SHA              DH-2048 bits   128 bits      250 2.0.0 Ok                       
                 DHE-RSA-CAMELLIA128-SHA       DH-2048 bits   128 bits      250 2.0.0 Ok                       
                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits      250 2.0.0 Ok                       
                 SEED-SHA                      -              128 bits      250 2.0.0 Ok                       
                 RC4-SHA                       -              128 bits      250 2.0.0 Ok                       
                 RC4-MD5                       -              128 bits      250 2.0.0 Ok                       
                 CAMELLIA128-SHA               -              128 bits      250 2.0.0 Ok                       
                 AES128-SHA                    -              128 bits      250 2.0.0 Ok                       
                 ECDHE-RSA-DES-CBC3-SHA        ECDH-256 bits  112 bits      250 2.0.0 Ok                       
                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits      250 2.0.0 Ok                       
                 DES-CBC3-SHA                  -              112 bits      250 2.0.0 Ok                       
  * SSLV3 Cipher Suites:
      Preferred:                       
                 ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      250 2.0.0 Ok                       
      Accepted:                        
                 ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      250 2.0.0 Ok                       
                 DHE-RSA-CAMELLIA256-SHA       DH-2048 bits   256 bits      250 2.0.0 Ok                       
                 DHE-RSA-AES256-SHA            DH-2048 bits   256 bits      250 2.0.0 Ok                       
                 CAMELLIA256-SHA               -              256 bits      250 2.0.0 Ok                       
                 AES256-SHA                    -              256 bits      250 2.0.0 Ok                       
                 ECDHE-RSA-RC4-SHA             ECDH-256 bits  128 bits      250 2.0.0 Ok                       
                 ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits      250 2.0.0 Ok                       
                 DHE-RSA-SEED-SHA              DH-2048 bits   128 bits      250 2.0.0 Ok                       
                 DHE-RSA-CAMELLIA128-SHA       DH-2048 bits   128 bits      250 2.0.0 Ok                       
                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits      250 2.0.0 Ok                       
                 SEED-SHA                      -              128 bits      250 2.0.0 Ok                       
                 RC4-SHA                       -              128 bits      250 2.0.0 Ok                       
                 RC4-MD5                       -              128 bits      250 2.0.0 Ok                       
                 CAMELLIA128-SHA               -              128 bits      250 2.0.0 Ok                       
                 AES128-SHA                    -              128 bits      250 2.0.0 Ok                       
                 ECDHE-RSA-DES-CBC3-SHA        ECDH-256 bits  112 bits      250 2.0.0 Ok                       
@ -108,23 +79,23 @@ PORT 25
                 DHE-RSA-AES256-SHA            DH-2048 bits   256 bits      250 2.0.0 Ok                       
                 CAMELLIA256-SHA               -              256 bits      250 2.0.0 Ok                       
                 AES256-SHA                    -              256 bits      250 2.0.0 Ok                       
                 ECDHE-RSA-RC4-SHA             ECDH-256 bits  128 bits      250 2.0.0 Ok                       
                 ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits      250 2.0.0 Ok                       
                 DHE-RSA-SEED-SHA              DH-2048 bits   128 bits      250 2.0.0 Ok                       
                 DHE-RSA-CAMELLIA128-SHA       DH-2048 bits   128 bits      250 2.0.0 Ok                       
                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits      250 2.0.0 Ok                       
                 SEED-SHA                      -              128 bits      250 2.0.0 Ok                       
                 RC4-SHA                       -              128 bits      250 2.0.0 Ok                       
                 RC4-MD5                       -              128 bits      250 2.0.0 Ok                       
                 CAMELLIA128-SHA               -              128 bits      250 2.0.0 Ok                       
                 AES128-SHA                    -              128 bits      250 2.0.0 Ok                       
                 ECDHE-RSA-DES-CBC3-SHA        ECDH-256 bits  112 bits      250 2.0.0 Ok                       
                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits      250 2.0.0 Ok                       
                 DES-CBC3-SHA                  -              112 bits      250 2.0.0 Ok                       
-  Should Not Offer: DHE-RSA-SEED-SHA, ECDHE-RSA-RC4-SHA, EDH-RSA-DES-CBC3-SHA, RC4-MD5, RC4-SHA, SEED-SHA
+  * SSLV3 Cipher Suites:
-  Could Also Offer: DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-DSS-AES256-SHA256, DHE-DSS-CAMELLIA128-SHA, DHE-DSS-CAMELLIA256-SHA, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-DES-CBC3-SHA, SRP-3DES-EDE-CBC-SHA, SRP-AES-128-CBC-SHA, SRP-AES-256-CBC-SHA, SRP-DSS-3DES-EDE-CBC-SHA, SRP-DSS-AES-128-CBC-SHA, SRP-DSS-AES-256-CBC-SHA, SRP-RSA-3DES-EDE-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-RSA-AES-256-CBC-SHA
+      Server rejected all cipher suites.
-  Supported Clients: OpenSSL/1.0.2, Yahoo Slurp/Jan 2015, BingPreview/Jan 2015, OpenSSL/1.0.1l, YandexBot/Jan 2015, Android/4.4.2, Safari/8/iOS 8.1.2, Safari/7/OS X 10.9, Safari/8/OS X 10.10, Safari/7/iOS 7.1, Safari/6/iOS 6.0.1, Baidu/Jan 2015, Firefox/31.3.0 ESR/Win 7, Android/5.0.0, IE/11/Win 7, Java/8u31, Googlebot/Feb 2015, Chrome/42/OS X, IE Mobile/11/Win Phone 8.1, IE/11/Win 8.1, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, Android/4.3, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Java/7u25, OpenSSL/0.9.8y, Firefox/37/OS X, IE/7/Vista, IE/8-10/Win 7, IE Mobile/10/Win Phone 8.0, Java/6u45, Android/2.3.7, IE/8/XP
+
  Should Not Offer: DHE-RSA-SEED-SHA, EDH-RSA-DES-CBC3-SHA, SEED-SHA
  Could Also Offer: DH-DSS-AES128-GCM-SHA256, DH-DSS-AES128-SHA, DH-DSS-AES128-SHA256, DH-DSS-AES256-GCM-SHA384, DH-DSS-AES256-SHA, DH-DSS-AES256-SHA256, DH-DSS-CAMELLIA128-SHA, DH-DSS-CAMELLIA256-SHA, DH-DSS-DES-CBC3-SHA, DH-RSA-AES128-GCM-SHA256, DH-RSA-AES128-SHA, DH-RSA-AES128-SHA256, DH-RSA-AES256-GCM-SHA384, DH-RSA-AES256-SHA, DH-RSA-AES256-SHA256, DH-RSA-CAMELLIA128-SHA, DH-RSA-CAMELLIA256-SHA, DH-RSA-DES-CBC3-SHA, DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-DSS-AES256-SHA256, DHE-DSS-CAMELLIA128-SHA, DHE-DSS-CAMELLIA256-SHA, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-DES-CBC3-SHA, SRP-3DES-EDE-CBC-SHA, SRP-AES-128-CBC-SHA, SRP-AES-256-CBC-SHA, SRP-DSS-3DES-EDE-CBC-SHA, SRP-DSS-AES-128-CBC-SHA, SRP-DSS-AES-256-CBC-SHA, SRP-RSA-3DES-EDE-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-RSA-AES-256-CBC-SHA
  Supported Clients: OpenSSL/1.0.2, OpenSSL/1.0.1l, BingPreview/Jan 2015, Yahoo Slurp/Jan 2015, YandexBot/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/OS X 10.10, Safari/8/iOS 8.1.2, Safari/7/OS X 10.9, Safari/6/iOS 6.0.1, Firefox/31.3.0 ESR/Win 7, Baidu/Jan 2015, IE/11/Win 8.1, IE/11/Win 7, IE Mobile/11/Win Phone 8.1, Android/5.0.0, Java/8u31, Chrome/42/OS X, Googlebot/Feb 2015, Android/4.1.1, Android/4.0.4, Safari/6.0.4/OS X 10.8.4, Android/4.2.2, Android/4.3, Safari/5.1.9/OS X 10.6.8, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE/8-10/Win 7, IE/7/Vista, IE Mobile/10/Win Phone 8.0, Android/2.3.7, Java/6u45, IE/8/XP
 PORT 587
 --------
@ -192,9 +163,6 @@ PORT 587
                 CAMELLIA128-SHA               -              128 bits      250 2.0.0 Ok                       
                 AES128-SHA                    -              128 bits      250 2.0.0 Ok                       
  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.
  * TLSV1 Cipher Suites:
      Preferred:                       
                 ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      250 2.0.0 Ok                       
@ -212,9 +180,12 @@ PORT 587
                 CAMELLIA128-SHA               -              128 bits      250 2.0.0 Ok                       
                 AES128-SHA                    -              128 bits      250 2.0.0 Ok                       
  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.
  Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, CAMELLIA128-SHA, CAMELLIA256-SHA, DHE-RSA-CAMELLIA128-SHA, DHE-RSA-CAMELLIA256-SHA, DHE-RSA-SEED-SHA, SEED-SHA
  Could Also Offer: DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384
-  Supported Clients: OpenSSL/1.0.2, Yahoo Slurp/Jan 2015, BingPreview/Jan 2015, OpenSSL/1.0.1l, YandexBot/Jan 2015, Android/4.4.2, Safari/8/iOS 8.1.2, Safari/7/OS X 10.9, Safari/8/OS X 10.10, Safari/7/iOS 7.1, IE Mobile/11/Win Phone 8.1, IE/11/Win 8.1, IE/11/Win 7, Safari/6/iOS 6.0.1, Firefox/31.3.0 ESR/Win 7, Baidu/Jan 2015, Android/5.0.0, Chrome/42/OS X, Java/8u31, Googlebot/Feb 2015, Firefox/37/OS X, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, Android/4.3, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, OpenSSL/0.9.8y, IE/7/Vista, IE/8-10/Win 7, IE Mobile/10/Win Phone 8.0, Java/7u25, Java/6u45, Android/2.3.7
+  Supported Clients: OpenSSL/1.0.2, OpenSSL/1.0.1l, BingPreview/Jan 2015, Yahoo Slurp/Jan 2015, YandexBot/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, IE/11/Win 8.1, Safari/8/iOS 8.1.2, IE/11/Win 7, IE Mobile/11/Win Phone 8.1, Safari/8/OS X 10.10, Safari/7/OS X 10.9, Safari/6/iOS 6.0.1, Firefox/31.3.0 ESR/Win 7, Baidu/Jan 2015, Chrome/42/OS X, Android/5.0.0, Java/8u31, Googlebot/Feb 2015, Firefox/37/OS X, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, Android/4.2.2, Android/4.3, Safari/5.1.9/OS X 10.6.8, IE/8-10/Win 7, IE/7/Vista, IE Mobile/10/Win Phone 8.0, OpenSSL/0.9.8y, Java/7u25, Java/6u45, Android/2.3.7
 PORT 443
 --------
@ -226,22 +197,22 @@ PORT 443
      Client-initiated Renegotiations:   OK - Rejected
      Secure Renegotiation:              OK - Supported
-  * HTTP Strict Transport Security:
+  * OpenSSL Heartbleed:
-      OK - HSTS header received:         max-age=31536000
+      OK - Not vulnerable to Heartbleed  
  * Session Resumption:
      With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
      With TLS Session Tickets:          OK - Supported
-  * OpenSSL Heartbleed:
+  * HTTP Strict Transport Security:
-      OK - Not vulnerable to Heartbleed  
+      OK - HSTS header received:         max-age=31536000
 Unhandled exception when processing --chrome_sha1: 
 exceptions.TypeError - Incorrect padding
  * SSLV2 Cipher Suites:
      Server rejected all cipher suites.
  * Google Chrome SHA-1 Deprecation Status:
      OK - Leaf certificate expires before 2016.
  * TLSV1_2 Cipher Suites:
      Preferred:                       
                 ECDHE-RSA-AES128-GCM-SHA256   ECDH-256 bits  128 bits      HTTP 200 OK                        
@ -270,9 +241,6 @@ PORT 443
                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits      HTTP 200 OK                        
                 DES-CBC3-SHA                  -              112 bits      HTTP 200 OK                        
  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.
  * TLSV1 Cipher Suites:
      Preferred:                       
                 ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits      HTTP 200 OK                        
@ -283,9 +251,12 @@ PORT 443
                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits      HTTP 200 OK                        
                 DES-CBC3-SHA                  -              112 bits      HTTP 200 OK                        
  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.
  Should Not Offer: (none -- good)
-  Could Also Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, CAMELLIA128-SHA, CAMELLIA256-SHA, DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-DSS-AES256-SHA256, DHE-DSS-CAMELLIA128-SHA, DHE-DSS-CAMELLIA256-SHA, DHE-RSA-CAMELLIA128-SHA, DHE-RSA-CAMELLIA256-SHA, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, SRP-AES-128-CBC-SHA, SRP-AES-256-CBC-SHA, SRP-DSS-AES-128-CBC-SHA, SRP-DSS-AES-256-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-RSA-AES-256-CBC-SHA
+  Could Also Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, CAMELLIA128-SHA, CAMELLIA256-SHA, DH-DSS-AES128-GCM-SHA256, DH-DSS-AES128-SHA, DH-DSS-AES128-SHA256, DH-DSS-AES256-GCM-SHA384, DH-DSS-AES256-SHA, DH-DSS-AES256-SHA256, DH-DSS-CAMELLIA128-SHA, DH-DSS-CAMELLIA256-SHA, DH-RSA-AES128-GCM-SHA256, DH-RSA-AES128-SHA, DH-RSA-AES128-SHA256, DH-RSA-AES256-GCM-SHA384, DH-RSA-AES256-SHA, DH-RSA-AES256-SHA256, DH-RSA-CAMELLIA128-SHA, DH-RSA-CAMELLIA256-SHA, DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-DSS-AES256-SHA256, DHE-DSS-CAMELLIA128-SHA, DHE-DSS-CAMELLIA256-SHA, DHE-RSA-CAMELLIA128-SHA, DHE-RSA-CAMELLIA256-SHA, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, SRP-AES-128-CBC-SHA, SRP-AES-256-CBC-SHA, SRP-DSS-AES-128-CBC-SHA, SRP-DSS-AES-256-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-RSA-AES-256-CBC-SHA
-  Supported Clients: YandexBot/Jan 2015, OpenSSL/1.0.2, Yahoo Slurp/Jan 2015, BingPreview/Jan 2015, OpenSSL/1.0.1l, Android/4.4.2, Safari/8/iOS 8.1.2, Safari/8/OS X 10.10, Safari/7/OS X 10.9, Safari/7/iOS 7.1, Safari/6/iOS 6.0.1, Android/5.0.0, Chrome/42/OS X, IE/11/Win 8.1, IE/11/Win 7, Java/8u31, IE Mobile/11/Win Phone 8.1, Googlebot/Feb 2015, Firefox/37/OS X, Firefox/31.3.0 ESR/Win 7, Android/4.2.2, Android/4.0.4, Baidu/Jan 2015, Safari/5.1.9/OS X 10.6.8, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, Android/4.3, OpenSSL/0.9.8y, IE/7/Vista, IE/8-10/Win 7, IE Mobile/10/Win Phone 8.0, Java/7u25, Java/6u45, Android/2.3.7, IE/8/XP
+  Supported Clients: OpenSSL/1.0.2, OpenSSL/1.0.1l, BingPreview/Jan 2015, YandexBot/Jan 2015, Yahoo Slurp/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/OS X 10.10, Safari/8/iOS 8.1.2, Safari/7/OS X 10.9, Safari/6/iOS 6.0.1, Chrome/42/OS X, IE/11/Win 8.1, IE/11/Win 7, Android/5.0.0, Java/8u31, IE Mobile/11/Win Phone 8.1, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Firefox/37/OS X, Android/4.1.1, Android/4.0.4, Baidu/Jan 2015, Safari/6.0.4/OS X 10.8.4, Android/4.2.2, Android/4.3, Safari/5.1.9/OS X 10.6.8, IE/8-10/Win 7, IE/7/Vista, OpenSSL/0.9.8y, IE Mobile/10/Win Phone 8.0, Java/7u25, Android/2.3.7, Java/6u45, IE/8/XP
 PORT 993
 --------
@ -299,13 +270,13 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec
  * OpenSSL Heartbleed:
      OK - Not vulnerable to Heartbleed  
  * SSLV2 Cipher Suites:
      Server rejected all cipher suites.
  * Session Resumption:
      With Session IDs:                  NOT SUPPORTED (0 successful, 5 failed, 0 errors, 5 total attempts).
      With TLS Session Tickets:          NOT SUPPORTED - TLS ticket assigned but not accepted.
  * SSLV2 Cipher Suites:
      Server rejected all cipher suites.
  * TLSV1_2 Cipher Suites:
      Preferred:                       
                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
@ -336,9 +307,6 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec
                 CAMELLIA128-SHA               -              128 bits                                         
                 AES128-SHA                    -              128 bits                                         
  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.
  * TLSV1 Cipher Suites:
      Preferred:                       
                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
@ -354,9 +322,12 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec
                 CAMELLIA128-SHA               -              128 bits                                         
                 AES128-SHA                    -              128 bits                                         
  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.
  Should Not Offer: AES128-SHA, AES256-SHA, CAMELLIA128-SHA, CAMELLIA256-SHA, DHE-RSA-CAMELLIA128-SHA, DHE-RSA-CAMELLIA256-SHA
  Could Also Offer: DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA384
-  Supported Clients: OpenSSL/1.0.2, Baidu/Jan 2015, Yahoo Slurp/Jan 2015, BingPreview/Jan 2015, OpenSSL/1.0.1l, Firefox/31.3.0 ESR/Win 7, Googlebot/Feb 2015, Android/4.2.2, Android/5.0.0, Android/4.0.4, Safari/8/iOS 8.1.2, Safari/7/OS X 10.9, YandexBot/Jan 2015, Safari/8/OS X 10.10, Safari/7/iOS 7.1, Chrome/42/OS X, Safari/5.1.9/OS X 10.6.8, Android/4.1.1, Firefox/37/OS X, Safari/6.0.4/OS X 10.8.4, Android/4.3, Safari/6/iOS 6.0.1, Android/4.4.2, OpenSSL/0.9.8y, IE Mobile/11/Win Phone 8.1, IE/7/Vista, IE/11/Win 8.1, IE/11/Win 7, IE/8-10/Win 7, IE Mobile/10/Win Phone 8.0, Java/8u31, Java/7u25, Java/6u45, Android/2.3.7
+  Supported Clients: OpenSSL/1.0.2, Firefox/31.3.0 ESR/Win 7, OpenSSL/1.0.1l, BingPreview/Jan 2015, Yahoo Slurp/Jan 2015, Baidu/Jan 2015, Safari/7/iOS 7.1, Chrome/42/OS X, Googlebot/Feb 2015, Android/4.0.4, Safari/8/iOS 8.1.2, Android/4.1.1, Android/5.0.0, Safari/6/iOS 6.0.1, YandexBot/Jan 2015, Safari/6.0.4/OS X 10.8.4, Android/4.2.2, Safari/8/OS X 10.10, Firefox/37/OS X, Safari/7/OS X 10.9, Android/4.3, Safari/5.1.9/OS X 10.6.8, Android/4.4.2, IE/8-10/Win 7, IE/7/Vista, IE/11/Win 8.1, IE/11/Win 7, OpenSSL/0.9.8y, IE Mobile/10/Win Phone 8.0, IE Mobile/11/Win Phone 8.1, Java/7u25, Java/8u31, Java/6u45, Android/2.3.7
 PORT 995
 --------
@ -370,13 +341,13 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec
  * OpenSSL Heartbleed:
      OK - Not vulnerable to Heartbleed  
  * SSLV2 Cipher Suites:
      Server rejected all cipher suites.
  * Session Resumption:
      With Session IDs:                  NOT SUPPORTED (0 successful, 5 failed, 0 errors, 5 total attempts).
      With TLS Session Tickets:          NOT SUPPORTED - TLS ticket assigned but not accepted.
  * SSLV2 Cipher Suites:
      Server rejected all cipher suites.
  * TLSV1_2 Cipher Suites:
      Preferred:                       
                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
@ -407,9 +378,6 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec
                 CAMELLIA128-SHA               -              128 bits                                         
                 AES128-SHA                    -              128 bits                                         
  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.
  * TLSV1 Cipher Suites:
      Preferred:                       
                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
@ -425,7 +393,10 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec
                 CAMELLIA128-SHA               -              128 bits                                         
                 AES128-SHA                    -              128 bits                                         
  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.
  Should Not Offer: AES128-SHA, AES256-SHA, CAMELLIA128-SHA, CAMELLIA256-SHA, DHE-RSA-CAMELLIA128-SHA, DHE-RSA-CAMELLIA256-SHA
  Could Also Offer: DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA384
-  Supported Clients: OpenSSL/1.0.2, Baidu/Jan 2015, Yahoo Slurp/Jan 2015, BingPreview/Jan 2015, OpenSSL/1.0.1l, Firefox/31.3.0 ESR/Win 7, Googlebot/Feb 2015, Android/4.2.2, Android/5.0.0, Android/4.0.4, Safari/8/iOS 8.1.2, Safari/7/OS X 10.9, YandexBot/Jan 2015, Safari/8/OS X 10.10, Safari/7/iOS 7.1, Chrome/42/OS X, Safari/5.1.9/OS X 10.6.8, Android/4.1.1, Firefox/37/OS X, Safari/6.0.4/OS X 10.8.4, Android/4.3, Safari/6/iOS 6.0.1, Android/4.4.2, OpenSSL/0.9.8y, IE Mobile/11/Win Phone 8.1, IE/7/Vista, IE/11/Win 8.1, IE/11/Win 7, IE/8-10/Win 7, IE Mobile/10/Win Phone 8.0, Java/8u31, Java/7u25, Java/6u45, Android/2.3.7
+  Supported Clients: OpenSSL/1.0.2, Firefox/31.3.0 ESR/Win 7, OpenSSL/1.0.1l, BingPreview/Jan 2015, Yahoo Slurp/Jan 2015, Baidu/Jan 2015, Safari/7/iOS 7.1, Chrome/42/OS X, Googlebot/Feb 2015, Android/4.0.4, Safari/8/iOS 8.1.2, Android/4.1.1, Android/5.0.0, Safari/6/iOS 6.0.1, YandexBot/Jan 2015, Safari/6.0.4/OS X 10.8.4, Android/4.2.2, Safari/8/OS X 10.10, Firefox/37/OS X, Safari/7/OS X 10.9, Android/4.3, Safari/5.1.9/OS X 10.6.8, Android/4.4.2, IE/8-10/Win 7, IE/7/Vista, IE/11/Win 8.1, IE/11/Win 7, OpenSSL/0.9.8y, IE Mobile/10/Win Phone 8.0, IE Mobile/11/Win Phone 8.1, Java/7u25, Java/8u31, Java/6u45, Android/2.3.7
--- a/tools/mail.py
+++ b/tools/mail.py
@ -30,8 +30,8 @@ def mgmt(cmd, data=None, is_json=False):
 def read_password():
    while True:
        first = getpass.getpass('password: ')
-        if len(first) < 4:
+        if len(first) < 8:
-            print("Passwords must be at least four characters.")
+            print("Passwords must be at least eight characters.")
            continue
        if re.search(r'[\s]', first):
            print("Passwords cannot contain spaces.")
--- a/tools/owncloud-restore.sh
+++ b/tools/owncloud-restore.sh
@ -0,0 +1,49 @@
 #!/bin/bash
 #
 # This script will restore the backup made during an installation
 source /etc/mailinabox.conf # load global vars
 if [ -z "$1" ]; then
 	echo "Usage: owncloud-restore.sh <backup directory>"
 	echo
 	echo "WARNING: This will restore the database to the point of the installation!"
 	echo "         This means that you will lose all changes made by users after that point"
 	echo
 	echo
 	echo "Backups are stored here: $STORAGE_ROOT/owncloud-backup/"
 	echo
 	echo "Available backups:"
 	echo
 	find $STORAGE_ROOT/owncloud-backup/* -maxdepth 0 -type d
 	echo
 	echo "Supply the directory that was created during the last installation as the only commandline argument"
 	exit
 fi
 if [ ! -f $1/config.php ]; then
 	echo "This isn't a valid backup location"
 	exit
 fi
 echo "Restoring backup from $1"
 service php5-fpm stop
 # remove the current owncloud installation
 rm -rf /usr/local/lib/owncloud/
 # restore the current owncloud application
 cp -r  "$1/owncloud-install" /usr/local/lib/owncloud
 # restore access rights
 chmod 750 /usr/local/lib/owncloud/{apps,config}
 cp "$1/owncloud.db" $STORAGE_ROOT/owncloud/
 cp "$1/config.php" $STORAGE_ROOT/owncloud/
 ln -sf $STORAGE_ROOT/owncloud/config.php /usr/local/lib/owncloud/config/config.php
 chown -f -R www-data.www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud
 chown www-data.www-data $STORAGE_ROOT/owncloud/config.php
 sudo -u www-data php /usr/local/lib/owncloud/occ maintenance:mode --off
 service php5-fpm start
 echo "Done"