diff --git a/CHANGELOG.md b/CHANGELOG.md
index 519d712c..4a2cdc27 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,23 @@ In Development
 
 Mail:
 
+* Updated to [Roundcube 1.3](https://roundcube.net/news/2017/06/26/roundcube-webmail-1.3.0-released), but unfortunately dropping the Vacation plugin because it has not been supported by its author and is not compatible with Roundcube 1.3.
+* Updated to [Z-Push 2.3.7](http://download.z-push.org/final/2.3/z-push-2.3.7.txt).
+
+Nextcloud:
+
+* Nextcloud updated to 12.0.0.
+
+v0.23a (May 31, 2017)
+---------------------
+
+Corrects a problem in the new way third-party assets are downloaded during setup for the control panel, since v0.23.
+
+v0.23 (May 30, 2017)
+--------------------
+
+Mail:
+
 * The default theme for Roundcube was changed to the nicer Larry theme.
 * Exchange/ActiveSync support has been replaced with z-push 2.3.6 from z-push.org (rather than z-push-contrib).
 
@@ -19,7 +36,7 @@ Control Panel/Management:
 * Fix an error in the control panel showing rsync backup status.
 * Fix an error in the control panel related to IPv6 addresses.
 * TLS certificates for internationalized domain names can now be provisioned from Let's Encrypt automatically.
-* Download management web assets (jQuery/Bootstrap) to the static web root directory.
+* Third-party assets used in the control panel (jQuery/Bootstrap) are now downloaded during setup and served from the box rather than from a CDN.
 
 DNS:
 
diff --git a/README.md b/README.md
index 3dbfc32b..78c0394c 100644
--- a/README.md
+++ b/README.md
@@ -59,7 +59,7 @@ by me:
 	$ curl -s https://keybase.io/joshdata/key.asc | gpg --import
 	gpg: key C10BDD81: public key "Joshua Tauberer <jt@occams.info>" imported
 
-	$ git verify-tag v0.22
+	$ git verify-tag v0.23a
 	gpg: Signature made ..... using RSA key ID C10BDD81
 	gpg: Good signature from "Joshua Tauberer <jt@occams.info>"
 	gpg: WARNING: This key is not certified with a trusted signature!
@@ -72,7 +72,7 @@ and on my [personal homepage](https://razor.occams.info/). (Of course, if this r
 
 Checkout the tag corresponding to the most recent release:
 
-	$ git checkout v0.22
+	$ git checkout v0.23a
 
 Begin the installation.
 
diff --git a/conf/nginx-top.conf b/conf/nginx-top.conf
index 6be9b414..a5822a82 100644
--- a/conf/nginx-top.conf
+++ b/conf/nginx-top.conf
@@ -7,6 +7,6 @@
 ##       your own --- please do not ask for help from us.
 
 upstream php-fpm {
-	server unix:/var/run/php5-fpm.sock;
+	server unix:/var/run/php/php7.0-fpm.sock;
 }
 
diff --git a/management/dns_update.py b/management/dns_update.py
index b3764f7f..76daa40b 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -12,6 +12,11 @@ import dns.resolver
 from mailconfig import get_mail_domains
 from utils import shell, load_env_vars_from_file, safe_domain_name, sort_domains
 
+# From https://stackoverflow.com/questions/3026957/how-to-validate-a-domain-name-using-regex-php/16491074#16491074
+# Thanks to Onur Yıldırım
+# This regular expression matches domain names according to RFCs, it also accepts fqdn with an leading dot
+DOMAIN_RE = "^(?!\-)(?:[a-zA-Z\d\-]{0,62}[a-zA-Z\d]\.){1,126}(?!\d+)[a-zA-Z\d]{1,63}(\.?)$"
+
 def get_dns_domains(env):
 	# Add all domain names in use by email users and mail aliases and ensure
 	# PRIMARY_HOSTNAME is in the list.
@@ -144,7 +149,7 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 		# Define ns2.PRIMARY_HOSTNAME or whatever the user overrides.
 		# User may provide one or more additional nameservers
 		secondary_ns_list = get_secondary_dns(additional_records, mode="NS") \
-			or ["ns2." + env["PRIMARY_HOSTNAME"]] 
+			or ["ns2." + env["PRIMARY_HOSTNAME"]]
 		for secondary_ns in secondary_ns_list:
 			records.append((None,  "NS", secondary_ns+'.', False))
 
@@ -759,6 +764,9 @@ def set_custom_dns_record(qname, rtype, value, action, env):
 		if qname != "_secondary_nameserver":
 			raise ValueError("%s is not a domain name or a subdomain of a domain name managed by this box." % qname)
 
+	if not re.search(DOMAIN_RE, qname):
+		raise ValueError("Invalid name.")
+
 	# validate rtype
 	rtype = rtype.upper()
 	if value is not None and qname != "_secondary_nameserver":
@@ -767,6 +775,16 @@ def set_custom_dns_record(qname, rtype, value, action, env):
 				v = ipaddress.ip_address(value) # raises a ValueError if there's a problem
 				if rtype == "A" and not isinstance(v, ipaddress.IPv4Address): raise ValueError("That's an IPv6 address.")
 				if rtype == "AAAA" and not isinstance(v, ipaddress.IPv6Address): raise ValueError("That's an IPv4 address.")
+		elif rtype in ("CNAME", "NS"):
+			if rtype == "NS" and qname == zone:
+				raise ValueError("NS records can only be set for subdomains.")
+
+			# ensure value has a trailing dot
+			if not value.endswith("."):
+				value = value + "."
+
+			if not re.search(DOMAIN_RE, value):
+				raise ValueError("Invalid value.")
 		elif rtype in ("CNAME", "TXT", "SRV", "MX", "SSHFP", "CAA"):
 			# anything goes
 			pass
diff --git a/management/status_checks.py b/management/status_checks.py
index 42fc876a..3ee1c124 100755
--- a/management/status_checks.py
+++ b/management/status_checks.py
@@ -640,7 +640,7 @@ def check_web_domain(domain, rounded_time, ssl_certificates, env, output):
 		for (rtype, expected) in (("A", env['PUBLIC_IP']), ("AAAA", env.get('PUBLIC_IPV6'))):
 			if not expected: continue # IPv6 is not configured
 			value = query_dns(domain, rtype)
-			if value == expected:
+			if normalize_ip(value) == normalize_ip(expected):
 				ok_values.append(value)
 			else:
 				output.print_error("""This domain should resolve to your box's IP address (%s %s) if you would like the box to serve
diff --git a/management/templates/custom-dns.html b/management/templates/custom-dns.html
index ac530cd2..bd51d151 100644
--- a/management/templates/custom-dns.html
+++ b/management/templates/custom-dns.html
@@ -39,6 +39,7 @@
         <option value="MX" data-hint="Enter record in the form of PRIORITY DOMAIN., including trailing period (e.g. 20 mx.example.com.).">MX (mail exchanger)</option>
         <option value="SRV" data-hint="Enter record in the form of PRIORITY WEIGHT PORT TARGET., including trailing period (e.g. 10 10 5060 sip.example.com.).">SRV (service record)</option>
         <option value="SSHFP" data-hint="Enter record in the form of ALGORITHM TYPE FINGERPRINT.">SSHFP (SSH fingerprint record)</option>
+        <option value="NS" data-hint="Enter a hostname to which this subdomain should be delegated to">NS (DNS subdomain delegation)</option>
       </select>
     </div>
   </div>
@@ -126,7 +127,7 @@
 <tr><td>email</td> <td>The email address of any administrative user here.</td></tr>
 <tr><td>password</td> <td>That user&rsquo;s password.</td></tr>
 <tr><td>qname</td> <td>The fully qualified domain name for the record you are trying to set. It must be one of the domain names or a subdomain of one of the domain names hosted on this box. (Add mail users or aliases to add new domains.)</td></tr>
-<tr><td>rtype</td> <td>The resource type. Defaults to <code>A</code> if omitted. Possible values: <code>A</code> (an IPv4 address), <code>AAAA</code> (an IPv6 address), <code>TXT</code> (a text string), <code>CNAME</code> (an alias, which is a fully qualified domain name &mdash; don&rsquo;t forget the final period), <code>MX</code>, <code>SRV</code>, <code>SSHFP</code> or <code>CAA</code>.</td></tr>
+<tr><td>rtype</td> <td>The resource type. Defaults to <code>A</code> if omitted. Possible values: <code>A</code> (an IPv4 address), <code>AAAA</code> (an IPv6 address), <code>TXT</code> (a text string), <code>CNAME</code> (an alias, which is a fully qualified domain name &mdash; don&rsquo;t forget the final period), <code>MX</code>, <code>SRV</code>, <code>SSHFP</code>, <code>CAA</code> or <code>NS</code>.</td></tr>
 <tr><td>value</td> <td>For PUT, POST, and DELETE, the record&rsquo;s value. If the <code>rtype</code> is <code>A</code> or <code>AAAA</code> and <code>value</code> is empty or omitted, the IPv4 or IPv6 address of the remote host is used (be sure to use the <code>-4</code> or <code>-6</code> options to curl). This is handy for dynamic DNS!</td></tr>
 </table>
 
diff --git a/management/templates/index.html b/management/templates/index.html
index 29d1f74a..33ba47a2 100644
--- a/management/templates/index.html
+++ b/management/templates/index.html
@@ -9,7 +9,7 @@
 
         <meta name="robots" content="noindex, nofollow">
 
-        <link rel="stylesheet" href="/admin/assets/bootstrap.min.css">
+        <link rel="stylesheet" href="/admin/assets/bootstrap/css/bootstrap.min.css">
         <style>
 	    body {
 		overflow-y: scroll;
@@ -63,7 +63,7 @@
 	       margin-bottom: 1em;
 	    }
         </style>
-        <link rel="stylesheet" href="/admin/assets/bootstrap-theme.min.css">
+        <link rel="stylesheet" href="/admin/assets/bootstrap/css/bootstrap-theme.min.css">
     </head>
     <body>
 
@@ -192,7 +192,7 @@
         </div>
 
         <script src="/admin/assets/jquery.min.js"></script>
-        <script src="/admin/assets/bootstrap.min.js"></script>
+        <script src="/admin/assets/bootstrap/js/bootstrap.min.js"></script>
 
         <script>
 var global_modal_state = null;
diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh
index a2701545..d63b8bd4 100644
--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@@ -7,7 +7,7 @@
 #########################################################
 
 if [ -z "$TAG" ]; then
-	TAG=v0.22
+	TAG=v0.23a
 fi
 
 # Are we running as root?
diff --git a/setup/functions.sh b/setup/functions.sh
index 947aa5ab..00cc4d90 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -48,6 +48,15 @@ function apt_install {
 	apt_get_quiet install $PACKAGES
 }
 
+function apt_add_repository_to_unattended_upgrades {
+	if [ -f /etc/apt/apt.conf.d/50unattended-upgrades ]; then
+		if ! grep -q "$1" /etc/apt/apt.conf.d/50unattended-upgrades; then
+			sed -i "/Allowed-Origins/a \
+	    \"$1\";" /etc/apt/apt.conf.d/50unattended-upgrades
+		fi
+	fi
+}
+
 function get_default_hostname {
 	# Guess the machine's hostname. It should be a fully qualified
 	# domain name suitable for DNS. None of these calls may provide
diff --git a/setup/management.sh b/setup/management.sh
index 29bd0d22..21a31828 100755
--- a/setup/management.sh
+++ b/setup/management.sh
@@ -66,6 +66,7 @@ fi
 
 # Make sure we have the directory to save to.
 assets_dir=/usr/local/lib/mailinabox/vendor/assets
+rm -rf $assets_dir
 mkdir -p $assets_dir
 
 # jQuery CDN URL
@@ -77,15 +78,13 @@ wget_verify $jquery_url/jquery-$jquery_version.min.js 43dc554608df885a59ddeece15
 
 # Bootstrap CDN URL
 bootstrap_version=3.3.7
-bootstrap_url=https://maxcdn.bootstrapcdn.com/bootstrap/$bootstrap_version
+bootstrap_url=https://github.com/twbs/bootstrap/releases/download/v$bootstrap_version/bootstrap-$bootstrap_version-dist.zip
 
 # Get Bootstrap
-wget_verify $bootstrap_url/js/bootstrap.min.js 430a443d74830fe9be26efca431f448c1b3740f9 $assets_dir/bootstrap.min.js
-wget_verify $bootstrap_url/css/bootstrap-theme.min.css 8256575374f430476bdcd49de98c77990229ce31 $assets_dir/bootstrap-theme.min.css
-wget_verify $bootstrap_url/css/bootstrap-theme.min.css.map 87f7dfd79d77051ac2eca7d093d961fbd1c8f6eb $assets_dir/bootstrap-theme.min.css.map
-wget_verify $bootstrap_url/css/bootstrap.min.css 6527d8bf3e1e9368bab8c7b60f56bc01fa3afd68 $assets_dir/bootstrap.min.css
-wget_verify $bootstrap_url/css/bootstrap.min.css.map e0d7b2bde55a0bac1b658a507e8ca491a6729e06 $assets_dir/bootstrap.min.css.map
-
+wget_verify $bootstrap_url e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a /tmp/bootstrap.zip
+unzip -q /tmp/bootstrap.zip -d /usr/local/lib/mailinabox/vendor/assets
+mv /usr/local/lib/mailinabox/vendor/assets/bootstrap-$bootstrap_version-dist /usr/local/lib/mailinabox/vendor/assets/bootstrap
+rm -f /tmp/bootstrap.zip
 
 # Link the management server daemon into a well known location.
 rm -f /usr/local/bin/mailinabox-daemon
diff --git a/setup/owncloud.sh b/setup/owncloud.sh
index aba505a1..8602af08 100755
--- a/setup/owncloud.sh
+++ b/setup/owncloud.sh
@@ -9,6 +9,7 @@ source /etc/mailinabox.conf # load global vars
 
 echo "Installing Nextcloud (contacts/calendar)..."
 
+# Keep the php5 dependancies for the owncloud upgrades
 apt_install \
 	dbconfig-common \
 	php5-cli php5-sqlite php5-gd php5-imap php5-curl php-pear php-apc curl libapr1 libtool libcurl4-openssl-dev php-xml-parser \
@@ -16,6 +17,10 @@ apt_install \
 
 apt-get purge -qq -y owncloud*
 
+apt_install php7.0 php7.0-fpm \
+	php7.0-cli php7.0-sqlite php7.0-gd php7.0-imap php7.0-curl php-pear php-apc curl \
+        php7.0-dev php7.0-gd memcached php7.0-memcached php7.0-xml php7.0-mbstring php7.0-zip php7.0-apcu
+
 # Migrate <= v0.10 setups that stored the ownCloud config.php in /usr/local rather than
 # in STORAGE_ROOT. Move the file to STORAGE_ROOT.
 if [ ! -f $STORAGE_ROOT/owncloud/config.php ] \
@@ -28,52 +33,35 @@ if [ ! -f $STORAGE_ROOT/owncloud/config.php ] \
 	ln -sf $STORAGE_ROOT/owncloud/config.php /usr/local/lib/owncloud/config/config.php
 fi
 
-InstallOwncloud() {
+InstallNextcloud() {
 
 	version=$1
 	hash=$2
-	flavor=$3
 
 	echo
-	echo "Upgrading to $flavor version $version"
+	echo "Upgrading to Nextcloud version $version"
 	echo
 
 	# Remove the current owncloud/Nextcloud
 	rm -rf /usr/local/lib/owncloud
 
 	# Download and verify
-	if [ "$flavor" = "Nextcloud" ]; then
-		wget_verify https://download.nextcloud.com/server/releases/nextcloud-$version.zip $hash /tmp/owncloud.zip
-	else
-		wget_verify https://download.owncloud.org/community/owncloud-$version.zip $hash /tmp/owncloud.zip
-	fi
+	wget_verify https://download.nextcloud.com/server/releases/nextcloud-$version.zip $hash /tmp/nextcloud.zip
 
 	# Extract ownCloud/Nextcloud
-	unzip -q /tmp/owncloud.zip -d /usr/local/lib
-	if [ "$flavor" = "Nextcloud" ]; then
-		mv /usr/local/lib/nextcloud /usr/local/lib/owncloud
-	fi
-	rm -f /tmp/owncloud.zip
+	unzip -q /tmp/nextcloud.zip -d /usr/local/lib
+	mv /usr/local/lib/nextcloud /usr/local/lib/owncloud
+	rm -f /tmp/nextcloud.zip
 
 	# The two apps we actually want are not in Nextcloud core. Download the releases from
 	# their github repositories.
 	mkdir -p /usr/local/lib/owncloud/apps
 
-	if [ "$flavor" = "Nextcloud" ]; then
-		wget_verify https://github.com/nextcloud/contacts/releases/download/v1.5.3/contacts.tar.gz 78c4d49e73f335084feecd4853bd8234cf32615e /tmp/contacts.tgz
-	else
-		wget_verify https://github.com/owncloud/contacts/releases/download/v1.4.0.0/contacts.tar.gz c1c22d29699456a45db447281682e8bc3f10e3e7 /tmp/contacts.tgz
-	fi
-
+	wget_verify https://github.com/nextcloud/contacts/releases/download/v1.5.3/contacts.tar.gz 78c4d49e73f335084feecd4853bd8234cf32615e /tmp/contacts.tgz
 	tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/contacts.tgz
 
-	if [ "$flavor" = "Nextcloud" ]; then
-		wget_verify https://github.com/nextcloud/calendar/releases/download/v1.5.2/calendar.tar.gz 7b8a94e01fe740c5c23017ed5bc211983c780fce /tmp/calendar.tgz
-	else
-    wget_verify https://github.com/nextcloud/calendar/releases/download/v1.4.0/calendar.tar.gz c84f3170efca2a99ea6254de34b0af3cb0b3a821 /tmp/calendar.tgz
-	fi
-
+	wget_verify https://github.com/nextcloud/calendar/releases/download/v1.5.3/calendar.tar.gz b370352d1f280805cc7128f78af4615f623827f8 /tmp/calendar.tgz
 	tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/calendar.tgz
 
@@ -105,15 +93,76 @@ InstallOwncloud() {
 	fi
 }
 
-owncloud_ver=10.0.5
-owncloud_hash=686f6a8e9d7867c32e3bf3ca63b3cc2020564bf6
-owncloud_flavor=Nextcloud
+# We only install ownCloud intermediate versions to be able to seemlesly upgrade to Nextcloud
+InstallOwncloud() {
+
+	version=$1
+	hash=$2
+
+	echo
+	echo "Upgrading to OwnCloud version $version"
+	echo
+
+	# Remove the current owncloud/Nextcloud
+	rm -rf /usr/local/lib/owncloud
+
+	# Download and verify
+	wget_verify https://download.owncloud.org/community/owncloud-$version.zip $hash /tmp/owncloud.zip
+
+
+	# Extract ownCloud
+	unzip -q /tmp/owncloud.zip -d /usr/local/lib
+	rm -f /tmp/owncloud.zip
+
+	# The two apps we actually want are not in Nextcloud core. Download the releases from
+	# their github repositories.
+	mkdir -p /usr/local/lib/owncloud/apps
+
+	wget_verify https://github.com/owncloud/contacts/releases/download/v1.4.0.0/contacts.tar.gz c1c22d29699456a45db447281682e8bc3f10e3e7 /tmp/contacts.tgz
+	tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/
+	rm /tmp/contacts.tgz
+
+	wget_verify https://github.com/nextcloud/calendar/releases/download/v1.4.0/calendar.tar.gz c84f3170efca2a99ea6254de34b0af3cb0b3a821 /tmp/calendar.tgz
+	tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/
+	rm /tmp/calendar.tgz
+
+	# Fix weird permissions.
+	chmod 750 /usr/local/lib/owncloud/{apps,config}
+
+	# Create a symlink to the config.php in STORAGE_ROOT (for upgrades we're restoring the symlink we previously
+	# put in, and in new installs we're creating a symlink and will create the actual config later).
+	ln -sf $STORAGE_ROOT/owncloud/config.php /usr/local/lib/owncloud/config/config.php
+
+	# Make sure permissions are correct or the upgrade step won't run.
+	# $STORAGE_ROOT/owncloud may not yet exist, so use -f to suppress
+	# that error.
+	chown -f -R www-data.www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud
+
+	# If this isn't a new installation, immediately run the upgrade script.
+	# Then check for success (0=ok and 3=no upgrade needed, both are success).
+	if [ -e $STORAGE_ROOT/owncloud/owncloud.db ]; then
+		# ownCloud 8.1.1 broke upgrades. It may fail on the first attempt, but
+		# that can be OK.
+		sudo -u www-data php5 /usr/local/lib/owncloud/occ upgrade
+		if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then
+			echo "Trying ownCloud upgrade again to work around ownCloud upgrade bug..."
+			sudo -u www-data php5 /usr/local/lib/owncloud/occ upgrade
+			if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi
+			sudo -u www-data php5 /usr/local/lib/owncloud/occ maintenance:mode --off
+			echo "...which seemed to work."
+		fi
+	fi
+}
+
+owncloud_ver=12.0.0
+owncloud_hash=5d64307d9ce513a8905514b2fbe212f563fe76df
 
 # Check if Nextcloud dir exist, and check if version matches owncloud_ver (if either doesn't - install/upgrade)
 if [ ! -d /usr/local/lib/owncloud/ ] \
         || ! grep -q $owncloud_ver /usr/local/lib/owncloud/version.php; then
 
 	# Stop php-fpm
+	hide_output service php7.0-fpm stop
 	hide_output service php5-fpm stop
 
 	# Backup the existing ownCloud/Nextcloud.
@@ -135,7 +184,7 @@ if [ ! -d /usr/local/lib/owncloud/ ] \
 	if [ -e /usr/local/lib/owncloud/version.php ]; then
 		if grep -q "8\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then
 			echo "We are running 8.1.x, upgrading to 8.2.3 first"
-			InstallOwncloud 8.2.3 bfdf6166fbf6fc5438dc358600e7239d1c970613 ownCloud
+			InstallOwncloud 8.2.3 bfdf6166fbf6fc5438dc358600e7239d1c970613
 		fi
 
 		# If we are upgrading from 8.2.x we should go to 9.0 first. Owncloud doesn't support skipping minor versions
@@ -149,7 +198,7 @@ if [ ! -d /usr/local/lib/owncloud/ ] \
 			<?php
 				include("$STORAGE_ROOT/owncloud/config.php");
 
-				\$CONFIG['memcache.local'] = '\OC\Memcache\APC';
+				\$CONFIG['memcache.local'] = '\OC\Memcache\APCu';
 
 				echo "<?php\n\\\$CONFIG = ";
 				var_export(\$CONFIG);
@@ -159,29 +208,40 @@ EOF
 			chown www-data.www-data $STORAGE_ROOT/owncloud/config.php
 
 			# We can now install owncloud 9.0.2
-			InstallOwncloud 9.0.2 72a3d15d09f58c06fa8bee48b9e60c9cd356f9c5 ownCloud
+			InstallOwncloud 9.0.2 72a3d15d09f58c06fa8bee48b9e60c9cd356f9c5
 
 			# The owncloud 9 migration doesn't migrate calendars and contacts
 			# The option to migrate these are removed in 9.1
 			# So the migrations should be done when we have 9.0 installed
-			sudo -u www-data php /usr/local/lib/owncloud/occ dav:migrate-addressbooks
+			sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:migrate-addressbooks
 			# The following migration has to be done for each owncloud user
 			for directory in $STORAGE_ROOT/owncloud/*@*/ ; do
 				username=$(basename "${directory}")
-				sudo -u www-data php /usr/local/lib/owncloud/occ dav:migrate-calendar $username
+				sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:migrate-calendar $username
 			done
-			sudo -u www-data php /usr/local/lib/owncloud/occ dav:sync-birthday-calendar
+			sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:sync-birthday-calendar
 		fi
 
 		# If we are upgrading from 9.0.x we should go to 9.1 first.
 		if grep -q "9\.0\.[0-9]" /usr/local/lib/owncloud/version.php; then
 			echo "We are running ownCloud 9.0.x, upgrading to ownCloud 9.1.4 first"
-			InstallOwncloud 9.1.4 e637cab7b2ca3346164f3506b1a0eb812b4e841a ownCloud
+			InstallOwncloud 9.1.4 e637cab7b2ca3346164f3506b1a0eb812b4e841a
 		fi
 
+		# If we are upgrading from 9.1.x we should go to Nextcloud 10.0 first.
+		if grep -q "9\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then
+			echo "We are running ownCloud 9.1.x, upgrading to Nextcloud 10.0.5 first"
+			InstallNextcloud 10.0.5 686f6a8e9d7867c32e3bf3ca63b3cc2020564bf6
+		fi
+
+		# If we are upgrading from 10.0.x we should go to Nextcloud 11.0 first.
+		if grep -q "10\.0\.[0-9]" /usr/local/lib/owncloud/version.php; then
+			echo "We are running Nextcloud 10.0.x, upgrading to Nextcloud 11.0.3 first"
+			InstallNextcloud 11.0.3 a396aaa1c9f920099a90a86b4a9cd0ec13083c99
+		fi
 	fi
 
-	InstallOwncloud $owncloud_ver $owncloud_hash Nextcloud
+	InstallNextcloud $owncloud_ver $owncloud_hash
 fi
 
 # ### Configuring Nextcloud
@@ -211,7 +271,7 @@ if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then
       'arguments'=>array('{127.0.0.1:993/imap/ssl/novalidate-cert}')
     )
   ),
-  'memcache.local' => '\OC\Memcache\APC',
+  'memcache.local' => '\OC\Memcache\APCu',
   'mail_smtpmode' => 'sendmail',
   'mail_smtpsecure' => '',
   'mail_smtpauthtype' => 'LOGIN',
@@ -272,7 +332,7 @@ include("$STORAGE_ROOT/owncloud/config.php");
 
 \$CONFIG['trusted_domains'] = array('$PRIMARY_HOSTNAME');
 
-\$CONFIG['memcache.local'] = '\OC\Memcache\APC';
+\$CONFIG['memcache.local'] = '\OC\Memcache\APCu';
 \$CONFIG['overwrite.cli.url'] = '/cloud';
 \$CONFIG['mail_from_address'] = 'administrator'; # just the local part, matches our master administrator address
 
@@ -305,7 +365,7 @@ if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi
 
 # Set PHP FPM values to support large file uploads
 # (semicolon is the comment character in this file, hashes produce deprecation warnings)
-tools/editconf.py /etc/php5/fpm/php.ini -c ';' \
+tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \
 	upload_max_filesize=16G \
 	post_max_size=16G \
 	output_buffering=16384 \
@@ -313,9 +373,23 @@ tools/editconf.py /etc/php5/fpm/php.ini -c ';' \
 	max_execution_time=600 \
 	short_open_tag=On
 
+# Set Nextcloud recommended opcache settings
+tools/editconf.py /etc/php/7.0/cli/conf.d/10-opcache.ini -c ';' \
+	opcache.enable=1 \
+	opcache.enable_cli=1 \
+	opcache.interned_strings_buffer=8 \
+	opcache.max_accelerated_files=10000 \
+	opcache.memory_consumption=128 \
+	opcache.save_comments=1 \
+	opcache.revalidate_freq=1
+
+# Configure the path environment for php-fpm
+tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \
+        env[PATH]=/usr/local/bin:/usr/bin:/bin
+
 # If apc is explicitly disabled we need to enable it
-if grep -q apc.enabled=0 /etc/php5/mods-available/apcu.ini; then
-	tools/editconf.py /etc/php5/mods-available/apcu.ini -c ';' \
+if grep -q apc.enabled=0 /etc/php/7.0/mods-available/apcu.ini; then
+	tools/editconf.py /etc/php/7.0/mods-available/apcu.ini -c ';' \
 		apc.enabled=1
 fi
 
@@ -337,5 +411,4 @@ chmod +x /etc/cron.hourly/mailinabox-owncloud
 # ```
 
 # Enable PHP modules and restart PHP.
-php5enmod imap
-restart_service php5-fpm
+restart_service php7.0-fpm
diff --git a/setup/system.sh b/setup/system.sh
index c0af3215..791f2776 100755
--- a/setup/system.sh
+++ b/setup/system.sh
@@ -119,6 +119,17 @@ apt_install python3 python3-dev python3-pip \
 	haveged pollinate unzip \
 	unattended-upgrades cron ntp fail2ban
 
+# ### Add PHP7 PPA
+
+# Nextcloud requires PHP7, we will install the ppa from ubuntu php maintainer Ondřej Surý
+# The PPA is located here https://launchpad.net/%7Eondrej/+archive/ubuntu/php
+# Unattended upgrades are activated for the repository
+
+hide_output add-apt-repository -y ppa:ondrej/php
+apt_add_repository_to_unattended_upgrades LP-PPA-ondrej-php:trusty
+hide_output apt-get update
+
+
 # ### Suppress Upgrade Prompts
 # Since Mail-in-a-Box might jump straight to 18.04 LTS, there's no need
 # to be reminded about 16.04 on every login.
diff --git a/setup/web.sh b/setup/web.sh
index 6a412b98..0d94fcfd 100755
--- a/setup/web.sh
+++ b/setup/web.sh
@@ -18,7 +18,11 @@ fi
 # Turn off nginx's default website.
 
 echo "Installing Nginx (web server)..."
-apt_install nginx php5-fpm
+
+apt_install nginx php7.0-cli php7.0-fpm
+
+# Set PHP7 as the default
+update-alternatives --set php /usr/bin/php7.0
 
 rm -f /etc/nginx/sites-enabled/default
 
@@ -40,15 +44,15 @@ tools/editconf.py /etc/nginx/nginx.conf -s \
 	server_names_hash_bucket_size="128;"
 
 # Tell PHP not to expose its version number in the X-Powered-By header.
-tools/editconf.py /etc/php5/fpm/php.ini -c ';' \
+tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \
 	expose_php=Off
 
 # Set PHPs default charset to UTF-8, since we use it. See #367.
-tools/editconf.py /etc/php5/fpm/php.ini -c ';' \
+tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \
         default_charset="UTF-8"
 
 # Bump up PHP's max_children to support more concurrent connections
-tools/editconf.py /etc/php5/fpm/pool.d/www.conf -c ';' \
+tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \
 	pm.max_children=8
 
 # Other nginx settings will be configured by the management service
@@ -103,7 +107,7 @@ done #NODOC
 
 # Start services.
 restart_service nginx
-restart_service php5-fpm
+restart_service php7.0-fpm
 
 # Open ports.
 ufw_allow http
diff --git a/setup/webmail.sh b/setup/webmail.sh
index 34eba5f1..67070ec2 100755
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -22,8 +22,10 @@ source /etc/mailinabox.conf # load global vars
 echo "Installing Roundcube (webmail)..."
 apt_install \
 	dbconfig-common \
-	php5 php5-sqlite php5-mcrypt php5-intl php5-json php5-common php-auth php-net-smtp php-net-socket php-net-sieve php-mail-mime php-crypt-gpg php5-gd php5-pspell \
-	tinymce libjs-jquery libjs-jquery-mousewheel libmagic1
+	php7.0-cli php7.0-sqlite php7.0-mcrypt php7.0-intl php7.0-json php7.0-common \
+	php-auth php-net-smtp php-net-socket php-net-sieve php-mail-mime php-crypt-gpg \
+	php7.0-gd php7.0-pspell tinymce libjs-jquery libjs-jquery-mousewheel libmagic1
+
 apt_get_quiet remove php-mail-mimedecode # no longer needed since Roundcube 1.1.3
 
 # We used to install Roundcube from Ubuntu, without triggering the dependencies #NODOC
@@ -32,17 +34,16 @@ apt_get_quiet remove php-mail-mimedecode # no longer needed since Roundcube 1.1.
 apt-get purge -qq -y roundcube* #NODOC
 
 # Install Roundcube from source if it is not already present or if it is out of date.
-# Combine the Roundcube version number with the commit hash of vacation_sieve to track
-# whether we have the latest version.
-VERSION=1.2.4
-HASH=e2091ea775b80eda43ab225130d5a2e888c3789a
-VACATION_SIEVE_VERSION=91ea6f52216390073d1f5b70b5f6bea0bfaee7e5
+# Combine the Roundcube version number with the commit hash of plugins to track
+# whether we have the latest version of everything.
+VERSION=1.3.0
+HASH=634c89b9c51c44fb757bb19c77ad5083cf7aa030
 PERSISTENT_LOGIN_VERSION=c4516c4be37d12ef653de86497304e073a863c2a
 HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5
 CARDDAV_VERSION=2.0.4
 CARDDAV_HASH=d93f3cfb3038a519e71c7c3212c1d16f5da609a4
 
-UPDATE_KEY=$VERSION:$VACATION_SIEVE_VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:$CARDDAV_VERSION:a
+UPDATE_KEY=$VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:$CARDDAV_VERSION
 
 # paths that are often reused.
 RCM_DIR=/usr/local/lib/roundcubemail
@@ -60,7 +61,7 @@ fi
 if [ $needs_update == 1 ]; then
 	# install roundcube
 	wget_verify \
-		https://github.com/roundcube/roundcubemail/releases/download/$VERSION/roundcubemail-$VERSION.tar.gz \
+		https://github.com/roundcube/roundcubemail/releases/download/$VERSION/roundcubemail-$VERSION-complete.tar.gz \
 		$HASH \
 		/tmp/roundcube.tgz
 	tar -C /usr/local/lib --no-same-owner -zxf /tmp/roundcube.tgz
@@ -68,9 +69,6 @@ if [ $needs_update == 1 ]; then
 	mv /usr/local/lib/roundcubemail-$VERSION/ $RCM_DIR
 	rm -f /tmp/roundcube.tgz
 
-	# install roundcube autoreply/vacation plugin
-	git_clone https://github.com/arodier/Roundcube-Plugins.git $VACATION_SIEVE_VERSION plugins/vacation_sieve ${RCM_PLUGIN_DIR}/vacation_sieve
-
 	# install roundcube persistent_login plugin
 	git_clone https://github.com/mfreiholz/Roundcube-Persistent-Login-Plugin.git $PERSISTENT_LOGIN_VERSION '' ${RCM_PLUGIN_DIR}/persistent_login
 
@@ -112,15 +110,27 @@ cat > $RCM_CONFIG <<EOF;
 \$config['db_dsnw'] = 'sqlite:///$STORAGE_ROOT/mail/roundcube/roundcube.sqlite?mode=0640';
 \$config['default_host'] = 'ssl://localhost';
 \$config['default_port'] = 993;
+\$config['imap_conn_options'] = array(
+  'ssl'         => array(
+     'verify_peer'  => false,
+     'verify_peer_name'  => false,
+   ),
+ );
 \$config['imap_timeout'] = 15;
 \$config['smtp_server'] = 'tls://127.0.0.1';
 \$config['smtp_port'] = 587;
 \$config['smtp_user'] = '%u';
 \$config['smtp_pass'] = '%p';
+\$config['smtp_conn_options'] = array(
+  'ssl'         => array(
+     'verify_peer'  => false,
+     'verify_peer_name'  => false,
+   ),
+ );
 \$config['support_url'] = 'https://mailinabox.email/';
 \$config['product_name'] = '$PRIMARY_HOSTNAME Webmail';
 \$config['des_key'] = '$SECRET_KEY';
-\$config['plugins'] = array('html5_notifier', 'archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'vacation_sieve', 'persistent_login', 'carddav');
+\$config['plugins'] = array('html5_notifier', 'archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'persistent_login', 'carddav');
 \$config['skin'] = 'larry';
 \$config['login_autocomplete'] = 2;
 \$config['password_charset'] = 'UTF-8';
@@ -148,26 +158,6 @@ cat > ${RCM_PLUGIN_DIR}/carddav/config.inc.php <<EOF;
 );
 EOF
 
-# Configure vaction_sieve.
-cat > /usr/local/lib/roundcubemail/plugins/vacation_sieve/config.inc.php <<EOF;
-<?php
-/* Do not edit. Written by Mail-in-a-Box. Regenerated on updates. */
-\$rcmail_config['vacation_sieve'] = array(
-    'date_format' => 'd/m/Y',
-    'working_hours' => array(8,18),
-    'msg_format' => 'text',
-    'logon_transform' => array('#([a-z])[a-z]+(\.|\s)([a-z])#i', '\$1\$3'),
-    'transfer' => array(
-        'mode' =>  'managesieve',
-        'ms_activate_script' => true,
-        'host'   => '127.0.0.1',
-        'port'   => '4190',
-        'usetls' => false,
-        'path' => 'vacation',
-    )
-);
-EOF
-
 # Create writable directories.
 mkdir -p /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
 chown -R www-data.www-data /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
@@ -210,5 +200,5 @@ chown www-data:www-data $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
 chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
 
 # Enable PHP modules.
-php5enmod mcrypt
-restart_service php5-fpm
+phpenmod -v php7.0 mcrypt imap
+restart_service php7.0-fpm
diff --git a/setup/zpush.sh b/setup/zpush.sh
index 0a9e3998..d5675baf 100755
--- a/setup/zpush.sh
+++ b/setup/zpush.sh
@@ -17,13 +17,13 @@ source /etc/mailinabox.conf # load global vars
 
 echo "Installing Z-Push (Exchange/ActiveSync server)..."
 apt_install \
-	php-soap php5-imap libawl-php php5-xsl
+	php7.0-soap php7.0-imap libawl-php php7.0-xsl
 
-php5enmod imap
+phpenmod -v php7.0 imap
 
 # Copy Z-Push into place.
-TARGETHASH=131229a8feda09782dfd06449adce3d5a219183f
-VERSION=2.3.6
+TARGETHASH=01cdfafcdf6855f566a9cbc5826b3d9930a9b35b
+VERSION=2.3.7
 needs_update=0 #NODOC
 if [ ! -f /usr/local/lib/z-push/version ]; then
 	needs_update=1 #NODOC
@@ -100,7 +100,7 @@ EOF
 
 # Restart service.
 
-restart_service php5-fpm
+restart_service php7.0-fpm
 
 # Fix states after upgrade
 
diff --git a/tools/owncloud-restore.sh b/tools/owncloud-restore.sh
index 4d647b10..1b006ca1 100755
--- a/tools/owncloud-restore.sh
+++ b/tools/owncloud-restore.sh
@@ -27,6 +27,7 @@ fi
 
 echo "Restoring backup from $1"
 service php5-fpm stop
+service php7.0-fpm stop
 
 # remove the current ownCloud/Nextcloud installation
 rm -rf /usr/local/lib/owncloud/
@@ -46,4 +47,5 @@ chown www-data.www-data $STORAGE_ROOT/owncloud/config.php
 sudo -u www-data php /usr/local/lib/owncloud/occ maintenance:mode --off
 
 service php5-fpm start
+service php7.0-fpm start
 echo "Done"