diff --git a/CHANGELOG.md b/CHANGELOG.md
index cc176f42..41541f7d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,20 @@ CHANGELOG
 In Development
 --------------
 
-ownCloud is replaced with Nextcloud 10.0.4.
+Mail:
+
+* The default theme for Roundcube was changed to the nicer Larry theme.
+* Exchange/ActiveSync support has been replaced with z-push 2.3.5 from z-push.org (rather than z-push-contrib).
+
+ownCloud (now Nextcloud):
+
+* ownCloud is replaced with Nextcloud 10.0.5.
+
+Control Panel/Management:
+
+* Fix an error in the control panel showing rsync backup status.
+* Fix an error in the control panel related to IPv6 addresses.
+* TLS certificates for internationalized domain names can now be provisioned from Let's Encrypt automatically.
 
 v0.22 (April 2, 2017)
 ---------------------
diff --git a/README.md b/README.md
index a832dbc4..3dbfc32b 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ It is a one-click email appliance. There are no user-configurable setup options.
 
 The components installed are:
 
-* SMTP ([postfix](http://www.postfix.org/)), IMAP ([dovecot](http://dovecot.org/)), CardDAV/CalDAV ([Nextcloud](https://nextcloud.com/)), Exchange ActiveSync ([z-push](https://github.com/fmbiete/Z-Push-contrib))
+* SMTP ([postfix](http://www.postfix.org/)), IMAP ([dovecot](http://dovecot.org/)), CardDAV/CalDAV ([Nextcloud](https://nextcloud.com/)), Exchange ActiveSync ([z-push](http://z-push.org/))
 * Webmail ([Roundcube](http://roundcube.net/)), static website hosting ([nginx](http://nginx.org/))
 * Spam filtering ([spamassassin](https://spamassassin.apache.org/)), greylisting ([postgrey](http://postgrey.schweikert.ch/))
 * DNS ([nsd4](https://www.nlnetlabs.nl/projects/nsd/)) with [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework), DKIM ([OpenDKIM](http://www.opendkim.org/)), [DMARC](https://en.wikipedia.org/wiki/DMARC), [DNSSEC](https://en.wikipedia.org/wiki/DNSSEC), [DANE TLSA](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities), and [SSHFP](https://tools.ietf.org/html/rfc4255) records automatically set
diff --git a/conf/zpush/autodiscover_config.php b/conf/zpush/autodiscover_config.php
index df6faa1e..1a9a45a1 100644
--- a/conf/zpush/autodiscover_config.php
+++ b/conf/zpush/autodiscover_config.php
@@ -5,11 +5,12 @@
 * Descr     :   Autodiscover configuration file
 ************************************************/
 
+define('TIMEZONE', '');
+
 // Defines the base path on the server
 define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/');
 
-// The Z-Push server location for the autodiscover response
-define('SERVERURL', 'https://PRIMARY_HOSTNAME/Microsoft-Server-ActiveSync');
+define('ZPUSH_HOST', 'PRIMARY_HOSTNAME');
 
 define('USE_FULLEMAIL_FOR_LOGIN', true);
 
@@ -18,6 +19,7 @@ define('LOGFILE', LOGFILEDIR . 'autodiscover.log');
 define('LOGERRORFILE', LOGFILEDIR . 'autodiscover-error.log');
 define('LOGLEVEL', LOGLEVEL_INFO);
 define('LOGUSERLEVEL', LOGLEVEL);
+$specialLogUsers = array();
 
 // the backend data provider
 define('BACKEND_PROVIDER', 'BackendCombined');
diff --git a/conf/zpush/backend_imap.php b/conf/zpush/backend_imap.php
index b1867625..a0c12335 100644
--- a/conf/zpush/backend_imap.php
+++ b/conf/zpush/backend_imap.php
@@ -23,6 +23,9 @@ define('IMAP_FOLDER_TRASH', 'TRASH');
 define('IMAP_FOLDER_SPAM', 'SPAM');
 define('IMAP_FOLDER_ARCHIVE', 'ARCHIVE');
 
+define('IMAP_INLINE_FORWARD', true);
+define('IMAP_EXCLUDED_FOLDERS', '');
+
 define('IMAP_FROM_SQL_DSN', 'sqlite:STORAGE_ROOT/mail/roundcube/roundcube.sqlite');
 define('IMAP_FROM_SQL_USER', '');
 define('IMAP_FROM_SQL_PASSWORD', '');
@@ -49,5 +52,6 @@ global $imap_smtp_params;
 $imap_smtp_params = array('host' => 'ssl://127.0.0.1', 'port' => 587, 'auth' => true, 'username' => 'imap_username', 'password' => 'imap_password');
 
 define('MAIL_MIMEPART_CRLF', "\r\n");
+define('IMAP_MEETING_USE_CALDAV', true);
 
 ?>
diff --git a/management/backup.py b/management/backup.py
index d6189cfe..7c7f5d93 100755
--- a/management/backup.py
+++ b/management/backup.py
@@ -115,7 +115,7 @@ def backup_status(env):
 	# full backup. That full backup frees up this one to be deleted. But, the backup
 	# must also be at least min_age_in_days old too.
 	deleted_in = None
-	if incremental_count > 0 and first_full_size is not None:
+	if incremental_count > 0 and incremental_size > 0 and first_full_size is not None:
 		# How many days until the next incremental backup? First, the part of
 		# the algorithm based on increment sizes:
 		est_days_to_next_full = (.5 * first_full_size - incremental_size) / (incremental_size/incremental_count)
@@ -399,10 +399,11 @@ def list_target_files(config):
 		rsync_fn_size_re = re.compile(r'.*    ([^ ]*) [^ ]* [^ ]* (.*)')
 		rsync_target = '{host}:{path}'
 
-		if not target.path.endswith('/'):
-			target_path = target.path + '/'
-		if target.path.startswith('/'):
-			target_path = target.path[1:]
+		target_path = target.path
+		if not target_path.endswith('/'):
+			target_path = target_path + '/'
+		if target_path.startswith('/'):
+			target_path = target_path[1:]
 
 		rsync_command = [ 'rsync',
 					'-e',
diff --git a/management/ssl_certificates.py b/management/ssl_certificates.py
index 0d282d0c..6785e140 100755
--- a/management/ssl_certificates.py
+++ b/management/ssl_certificates.py
@@ -214,12 +214,6 @@ def get_certificates_to_provision(env, show_extended_problems=True, force_domain
 	# Filter out domains that we can't provision a certificate for.
 	def can_provision_for_domain(domain):
 		from status_checks import normalize_ip
-		# Let's Encrypt doesn't yet support IDNA domains.
-		# We store domains in IDNA (ASCII). To see if this domain is IDNA,
-		# we'll see if its IDNA-decoded form is different.
-		if idna.decode(domain.encode("ascii")) != domain:
-			problems[domain] = "Let's Encrypt does not yet support provisioning certificates for internationalized domains."
-			return False
 
 		# Does the domain resolve to this machine in public DNS? If not,
 		# we can't do domain control validation. For IPv6 is configured,
diff --git a/setup/dns.sh b/setup/dns.sh
index 44f6431c..191a3adc 100755
--- a/setup/dns.sh
+++ b/setup/dns.sh
@@ -23,7 +23,7 @@ apt_install nsd ldnsutils openssh-client
 mkdir -p /var/run/nsd
 
 cat > /etc/nsd/nsd.conf << EOF;
-# No not edit. Overwritten by Mail-in-a-Box setup.
+# Do not edit. Overwritten by Mail-in-a-Box setup.
 server:
   hide-version: yes
 
diff --git a/setup/webmail.sh b/setup/webmail.sh
index f198cb59..34eba5f1 100755
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -121,7 +121,7 @@ cat > $RCM_CONFIG <<EOF;
 \$config['product_name'] = '$PRIMARY_HOSTNAME Webmail';
 \$config['des_key'] = '$SECRET_KEY';
 \$config['plugins'] = array('html5_notifier', 'archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'vacation_sieve', 'persistent_login', 'carddav');
-\$config['skin'] = 'classic';
+\$config['skin'] = 'larry';
 \$config['login_autocomplete'] = 2;
 \$config['password_charset'] = 'UTF-8';
 \$config['junk_mbox'] = 'Spam';
diff --git a/setup/zpush.sh b/setup/zpush.sh
index 5cc12c51..cbe2f7bd 100755
--- a/setup/zpush.sh
+++ b/setup/zpush.sh
@@ -22,7 +22,8 @@ apt_install \
 php5enmod imap
 
 # Copy Z-Push into place.
-TARGETHASH=80cbe53de4ab8dd598d1f2af6f0a23fa396c529a
+TARGETHASH=3ce78c23e02198bffe80c983ce247350c27590bd
+VERSION=2.3.5
 needs_update=0 #NODOC
 if [ ! -f /usr/local/lib/z-push/version ]; then
 	needs_update=1 #NODOC
@@ -31,7 +32,13 @@ elif [[ $TARGETHASH != `cat /usr/local/lib/z-push/version` ]]; then
 	needs_update=1 #NODOC
 fi
 if [ $needs_update == 1 ]; then
-	git_clone https://github.com/fmbiete/Z-Push-contrib $TARGETHASH '' /usr/local/lib/z-push
+	wget_verify http://download.z-push.org/final/2.3/z-push-$VERSION.tar.gz $TARGETHASH /tmp/z-push.tar.gz
+
+	rm -rf /usr/local/lib/z-push
+	tar -xzf /tmp/z-push.tar.gz -C /usr/local/lib/
+	rm /tmp/z-push.tar.gz
+	mv /usr/local/lib/z-push-$VERSION /usr/local/lib/z-push
+
 	rm -f /usr/sbin/z-push-{admin,top}
 	ln -s /usr/local/lib/z-push/z-push-admin.php /usr/sbin/z-push-admin
 	ln -s /usr/local/lib/z-push/z-push-top.php /usr/sbin/z-push-top
@@ -67,6 +74,7 @@ cp conf/zpush/backend_caldav.php /usr/local/lib/z-push/backend/caldav/config.php
 rm -f /usr/local/lib/z-push/autodiscover/config.php
 cp conf/zpush/autodiscover_config.php /usr/local/lib/z-push/autodiscover/config.php
 sed -i "s/PRIMARY_HOSTNAME/$PRIMARY_HOSTNAME/" /usr/local/lib/z-push/autodiscover/config.php
+sed -i "s^define('TIMEZONE', .*^define('TIMEZONE', '$(cat /etc/timezone)');^" /usr/local/lib/z-push/autodiscover/config.php
 
 # Some directories it will use.
 
@@ -93,3 +101,7 @@ EOF
 # Restart service.
 
 restart_service php5-fpm
+
+# Fix states after upgrade
+
+hide_output z-push-admin -a fixstates