From ded1b55ebd9feaad47bb4f01d20c5cd75cd9e8b0 Mon Sep 17 00:00:00 2001 From: "github@kiekerjan.isdronken.nl" Date: Sat, 11 Dec 2021 00:54:56 +0100 Subject: [PATCH 01/22] First steps in migrating to dkimpy-milter --- README.md | 2 ++ api/mailinabox.yml | 4 +-- management/dns_update.py | 53 ++++++++++++++++++---------- management/mail_log.py | 2 +- management/status_checks.py | 2 +- setup/dkim.sh | 70 ++++++++++++++++++++----------------- setup/mail-postfix.sh | 6 ++-- 7 files changed, 81 insertions(+), 58 deletions(-) diff --git a/README.md b/README.md index a3847729..4b706dc2 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,8 @@ Functionality changes and additions Using check-dnsbl.py from https://github.com/gsauthof/utility * Updated ssl security for web and email Removed older cryptos following internet.nl recommendations +* Replace opendkim with dkimpy (https://launchpad.net/dkimpy-milter) + Added support for Ed25519 signing Bug fixes * Munin error report fixed [see github issue](https://github.com/mail-in-a-box/mailinabox/issues/1555) diff --git a/api/mailinabox.yml b/api/mailinabox.yml index f3290fb9..2b45fbd1 100644 --- a/api/mailinabox.yml +++ b/api/mailinabox.yml @@ -1262,7 +1262,7 @@ paths: $ref: '#/components/schemas/MailUserAddResponse' example: | mail user added - updated DNS: OpenDKIM configuration + updated DNS: DKIM configuration 400: description: Bad request content: @@ -1863,7 +1863,7 @@ components: type: string example: | mail user added - updated DNS: OpenDKIM configuration + updated DNS: DKIM configuration description: | Mail user add response. diff --git a/management/dns_update.py b/management/dns_update.py index 529abe27..1b755460 100755 --- a/management/dns_update.py +++ b/management/dns_update.py 
@@ -105,21 +105,22 @@ def do_dns_update(env, force=False): if len(updated_domains) > 0: shell('check_call', ["/usr/sbin/service", "nsd", "restart"]) - # Write the OpenDKIM configuration tables for all of the mail domains. + # Write the DKIM configuration tables for all of the mail domains. from mailconfig import get_mail_domains - if write_opendkim_tables(get_mail_domains(env), env): - # Settings changed. Kick opendkim. - shell('check_call', ["/usr/sbin/service", "opendkim", "restart"]) + + if write_dkim_tables(get_mail_domains(env), env): + # Settings changed. Kick dkimpy. + shell('check_call', ["/usr/sbin/service", "dkimpy-milter", "restart"]) if len(updated_domains) == 0: # If this is the only thing that changed? - updated_domains.append("OpenDKIM configuration") + updated_domains.append("DKIM configuration") # Clear bind9's DNS cache so our own DNS resolver is up to date. # (ignore errors with trap=True) shell('check_call', ["/usr/sbin/rndc", "flush"], trap=True) if len(updated_domains) == 0: - # if nothing was updated (except maybe OpenDKIM's files), don't show any output + # if nothing was updated (except maybe DKIM's files), don't show any output return "" else: return "updated DNS: " + ",".join(updated_domains) + "\n" 
@@ -303,10 +304,18 @@ def build_zone(domain, domain_properties, additional_records, env, is_zone=True) if not has_rec(None, "TXT", prefix="v=spf1 "): records.append((None, "TXT", 'v=spf1 mx -all', "Recommended. Specifies that only the box is permitted to send @%s mail." % domain)) - # Append the DKIM TXT record to the zone as generated by OpenDKIM. + # Append the DKIM TXT record to the zone as generated by DKIMpy. # Skip if the user has set a DKIM record already. - opendkim_record_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.txt') - with open(opendkim_record_file) as orf: + dkim_record_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim2/box-rsa.dns') + with open(dkim_record_file) as orf: + m = re.match(r'(\S+)\s+IN\s+TXT\s+\( ((?:"[^"]+"\s+)+)\)', orf.read(), re.S) + val = "".join(re.findall(r'"([^"]+)"', m.group(2))) + if not has_rec(m.group(1), "TXT", prefix="v=DKIM1; "): + records.append((m.group(1), "TXT", val, "Recommended. Provides a way for recipients to verify that this machine sent @%s mail." % domain)) + + # Also add a ed25519 DKIM record + dkim_record_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim2/box-ed25519.dns') + with open(dkim_record_file) as orf: m = re.match(r'(\S+)\s+IN\s+TXT\s+\( ((?:"[^"]+"\s+)+)\)', orf.read(), re.S) val = "".join(re.findall(r'"([^"]+)"', m.group(2))) if not has_rec(m.group(1), "TXT", prefix="v=DKIM1; "): 
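Review bot: In both new blocks of `build_zone` that read `mail/dkim2/box-rsa.dns` and `mail/dkim2/box-ed25519.dns`, the result of `re.match` goes straight into `m.group(2)`, so a record file that is not in the exact `name IN TXT ( "..." )` layout raises an AttributeError and aborts the whole zone build. These files are now produced by the `sed`/`echo` post-processing in setup/dkim.sh, so a format mismatch is a realistic failure. A guard such as `if m is None: raise ValueError("unexpected DKIM record format in " + dkim_record_file)` would name the cause. The two blocks differ only in the filename and could be one loop over `("box-rsa.dns", "box-ed25519.dns")`. The second block continues past the end of this hunk.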
@@ -817,14 +826,15 @@ def sign_zone(domain, zonefile, env): ######################################################################## -def write_opendkim_tables(domains, env): - # Append a record to OpenDKIM's KeyTable and SigningTable for each domain +def write_dkim_tables(domains, env): + # Append a record to DKIMpy's KeyTable and SigningTable for each domain # that we send mail from (zones and all subdomains). - opendkim_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.private') + dkim_rsa_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim2/box-rsa.key') + dkim_ed_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim2/box-ed25519.key') - if not os.path.exists(opendkim_key_file): - # Looks like OpenDKIM is not installed. + if not os.path.exists(dkim_rsa_key_file) || not os.path.exists(dkim_ed_key_file): + # Looks like DKIMpy is not installed. return False config = { @@ -846,7 +856,12 @@ def write_opendkim_tables(domains, env): # signing domain must match the sender's From: domain. "KeyTable": "".join( - "{domain} {domain}:mail:{key_file}\n".format(domain=domain, key_file=opendkim_key_file) + "{domain} {domain}:box-rsa:{key_file}\n".format(domain=domain, key_file=dkim_rsa_key_file) + for domain in domains + ), + "KeyTableEd25519": + "".join( + "{domain} {domain}:box-ed25519:{key_file}\n".format(domain=domain, key_file=dkim_ed_key_file) for domain in domains ), } 
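Review bot: The new key-file check in `write_dkim_tables` uses `||`, which is not a Python operator, so management/dns_update.py fails with a SyntaxError and nothing in the module can run. The line should read `if not os.path.exists(dkim_rsa_key_file) or not os.path.exists(dkim_ed_key_file):`. The comment under it still says "DKIMpy is not installed", although the branch now also covers the case where only one of the two keys is missing; a comment such as `# One or both signing keys are missing; leave the tables untouched.` would match the condition. The function body continues in the following hunks.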
@@ -854,18 +869,18 @@ def write_opendkim_tables(domains, env): did_update = False for filename, content in config.items(): # Don't write the file if it doesn't need an update. - if os.path.exists("/etc/opendkim/" + filename): - with open("/etc/opendkim/" + filename) as f: + if os.path.exists("/etc/dkim/" + filename): + with open("/etc/dkim/" + filename) as f: if f.read() == content: continue # The contents needs to change. - with open("/etc/opendkim/" + filename, "w") as f: + with open("/etc/dkim/" + filename, "w") as f: f.write(content) did_update = True # Return whether the files changed. If they didn't change, there's - # no need to kick the opendkim process. + # no need to kick the dkimpy process. return did_update ######################################################################## diff --git a/management/mail_log.py b/management/mail_log.py index 59c32c6e..69c182b0 100755 --- a/management/mail_log.py +++ b/management/mail_log.py @@ -376,7 +376,7 @@ def scan_mail_log_line(line, collector): if SCAN_BLOCKED: scan_postfix_smtpd_line(date, log, collector) elif service in ("postfix/qmgr", "postfix/pickup", "postfix/cleanup", "postfix/scache", - "spampd", "postfix/anvil", "postfix/master", "opendkim", "postfix/lmtp", + "spampd", "postfix/anvil", "postfix/master", "dkimpy", "postfix/lmtp", "postfix/tlsmgr", "anvil"): # nothing to look at return True diff --git a/management/status_checks.py b/management/status_checks.py index 90b4d175..03f7eff0 100755 --- a/management/status_checks.py +++ b/management/status_checks.py 
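Review bot: In the management/mail_log.py hunk, `scan_mail_log_line` now ignores the service string `"dkimpy"`, while the rest of this patch names the daemon `dkimpy-milter` (service, config directory, system user). The `service in (...)` test is an exact match against the tuple, so if the milter logs under `dkimpy-milter` its lines will not be caught by this branch. Please confirm the tag that actually appears in the mail log and use that string, e.g. `"dkimpy-milter"`. The function starts and ends outside the hunk.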
@@ -28,7 +28,7 @@ def get_services(): { "name": "Dovecot LMTP LDA", "port": 10026, "public": False, }, { "name": "Postgrey", "port": 10023, "public": False, }, { "name": "Spamassassin", "port": 10025, "public": False, }, - { "name": "OpenDKIM", "port": 8891, "public": False, }, + { "name": "DKIMpy", "port": 8892, "public": False, }, { "name": "OpenDMARC", "port": 8893, "public": False, }, { "name": "Mail-in-a-Box Management Daemon", "port": 10222, "public": False, }, { "name": "SSH Login (ssh)", "port": get_ssh_port(), "public": True, }, diff --git a/setup/dkim.sh b/setup/dkim.sh index b2541a12..5aa60c16 100755 --- a/setup/dkim.sh +++ b/setup/dkim.sh @@ -1,8 +1,8 @@ #!/bin/bash -# OpenDKIM +# DKIM # -------- # -# OpenDKIM provides a service that puts a DKIM signature on outbound mail. +# DKIMpy provides a service that puts a DKIM signature on outbound mail. # # The DNS configuration for DKIM is done in the management daemon. 
@@ -10,34 +10,34 @@ source setup/functions.sh # load our functions source /etc/mailinabox.conf # load global vars # Install DKIM... -echo Installing OpenDKIM/OpenDMARC... -apt_install opendkim opendkim-tools opendmarc +echo Installing DKIMpy/OpenDMARC... +apt_install dkimpy-milter opendmarc # Make sure configuration directories exist. -mkdir -p /etc/opendkim; -mkdir -p $STORAGE_ROOT/mail/dkim +mkdir -p /etc/dkim; +mkdir -p $STORAGE_ROOT/mail/dkim2 # Used in InternalHosts and ExternalIgnoreList configuration directives. # Not quite sure why. -echo "127.0.0.1" > /etc/opendkim/TrustedHosts +echo "127.0.0.1" > /etc/dkim/TrustedHosts # We need to at least create these files, since we reference them later. -# Otherwise, opendkim startup will fail -touch /etc/opendkim/KeyTable -touch /etc/opendkim/SigningTable +touch /etc/dkim/KeyTable +touch /etc/dkim/SigningTable -if grep -q "ExternalIgnoreList" /etc/opendkim.conf; then +if grep -q "ExternalIgnoreList" /etc/dkimpy-milter/dkimpy-milter.conf; then true # already done #NODOC else - # Add various configuration options to the end of `opendkim.conf`. - cat >> /etc/opendkim.conf << EOF; + # Add various configuration options to the end of `dkimpy-milter.conf`. + cat >> /etc/dkimpy-milter/dkimpy-milter.conf << EOF; Canonicalization relaxed/simple MinimumKeyBits 1024 -ExternalIgnoreList refile:/etc/opendkim/TrustedHosts -InternalHosts refile:/etc/opendkim/TrustedHosts -KeyTable refile:/etc/opendkim/KeyTable -SigningTable refile:/etc/opendkim/SigningTable -Socket inet:8891@127.0.0.1 +ExternalIgnoreList refile:/etc/dkim/TrustedHosts +InternalHosts refile:/etc/dkim/TrustedHosts +KeyTable refile:/etc/dkim/KeyTable +KeyTableEd25519 refile:/etc/dkim/KeyTableEd25519 +SigningTable refile:/etc/dkim/SigningTable +Socket inet:8892@127.0.0.1 RequireSafeKeys false EOF fi 
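Review bot: The configuration appended here references `/etc/dkim/KeyTableEd25519`, but only `KeyTable` and `SigningTable` are created with `touch`. The comment this hunk removes said the daemon fails to start when a referenced table is missing; if dkimpy-milter behaves the same way, a fresh install cannot start the milter until dns_update.py has written that file. Adding `touch /etc/dkim/KeyTableEd25519` next to the other two avoids the gap.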
@@ -48,17 +48,21 @@ fi # in our DNS setup. Note that the files are named after the # 'selector' of the key, which we can change later on to support # key rotation. -# -# A 1024-bit key is seen as a minimum standard by several providers -# such as Google. But they and others use a 2048 bit key, so we'll -# do the same. Keys beyond 2048 bits may exceed DNS record limits. -if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]; then - opendkim-genkey -b 2048 -r -s mail -D $STORAGE_ROOT/mail/dkim +if [ ! -f "$STORAGE_ROOT/mail/dkim2/box-rsa.key" ]; then + # All defaults are supposed to be ok, default key for rsa is 2048 bit + dknewkey --ktype rsa $STORAGE_ROOT/mail/dkim2/box-rsa + dknewkey --ktype ed25519 $STORAGE_ROOT/mail/dkim2/box-ed25519 + + # Force them into the format dns_update.py expects + sed -i 's/v=DKIM1;/box-rsa._domainkey IN TXT ( "v=DKIM1;/' $STORAGE_ROOT/mail/dkim2/box-rsa.dns + echo '" )' >> box-rsa.dns + sed -i 's/v=DKIM1;/box-ed25519._domainkey IN TXT ( "v=DKIM1;/' $STORAGE_ROOT/mail/dkim2/box-ed25519.dns + echo '" )' >> box-ed25519.dns fi -# Ensure files are owned by the opendkim user and are private otherwise. -chown -R opendkim:opendkim $STORAGE_ROOT/mail/dkim -chmod go-rwx $STORAGE_ROOT/mail/dkim +# Ensure files are owned by the dkimpy-milter user and are private otherwise. +chown -R dkimpy-milter:dkimpy-milter $STORAGE_ROOT/mail/dkim2 +chmod go-rwx $STORAGE_ROOT/mail/dkim2 tools/editconf.py /etc/opendmarc.conf -s \ "Syslog=true" \ 
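Review bot: The two lines `echo '" )' >> box-rsa.dns` and `echo '" )' >> box-ed25519.dns` append to files in the current working directory, not to `$STORAGE_ROOT/mail/dkim2/`, so the record files that `build_zone` in dns_update.py parses never receive the closing `" )` its regex requires. They should use the full path, e.g. `echo '" )' >> "$STORAGE_ROOT/mail/dkim2/box-rsa.dns"`, and likewise for the Ed25519 file; PATCH 02 later in this series edits the neighbouring `sed` lines but leaves these two unchanged. The guard tests only for `box-rsa.key`, so a box where just the Ed25519 key is missing is not repaired on a re-run. `chmod go-rwx` is applied to the directory only, so it is worth confirming which permissions `dknewkey` gives the `.key` files themselves.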
@@ -94,23 +98,23 @@ tools/editconf.py /etc/opendmarc.conf -s \ # domains does not cause the results header field to be added. This added header # is used by spamassassin to evaluate the mail for spamminess. -tools/editconf.py /etc/opendkim.conf -s \ +tools/editconf.py /etc/dkimpy-milter/dkimpy-milter.conf -s \ "AlwaysAddARHeader=true" -# Add OpenDKIM and OpenDMARC as milters to postfix, which is how OpenDKIM +# Add DKIMpy and OpenDMARC as milters to postfix, which is how DKIMpy # intercepts outgoing mail to perform the signing (by adding a mail header) # and how they both intercept incoming mail to add Authentication-Results # headers. The order possibly/probably matters: OpenDMARC relies on the -# OpenDKIM Authentication-Results header already being present. +# DKIM Authentication-Results header already being present. # # Be careful. If we add other milters later, this needs to be concatenated # on the smtpd_milters line. # # The OpenDMARC milter is skipped in the SMTP submission listener by -# configuring smtpd_milters there to only list the OpenDKIM milter +# configuring smtpd_milters there to only list the DKIMpy milter # (see mail-postfix.sh). tools/editconf.py /etc/postfix/main.cf \ - "smtpd_milters=inet:127.0.0.1:8891 inet:127.0.0.1:8893"\ + "smtpd_milters=inet:127.0.0.1:8892 inet:127.0.0.1:8893"\ non_smtpd_milters=\$smtpd_milters \ milter_default_action=accept @@ -118,7 +122,7 @@ tools/editconf.py /etc/postfix/main.cf \ hide_output systemctl enable opendmarc # Restart services. -restart_service opendkim +restart_service dkimpy-milter restart_service opendmarc restart_service postfix diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh index f0aa5d4e..308e1b53 100755 --- a/setup/mail-postfix.sh +++ b/setup/mail-postfix.sh 
@@ -91,12 +91,14 @@ tools/editconf.py /etc/postfix/master.cf -s -w \ -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o syslog_name=postfix/submission - -o smtpd_milters=inet:127.0.0.1:8891 + -o smtpd_milters=inet:127.0.0.1:8892 + -o milter_macro_daemon_name=VERIFYING -o cleanup_service_name=authclean" \ "submission=inet n - - - - smtpd -o smtpd_sasl_auth_enable=yes -o syslog_name=postfix/submission - -o smtpd_milters=inet:127.0.0.1:8891 + -o smtpd_milters=inet:127.0.0.1:8892 + -o milter_macro_daemon_name=ORIGINATING -o smtpd_tls_security_level=encrypt -o cleanup_service_name=authclean" \ "authclean=unix n - - - 0 cleanup From acfc71e7fdc75a9f62502df0c413f19516b991f8 Mon Sep 17 00:00:00 2001 From: "github@kiekerjan.isdronken.nl" Date: Sat, 11 Dec 2021 01:00:02 +0100 Subject: [PATCH 02/22] correct dns tag for DKIM key --- setup/dkim.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/dkim.sh b/setup/dkim.sh index 5aa60c16..d2da740e 100755 --- a/setup/dkim.sh +++ b/setup/dkim.sh @@ -54,9 +54,9 @@ if [ ! -f "$STORAGE_ROOT/mail/dkim2/box-rsa.key" ]; then dknewkey --ktype ed25519 $STORAGE_ROOT/mail/dkim2/box-ed25519 # Force them into the format dns_update.py expects - sed -i 's/v=DKIM1;/box-rsa._domainkey IN TXT ( "v=DKIM1;/' $STORAGE_ROOT/mail/dkim2/box-rsa.dns + sed -i 's/v=DKIM1;/box-rsa._domainkey IN TXT ( "v=DKIM1; s=email;/' $STORAGE_ROOT/mail/dkim2/box-rsa.dns echo '" )' >> box-rsa.dns - sed -i 's/v=DKIM1;/box-ed25519._domainkey IN TXT ( "v=DKIM1;/' $STORAGE_ROOT/mail/dkim2/box-ed25519.dns + sed -i 's/v=DKIM1;/box-ed25519._domainkey IN TXT ( "v=DKIM1; s=email;/' $STORAGE_ROOT/mail/dkim2/box-ed25519.dns echo '" )' >> box-ed25519.dns fi From 96768f1fcbd262dcd59249eae65cdb2bb7d0cf22 Mon Sep 17 00:00:00 2001 From: "github@kiekerjan.isdronken.nl" Date: Fri, 31 Dec 2021 00:33:34 +0100 Subject: [PATCH 03/22] backport fix for dns resolver in python3-dkim --- setup/dkim.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/setup/dkim.sh b/setup/dkim.sh index c3092753..4d8e44aa 100755 --- a/setup/dkim.sh +++ b/setup/dkim.sh @@ -11,7 +11,7 @@ source /etc/mailinabox.conf # load global vars # Install DKIM... echo Installing DKIMpy/OpenDMARC... -apt_install dkimpy-milter opendmarc +apt_install dkimpy-milter python3-dkim opendmarc # Make sure configuration directories exist. mkdir -p /etc/dkim; @@ -121,6 +121,9 @@ tools/editconf.py /etc/postfix/main.cf \ # We need to explicitly enable the opendmarc service, or it will not start hide_output systemctl enable opendmarc +# There is a fault in the dkim code for Ubuntu 20.04, let's fix it. Not necessary for Ubuntu 21.04 or newer +sed -i 's/return b""\.join(r\.items\[0\]\.strings)/return b""\.join(list(r\.items)\[0\]\.strings)/' /usr/lib/python3/dist-packages/dkim/dnsplug.py + # Restart services. restart_service dkimpy-milter restart_service opendmarc From 21d4817998adde0726a53f9d3a2237d3b61b1869 Mon Sep 17 00:00:00 2001 From: "github@kiekerjan.isdronken.nl" Date: Thu, 6 Jan 2022 22:06:27 +0100 Subject: [PATCH 04/22] dkimpy dev and nextcloud installation details --- setup/dkim.sh | 28 ++++++++++++---------------- setup/mail-postfix.sh | 2 +- setup/nextcloud.sh | 8 +++++++- setup/web.sh | 4 ---- 4 files changed, 20 insertions(+), 22 deletions(-) diff --git a/setup/dkim.sh b/setup/dkim.sh index 4d8e44aa..0fa303e2 100755 --- a/setup/dkim.sh +++ b/setup/dkim.sh 
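Review bot: The added `sed -i` in the second hunk rewrites `/usr/lib/python3/dist-packages/dkim/dnsplug.py`, a file owned by the python3-dkim package, so a later upgrade or reinstall of that package would overwrite the change, and the file no longer matches what the package shipped. The command also gives no signal when the pattern does not match. It would be safer to verify the result, for example with `grep -qF 'list(r.items)[0]' /usr/lib/python3/dist-packages/dkim/dnsplug.py || echo "dnsplug.py was not patched"`, and to extend the comment to say the patch must be re-applied after package updates.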
@@ -25,22 +25,18 @@ echo "127.0.0.1" > /etc/dkim/TrustedHosts touch /etc/dkim/KeyTable touch /etc/dkim/SigningTable -if grep -q "ExternalIgnoreList" /etc/dkimpy-milter/dkimpy-milter.conf; then - true # already done #NODOC -else - # Add various configuration options to the end of `dkimpy-milter.conf`. - cat >> /etc/dkimpy-milter/dkimpy-milter.conf << EOF; -Canonicalization relaxed/simple -MinimumKeyBits 1024 -ExternalIgnoreList refile:/etc/dkim/TrustedHosts -InternalHosts refile:/etc/dkim/TrustedHosts -KeyTable refile:/etc/dkim/KeyTable -KeyTableEd25519 refile:/etc/dkim/KeyTableEd25519 -SigningTable refile:/etc/dkim/SigningTable -Socket inet:8892@127.0.0.1 -RequireSafeKeys false -EOF -fi +tools/editconf.py /etc/dkimpy-milter/dkimpy-milter.conf -s \ + "MacroList=daemon_name|ORIGINATING" + "MacroListVerify=daemon_name|VERIFYING" + "Canonicalization=relaxed/simple" + "MinimumKeyBits=1024" + "ExternalIgnoreList=refile:/etc/dkim/TrustedHosts" + "InternalHosts=refile:/etc/dkim/TrustedHosts" + "KeyTable=refile:/etc/dkim/KeyTable" + "KeyTableEd25519=refile:/etc/dkim/KeyTableEd25519" + "SigningTable=refile:/etc/dkim/SigningTable" + "Socket=inet:8892@127.0.0.1" + "RequireSafeKeys=false" # Create a new DKIM key. This creates mail.private and mail.txt # in $STORAGE_ROOT/mail/dkim. The former is the private key and diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh index 308e1b53..96f86c45 100755 --- a/setup/mail-postfix.sh +++ b/setup/mail-postfix.sh @@ -92,7 +92,7 @@ tools/editconf.py /etc/postfix/master.cf -s -w \ -o smtpd_sasl_auth_enable=yes -o syslog_name=postfix/submission -o smtpd_milters=inet:127.0.0.1:8892 - -o milter_macro_daemon_name=VERIFYING + -o milter_macro_daemon_name=ORIGINATING -o cleanup_service_name=authclean" \ "submission=inet n - - - - smtpd -o smtpd_sasl_auth_enable=yes diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index 15834d1c..46f1124e 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh 
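Review bot: In the new `tools/editconf.py /etc/dkimpy-milter/dkimpy-milter.conf -s \` call, only the first line ends in a continuation backslash as shown here, so editconf receives just `MacroList=daemon_name|ORIGINATING` and bash runs each following quoted setting as a separate command. As written, `Socket`, `KeyTable`, `KeyTableEd25519`, `SigningTable` and the other settings never reach the config file. Every setting line except the last needs a trailing ` \`, e.g. `"MacroList=daemon_name|ORIGINATING" \`. The context comment below still describes `mail.private` and `mail.txt` in `$STORAGE_ROOT/mail/dkim`, which no longer matches the dkim2 key files.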
@@ -16,6 +16,12 @@ apt_install php php-fpm \ php-dev php-gd php-xml php-mbstring php-zip php-apcu php-json \ php-intl php-imagick php-gmp php-bcmath +# Enable apc is required before installing nextcloud 21 +tools/editconf.py /etc/php/$(php_version)/mods-available/apcu.ini -c ';' \ + apc.enable_cli=1 + +restart_service php$(php_version)-fpm + InstallNextcloud() { version=$1 @@ -341,7 +347,7 @@ sudo -u www-data \ | (grep -v "No such app enabled" || /bin/true) # Install interesting apps -installed=$(sudo -u www-data php /usr/local/lib/owncloud/occ app:list | grep 'notes') +installed=$(sudo -u www-data php /usr/local/lib/owncloud/occ app:list | grep "notes") if [ -z "$installed" ]; then sudo -u www-data php /usr/local/lib/owncloud/occ app:install notes diff --git a/setup/web.sh b/setup/web.sh index b2cbaf6b..12133fe2 100755 --- a/setup/web.sh +++ b/setup/web.sh @@ -63,10 +63,6 @@ tools/editconf.py /etc/php/$(php_version)/fpm/php.ini -c ';' \ tools/editconf.py /etc/php/$(php_version)/fpm/pool.d/www.conf -c ';' \ env[PATH]=/usr/local/bin:/usr/bin:/bin \ -# Enable apc is required before installing nextcloud 21 -tools/editconf.py /etc/php/$(php_version)/mods-available/apcu.ini -c ';' \ - apc.enabled=1 - # Configure php-fpm based on the amount of memory the machine has # This is based on the nextcloud manual for performance tuning: https://docs.nextcloud.com/server/17/admin_manual/installation/server_tuning.html # Some synchronisation issues can occur when many people access the site at once. From 3a739823af8908f77d1a23b93aee18811ac1dd45 Mon Sep 17 00:00:00 2001 From: steadfasterX Date: Tue, 23 Nov 2021 17:06:17 +0100 Subject: [PATCH 05/22] fix: key flag id for KSK, fix format (#2063) as mentioned (https://github.com/mail-in-a-box/mailinabox/pull/2033#issuecomment-976365087) KSK is 257, not 256 --- management/status_checks.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/management/status_checks.py b/management/status_checks.py index 03f7eff0..e772d567 100755 --- a/management/status_checks.py +++ b/management/status_checks.py @@ -663,7 +663,7 @@ def check_dnssec(domain, env, output, dns_zonefiles, is_checking_primary=False): output.print_line("Option " + str(i+1) + ":") output.print_line("----------") output.print_line("Key Tag: " + ds_suggestion['keytag']) - output.print_line("Key Flags: KSK (256)") + output.print_line("Key Flags: KSK / 257") output.print_line("Algorithm: %s / %s" % (ds_suggestion['alg'], ds_suggestion['alg_name'])) output.print_line("Digest Type: %s / %s" % (ds_suggestion['digalg'], ds_suggestion['digalg_name'])) output.print_line("Digest: " + ds_suggestion['digest']) From e952a69486323c7649abb436d09e40d43da61469 Mon Sep 17 00:00:00 2001 From: Ilnahro <36730161+Ilnahro@users.noreply.github.com> Date: Wed, 1 Dec 2021 00:50:01 +0000 Subject: [PATCH 06/22] Include rsync to the installed basic packages (#2067) Some VPS providers strip this package from their Ubuntu 18.04 VM images. This will help avoid errors. --- setup/management.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/management.sh b/setup/management.sh index cea65d41..7961aecb 100755 --- a/setup/management.sh +++ b/setup/management.sh @@ -25,7 +25,7 @@ done # # certbot installs EFF's certbot which we use to # provision free TLS certificates. -apt_install duplicity python3-pip virtualenv certbot +apt_install duplicity python3-pip virtualenv certbot rsync # b2sdk is used for backblaze backups. # boto is used for amazon aws backups. From 2496f4783f9cf47ab1fa065cca336de90a9b1b89 Mon Sep 17 00:00:00 2001 From: KiekerJan Date: Mon, 6 Dec 2021 23:22:11 +0100 Subject: [PATCH 07/22] upgrade nextcloud to 21 --- setup/nextcloud.sh | 53 ++++++++++++++++++++++++---------------------- setup/web.sh | 4 ++++ 2 files changed, 32 insertions(+), 25 deletions(-) 
diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index e646d690..05cb7efc 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh @@ -100,8 +100,8 @@ InstallNextcloud() { } # Nextcloud Version to install. Checks are done down below to step through intermediate versions. -nextcloud_ver=20.0.14 -nextcloud_hash=92cac708915f51ee2afc1787fd845476fd090c81 +nextcloud_ver=21.0.7 +nextcloud_hash=f5c7079c5b56ce1e301c6a27c0d975d608bb01c9 contacts_ver=4.0.0 contacts_hash=f893ca57a543b260c9feeecbb5958c00b6998e18 calendar_ver=2.2.2 
@@ -167,28 +167,33 @@ if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextc CURRENT_NEXTCLOUD_VER="15.0.8" fi if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^15 ]]; then - InstallNextcloud 16.0.6 0bb3098455ec89f5af77a652aad553ad40a88819 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437 - CURRENT_NEXTCLOUD_VER="16.0.6" - fi - if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^16 ]]; then - InstallNextcloud 17.0.6 50b98d2c2f18510b9530e558ced9ab51eb4f11b0 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437 - CURRENT_NEXTCLOUD_VER="17.0.6" - fi - if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^17 ]]; then + InstallNextcloud 16.0.6 0bb3098455ec89f5af77a652aad553ad40a88819 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437 + CURRENT_NEXTCLOUD_VER="16.0.6" + fi + if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^16 ]]; then + InstallNextcloud 17.0.6 50b98d2c2f18510b9530e558ced9ab51eb4f11b0 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437 + CURRENT_NEXTCLOUD_VER="17.0.6" + fi + if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^17 ]]; then echo "ALTER TABLE oc_flow_operations ADD COLUMN entity VARCHAR;" | sqlite3 $STORAGE_ROOT/owncloud/owncloud.db - InstallNextcloud 18.0.10 39c0021a8b8477c3f1733fddefacfa5ebf921c68 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a - CURRENT_NEXTCLOUD_VER="18.0.10" - fi - if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^18 ]]; then - InstallNextcloud 19.0.4 01e98791ba12f4860d3d4047b9803f97a1b55c60 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a - 
CURRENT_NEXTCLOUD_VER="19.0.4" - fi + InstallNextcloud 18.0.10 39c0021a8b8477c3f1733fddefacfa5ebf921c68 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a + CURRENT_NEXTCLOUD_VER="18.0.10" + fi + if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^18 ]]; then + InstallNextcloud 19.0.4 01e98791ba12f4860d3d4047b9803f97a1b55c60 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a + CURRENT_NEXTCLOUD_VER="19.0.4" + fi + if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^19 ]]; then + InstallNextcloud 19.0.4 01e98791ba12f4860d3d4047b9803f97a1b55c60 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a + InstallNextcloud 20.0.14 92cac708915f51ee2afc1787fd845476fd090c81 4.0.0 f893ca57a543b260c9feeecbb5958c00b6998e18 2.2.2 923846d48afb5004a456b9079cf4b46d23b3ef3a 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a + CURRENT_NEXTCLOUD_VER="20.0.14" + + # Nextcloud 20 needs to have some optional columns added + sudo -u www-data php /usr/local/lib/owncloud/occ db:add-missing-columns + fi fi InstallNextcloud $nextcloud_ver $nextcloud_hash $contacts_ver $contacts_hash $calendar_ver $calendar_hash $user_external_ver $user_external_hash - - # Nextcloud 20 needs to have some optional columns added - sudo -u www-data php /usr/local/lib/owncloud/occ db:add-missing-columns fi # ### Configuring Nextcloud 
@@ -359,11 +364,9 @@ tools/editconf.py /etc/php/$(php_version)/cli/conf.d/10-opcache.ini -c ';' \ opcache.save_comments=1 \ opcache.revalidate_freq=1 -# If apc is explicitly disabled we need to enable it -if grep -q apc.enabled=0 /etc/php/$(php_version)/mods-available/apcu.ini; then - tools/editconf.py /etc/php/$(php_version)/mods-available/apcu.ini -c ';' \ - apc.enabled=1 -fi +# Enable apc is required before installing nextcloud 21 +tools/editconf.py /etc/php/$(php_version)/mods-available/apcu.ini -c ';' \ + apc.enabled=1 # Set up a cron job for Nextcloud. cat > /etc/cron.d/mailinabox-nextcloud << EOF; diff --git a/setup/web.sh b/setup/web.sh index 12133fe2..b2cbaf6b 100755 --- a/setup/web.sh +++ b/setup/web.sh @@ -63,6 +63,10 @@ tools/editconf.py /etc/php/$(php_version)/fpm/php.ini -c ';' \ tools/editconf.py /etc/php/$(php_version)/fpm/pool.d/www.conf -c ';' \ env[PATH]=/usr/local/bin:/usr/bin:/bin \ +# Enable apc is required before installing nextcloud 21 +tools/editconf.py /etc/php/$(php_version)/mods-available/apcu.ini -c ';' \ + apc.enabled=1 + # Configure php-fpm based on the amount of memory the machine has # This is based on the nextcloud manual for performance tuning: https://docs.nextcloud.com/server/17/admin_manual/installation/server_tuning.html # Some synchronisation issues can occur when many people access the site at once. From a041737f88433d9feabdbe7759eb7c0750376141 Mon Sep 17 00:00:00 2001 From: KiekerJan Date: Mon, 6 Dec 2021 23:25:31 +0100 Subject: [PATCH 08/22] move command to web.sh setup --- setup/nextcloud.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index 05cb7efc..2612497a 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh 
@@ -364,10 +364,6 @@ tools/editconf.py /etc/php/$(php_version)/cli/conf.d/10-opcache.ini -c ';' \ opcache.save_comments=1 \ opcache.revalidate_freq=1 -# Enable apc is required before installing nextcloud 21 -tools/editconf.py /etc/php/$(php_version)/mods-available/apcu.ini -c ';' \ - apc.enabled=1 - # Set up a cron job for Nextcloud. cat > /etc/cron.d/mailinabox-nextcloud << EOF; #!/bin/bash From 59cf51ab30c9363386e6eede3be6b17060971664 Mon Sep 17 00:00:00 2001 From: KiekerJan Date: Mon, 6 Dec 2021 23:32:24 +0100 Subject: [PATCH 09/22] updated readme --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4b706dc2..84e547af 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,8 @@ Functionality changes and additions * Configure domain names for which only www will be hosted Edit /etc/miabwwwdomains.conf to configure. The box will handle incoming traffic asking for these domain names. The DNS entries are entered in an external DNS provider! If you want this box to handle the DNS entries, simply add a mail alias. (existing functionality of the vanilla Mail-in-a-Box) * Add some munin plugins -* Update nextcloud to 20.0.13 +* Update nextcloud to 21.0.7 + And updated apps * Add nextcloud notes app * Update roundcube carddav plugin to 4.1.1 * Add roundcube context menu plugin From 2f86aa4eee7ca7586b74137318da55be760f799a Mon Sep 17 00:00:00 2001 From: KiekerJan Date: Tue, 7 Dec 2021 22:41:00 +0100 Subject: [PATCH 10/22] upgraded nextcloud to 22 --- README.md | 2 +- setup/nextcloud.sh | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 84e547af..b80b0f4b 100644 --- a/README.md +++ b/README.md 
@@ -20,7 +20,7 @@ Functionality changes and additions * Configure domain names for which only www will be hosted Edit /etc/miabwwwdomains.conf to configure. The box will handle incoming traffic asking for these domain names. The DNS entries are entered in an external DNS provider! If you want this box to handle the DNS entries, simply add a mail alias. (existing functionality of the vanilla Mail-in-a-Box) * Add some munin plugins -* Update nextcloud to 21.0.7 +* Update nextcloud to 22.2.3 And updated apps * Add nextcloud notes app * Update roundcube carddav plugin to 4.1.1 diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index 2612497a..a7503495 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh @@ -100,8 +100,8 @@ InstallNextcloud() { } # Nextcloud Version to install. Checks are done down below to step through intermediate versions. -nextcloud_ver=21.0.7 -nextcloud_hash=f5c7079c5b56ce1e301c6a27c0d975d608bb01c9 +nextcloud_ver=22.2.3 +nextcloud_hash=58d2d897ba22a057aa03d29c762c5306211fefd2 contacts_ver=4.0.0 contacts_hash=f893ca57a543b260c9feeecbb5958c00b6998e18 calendar_ver=2.2.2 
@@ -184,13 +184,16 @@ if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextc CURRENT_NEXTCLOUD_VER="19.0.4" fi if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^19 ]]; then - InstallNextcloud 19.0.4 01e98791ba12f4860d3d4047b9803f97a1b55c60 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a InstallNextcloud 20.0.14 92cac708915f51ee2afc1787fd845476fd090c81 4.0.0 f893ca57a543b260c9feeecbb5958c00b6998e18 2.2.2 923846d48afb5004a456b9079cf4b46d23b3ef3a 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a CURRENT_NEXTCLOUD_VER="20.0.14" # Nextcloud 20 needs to have some optional columns added sudo -u www-data php /usr/local/lib/owncloud/occ db:add-missing-columns fi + if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^20 ]]; then + InstallNextcloud 21.0.7 f5c7079c5b56ce1e301c6a27c0d975d608bb01c9 4.0.0 f893ca57a543b260c9feeecbb5958c00b6998e18 2.2.2 923846d48afb5004a456b9079cf4b46d23b3ef3a 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a + CURRENT_NEXTCLOUD_VER="21.0.7" + fi fi InstallNextcloud $nextcloud_ver $nextcloud_hash $contacts_ver $contacts_hash $calendar_ver $calendar_hash $user_external_ver $user_external_hash From 464c36ee3d7b08b283acfd86ad832b03b5e7a57c Mon Sep 17 00:00:00 2001 From: Arno Hautala Date: Sun, 19 Dec 2021 08:33:59 -0500 Subject: [PATCH 11/22] regex change to exclude comma from sasl_username (#2074) as proposed in #2071 by @jvolkenant --- management/mail_log.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/management/mail_log.py b/management/mail_log.py index 69c182b0..5fa27876 100755 --- a/management/mail_log.py +++ b/management/mail_log.py 
@@ -549,8 +549,9 @@ def scan_postfix_submission_line(date, log, collector): """ # Match both the 'plain' and 'login' sasl methods, since both authentication methods are - # allowed by Dovecot - m = re.match("([A-Z0-9]+): client=(\S+), sasl_method=(PLAIN|LOGIN), sasl_username=(\S+)", log) + # allowed by Dovecot. Exclude trailing comma after the username when additional fields + # follow after. + m = re.match("([A-Z0-9]+): client=(\S+), sasl_method=(PLAIN|LOGIN), sasl_username=(\S+)(? Date: Sat, 25 Dec 2021 07:17:34 -0800 Subject: [PATCH 12/22] Don't die if column already exists on Nextcloud 18 upgrade (#2078) --- setup/nextcloud.sh | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index a7503495..106d7e55 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh 
@@ -170,15 +170,16 @@ if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextc InstallNextcloud 16.0.6 0bb3098455ec89f5af77a652aad553ad40a88819 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437 CURRENT_NEXTCLOUD_VER="16.0.6" fi - if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^16 ]]; then + if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^16 ]]; then InstallNextcloud 17.0.6 50b98d2c2f18510b9530e558ced9ab51eb4f11b0 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437 CURRENT_NEXTCLOUD_VER="17.0.6" - fi - if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^17 ]]; then - echo "ALTER TABLE oc_flow_operations ADD COLUMN entity VARCHAR;" | sqlite3 $STORAGE_ROOT/owncloud/owncloud.db - InstallNextcloud 18.0.10 39c0021a8b8477c3f1733fddefacfa5ebf921c68 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a - CURRENT_NEXTCLOUD_VER="18.0.10" - fi + fi + if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^17 ]]; then + # Don't exit the install if this column already exists (see #2076) + (echo "ALTER TABLE oc_flow_operations ADD COLUMN entity VARCHAR;" | sqlite3 $STORAGE_ROOT/owncloud/owncloud.db 2>/dev/null) || true + InstallNextcloud 18.0.10 39c0021a8b8477c3f1733fddefacfa5ebf921c68 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a + CURRENT_NEXTCLOUD_VER="18.0.10" + fi if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^18 ]]; then InstallNextcloud 19.0.4 01e98791ba12f4860d3d4047b9803f97a1b55c60 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a CURRENT_NEXTCLOUD_VER="19.0.4" From 8d5f52db0f98355dda8e16fb19a7a63f2f279d13 Mon Sep 17 00:00:00 2001 
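Review bot: The new `(echo "ALTER TABLE ..." | sqlite3 ... 2>/dev/null) || true` in the `^17` branch hides every sqlite3 failure, not only the "column already exists" case from #2076. A locked database or a missing table would also pass silently, and the 18.0.10 install would proceed on a schema that was never changed. Consider testing for the column first and leaving other errors fatal, e.g. `sqlite3 "$STORAGE_ROOT/owncloud/owncloud.db" "PRAGMA table_info(oc_flow_operations);" | grep -q '|entity|' || sqlite3 "$STORAGE_ROOT/owncloud/owncloud.db" "ALTER TABLE oc_flow_operations ADD COLUMN entity VARCHAR;"`, which also quotes the database path. The same swallow-everything pattern appears later in the series around `occ app:install notes` and `occ app:install twofactor_totp`. The enclosing `if` block starts outside the hunk.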
From: "github@kiekerjan.isdronken.nl" Date: Wed, 29 Dec 2021 22:27:15 +0100 Subject: [PATCH 13/22] update nextcloud and webmail plugins --- setup/nextcloud.sh | 28 ++++++++++++++++++++-------- setup/webmail.sh | 6 +++--- 2 files changed, 23 insertions(+), 11 deletions(-) diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index 106d7e55..e5bc31e3 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh @@ -49,11 +49,23 @@ InstallNextcloud() { # their github repositories. mkdir -p /usr/local/lib/owncloud/apps - wget_verify https://github.com/nextcloud/contacts/releases/download/v$version_contacts/contacts.tar.gz $hash_contacts /tmp/contacts.tgz + contacts_cutoff="3.5.1" # this version was the last posted version on 12/27/2021 that supported the old url format + if [ ${contacts_cutoff//.} -gt ${version_contacts//.} ]; then + wget_verify https://github.com/nextcloud/contacts/releases/download/v$version_contacts/contacts.tar.gz $hash_contacts /tmp/contacts.tgz + else + wget_verify https://github.com/nextcloud-releases/contacts/releases/download/v$version_contacts/contacts-v$version_contacts.tar.gz $hash_contacts /tmp/contacts.tgz + fi + tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/contacts.tgz - wget_verify https://github.com/nextcloud/calendar/releases/download/v$version_calendar/calendar.tar.gz $hash_calendar /tmp/calendar.tgz + calendar_cutoff="2.0.5" # this version was the last posted version on 12/27/2021 that supported the old url format + if [ ${calendar_cutoff//.} -gt ${version_calendar//.} ]; then + wget_verify https://github.com/nextcloud/calendar/releases/download/v$version_calendar/calendar.tar.gz $hash_calendar /tmp/calendar.tgz + else + wget_verify https://github.com/nextcloud-releases/calendar/releases/download/v$version_calendar/calendar.tar.gz $hash_calendar /tmp/calendar.tgz + fi + tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/calendar.tgz 
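Review bot: The cutoff test `[ ${contacts_cutoff//.} -gt ${version_contacts//.} ]`, and its calendar twin, compares versions by deleting the dots, which orders them wrongly as soon as a component has two digits: 3.10.0 becomes 3100 while 4.0.0 becomes 400. A real version comparison avoids that, for example `if dpkg --compare-versions "$version_contacts" lt "$contacts_cutoff"; then`. The branch only selects the download URL and the archive is still passed to `wget_verify` with the pinned hash, so a wrong branch should surface as a failed download rather than as unverified code. A comment stating that intent next to the cutoff variables would help. InstallNextcloud's body continues outside the hunk.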
@@ -102,12 +114,12 @@ InstallNextcloud() { # Nextcloud Version to install. Checks are done down below to step through intermediate versions. nextcloud_ver=22.2.3 nextcloud_hash=58d2d897ba22a057aa03d29c762c5306211fefd2 -contacts_ver=4.0.0 -contacts_hash=f893ca57a543b260c9feeecbb5958c00b6998e18 -calendar_ver=2.2.2 -calendar_hash=923846d48afb5004a456b9079cf4b46d23b3ef3a -user_external_ver=1.0.0 -user_external_hash=3bf2609061d7214e7f0f69dd8883e55c4ec8f50a +contacts_ver=4.0.7 +contacts_hash=8ab31d205408e4f12067d8a4daa3595d46b513e3 +calendar_ver=3.0.2 +calendar_hash=dcc62633f81c2cb53ce202348c79a0ab5bf4c9a8 +user_external_ver=2.1.0 +user_external_hash=6e5afe7f36f398f864bfdce9cad72200e70322aa # Current Nextcloud Version, #1623 # Checking /usr/local/lib/owncloud/version.php shows version of the Nextcloud application, not the DB diff --git a/setup/webmail.sh b/setup/webmail.sh index b2173b5b..e4ee18c4 100755 --- a/setup/webmail.sh +++ b/setup/webmail.sh @@ -36,8 +36,8 @@ HTML5_NOTIFIER_VERSION=68d9ca194212e15b3c7225eb6085dbcf02fd13d7 # version 0.6.4+ CONTEXT_MENU_VERSION=602a3812922fb8f71814eb3b8d91e9b7859aab7e # version 3.2.1 TWOFACT_COMMIT=a3944c4604fe86fc020847f281beea031e14e58e # master @ 17-10-2021 -CARDDAV_VERSION=4.1.1 -CARDDAV_HASH=87b73661b7799b2079c28324311eddb4241242bb +CARDDAV_VERSION=4.3.0 +CARDDAV_HASH=4ad7df8843951062878b1375f77c614f68bc5c61 UPDATE_KEY=$VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:$CARDDAV_VERSION:$CONTEXT_MENU_VERSION:$TWOFACT_COMMIT 
@@ -78,7 +78,7 @@ if [ $needs_update == 1 ]; then # install roundcube html5_notifier plugin git_clone https://github.com/kitist/html5_notifier.git $HTML5_NOTIFIER_VERSION '' ${RCM_PLUGIN_DIR}/html5_notifier - # download and verify the full release of the carddav plugin. Can't use github because does not include all dependencies + # download and verify the full release of the carddav plugin. Can't use git_clone because repository does not include all dependencies wget_verify \ https://github.com/mstilkerich/rcmcarddav/releases/download/v${CARDDAV_VERSION}/carddav-v${CARDDAV_VERSION}.tar.gz \ $CARDDAV_HASH \ From 3350fecd925a367a8d1812eab3dbe88260c2403d Mon Sep 17 00:00:00 2001 From: "github@kiekerjan.isdronken.nl" Date: Fri, 31 Dec 2021 00:33:34 +0100 Subject: [PATCH 14/22] backport fix for dns resolver in python3-dkim --- setup/dkim.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/setup/dkim.sh b/setup/dkim.sh index d2da740e..c86f6145 100755 --- a/setup/dkim.sh +++ b/setup/dkim.sh @@ -11,7 +11,7 @@ source /etc/mailinabox.conf # load global vars # Install DKIM... echo Installing DKIMpy/OpenDMARC... -apt_install dkimpy-milter opendmarc +apt_install dkimpy-milter python3-dkim opendmarc # Make sure configuration directories exist. mkdir -p /etc/dkim; @@ -121,6 +121,9 @@ tools/editconf.py /etc/postfix/main.cf \ # We need to explicitly enable the opendmarc service, or it will not start hide_output systemctl enable opendmarc +# There is a fault in the dkim code for Ubuntu 20.04, let's fix it. Not necessary for Ubuntu 21.04 or newer +sed -i 's/return b""\.join(r\.items\[0\]\.strings)/return b""\.join(list(r\.items)\[0\]\.strings)/' /usr/lib/python3/dist-packages/dkim/dnsplug.py + # Restart services. restart_service dkimpy-milter restart_service opendmarc From 99c960fc563ebf1b1a14d615b7b71f92c2975b8e Mon Sep 17 00:00:00 2001 
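Review bot: The added `sed -i` rewrites `/usr/lib/python3/dist-packages/dkim/dnsplug.py`, a file owned by the python3-dkim package, so a package upgrade or reinstall silently reverts it and the file on disk no longer matches what the package manager installed. It also runs on every release although the comment says only Ubuntu 20.04 needs it, and sed exits 0 when the pattern is absent, so nothing reports whether the fix is actually in place. Suggest guarding it by release and checking the result afterwards, e.g. `grep -q 'list(r\.items)\[0\]' /usr/lib/python3/dist-packages/dkim/dnsplug.py || echo "dnsplug.py fix not applied"`, and extending the comment with the upstream bug reference and the package version in which the fix ships.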
From: "github@kiekerjan.isdronken.nl" Date: Thu, 6 Jan 2022 22:06:27 +0100 Subject: [PATCH 15/22] dkimpy dev and nextcloud installation details --- setup/dkim.sh | 28 ++++++++++++---------------- setup/mail-postfix.sh | 2 +- setup/nextcloud.sh | 8 +++++++- setup/web.sh | 4 ---- 4 files changed, 20 insertions(+), 22 deletions(-) diff --git a/setup/dkim.sh b/setup/dkim.sh index c86f6145..9aa8a6b6 100755 --- a/setup/dkim.sh +++ b/setup/dkim.sh @@ -25,22 +25,18 @@ echo "127.0.0.1" > /etc/dkim/TrustedHosts touch /etc/dkim/KeyTable touch /etc/dkim/SigningTable -if grep -q "ExternalIgnoreList" /etc/dkimpy-milter/dkimpy-milter.conf; then - true # already done #NODOC -else - # Add various configuration options to the end of `dkimpy-milter.conf`. - cat >> /etc/dkimpy-milter/dkimpy-milter.conf << EOF; -Canonicalization relaxed/simple -MinimumKeyBits 1024 -ExternalIgnoreList refile:/etc/dkim/TrustedHosts -InternalHosts refile:/etc/dkim/TrustedHosts -KeyTable refile:/etc/dkim/KeyTable -KeyTableEd25519 refile:/etc/dkim/KeyTableEd25519 -SigningTable refile:/etc/dkim/SigningTable -Socket inet:8892@127.0.0.1 -RequireSafeKeys false -EOF -fi +tools/editconf.py /etc/dkimpy-milter/dkimpy-milter.conf -s \ + "MacroList=daemon_name|ORIGINATING" + "MacroListVerify=daemon_name|VERIFYING" + "Canonicalization=relaxed/simple" + "MinimumKeyBits=1024" + "ExternalIgnoreList=refile:/etc/dkim/TrustedHosts" + "InternalHosts=refile:/etc/dkim/TrustedHosts" + "KeyTable=refile:/etc/dkim/KeyTable" + "KeyTableEd25519=refile:/etc/dkim/KeyTableEd25519" + "SigningTable=refile:/etc/dkim/SigningTable" + "Socket=inet:8892@127.0.0.1" + "RequireSafeKeys=false" # Create a new DKIM key. This creates mail.private and mail.txt # in $STORAGE_ROOT/mail/dkim. The former is the private key and diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh index 308e1b53..96f86c45 100755 --- a/setup/mail-postfix.sh +++ b/setup/mail-postfix.sh 
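Review bot: Only the first line of the new `tools/editconf.py /etc/dkimpy-milter/dkimpy-milter.conf -s \` call ends in a backslash, so the command ends after `"MacroList=daemon_name|ORIGINATING"` and the shell treats each following quoted `Key=value` line as a separate command. None of the settings from `MacroListVerify` down to `RequireSafeKeys` would reach dkimpy-milter.conf, including `Socket`, `KeyTable` and `SigningTable`. Every argument line except the last needs a trailing continuation, e.g. `"MacroListVerify=daemon_name|VERIFYING" \`. The removed heredoc was guarded by a grep for `ExternalIgnoreList`; a short comment that editconf.py is relied on to make the call repeatable would document why that guard could go.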
@@ -92,7 +92,7 @@ tools/editconf.py /etc/postfix/master.cf -s -w \ -o smtpd_sasl_auth_enable=yes -o syslog_name=postfix/submission -o smtpd_milters=inet:127.0.0.1:8892 - -o milter_macro_daemon_name=VERIFYING + -o milter_macro_daemon_name=ORIGINATING -o cleanup_service_name=authclean" \ "submission=inet n - - - - smtpd -o smtpd_sasl_auth_enable=yes diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index e5bc31e3..5a06fef6 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh @@ -16,6 +16,12 @@ apt_install php php-fpm \ php-dev php-gd php-xml php-mbstring php-zip php-apcu php-json \ php-intl php-imagick php-gmp php-bcmath +# Enable apc is required before installing nextcloud 21 +tools/editconf.py /etc/php/$(php_version)/mods-available/apcu.ini -c ';' \ + apc.enable_cli=1 + +restart_service php$(php_version)-fpm + InstallNextcloud() { version=$1 @@ -341,7 +347,7 @@ sudo -u www-data \ | (grep -v "No such app enabled" || /bin/true) # Install interesting apps -installed=$(sudo -u www-data php /usr/local/lib/owncloud/occ app:list | grep 'notes') +installed=$(sudo -u www-data php /usr/local/lib/owncloud/occ app:list | grep "notes") if [ -z "$installed" ]; then sudo -u www-data php /usr/local/lib/owncloud/occ app:install notes diff --git a/setup/web.sh b/setup/web.sh index b2cbaf6b..12133fe2 100755 --- a/setup/web.sh +++ b/setup/web.sh @@ -63,10 +63,6 @@ tools/editconf.py /etc/php/$(php_version)/fpm/php.ini -c ';' \ tools/editconf.py /etc/php/$(php_version)/fpm/pool.d/www.conf -c ';' \ env[PATH]=/usr/local/bin:/usr/bin:/bin \ -# Enable apc is required before installing nextcloud 21 -tools/editconf.py /etc/php/$(php_version)/mods-available/apcu.ini -c ';' \ - apc.enabled=1 - # Configure php-fpm based on the amount of memory the machine has # This is based on the nextcloud manual for performance tuning: https://docs.nextcloud.com/server/17/admin_manual/installation/server_tuning.html # Some synchronisation issues can occur when many people access the site at once. 
From 4c89d503b67b783fb6108cfb8b4e4fba32631020 Mon Sep 17 00:00:00 2001 From: KiekerJan Date: Mon, 6 Dec 2021 23:22:11 +0100 Subject: [PATCH 16/22] upgrade nextcloud to 21 --- setup/nextcloud.sh | 26 ++++++++++++++++++++++++++ setup/web.sh | 4 ++++ 2 files changed, 30 insertions(+) diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index 5a06fef6..ecd5b301 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh @@ -188,6 +188,7 @@ if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextc InstallNextcloud 16.0.6 0bb3098455ec89f5af77a652aad553ad40a88819 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437 CURRENT_NEXTCLOUD_VER="16.0.6" fi +<<<<<<< HEAD if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^16 ]]; then InstallNextcloud 17.0.6 50b98d2c2f18510b9530e558ced9ab51eb4f11b0 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437 CURRENT_NEXTCLOUD_VER="17.0.6" 
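Review bot: This hunk adds a literal `<<<<<<< HEAD` line to setup/nextcloud.sh, and the two following nextcloud.sh hunks of the same commit add the matching `=======` and `>>>>>>> 9850ae5 (upgrade nextcloud to 21)` lines, so unresolved merge-conflict markers are being committed into a setup script that runs as root. Bash would fail on those lines, and the duplicated side of the conflict brings back the 17-to-18 step with the unguarded `ALTER TABLE` and a second `InstallNextcloud 19.0.4` in the `^19` branch. The conflict should be resolved before the commit is recorded so that every commit in the series leaves a runnable installer. A check such as `bash -n setup/nextcloud.sh` before committing would catch this.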
@@ -198,21 +199,39 @@ if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextc InstallNextcloud 18.0.10 39c0021a8b8477c3f1733fddefacfa5ebf921c68 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a CURRENT_NEXTCLOUD_VER="18.0.10" fi +======= + if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^16 ]]; then + InstallNextcloud 17.0.6 50b98d2c2f18510b9530e558ced9ab51eb4f11b0 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437 + CURRENT_NEXTCLOUD_VER="17.0.6" + fi + if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^17 ]]; then + echo "ALTER TABLE oc_flow_operations ADD COLUMN entity VARCHAR;" | sqlite3 $STORAGE_ROOT/owncloud/owncloud.db + InstallNextcloud 18.0.10 39c0021a8b8477c3f1733fddefacfa5ebf921c68 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a + CURRENT_NEXTCLOUD_VER="18.0.10" + fi +>>>>>>> 9850ae5 (upgrade nextcloud to 21) if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^18 ]]; then InstallNextcloud 19.0.4 01e98791ba12f4860d3d4047b9803f97a1b55c60 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a CURRENT_NEXTCLOUD_VER="19.0.4" fi if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^19 ]]; then +<<<<<<< HEAD +======= + InstallNextcloud 19.0.4 01e98791ba12f4860d3d4047b9803f97a1b55c60 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a +>>>>>>> 9850ae5 (upgrade nextcloud to 21) InstallNextcloud 20.0.14 92cac708915f51ee2afc1787fd845476fd090c81 4.0.0 f893ca57a543b260c9feeecbb5958c00b6998e18 2.2.2 923846d48afb5004a456b9079cf4b46d23b3ef3a 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a CURRENT_NEXTCLOUD_VER="20.0.14" # Nextcloud 20 needs to have some optional columns 
added sudo -u www-data php /usr/local/lib/owncloud/occ db:add-missing-columns fi +<<<<<<< HEAD if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^20 ]]; then InstallNextcloud 21.0.7 f5c7079c5b56ce1e301c6a27c0d975d608bb01c9 4.0.0 f893ca57a543b260c9feeecbb5958c00b6998e18 2.2.2 923846d48afb5004a456b9079cf4b46d23b3ef3a 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a CURRENT_NEXTCLOUD_VER="21.0.7" fi +======= +>>>>>>> 9850ae5 (upgrade nextcloud to 21) fi InstallNextcloud $nextcloud_ver $nextcloud_hash $contacts_ver $contacts_hash $calendar_ver $calendar_hash $user_external_ver $user_external_hash @@ -386,6 +405,13 @@ tools/editconf.py /etc/php/$(php_version)/cli/conf.d/10-opcache.ini -c ';' \ opcache.save_comments=1 \ opcache.revalidate_freq=1 +<<<<<<< HEAD +======= +# Enable apc is required before installing nextcloud 21 +tools/editconf.py /etc/php/$(php_version)/mods-available/apcu.ini -c ';' \ + apc.enabled=1 + +>>>>>>> 9850ae5 (upgrade nextcloud to 21) # Set up a cron job for Nextcloud. cat > /etc/cron.d/mailinabox-nextcloud << EOF; #!/bin/bash diff --git a/setup/web.sh b/setup/web.sh index 12133fe2..b2cbaf6b 100755 --- a/setup/web.sh +++ b/setup/web.sh @@ -63,6 +63,10 @@ tools/editconf.py /etc/php/$(php_version)/fpm/php.ini -c ';' \ tools/editconf.py /etc/php/$(php_version)/fpm/pool.d/www.conf -c ';' \ env[PATH]=/usr/local/bin:/usr/bin:/bin \ +# Enable apc is required before installing nextcloud 21 +tools/editconf.py /etc/php/$(php_version)/mods-available/apcu.ini -c ';' \ + apc.enabled=1 + # Configure php-fpm based on the amount of memory the machine has # This is based on the nextcloud manual for performance tuning: https://docs.nextcloud.com/server/17/admin_manual/installation/server_tuning.html # Some synchronisation issues can occur when many people access the site at once. From 7e3af574d22f64745ffb736186480c70708611eb Mon Sep 17 00:00:00 2001 
From: KiekerJan Date: Mon, 6 Dec 2021 23:25:31 +0100 Subject: [PATCH 17/22] move command to web.sh setup --- setup/nextcloud.sh | 26 -------------------------- 1 file changed, 26 deletions(-) diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index ecd5b301..5a06fef6 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh @@ -188,7 +188,6 @@ if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextc InstallNextcloud 16.0.6 0bb3098455ec89f5af77a652aad553ad40a88819 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437 CURRENT_NEXTCLOUD_VER="16.0.6" fi -<<<<<<< HEAD if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^16 ]]; then InstallNextcloud 17.0.6 50b98d2c2f18510b9530e558ced9ab51eb4f11b0 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437 CURRENT_NEXTCLOUD_VER="17.0.6" 
@@ -199,39 +198,21 @@ if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextc InstallNextcloud 18.0.10 39c0021a8b8477c3f1733fddefacfa5ebf921c68 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a CURRENT_NEXTCLOUD_VER="18.0.10" fi -======= - if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^16 ]]; then - InstallNextcloud 17.0.6 50b98d2c2f18510b9530e558ced9ab51eb4f11b0 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437 - CURRENT_NEXTCLOUD_VER="17.0.6" - fi - if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^17 ]]; then - echo "ALTER TABLE oc_flow_operations ADD COLUMN entity VARCHAR;" | sqlite3 $STORAGE_ROOT/owncloud/owncloud.db - InstallNextcloud 18.0.10 39c0021a8b8477c3f1733fddefacfa5ebf921c68 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a - CURRENT_NEXTCLOUD_VER="18.0.10" - fi ->>>>>>> 9850ae5 (upgrade nextcloud to 21) if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^18 ]]; then InstallNextcloud 19.0.4 01e98791ba12f4860d3d4047b9803f97a1b55c60 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a CURRENT_NEXTCLOUD_VER="19.0.4" fi if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^19 ]]; then -<<<<<<< HEAD -======= - InstallNextcloud 19.0.4 01e98791ba12f4860d3d4047b9803f97a1b55c60 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a ->>>>>>> 9850ae5 (upgrade nextcloud to 21) InstallNextcloud 20.0.14 92cac708915f51ee2afc1787fd845476fd090c81 4.0.0 f893ca57a543b260c9feeecbb5958c00b6998e18 2.2.2 923846d48afb5004a456b9079cf4b46d23b3ef3a 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a CURRENT_NEXTCLOUD_VER="20.0.14" # Nextcloud 20 needs to have some optional columns 
added sudo -u www-data php /usr/local/lib/owncloud/occ db:add-missing-columns fi -<<<<<<< HEAD if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^20 ]]; then InstallNextcloud 21.0.7 f5c7079c5b56ce1e301c6a27c0d975d608bb01c9 4.0.0 f893ca57a543b260c9feeecbb5958c00b6998e18 2.2.2 923846d48afb5004a456b9079cf4b46d23b3ef3a 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a CURRENT_NEXTCLOUD_VER="21.0.7" fi -======= ->>>>>>> 9850ae5 (upgrade nextcloud to 21) fi InstallNextcloud $nextcloud_ver $nextcloud_hash $contacts_ver $contacts_hash $calendar_ver $calendar_hash $user_external_ver $user_external_hash @@ -405,13 +386,6 @@ tools/editconf.py /etc/php/$(php_version)/cli/conf.d/10-opcache.ini -c ';' \ opcache.save_comments=1 \ opcache.revalidate_freq=1 -<<<<<<< HEAD -======= -# Enable apc is required before installing nextcloud 21 -tools/editconf.py /etc/php/$(php_version)/mods-available/apcu.ini -c ';' \ - apc.enabled=1 - ->>>>>>> 9850ae5 (upgrade nextcloud to 21) # Set up a cron job for Nextcloud. cat > /etc/cron.d/mailinabox-nextcloud << EOF; #!/bin/bash From f827364c834f80685d8e74d42286b890e1c11225 Mon Sep 17 00:00:00 2001 From: "github@kiekerjan.isdronken.nl" Date: Thu, 6 Jan 2022 22:06:27 +0100 Subject: [PATCH 18/22] dkimpy dev and nextcloud installation details --- setup/web.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/setup/web.sh b/setup/web.sh index b2cbaf6b..12133fe2 100755 --- a/setup/web.sh +++ b/setup/web.sh 
@@ -63,10 +63,6 @@ tools/editconf.py /etc/php/$(php_version)/fpm/php.ini -c ';' \ tools/editconf.py /etc/php/$(php_version)/fpm/pool.d/www.conf -c ';' \ env[PATH]=/usr/local/bin:/usr/bin:/bin \ -# Enable apc is required before installing nextcloud 21 -tools/editconf.py /etc/php/$(php_version)/mods-available/apcu.ini -c ';' \ - apc.enabled=1 - # Configure php-fpm based on the amount of memory the machine has # This is based on the nextcloud manual for performance tuning: https://docs.nextcloud.com/server/17/admin_manual/installation/server_tuning.html # Some synchronisation issues can occur when many people access the site at once. From d017c8b04c1dcfae518008f1ac9eee275150a040 Mon Sep 17 00:00:00 2001 From: "github@kiekerjan.isdronken.nl" Date: Tue, 1 Feb 2022 22:48:09 +0100 Subject: [PATCH 19/22] fixes to installer --- setup/dkim.sh | 20 ++++++++++---------- setup/nextcloud.sh | 8 ++++---- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/setup/dkim.sh b/setup/dkim.sh index 0fa303e2..ee3efa8a 100755 --- a/setup/dkim.sh +++ b/setup/dkim.sh 
@@ -26,16 +26,16 @@ touch /etc/dkim/KeyTable touch /etc/dkim/SigningTable tools/editconf.py /etc/dkimpy-milter/dkimpy-milter.conf -s \ - "MacroList=daemon_name|ORIGINATING" - "MacroListVerify=daemon_name|VERIFYING" - "Canonicalization=relaxed/simple" - "MinimumKeyBits=1024" - "ExternalIgnoreList=refile:/etc/dkim/TrustedHosts" - "InternalHosts=refile:/etc/dkim/TrustedHosts" - "KeyTable=refile:/etc/dkim/KeyTable" - "KeyTableEd25519=refile:/etc/dkim/KeyTableEd25519" - "SigningTable=refile:/etc/dkim/SigningTable" - "Socket=inet:8892@127.0.0.1" + "MacroList=daemon_name|ORIGINATING" \ + "MacroListVerify=daemon_name|VERIFYING" \ + "Canonicalization=relaxed/simple" \ + "MinimumKeyBits=1024" \ + "ExternalIgnoreList=refile:/etc/dkim/TrustedHosts" \ + "InternalHosts=refile:/etc/dkim/TrustedHosts" \ + "KeyTable=refile:/etc/dkim/KeyTable" \ + "KeyTableEd25519=refile:/etc/dkim/KeyTableEd25519" \ + "SigningTable=refile:/etc/dkim/SigningTable" \ + "Socket=inet:8892@127.0.0.1" \ "RequireSafeKeys=false" # Create a new DKIM key. This creates mail.private and mail.txt diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index 5a06fef6..ff7175cb 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh @@ -349,17 +349,17 @@ sudo -u www-data \ # Install interesting apps installed=$(sudo -u www-data php /usr/local/lib/owncloud/occ app:list | grep "notes") -if [ -z "$installed" ]; then +#if [ -z "$installed" ]; then sudo -u www-data php /usr/local/lib/owncloud/occ app:install notes -fi +#fi hide_output sudo -u www-data php /usr/local/lib/owncloud/console.php app:enable notes installed=$(sudo -u www-data php /usr/local/lib/owncloud/occ app:list | grep 'twofactor_totp') -if [ -z "$installed" ]; then +#if [ -z "$installed" ]; then sudo -u www-data php /usr/local/lib/owncloud/occ app:install twofactor_totp -fi +#fi hide_output sudo -u www-data php /usr/local/lib/owncloud/console.php app:enable twofactor_totp From 72b08d6b9ad8cc09fcc7392c91d5f3a0fa106578 Mon Sep 17 00:00:00 2001 
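Review bot: `"RequireSafeKeys=false"` stays in the argument list this hunk repairs, with no comment explaining it. In OpenDKIM that option turns off the refusal to load private keys whose files have unsafe permissions, and if dkimpy-milter honours it the same way, the signing keys lose that check. The script sets ownership and private permissions on the DKIM files further down, outside this hunk, so the check would be expected to pass. Either drop the override or document the reason next to it, e.g. `# RequireSafeKeys=false: <reason>`. `"MinimumKeyBits=1024"` is the lowest RSA size still commonly accepted, and a one-line comment saying it is intentional would help the next reader.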
From: KiekerJan Date: Tue, 1 Feb 2022 23:14:26 +0100 Subject: [PATCH 20/22] fix installer bugs --- management/dns_update.py | 2 +- setup/dkim.sh | 4 ++-- setup/nextcloud.sh | 12 ++---------- 3 files changed, 5 insertions(+), 13 deletions(-) diff --git a/management/dns_update.py b/management/dns_update.py index e009392a..1c4e6647 100755 --- a/management/dns_update.py +++ b/management/dns_update.py @@ -833,7 +833,7 @@ def write_dkim_tables(domains, env): dkim_rsa_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/box-rsa.key') dkim_ed_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/box-ed25519.key') - if not os.path.exists(dkim_rsa_key_file) || not os.path.exists(dkim_ed_key_file): + if not os.path.exists(dkim_rsa_key_file) or not os.path.exists(dkim_ed_key_file): # Looks like DKIMpy is not installed. return False diff --git a/setup/dkim.sh b/setup/dkim.sh index ee3efa8a..4235841d 100755 --- a/setup/dkim.sh +++ b/setup/dkim.sh @@ -51,9 +51,9 @@ if [ ! -f "$STORAGE_ROOT/mail/dkim/box-rsa.key" ]; then # Force them into the format dns_update.py expects sed -i 's/v=DKIM1;/box-rsa._domainkey IN TXT ( "v=DKIM1; s=email;/' $STORAGE_ROOT/mail/dkim/box-rsa.dns - echo '" )' >> box-rsa.dns + echo '" )' >> $STORAGE_ROOT/mail/dkim/box-rsa.dns sed -i 's/v=DKIM1;/box-ed25519._domainkey IN TXT ( "v=DKIM1; s=email;/' $STORAGE_ROOT/mail/dkim/box-ed25519.dns - echo '" )' >> box-ed25519.dns + echo '" )' >> $STORAGE_ROOT/mail/dkim/box-ed25519.dns fi # Ensure files are owned by the dkimpy-milter user and are private otherwise. diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index ff7175cb..b0637c12 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh 
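Review bot: The key-generation block in setup/dkim.sh that this hunk sits in is guarded only by `[ ! -f "$STORAGE_ROOT/mail/dkim/box-rsa.key" ]`, while `write_dkim_tables` in the same commit returns False unless both `box-rsa.key` and `box-ed25519.key` exist. On a box that has the RSA key but not the Ed25519 one the block would be skipped and, as far as the visible code shows, the DKIM tables would never be written and nothing would report that outgoing mail is unsigned. Consider testing both files, e.g. `if [ ! -f "$STORAGE_ROOT/mail/dkim/box-rsa.key" ] || [ ! -f "$STORAGE_ROOT/mail/dkim/box-ed25519.key" ]; then`, and quoting the target in the two corrected lines, `echo '" )' >> "$STORAGE_ROOT/mail/dkim/box-rsa.dns"`. The block starts outside the hunk, so the generation commands themselves were not reviewed.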
@@ -347,19 +347,11 @@ sudo -u www-data \ | (grep -v "No such app enabled" || /bin/true) # Install interesting apps -installed=$(sudo -u www-data php /usr/local/lib/owncloud/occ app:list | grep "notes") - -#if [ -z "$installed" ]; then - sudo -u www-data php /usr/local/lib/owncloud/occ app:install notes -#fi +(sudo -u www-data php /usr/local/lib/owncloud/occ app:install notes) || true hide_output sudo -u www-data php /usr/local/lib/owncloud/console.php app:enable notes -installed=$(sudo -u www-data php /usr/local/lib/owncloud/occ app:list | grep 'twofactor_totp') - -#if [ -z "$installed" ]; then - sudo -u www-data php /usr/local/lib/owncloud/occ app:install twofactor_totp -#fi +(sudo -u www-data php /usr/local/lib/owncloud/occ app:install twofactor_totp) || true hide_output sudo -u www-data php /usr/local/lib/owncloud/console.php app:enable twofactor_totp From 686e878af597d5b1116bd1ff00f9faf74dd84b3f Mon Sep 17 00:00:00 2001 From: "github@kiekerjan.isdronken.nl" Date: Wed, 2 Feb 2022 12:15:22 +0100 Subject: [PATCH 21/22] merge master --- CHANGELOG.md | 24 ++++++-- CONTRIBUTING.md | 4 +- README.md | 2 +- Vagrantfile | 2 +- management/dns_update.py | 2 +- management/templates/system-backup.html | 2 +- setup/additionals.sh | 6 -- setup/bootstrap.sh | 2 +- setup/nextcloud.sh | 76 ++++++++++++++----------- setup/system.sh | 9 ++- setup/webmail.sh | 17 ++++-- 11 files changed, 90 insertions(+), 56 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bff4d661..d796970e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,12 +1,28 @@ CHANGELOG ========= +Version 56 (January 19, 2022) +----------------------------- -In Development --------------- +Software updates: -Mail: -* Roundcube's persistent_login plugin update to better support Roundcube 1.5 +* Roundcube updated to 1.5.2 (from 1.5.0), and the persistent_login and CardDAV (to 4.3.0 from 3.0.3) plugins are updated. +* Nextcloud updated to 20.0.14 (from 20.0.8), contacts to 4.0.7 (from 3.5.1), and calendar to 3.0.4 (from 2.2.0). + +Setup: + +* Fixed failed setup if a previous attempt failed while updating Nextcloud. + +Control panel: + +* Fixed a crash if a custom DNS entry is not under a zone managed by the box. +* Fix DNSSEC instructions typo. + +Other: + +* Set systemd journald log retention to 10 days (from no limit) to reduce disk usage. +* Fixed log processing for submission lines that have a sasl_sender or other extra information. +* Fix DNS secondary nameserver refesh failure retry period. Version 55 (October 18, 2021) ----------------------------- diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 00e15ec7..953c9016 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -20,9 +20,9 @@ _If you're seeing an error message about your *IP address being listed in the Sp ### Modifying your `hosts` file -After a while, Mail-in-a-Box will be available at `192.168.50.4` (unless you changed that in your `Vagrantfile`). To be able to use the web-based bits, we recommend to add a hostname to your `hosts` file: +After a while, Mail-in-a-Box will be available at `192.168.56.4` (unless you changed that in your `Vagrantfile`). To be able to use the web-based bits, we recommend to add a hostname to your `hosts` file: - $ echo "192.168.50.4 mailinabox.lan" | sudo tee -a /etc/hosts + $ echo "192.168.56.4 mailinabox.lan" | sudo tee -a /etc/hosts You should now be able to navigate to https://mailinabox.lan/admin using your browser. There should be an initial admin user with the name `me@mailinabox.lan` and the password `12345678`. 
diff --git a/README.md b/README.md index b80b0f4b..b4cffa55 100644 --- a/README.md +++ b/README.md @@ -119,7 +119,7 @@ Clone this repository and checkout the tag corresponding to the most recent rele $ git clone https://github.com/mail-in-a-box/mailinabox $ cd mailinabox - $ git checkout v55 + $ git checkout v56 Begin the installation. diff --git a/Vagrantfile b/Vagrantfile index aaf7ce9f..da235aca 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -9,7 +9,7 @@ Vagrant.configure("2") do |config| # the machine's box will let anyone log into it. So instead we'll put the # machine on a private network. config.vm.hostname = "mailinabox.lan" - config.vm.network "private_network", ip: "192.168.50.4" + config.vm.network "private_network", ip: "192.168.56.4" config.vm.provision :shell, :inline => <<-SH # Set environment variables so that the setup script does diff --git a/management/dns_update.py b/management/dns_update.py index 1c4e6647..edeaa9c2 100755 --- a/management/dns_update.py +++ b/management/dns_update.py @@ -510,7 +510,7 @@ def write_nsd_zone(domain, zonefile, records, env, force): # @ the PRIMARY_HOSTNAME. Hopefully that's legit. # # For the refresh through TTL fields, a good reference is: - # http://www.peerwisdom.org/2013/05/15/dns-understanding-the-soa-record/ + # https://www.ripe.net/publications/docs/ripe-203 # Time To Refresh – How long in seconds a nameserver should wait prior to checking for a Serial Number # increase within the primary zone file. An increased Serial Number means a transfer is needed to sync diff --git a/management/templates/system-backup.html b/management/templates/system-backup.html index 6cbcc4fa..3075b912 100644 --- a/management/templates/system-backup.html +++ b/management/templates/system-backup.html @@ -5,7 +5,7 @@

Backup Status

-

The box makes an incremental backup each night. By default the backup is stored on the machine itself, but you can also store in on S3-compatible services like Amazon Web Services (AWS).

+

The box makes an incremental backup each night. By default the backup is stored on the machine itself, but you can also store it on S3-compatible services like Amazon Web Services (AWS).

Configuration

diff --git a/setup/additionals.sh b/setup/additionals.sh index d29d86f7..f1b87e4e 100644 --- a/setup/additionals.sh +++ b/setup/additionals.sh @@ -15,12 +15,6 @@ sed -i "s/#\& stop/\& stop/g" /etc/rsyslog.d/20-ufw.conf restart_service rsyslog -# decrease time journal is stored -tools/editconf.py /etc/systemd/journald.conf MaxRetentionSec=2month -tools/editconf.py /etc/systemd/journald.conf MaxFileSec=1week - -hide_output systemctl restart systemd-journald.service - # Create forward for root emails cat > /root/.forward << EOF; administrator@$PRIMARY_HOSTNAME diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh index c7d9622c..0fe4fc44 100644 --- a/setup/bootstrap.sh +++ b/setup/bootstrap.sh @@ -24,7 +24,7 @@ if [ -z "$TAG" ]; then elif [ "$(lsb_release -d | sed 's/.*:\s*//' | sed 's/18\.04\.[0-9]/18.04/' )" == "Ubuntu 18.04 LTS" ]; then # This machine is running Ubuntu 18.04. - TAG=v55 + TAG=v56 elif [ "$(lsb_release -d | sed 's/.*:\s*//' | sed 's/14\.04\.[0-9]/14.04/' )" == "Ubuntu 14.04 LTS" ]; then # This machine is running Ubuntu 14.04. diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index b0637c12..29ff1214 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh 
@@ -9,6 +9,39 @@ source /etc/mailinabox.conf # load global vars echo "Installing Nextcloud (contacts/calendar)..." +# Nextcloud core and app (plugin) versions to install. +# With each version we store a hash to ensure we install what we expect. + +# Nextcloud core +# -------------- +# * See https://nextcloud.com/changelog for the latest version. +# * Check https://docs.nextcloud.com/server/latest/admin_manual/installation/system_requirements.html +# for whether it supports the version of PHP available on this machine. +# * Since Nextcloud only supports upgrades from consecutive major versions, +# we automatically install intermediate versions as needed. +# * The hash is the SHA1 hash of the ZIP package, which you can find by just running this script and +# copying it from the error message when it doesn't match what is below. +nextcloud_ver=22.2.3 +nextcloud_hash=58d2d897ba22a057aa03d29c762c5306211fefd2 + +# Nextcloud apps +# -------------- +# * Find the most recent tag that is compatible with the Nextcloud version above by +# consulting the ... node at: +# https://github.com/nextcloud-releases/contacts/blob/maaster/appinfo/info.xml +# https://github.com/nextcloud-releases/calendar/blob/master/appinfo/info.xml +# https://github.com/nextcloud/user_external/blob/master/appinfo/info.xml +# * The hash is the SHA1 hash of the ZIP package, which you can find by just running this script and +# copying it from the error message when it doesn't match what is below. +contacts_ver=4.0.7 +contacts_hash=8ab31d205408e4f12067d8a4daa3595d46b513e3 +calendar_ver=3.0.4 +calendar_hash=6fb1e998d307c53245faf1c37a96eb982bbee8ba +user_external_ver=2.1.0 +user_external_hash=6e5afe7f36f398f864bfdce9cad72200e70322aa + +# Clear prior packages and install dependencies from apt. + apt-get purge -qq -y owncloud* # we used to use the package manager apt_install php php-fpm \ 
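Review bot: The added comment for `nextcloud_hash`, repeated for the app hashes, tells the maintainer to obtain the pinned SHA1 by running the script and copying the value from the mismatch error, which pins whatever was downloaded at that moment rather than what the publisher released. A pin obtained this way only detects later changes to the archive and gives no assurance about the first download. I would reword it along the lines of `# * The hash is the SHA1 of the ZIP package; compare it with the checksum or signature published for the release before pinning it here.` Since SHA-1 is no longer collision-resistant, a move to SHA-256 is worth considering if wget_verify (defined outside this diff) can be extended. The same advice is added in the setup/webmail.sh hunk ("The easiest way to get the package hashes…"), and the contacts URL in this hunk has a typo, `blob/maaster/`.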
@@ -18,8 +51,9 @@ apt_install php php-fpm \ # Enable apc is required before installing nextcloud 21 tools/editconf.py /etc/php/$(php_version)/mods-available/apcu.ini -c ';' \ + apc.enabled=1 \ apc.enable_cli=1 - + restart_service php$(php_version)-fpm InstallNextcloud() { @@ -55,23 +89,11 @@ InstallNextcloud() { # their github repositories. mkdir -p /usr/local/lib/owncloud/apps - contacts_cutoff="3.5.1" # this version was the last posted version on 12/27/2021 that supported the old url format - if [ ${contacts_cutoff//.} -gt ${version_contacts//.} ]; then - wget_verify https://github.com/nextcloud/contacts/releases/download/v$version_contacts/contacts.tar.gz $hash_contacts /tmp/contacts.tgz - else - wget_verify https://github.com/nextcloud-releases/contacts/releases/download/v$version_contacts/contacts-v$version_contacts.tar.gz $hash_contacts /tmp/contacts.tgz - fi - + wget_verify https://github.com/nextcloud-releases/contacts/releases/download/v$version_contacts/contacts-v$version_contacts.tar.gz $hash_contacts /tmp/contacts.tgz tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/contacts.tgz - calendar_cutoff="2.0.5" # this version was the last posted version on 12/27/2021 that supported the old url format - if [ ${calendar_cutoff//.} -gt ${version_calendar//.} ]; then - wget_verify https://github.com/nextcloud/calendar/releases/download/v$version_calendar/calendar.tar.gz $hash_calendar /tmp/calendar.tgz - else - wget_verify https://github.com/nextcloud-releases/calendar/releases/download/v$version_calendar/calendar.tar.gz $hash_calendar /tmp/calendar.tgz - fi - + wget_verify https://github.com/nextcloud-releases/calendar/releases/download/v$version_calendar/calendar-v$version_calendar.tar.gz $hash_calendar /tmp/calendar.tgz tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/calendar.tgz 
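Review bot: Dropping the `contacts_cutoff`/`calendar_cutoff` branches in the second hunk on this line makes every InstallNextcloud call fetch from `nextcloud-releases/...` with the `-v$version` file name, yet the upgrade ladder further down still passes contacts 3.3.0 and 3.4.1 and calendar 2.0.3. The removed comments said versions below the cutoffs were only published under the old `github.com/nextcloud/...` URL format, so, if that still holds, wget_verify will fail on a missing file or a hash mismatch partway through a multi-version upgrade. Either keep the old-URL branch for versions below the cutoff, or confirm that the old tags exist under nextcloud-releases with archives matching the pinned hashes. InstallNextcloud starts before and ends after this hunk, so how a failed download is handled there is not visible.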
@@ -117,16 +139,6 @@ InstallNextcloud() { fi } -# Nextcloud Version to install. Checks are done down below to step through intermediate versions. -nextcloud_ver=22.2.3 -nextcloud_hash=58d2d897ba22a057aa03d29c762c5306211fefd2 -contacts_ver=4.0.7 -contacts_hash=8ab31d205408e4f12067d8a4daa3595d46b513e3 -calendar_ver=3.0.2 -calendar_hash=dcc62633f81c2cb53ce202348c79a0ab5bf4c9a8 -user_external_ver=2.1.0 -user_external_hash=6e5afe7f36f398f864bfdce9cad72200e70322aa - # Current Nextcloud Version, #1623 # Checking /usr/local/lib/owncloud/version.php shows version of the Nextcloud application, not the DB # $STORAGE_ROOT/owncloud is kept together even during a backup. It is better to rely on config.php than 
@@ -188,16 +200,16 @@ if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextc InstallNextcloud 16.0.6 0bb3098455ec89f5af77a652aad553ad40a88819 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437 CURRENT_NEXTCLOUD_VER="16.0.6" fi - if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^16 ]]; then + if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^16 ]]; then InstallNextcloud 17.0.6 50b98d2c2f18510b9530e558ced9ab51eb4f11b0 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437 CURRENT_NEXTCLOUD_VER="17.0.6" - fi - if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^17 ]]; then - # Don't exit the install if this column already exists (see #2076) + fi + if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^17 ]]; then + # Don't exit the install if this column already exists (see #2076) (echo "ALTER TABLE oc_flow_operations ADD COLUMN entity VARCHAR;" | sqlite3 $STORAGE_ROOT/owncloud/owncloud.db 2>/dev/null) || true - InstallNextcloud 18.0.10 39c0021a8b8477c3f1733fddefacfa5ebf921c68 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a - CURRENT_NEXTCLOUD_VER="18.0.10" - fi + InstallNextcloud 18.0.10 39c0021a8b8477c3f1733fddefacfa5ebf921c68 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a + CURRENT_NEXTCLOUD_VER="18.0.10" + fi if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^18 ]]; then InstallNextcloud 19.0.4 01e98791ba12f4860d3d4047b9803f97a1b55c60 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a CURRENT_NEXTCLOUD_VER="19.0.4" diff --git a/setup/system.sh b/setup/system.sh index e52dd049..b6d16f27 100755 --- a/setup/system.sh +++ b/setup/system.sh 
@@ -75,7 +75,14 @@ then fi fi -# Certbot doesn't require a PPA in Debian +# ### Set log retention policy. + +# Set the systemd journal log retention from infinite to 10 days, +# since over time the logs take up a large amount of space. +# (See https://discourse.mailinabox.email/t/journalctl-reclaim-space-on-small-mailinabox/6728/11.) +tools/editconf.py /etc/systemd/journald.conf MaxRetentionSec=10day + +hide_output systemctl restart systemd-journald.service # ### Update Packages diff --git a/setup/webmail.sh b/setup/webmail.sh index e4ee18c4..d8994895 100755 --- a/setup/webmail.sh +++ b/setup/webmail.sh 
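Review bot: `MaxRetentionSec=10day` in this hunk discards journal entries by age, which leaves only a ten-day window for investigating a compromise or abuse of the mail server, while the stated motivation is disk usage. The comment says the previous retention was infinite, but this same patch removes `MaxRetentionSec=2month` and `MaxFileSec=1week` from setup/additionals.sh. On boxes set up from this fork the change therefore shortens an existing two-month window, and it presumably leaves the old `MaxFileSec` line in journald.conf. If space is the concern, a size cap addresses it directly, e.g. `tools/editconf.py /etc/systemd/journald.conf MaxRetentionSec=<agreed window> SystemMaxUse=<size budget>`. The comment should also state what retention the project considers sufficient for incident review.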
@@ -28,16 +28,21 @@ apt_install \ # Install Roundcube from source if it is not already present or if it is out of date. # Combine the Roundcube version number with the commit hash of plugins to track # whether we have the latest version of everything. - -VERSION=1.5.0 -HASH=2a9d11d9c10c8e8756120606c47eef702f00fe6d +# For the latest versions, see: +# https://github.com/roundcube/roundcubemail/releases +# https://github.com/mfreiholz/persistent_login/commits/master +# https://github.com/stremlau/html5_notifier/commits/master +# https://github.com/mstilkerich/rcmcarddav/releases +# The easiest way to get the package hashes is to run this script and get the hash from +# the error message. +VERSION=1.5.2 +HASH=208ce4ca0be423cc0f7070ff59bd03588b4439bf PERSISTENT_LOGIN_VERSION=59ca1b0d3a02cff5fa621c1ad581d15f9d642fe8 HTML5_NOTIFIER_VERSION=68d9ca194212e15b3c7225eb6085dbcf02fd13d7 # version 0.6.4+ -CONTEXT_MENU_VERSION=602a3812922fb8f71814eb3b8d91e9b7859aab7e # version 3.2.1 -TWOFACT_COMMIT=a3944c4604fe86fc020847f281beea031e14e58e # master @ 17-10-2021 - CARDDAV_VERSION=4.3.0 CARDDAV_HASH=4ad7df8843951062878b1375f77c614f68bc5c61 +CONTEXT_MENU_VERSION=602a3812922fb8f71814eb3b8d91e9b7859aab7e # version 3.2.1 +TWOFACT_COMMIT=a3944c4604fe86fc020847f281beea031e14e58e # master @ 17-10-2021 UPDATE_KEY=$VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:$CARDDAV_VERSION:$CONTEXT_MENU_VERSION:$TWOFACT_COMMIT From d4e7fb985de12f3f068f6e12ecc5001eb3149558 Mon Sep 17 00:00:00 2001 From: "github@kiekerjan.isdronken.nl" Date: Sun, 6 Feb 2022 22:01:08 +0100 Subject: [PATCH 22/22] remove openDKIM if present --- setup/dkim.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/setup/dkim.sh b/setup/dkim.sh index 4235841d..7929260e 100755 --- a/setup/dkim.sh +++ b/setup/dkim.sh 
@@ -9,7 +9,10 @@ source setup/functions.sh # load our functions source /etc/mailinabox.conf # load global vars -# Install DKIM... +# Remove openDKIM if present +apt-get purge -qq -y opendkim opendkim-tools + +# Install DKIMpy-Milter echo Installing DKIMpy/OpenDMARC... apt_install dkimpy-milter python3-dkim opendmarc
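Review bot: The added `apt-get purge -qq -y opendkim opendkim-tools` runs before `apt_install dkimpy-milter ...`, so if that install fails the box is left with no DKIM signer. The diffstat of the first patch in this series shows setup/mail-postfix.sh being changed for the new milter, but the configured milter failure action is not visible here. Depending on it, mail would then be either deferred or sent unsigned. I would move the purge below the `apt_install` line so the old signer is removed only once its replacement is in place. The comment should also note that purge deletes opendkim's configuration files, so any key or table paths referenced there must already live elsewhere.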