release v0.26

no need to do a second apt-get update after 'installing' the PHP7 PPA if the PPA was already installed
install Python 3 packages in a virtualenv
2026-03-12 17:07:23 +01:00 · 2018-01-18 17:10:23 -05:00 · 2018-01-15 13:28:18 -05:00 · 2018-01-15 13:27:04 -05:00 · 2018-01-15 11:29:12 -05:00 · 2018-01-15 10:33:05 -05:00
34 changed files with 472 additions and 250 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,67 @@
 CHANGELOG
 =========
 v0.26 (January 18, 2018)
 ------------------------
 Security:
 * HTTPS, IMAP, and POP's TLS settings have been updated to Mozilla's intermediate cipher list recommendation. Some extremely old devices that use less secure TLS ciphers may no longer be able to connect to IMAP/POP.
 * Updated web HSTS header to use longer six month duration.
 Mail:
 * Adding attachments in Roundcube broke after the last update for some users after rebooting because a temporary directory was deleted on reboot. The temporary directory is now moved from /tmp to /var so that it is persistent.
 * `X-Spam-Score` header is added to incoming mail.
 Control panel:
 * RSASHA256 is now used for DNSSEC for .lv domains.
 * Some documentation/links improvements.
 Installer:
 * We now run `apt-get autoremove` at the start of setup to clear out old packages, especially old kernels that take up a lot of space. On the first run, this step may take a long time.
 * We now fetch Z-Push from its tagged git repository, fixing an installation problem.
 * Some old PHP5 packages are removed from setup, fixing an installation bug where Apache would get installed.
 * Python 3 packages for the control panel are now installed using a virtualenv to prevent installation errors.
 v0.25 (November 15, 2017)
 -------------------------
 This update is a security update addressing [CVE-2017-16651, a vulnerability in Roundcube webmail that allows logged-in users to access files on the local filesystem](https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10).
 Mail:
 * Update to Roundcube 1.3.3.
 Control Panel:
 * Allow custom DNS records to be set for DNS wildcard subdomains (i.e. `*`).
 v0.24 (October 3, 2017)
 -----------------------
 System:
 * Install PHP7 via a PPA. Switch to the on-demand process manager.
 Mail:
 * Updated to [Roundcube 1.3.1](https://roundcube.net/news/2017/06/26/roundcube-webmail-1.3.0-released), but unfortunately dropping the Vacation plugin because it has not been supported by its author and is not compatible with Roundcube 1.3, and updated the persistent login plugin.
 * Updated to [Z-Push 2.3.8](http://download.z-push.org/final/2.3/z-push-2.3.8.txt).
 * Dovecot now uses stronger 2048 bit DH params for better forward secrecy.
 Nextcloud:
 * Nextcloud updated to 12.0.3, using PHP7.
 Control Panel:
 * Nameserver (NS) records can now be set on custom domains.
 * Fix an erroneous status check error due to IPv6 address formatting.
 * Aliases for administrative addresses can now be set to send mail to +tag administrative addresses.
 v0.23a (May 31, 2017)
 ---------------------
--- a/README.md
+++ b/README.md
@@ -59,7 +59,7 @@ by me:
 	$ curl -s https://keybase.io/joshdata/key.asc | gpg --import
 	gpg: key C10BDD81: public key "Joshua Tauberer <jt@occams.info>" imported
-	$ git verify-tag v0.23a
+	$ git verify-tag v0.26
 	gpg: Signature made ..... using RSA key ID C10BDD81
 	gpg: Good signature from "Joshua Tauberer <jt@occams.info>"
 	gpg: WARNING: This key is not certified with a trusted signature!
@@ -72,7 +72,7 @@ and on my [personal homepage](https://razor.occams.info/). (Of course, if this r
 Checkout the tag corresponding to the most recent release:
-	$ git checkout v0.23a
+	$ git checkout v0.26
 Begin the installation.
--- a/conf/management-initscript
+++ b/conf/management-initscript
@@ -14,7 +14,7 @@
 PATH=/sbin:/usr/sbin:/bin:/usr/bin
 DESC="Mail-in-a-Box Management Daemon"
 NAME=mailinabox
-DAEMON=/usr/local/bin/mailinabox-daemon
+DAEMON=/usr/local/lib/mailinabox/start
 PIDFILE=/var/run/$NAME.pid
 SCRIPTNAME=/etc/init.d/$NAME
--- a/conf/nginx-primaryonly.conf
+++ b/conf/nginx-primaryonly.conf
@@ -12,7 +12,6 @@
 		add_header X-Frame-Options "DENY";
 		add_header X-Content-Type-Options nosniff;
 		add_header Content-Security-Policy "frame-ancestors 'none';";
 		add_header Strict-Transport-Security max-age=31536000;
 	}
 	# Nextcloud configuration.
--- a/conf/nginx-ssl.conf
+++ b/conf/nginx-ssl.conf
@@ -1,5 +1,5 @@
-# from: https://gist.github.com/konklone/6532544
+# from https://gist.github.com/konklone/6532544 and https://mozilla.github.io/server-side-tls/ssl-config-generator/
-###################################################################################
+###################################################################################################################
 # Basically the nginx configuration I use at konklone.com. 
 # I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
@@ -27,17 +27,17 @@
 # 
 # Reference client: https://www.ssllabs.com/ssltest/analyze.html
 ssl_prefer_server_ciphers on;
-ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
 # Cut out (the old, broken) SSLv3 entirely. 
 # This **excludes IE6 users** and (apparently) Yandexbot.
 # Just comment out if you need to support IE6, bless your soul.
 ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
-# Turn on session resumption, using a 10 min cache shared across nginx processes,
+# Turn on session resumption, using a cache shared across nginx processes,
 # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
-ssl_session_cache   shared:SSL:10m;
+ssl_session_cache shared:SSL:50m;
-ssl_session_timeout 10m;
+ssl_session_timeout 1d;
 #keepalive_timeout   70; # in Ubuntu 14.04/nginx 1.4.6 the default is 65, so plenty good
 # Buffer size of 1400 bytes fits in one MTU.
--- a/conf/nginx-top.conf
+++ b/conf/nginx-top.conf
@@ -7,6 +7,6 @@
 ##       your own --- please do not ask for help from us.
 upstream php-fpm {
-	server unix:/var/run/php5-fpm.sock;
+	server unix:/var/run/php/php7.0-fpm.sock;
 }
--- a/management/backup.py
+++ b/management/backup.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/local/lib/mailinabox/env/bin/python
 # This script performs a backup of all user data:
 # 1) System services are stopped.
@@ -267,7 +267,7 @@ def perform_backup(full_backup):
 			if quit:
 				sys.exit(code)
-	service_command("php5-fpm", "stop", quit=True)
+	service_command("php7.0-fpm", "stop", quit=True)
 	service_command("postfix", "stop", quit=True)
 	service_command("dovecot", "stop", quit=True)
@@ -301,7 +301,7 @@ def perform_backup(full_backup):
 		# Start services again.
 		service_command("dovecot", "start", quit=False)
 		service_command("postfix", "start", quit=False)
-		service_command("php5-fpm", "start", quit=False)
+		service_command("php7.0-fpm", "start", quit=False)
 	# Once the migrated backup is included in a new backup, it can be deleted.
 	if os.path.isdir(migrated_unencrypted_backup_dir):
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -1,5 +1,3 @@
 #!/usr/bin/python3
 import os, os.path, re, json, time
 import subprocess
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/local/lib/mailinabox/env/bin/python
 # Creates DNS zone files for all of the domains of all of the mail users
 # and mail aliases and restarts nsd.
@@ -12,6 +12,12 @@ import dns.resolver
 from mailconfig import get_mail_domains
 from utils import shell, load_env_vars_from_file, safe_domain_name, sort_domains
 # From https://stackoverflow.com/questions/3026957/how-to-validate-a-domain-name-using-regex-php/16491074#16491074
 # This regular expression matches domain names according to RFCs, it also accepts fqdn with an leading dot,
 # underscores, as well as asteriks which are allowed in domain names but not hostnames (i.e. allowed in
 # DNS but not in URLs), which are common in certain record types like for DKIM.
 DOMAIN_RE = "^(?!\-)(?:[*][.])?(?:[a-zA-Z\d\-_]{0,62}[a-zA-Z\d_]\.){1,126}(?!\d+)[a-zA-Z\d_]{1,63}(\.?)$"
 def get_dns_domains(env):
 	# Add all domain names in use by email users and mail aliases and ensure
 	# PRIMARY_HOSTNAME is in the list.
@@ -144,7 +150,7 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 		# Define ns2.PRIMARY_HOSTNAME or whatever the user overrides.
 		# User may provide one or more additional nameservers
 		secondary_ns_list = get_secondary_dns(additional_records, mode="NS") \
-			or ["ns2." + env["PRIMARY_HOSTNAME"]] 
+			or ["ns2." + env["PRIMARY_HOSTNAME"]]
 		for secondary_ns in secondary_ns_list:
 			records.append((None,  "NS", secondary_ns+'.', False))
@@ -522,12 +528,13 @@ zone:
 def dnssec_choose_algo(domain, env):
 	if '.' in domain and domain.rsplit('.')[-1] in \
-		("email", "guide", "fund", "be"):
+		("email", "guide", "fund", "be", "lv"):
 		# At GoDaddy, RSASHA256 is the only algorithm supported
 		# for .email and .guide.
 		# A variety of algorithms are supported for .fund. This
 		# is preferred.
 		# Gandi tells me that .be does not support RSASHA1-NSEC3-SHA1
        # Nic.lv does not support RSASHA1-NSEC3-SHA1 for .lv tld's
 		return "RSASHA256"
 	# For any domain we were able to sign before, don't change the algorithm
@@ -762,11 +769,24 @@ def set_custom_dns_record(qname, rtype, value, action, env):
 	# validate rtype
 	rtype = rtype.upper()
 	if value is not None and qname != "_secondary_nameserver":
 		if not re.search(DOMAIN_RE, qname):
 			raise ValueError("Invalid name.")
 		if rtype in ("A", "AAAA"):
 			if value != "local": # "local" is a special flag for us
 				v = ipaddress.ip_address(value) # raises a ValueError if there's a problem
 				if rtype == "A" and not isinstance(v, ipaddress.IPv4Address): raise ValueError("That's an IPv6 address.")
 				if rtype == "AAAA" and not isinstance(v, ipaddress.IPv6Address): raise ValueError("That's an IPv4 address.")
 		elif rtype in ("CNAME", "NS"):
 			if rtype == "NS" and qname == zone:
 				raise ValueError("NS records can only be set for subdomains.")
 			# ensure value has a trailing dot
 			if not value.endswith("."):
 				value = value + "."
 			if not re.search(DOMAIN_RE, value):
 				raise ValueError("Invalid value.")
 		elif rtype in ("CNAME", "TXT", "SRV", "MX", "SSHFP", "CAA"):
 			# anything goes
 			pass
--- a/management/email_administrator.py
+++ b/management/email_administrator.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/local/lib/mailinabox/env/bin/python
 # Reads in STDIN. If the stream is not empty, mail it to the system administrator.
--- a/management/mail_log.py
+++ b/management/mail_log.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/local/lib/mailinabox/env/bin/python
 import argparse
 import datetime
 import gzip
--- a/management/mailconfig.py
+++ b/management/mailconfig.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/local/lib/mailinabox/env/bin/python
 import subprocess, shutil, os, sqlite3, re
 import utils
@@ -435,9 +435,11 @@ def add_mail_alias(address, forwards_to, permitted_senders, env, update_if_exist
 				email = email.strip()
 				if email == "": continue
 				email = sanitize_idn_email_address(email) # Unicode => IDNA
 				# Strip any +tag from email alias and check privileges
 				privileged_email = re.sub(r"(?=\+)[^@]*(?=@)",'',email)
 				if not validate_email(email):
 					return ("Invalid receiver email address (%s)." % email, 400)
-				if is_dcv_source and not is_dcv_address(email) and "admin" not in get_mail_user_privileges(email, env, empty_on_error=True):
+				if is_dcv_source and not is_dcv_address(email) and "admin" not in get_mail_user_privileges(privileged_email, env, empty_on_error=True):
 					# Make domain control validation hijacking a little harder to mess up by
 					# requiring aliases for email addresses typically used in DCV to forward
 					# only to accounts that are administrators on this system.
--- a/management/ssl_certificates.py
+++ b/management/ssl_certificates.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/local/lib/mailinabox/env/bin/python
 # Utilities for installing and selecting SSL certificates.
 import os, os.path, re, shutil
--- a/management/status_checks.py
+++ b/management/status_checks.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/local/lib/mailinabox/env/bin/python
 #
 # Checks that the upstream DNS has been set correctly and that
 # TLS certificates have been signed, etc., and if not tells the user
@@ -640,7 +640,7 @@ def check_web_domain(domain, rounded_time, ssl_certificates, env, output):
 		for (rtype, expected) in (("A", env['PUBLIC_IP']), ("AAAA", env.get('PUBLIC_IPV6'))):
 			if not expected: continue # IPv6 is not configured
 			value = query_dns(domain, rtype)
-			if value == expected:
+			if normalize_ip(value) == normalize_ip(expected):
 				ok_values.append(value)
 			else:
 				output.print_error("""This domain should resolve to your box's IP address (%s %s) if you would like the box to serve
--- a/management/templates/custom-dns.html
+++ b/management/templates/custom-dns.html
@@ -31,14 +31,15 @@
    <label for="customdnsType" class="col-sm-1 control-label">Type</label>
    <div class="col-sm-10">
      <select id="customdnsType" class="form-control" style="max-width: 400px" onchange="show_customdns_rtype_hint()">
-        <option value="A" data-hint="Enter an IPv4 address (i.e. a dotted quad, such as 123.456.789.012).">A (IPv4 address)</option>
+        <option value="A" data-hint="Enter an IPv4 address (i.e. a dotted quad, such as 123.456.789.012).  The 'local' alias sets the record to this box's public IPv4 address.">A (IPv4 address)</option>
-        <option value="AAAA" data-hint="Enter an IPv6 address.">AAAA (IPv6 address)</option>
+        <option value="AAAA" data-hint="Enter an IPv6 address.  The 'local' alias sets the record to this box's public IPv6 address.">AAAA (IPv6 address)</option>
        <option value="CAA" data-hint="Enter a CA that can issue certificates for this domain in the form of FLAG TAG VALUE. (0 issuewild &quot;letsencrypt.org&quot;)">CAA (Certificate Authority Authorization)</option>
        <option value="CNAME" data-hint="Enter another domain name followed by a period at the end (e.g. mypage.github.io.).">CNAME (DNS forwarding)</option>
        <option value="TXT" data-hint="Enter arbitrary text.">TXT (text record)</option>
        <option value="MX" data-hint="Enter record in the form of PRIORITY DOMAIN., including trailing period (e.g. 20 mx.example.com.).">MX (mail exchanger)</option>
        <option value="SRV" data-hint="Enter record in the form of PRIORITY WEIGHT PORT TARGET., including trailing period (e.g. 10 10 5060 sip.example.com.).">SRV (service record)</option>
        <option value="SSHFP" data-hint="Enter record in the form of ALGORITHM TYPE FINGERPRINT.">SSHFP (SSH fingerprint record)</option>
        <option value="NS" data-hint="Enter a hostname to which this subdomain should be delegated to">NS (DNS subdomain delegation)</option>
      </select>
    </div>
  </div>
@@ -126,7 +127,7 @@
 <tr><td>email</td> <td>The email address of any administrative user here.</td></tr>
 <tr><td>password</td> <td>That user&rsquo;s password.</td></tr>
 <tr><td>qname</td> <td>The fully qualified domain name for the record you are trying to set. It must be one of the domain names or a subdomain of one of the domain names hosted on this box. (Add mail users or aliases to add new domains.)</td></tr>
-<tr><td>rtype</td> <td>The resource type. Defaults to <code>A</code> if omitted. Possible values: <code>A</code> (an IPv4 address), <code>AAAA</code> (an IPv6 address), <code>TXT</code> (a text string), <code>CNAME</code> (an alias, which is a fully qualified domain name &mdash; don&rsquo;t forget the final period), <code>MX</code>, <code>SRV</code>, <code>SSHFP</code> or <code>CAA</code>.</td></tr>
+<tr><td>rtype</td> <td>The resource type. Defaults to <code>A</code> if omitted. Possible values: <code>A</code> (an IPv4 address), <code>AAAA</code> (an IPv6 address), <code>TXT</code> (a text string), <code>CNAME</code> (an alias, which is a fully qualified domain name &mdash; don&rsquo;t forget the final period), <code>MX</code>, <code>SRV</code>, <code>SSHFP</code>, <code>CAA</code> or <code>NS</code>.</td></tr>
 <tr><td>value</td> <td>For PUT, POST, and DELETE, the record&rsquo;s value. If the <code>rtype</code> is <code>A</code> or <code>AAAA</code> and <code>value</code> is empty or omitted, the IPv4 or IPv6 address of the remote host is used (be sure to use the <code>-4</code> or <code>-6</code> options to curl). This is handy for dynamic DNS!</td></tr>
 </table>
--- a/management/templates/index.html
+++ b/management/templates/index.html
@@ -108,7 +108,7 @@
            <li><a href="#web" onclick="return show_panel(this);">Web</a></li>
          </ul>
          <ul class="nav navbar-nav navbar-right">
-            <li><a href="#" onclick="do_logout(); return false;" style="color: white">Log out?</a></li>
+            <li><a href="#" onclick="do_logout(); return false;" style="color: white">Log out</a></li>
          </ul>
        </div><!--/.navbar-collapse -->
      </div>
--- a/management/templates/sync-guide.html
+++ b/management/templates/sync-guide.html
@@ -30,7 +30,7 @@
 			<table class="table">
 			<thead><tr><th>For...</th> <th>Use...</th></tr></thead>
-			<tr><td>Contacts and Calendar</td> <td><a href="https://play.google.com/store/apps/details?id=at.bitfire.davdroid">DAVdroid</a> ($3.69; free <a href="https://f-droid.org/repository/browse/?fdfilter=dav&fdid=at.bitfire.davdroid">here</a>)</td></tr>
+			<tr><td>Contacts and Calendar</td> <td><a href="https://play.google.com/store/apps/details?id=at.bitfire.davdroid">DAVdroid</a> ($3.69; free <a href="https://f-droid.org/packages/at.bitfire.davdroid/">here</a>)</td></tr>
 			<tr><td>Only Contacts</td> <td><a href="https://play.google.com/store/apps/details?id=org.dmfs.carddav.sync">CardDAV-Sync free beta</a> (free)</td></tr>
 			<tr><td>Only Calendar</td> <td><a href="https://play.google.com/store/apps/details?id=org.dmfs.caldav.lib">CalDAV-Sync</a> ($2.89)</td></tr>
 			</table>
--- a/management/web_update.py
+++ b/management/web_update.py
@@ -158,9 +158,9 @@ def make_domain_config(domain, templates, ssl_certificates, env):
 	# Add the HSTS header.
 	if hsts == "yes":
-		nginx_conf_extra += "add_header Strict-Transport-Security max-age=31536000;\n"
+		nginx_conf_extra += "add_header Strict-Transport-Security max-age=15768000;\n"
 	elif hsts == "preload":
-		nginx_conf_extra += "add_header Strict-Transport-Security \"max-age=10886400; includeSubDomains; preload\";\n"
+		nginx_conf_extra += "add_header Strict-Transport-Security \"max-age=15768000; includeSubDomains; preload\";\n"
 	# Add in any user customizations in the includes/ folder.
 	nginx_conf_custom_include = os.path.join(env["STORAGE_ROOT"], "www", safe_domain_name(domain) + ".conf")
--- a/ppa/Makefile
+++ b/ppa/Makefile
@@ -14,7 +14,7 @@ build_postgrey: clean
 	git clone git://git.debian.org/git/collab-maint/postgrey.git /tmp/build/postgrey
 	# Download the corresponding upstream package.
-	wget -O /tmp/build/postgrey_1.35.orig.tar.gz http://postgrey.schweikert.ch/pub/postgrey-1.35.tar.gz
+	wget -O /tmp/build/postgrey_1.35.orig.tar.gz http://postgrey.schweikert.ch/pub/old/postgrey-1.35.tar.gz
 	# Add our source patch to the debian packaging listing.
 	cp postgrey_sources.diff /tmp/build/postgrey/debian/patches/mailinabox
--- a/security.md
+++ b/security.md
@@ -40,21 +40,14 @@ The services all follow these rules:
 * TLS certificates are generated with 2048-bit RSA keys and SHA-256 fingerprints. The box provides a self-signed certificate by default. The [setup guide](https://mailinabox.email/guide.html) explains how to verify the certificate fingerprint on first login. Users are encouraged to replace the certificate with a proper CA-signed one. ([source](setup/ssl.sh))
 * Only TLSv1, TLSv1.1 and TLSv1.2 are offered (the older SSL protocols are not offered).
-* Export-grade ciphers, the anonymous DH/ECDH algorithms (aNULL), and clear-text ciphers (eNULL) are not offered.
+* HTTPS, IMAP, and POP track the [Mozilla Intermediate Ciphers Recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS), balancing security with supporting a wide range of mail clients. Diffie-Hellman ciphers use a 2048-bit key for forward secrecy. For more details, see the [output of SSLyze for these ports](tests/tls_results.txt).
-* The minimum cipher key length offered is 112 bits. The maximum is 256 bits. Diffie-Hellman ciphers use a 2048-bit key for forward secrecy.
+* SMTP (port 25) uses the Postfix medium grade ciphers and SMTP Submission (port 587) uses the Postfix high grade ciphers ([more info](http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_ciphers)).
 Additionally:
 * SMTP Submission (port 587) will not accept user credentials without STARTTLS (true also of SMTP on port 25 in case of client misconfiguration), and the submission port won't accept mail without encryption. The minimum cipher key length is 128 bits. (The box is of course configured not to be an open relay. User credentials are required to send outbound mail.) ([source](setup/mail-postfix.sh))
 * HTTPS (port 443): The HTTPS Strict Transport Security header is set. A redirect from HTTP to HTTPS is offered. The [Qualys SSL Labs test](https://www.ssllabs.com/ssltest) should report an A+ grade. ([source 1](conf/nginx-ssl.conf), [source 2](conf/nginx.conf))
 For more details, see the [output of SSLyze for these ports](tests/tls_results.txt).
 The cipher and protocol selection are chosen to support the following clients:
 * For HTTPS: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7.
 * For other protocols: TBD.
 ### Password Storage
 The passwords for mail users are stored on disk using the [SHA512-CRYPT](http://man7.org/linux/man-pages/man3/crypt.3.html) hashing scheme. ([source](management/mailconfig.py))
--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@@ -7,7 +7,7 @@
 #########################################################
 if [ -z "$TAG" ]; then
-	TAG=v0.23a
+	TAG=v0.26
 fi
 # Are we running as root?
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -48,6 +48,15 @@ function apt_install {
 	apt_get_quiet install $PACKAGES
 }
 function apt_add_repository_to_unattended_upgrades {
 	if [ -f /etc/apt/apt.conf.d/50unattended-upgrades ]; then
 		if ! grep -q "$1" /etc/apt/apt.conf.d/50unattended-upgrades; then
 			sed -i "/Allowed-Origins/a \
 	    \"$1\";" /etc/apt/apt.conf.d/50unattended-upgrades
 		fi
 	fi
 }
 function get_default_hostname {
 	# Guess the machine's hostname. It should be a fully qualified
 	# domain name suitable for DNS. None of these calls may provide
--- a/setup/mail-dovecot.sh
+++ b/setup/mail-dovecot.sh
@@ -46,7 +46,7 @@ apt_install \
 # - https://www.dovecot.org/list/dovecot/2011-December/132455.html
 tools/editconf.py /etc/dovecot/conf.d/10-master.conf \
 	default_process_limit=$(echo "`nproc` * 250" | bc) \
-	default_vsz_limit=$(echo "`free -tom  | tail -1 | awk '{print $2}'` / 3" | bc)M \
+	default_vsz_limit=$(echo "`free -tm  | tail -1 | awk '{print $2}'` / 3" | bc)M \
 	log_path=/var/log/mail.log
 # The inotify `max_user_instances` default is 128, which constrains
@@ -79,12 +79,15 @@ tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \
 # Enable SSL, specify the location of the SSL certificate and private key files.
 # Disable obsolete SSL protocols and allow only good ciphers per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/.
 # Enable strong ssl dh parameters
 tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
 	ssl=required \
 	"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
 	"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
 	"ssl_protocols=!SSLv3 !SSLv2" \
-	"ssl_cipher_list=TLSv1+HIGH !SSLv2 !RC4 !aNULL !eNULL !3DES @STRENGTH"
+	"ssl_cipher_list=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" \
 	"ssl_prefer_server_ciphers = yes" \
 	"ssl_dh_parameters_length = 2048"
 # Disable in-the-clear IMAP/POP because there is no reason for a user to transmit
 # login credentials outside of an encrypted connection. Only the over-TLS versions
--- a/setup/management.sh
+++ b/setup/management.sh
@@ -6,21 +6,33 @@ echo "Installing Mail-in-a-Box system management daemon..."
 # DEPENDENCIES
-# Install Python packages that are available from the Ubuntu
+# duplicity is used to make backups of user data. It uses boto
-# apt repository:
+# (via Python 2) to do backups to AWS S3. boto from the Ubuntu
-# flask, yaml, dnspython, and dateutil are all for our Python 3 management daemon itself.
+# package manager is too out-of-date -- it doesn't support the newer
-# duplicity does backups. python-pip is so we can 'pip install boto' for Python 2, for duplicity, so it can do backups to AWS S3.
+# S3 api used in some regions, which breaks backups to those regions.
-apt_install python3-flask links duplicity libyaml-dev python3-dnspython python3-dateutil python-pip
+# See #627, #653.
 apt_install duplicity python-pip
 hide_output pip2 install --upgrade boto
-# These are required to pip install cryptography.
+# These are required to build/install the cryptography Python package
-apt_install build-essential libssl-dev libffi-dev python3-dev
+# used by our management daemon.
 apt_install python-virtualenv build-essential libssl-dev libffi-dev python3-dev
-# pip<6.1 + setuptools>=34 have a problem with packages that
+# Create a virtualenv for the installation of Python 3 packages
 # used by the management daemon.
 inst_dir=/usr/local/lib/mailinabox
 mkdir -p $inst_dir
 venv=$inst_dir/env
 if [ ! -d $venv ]; then
 	virtualenv -ppython3 $venv
 fi
 # pip<6.1 + setuptools>=34 had a problem with packages that
 # try to update setuptools during installation, like cryptography.
 # See https://github.com/pypa/pip/issues/4253. The Ubuntu 14.04
-# package versions are pip 1.5.4 and setuptools 3.3. When we
+# package versions are pip 1.5.4 and setuptools 3.3. When we used to
-# install cryptography under those versions, it tries to update
+# instal cryptography system-wide under those versions, it updated
-# setuptools to version 34, which now creates the conflict, and
+# setuptools to version 34, which created the conflict, and
 # then pip gets permanently broken with errors like
 # "ImportError: No module named 'packaging'".
 #
@@ -35,8 +47,8 @@ fi
 # The easiest work-around on systems that aren't already broken is
 # to upgrade pip (to >=9.0.1) and setuptools (to >=34.1) individually
 # before we install any package that tries to update setuptools.
-hide_output pip3 install --upgrade pip
+hide_output $venv/bin/pip install --upgrade pip
-hide_output pip3 install --upgrade setuptools
+hide_output $venv/bin/pip install --upgrade setuptools
 # Install other Python 3 packages used by the management daemon.
 # The first line is the packages that Josh maintains himself!
@@ -44,15 +56,11 @@ hide_output pip3 install --upgrade setuptools
 # Force acme to be updated because it seems to need it after the
 # pip/setuptools breakage (see above) and the ACME protocol may
 # have changed (I got an error on one of my systems).
-hide_output pip3 install --upgrade \
+hide_output $venv/bin/pip install --upgrade \
 	rtyaml "email_validator>=1.0.0" "free_tls_certificates>=0.1.3" "exclusiveprocess" \
 	flask dnspython python-dateutil \
 	"idna>=2.0.0" "cryptography>=1.0.2" acme boto psutil
 # duplicity uses python 2 so we need to get the python 2 package of boto to have backups to S3.
 # boto from the Ubuntu package manager is too out-of-date -- it doesn't support the newer
 # S3 api used in some regions, which breaks backups to those regions.  See #627, #653.
 hide_output pip2 install --upgrade boto
 # CONFIGURATION
 # Create a backup directory and a random key for encrypting backups.
@@ -65,7 +73,7 @@ fi
 # Download jQuery and Bootstrap local files
 # Make sure we have the directory to save to.
-assets_dir=/usr/local/lib/mailinabox/vendor/assets
+assets_dir=$inst_dir/vendor/assets
 rm -rf $assets_dir
 mkdir -p $assets_dir
@@ -82,16 +90,19 @@ bootstrap_url=https://github.com/twbs/bootstrap/releases/download/v$bootstrap_ve
 # Get Bootstrap
 wget_verify $bootstrap_url e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a /tmp/bootstrap.zip
-unzip -q /tmp/bootstrap.zip -d /usr/local/lib/mailinabox/vendor/assets
+unzip -q /tmp/bootstrap.zip -d $assets_dir
-mv /usr/local/lib/mailinabox/vendor/assets/bootstrap-$bootstrap_version-dist /usr/local/lib/mailinabox/vendor/assets/bootstrap
+mv $assets_dir/bootstrap-$bootstrap_version-dist $assets_dir/bootstrap
 rm -f /tmp/bootstrap.zip
 # Link the management server daemon into a well known location.
 rm -f /usr/local/bin/mailinabox-daemon
 ln -s `pwd`/management/daemon.py /usr/local/bin/mailinabox-daemon
 # Create an init script to start the management daemon and keep it
 # running after a reboot.
 rm -f /usr/local/bin/mailinabox-daemon # old path
 cat > $inst_dir/start <<EOF;
 #!/bin/bash
 source $venv/bin/activate
 python `pwd`/management/daemon.py
 EOF
 chmod +x $inst_dir/start
 rm -f /etc/init.d/mailinabox
 ln -s $(pwd)/conf/management-initscript /etc/init.d/mailinabox
 hide_output update-rc.d mailinabox defaults
--- a/setup/owncloud.sh
+++ b/setup/owncloud.sh
@@ -9,6 +9,7 @@ source /etc/mailinabox.conf # load global vars
 echo "Installing Nextcloud (contacts/calendar)..."
 # Keep the php5 dependancies for the owncloud upgrades
 apt_install \
 	dbconfig-common \
 	php5-cli php5-sqlite php5-gd php5-imap php5-curl php-pear php-apc curl libapr1 libtool libcurl4-openssl-dev php-xml-parser \
@@ -16,6 +17,10 @@ apt_install \
 apt-get purge -qq -y owncloud*
 apt_install php7.0 php7.0-fpm \
 	php7.0-cli php7.0-sqlite php7.0-gd php7.0-imap php7.0-curl php-pear php-apc curl \
        php7.0-dev php7.0-gd memcached php7.0-memcached php7.0-xml php7.0-mbstring php7.0-zip php7.0-apcu
 # Migrate <= v0.10 setups that stored the ownCloud config.php in /usr/local rather than
 # in STORAGE_ROOT. Move the file to STORAGE_ROOT.
 if [ ! -f $STORAGE_ROOT/owncloud/config.php ] \
@@ -28,52 +33,35 @@ if [ ! -f $STORAGE_ROOT/owncloud/config.php ] \
 	ln -sf $STORAGE_ROOT/owncloud/config.php /usr/local/lib/owncloud/config/config.php
 fi
-InstallOwncloud() {
+InstallNextcloud() {
 	version=$1
 	hash=$2
 	flavor=$3
 	echo
-	echo "Upgrading to $flavor version $version"
+	echo "Upgrading to Nextcloud version $version"
 	echo
 	# Remove the current owncloud/Nextcloud
 	rm -rf /usr/local/lib/owncloud
 	# Download and verify
-	if [ "$flavor" = "Nextcloud" ]; then
+	wget_verify https://download.nextcloud.com/server/releases/nextcloud-$version.zip $hash /tmp/nextcloud.zip
 		wget_verify https://download.nextcloud.com/server/releases/nextcloud-$version.zip $hash /tmp/owncloud.zip
 	else
 		wget_verify https://download.owncloud.org/community/owncloud-$version.zip $hash /tmp/owncloud.zip
 	fi
 	# Extract ownCloud/Nextcloud
-	unzip -q /tmp/owncloud.zip -d /usr/local/lib
+	unzip -q /tmp/nextcloud.zip -d /usr/local/lib
-	if [ "$flavor" = "Nextcloud" ]; then
+	mv /usr/local/lib/nextcloud /usr/local/lib/owncloud
-		mv /usr/local/lib/nextcloud /usr/local/lib/owncloud
+	rm -f /tmp/nextcloud.zip
 	fi
 	rm -f /tmp/owncloud.zip
 	# The two apps we actually want are not in Nextcloud core. Download the releases from
 	# their github repositories.
 	mkdir -p /usr/local/lib/owncloud/apps
-	if [ "$flavor" = "Nextcloud" ]; then
+	wget_verify https://github.com/nextcloud/contacts/releases/download/v1.5.3/contacts.tar.gz 78c4d49e73f335084feecd4853bd8234cf32615e /tmp/contacts.tgz
 		wget_verify https://github.com/nextcloud/contacts/releases/download/v1.5.3/contacts.tar.gz 78c4d49e73f335084feecd4853bd8234cf32615e /tmp/contacts.tgz
 	else
 		wget_verify https://github.com/owncloud/contacts/releases/download/v1.4.0.0/contacts.tar.gz c1c22d29699456a45db447281682e8bc3f10e3e7 /tmp/contacts.tgz
 	fi
 	tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/contacts.tgz
-	if [ "$flavor" = "Nextcloud" ]; then
+	wget_verify https://github.com/nextcloud/calendar/releases/download/v1.5.3/calendar.tar.gz b370352d1f280805cc7128f78af4615f623827f8 /tmp/calendar.tgz
 		wget_verify https://github.com/nextcloud/calendar/releases/download/v1.5.2/calendar.tar.gz 7b8a94e01fe740c5c23017ed5bc211983c780fce /tmp/calendar.tgz
 	else
    wget_verify https://github.com/nextcloud/calendar/releases/download/v1.4.0/calendar.tar.gz c84f3170efca2a99ea6254de34b0af3cb0b3a821 /tmp/calendar.tgz
 	fi
 	tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/calendar.tgz
@@ -105,16 +93,77 @@ InstallOwncloud() {
 	fi
 }
-owncloud_ver=10.0.5
+# We only install ownCloud intermediate versions to be able to seemlesly upgrade to Nextcloud
-owncloud_hash=686f6a8e9d7867c32e3bf3ca63b3cc2020564bf6
+InstallOwncloud() {
-owncloud_flavor=Nextcloud
+
 	version=$1
 	hash=$2
 	echo
 	echo "Upgrading to OwnCloud version $version"
 	echo
 	# Remove the current owncloud/Nextcloud
 	rm -rf /usr/local/lib/owncloud
 	# Download and verify
 	wget_verify https://download.owncloud.org/community/owncloud-$version.zip $hash /tmp/owncloud.zip
 	# Extract ownCloud
 	unzip -q /tmp/owncloud.zip -d /usr/local/lib
 	rm -f /tmp/owncloud.zip
 	# The two apps we actually want are not in Nextcloud core. Download the releases from
 	# their github repositories.
 	mkdir -p /usr/local/lib/owncloud/apps
 	wget_verify https://github.com/owncloud/contacts/releases/download/v1.4.0.0/contacts.tar.gz c1c22d29699456a45db447281682e8bc3f10e3e7 /tmp/contacts.tgz
 	tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/contacts.tgz
 	wget_verify https://github.com/nextcloud/calendar/releases/download/v1.4.0/calendar.tar.gz c84f3170efca2a99ea6254de34b0af3cb0b3a821 /tmp/calendar.tgz
 	tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/calendar.tgz
 	# Fix weird permissions.
 	chmod 750 /usr/local/lib/owncloud/{apps,config}
 	# Create a symlink to the config.php in STORAGE_ROOT (for upgrades we're restoring the symlink we previously
 	# put in, and in new installs we're creating a symlink and will create the actual config later).
 	ln -sf $STORAGE_ROOT/owncloud/config.php /usr/local/lib/owncloud/config/config.php
 	# Make sure permissions are correct or the upgrade step won't run.
 	# $STORAGE_ROOT/owncloud may not yet exist, so use -f to suppress
 	# that error.
 	chown -f -R www-data.www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud
 	# If this isn't a new installation, immediately run the upgrade script.
 	# Then check for success (0=ok and 3=no upgrade needed, both are success).
 	if [ -e $STORAGE_ROOT/owncloud/owncloud.db ]; then
 		# ownCloud 8.1.1 broke upgrades. It may fail on the first attempt, but
 		# that can be OK.
 		sudo -u www-data php5 /usr/local/lib/owncloud/occ upgrade
 		if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then
 			echo "Trying ownCloud upgrade again to work around ownCloud upgrade bug..."
 			sudo -u www-data php5 /usr/local/lib/owncloud/occ upgrade
 			if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi
 			sudo -u www-data php5 /usr/local/lib/owncloud/occ maintenance:mode --off
 			echo "...which seemed to work."
 		fi
 	fi
 }
 owncloud_ver=12.0.3
 owncloud_hash=beab41f6a748a43f0accfa6a9808387aef718c61
 # Check if Nextcloud dir exist, and check if version matches owncloud_ver (if either doesn't - install/upgrade)
 if [ ! -d /usr/local/lib/owncloud/ ] \
        || ! grep -q $owncloud_ver /usr/local/lib/owncloud/version.php; then
-	# Stop php-fpm
+	# Stop php-fpm if running. If theyre not running (which happens on a previously failed install), dont bail.
-	hide_output service php5-fpm stop
+	service php7.0-fpm stop &> /dev/null || /bin/true
 	service php5-fpm stop &> /dev/null || /bin/true
 	# Backup the existing ownCloud/Nextcloud.
 	# Create a backup directory to store the current installation and database to
@@ -133,13 +182,13 @@ if [ ! -d /usr/local/lib/owncloud/ ] \
 	# We only need to check if we do upgrades when owncloud/Nextcloud was previously installed
 	if [ -e /usr/local/lib/owncloud/version.php ]; then
-		if grep -q "8\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then
+		if grep -q "OC_VersionString = '8\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then
 			echo "We are running 8.1.x, upgrading to 8.2.3 first"
-			InstallOwncloud 8.2.3 bfdf6166fbf6fc5438dc358600e7239d1c970613 ownCloud
+			InstallOwncloud 8.2.3 bfdf6166fbf6fc5438dc358600e7239d1c970613
 		fi
 		# If we are upgrading from 8.2.x we should go to 9.0 first. Owncloud doesn't support skipping minor versions
-		if grep -q "8\.2\.[0-9]" /usr/local/lib/owncloud/version.php; then
+		if grep -q "OC_VersionString = '8\.2\.[0-9]" /usr/local/lib/owncloud/version.php; then
 			echo "We are running version 8.2.x, upgrading to 9.0.2 first"
 			# We need to disable memcached. The upgrade and install fails
@@ -149,7 +198,7 @@ if [ ! -d /usr/local/lib/owncloud/ ] \
 			<?php
 				include("$STORAGE_ROOT/owncloud/config.php");
-				\$CONFIG['memcache.local'] = '\OC\Memcache\APC';
+				\$CONFIG['memcache.local'] = '\OC\Memcache\APCu';
 				echo "<?php\n\\\$CONFIG = ";
 				var_export(\$CONFIG);
@@ -159,29 +208,40 @@ EOF
 			chown www-data.www-data $STORAGE_ROOT/owncloud/config.php
 			# We can now install owncloud 9.0.2
-			InstallOwncloud 9.0.2 72a3d15d09f58c06fa8bee48b9e60c9cd356f9c5 ownCloud
+			InstallOwncloud 9.0.2 72a3d15d09f58c06fa8bee48b9e60c9cd356f9c5
 			# The owncloud 9 migration doesn't migrate calendars and contacts
 			# The option to migrate these are removed in 9.1
 			# So the migrations should be done when we have 9.0 installed
-			sudo -u www-data php /usr/local/lib/owncloud/occ dav:migrate-addressbooks
+			sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:migrate-addressbooks
 			# The following migration has to be done for each owncloud user
 			for directory in $STORAGE_ROOT/owncloud/*@*/ ; do
 				username=$(basename "${directory}")
-				sudo -u www-data php /usr/local/lib/owncloud/occ dav:migrate-calendar $username
+				sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:migrate-calendar $username
 			done
-			sudo -u www-data php /usr/local/lib/owncloud/occ dav:sync-birthday-calendar
+			sudo -u www-data php5 /usr/local/lib/owncloud/occ dav:sync-birthday-calendar
 		fi
 		# If we are upgrading from 9.0.x we should go to 9.1 first.
-		if grep -q "9\.0\.[0-9]" /usr/local/lib/owncloud/version.php; then
+		if grep -q "OC_VersionString = '9\.0\.[0-9]" /usr/local/lib/owncloud/version.php; then
 			echo "We are running ownCloud 9.0.x, upgrading to ownCloud 9.1.4 first"
-			InstallOwncloud 9.1.4 e637cab7b2ca3346164f3506b1a0eb812b4e841a ownCloud
+			InstallOwncloud 9.1.4 e637cab7b2ca3346164f3506b1a0eb812b4e841a
 		fi
 		# If we are upgrading from 9.1.x we should go to Nextcloud 10.0 first.
 		if grep -q "OC_VersionString = '9\.1\.[0-9]" /usr/local/lib/owncloud/version.php; then
 			echo "We are running ownCloud 9.1.x, upgrading to Nextcloud 10.0.5 first"
 			InstallNextcloud 10.0.5 686f6a8e9d7867c32e3bf3ca63b3cc2020564bf6
 		fi
 		# If we are upgrading from 10.0.x we should go to Nextcloud 11.0 first.
 		if grep -q "OC_VersionString = '10\.0\.[0-9]" /usr/local/lib/owncloud/version.php; then
 			echo "We are running Nextcloud 10.0.x, upgrading to Nextcloud 11.0.3 first"
 			InstallNextcloud 11.0.3 a396aaa1c9f920099a90a86b4a9cd0ec13083c99
 		fi
 	fi
-	InstallOwncloud $owncloud_ver $owncloud_hash Nextcloud
+	InstallNextcloud $owncloud_ver $owncloud_hash
 fi
 # ### Configuring Nextcloud
@@ -211,7 +271,7 @@ if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then
      'arguments'=>array('{127.0.0.1:993/imap/ssl/novalidate-cert}')
    )
  ),
-  'memcache.local' => '\OC\Memcache\APC',
+  'memcache.local' => '\OC\Memcache\APCu',
  'mail_smtpmode' => 'sendmail',
  'mail_smtpsecure' => '',
  'mail_smtpauthtype' => 'LOGIN',
@@ -272,7 +332,7 @@ include("$STORAGE_ROOT/owncloud/config.php");
 \$CONFIG['trusted_domains'] = array('$PRIMARY_HOSTNAME');
-\$CONFIG['memcache.local'] = '\OC\Memcache\APC';
+\$CONFIG['memcache.local'] = '\OC\Memcache\APCu';
 \$CONFIG['overwrite.cli.url'] = '/cloud';
 \$CONFIG['mail_from_address'] = 'administrator'; # just the local part, matches our master administrator address
@@ -305,7 +365,7 @@ if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi
 # Set PHP FPM values to support large file uploads
 # (semicolon is the comment character in this file, hashes produce deprecation warnings)
-tools/editconf.py /etc/php5/fpm/php.ini -c ';' \
+tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \
 	upload_max_filesize=16G \
 	post_max_size=16G \
 	output_buffering=16384 \
@@ -313,9 +373,23 @@ tools/editconf.py /etc/php5/fpm/php.ini -c ';' \
 	max_execution_time=600 \
 	short_open_tag=On
 # Set Nextcloud recommended opcache settings
 tools/editconf.py /etc/php/7.0/cli/conf.d/10-opcache.ini -c ';' \
 	opcache.enable=1 \
 	opcache.enable_cli=1 \
 	opcache.interned_strings_buffer=8 \
 	opcache.max_accelerated_files=10000 \
 	opcache.memory_consumption=128 \
 	opcache.save_comments=1 \
 	opcache.revalidate_freq=1
 # Configure the path environment for php-fpm
 tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \
        env[PATH]=/usr/local/bin:/usr/bin:/bin
 # If apc is explicitly disabled we need to enable it
-if grep -q apc.enabled=0 /etc/php5/mods-available/apcu.ini; then
+if grep -q apc.enabled=0 /etc/php/7.0/mods-available/apcu.ini; then
-	tools/editconf.py /etc/php5/mods-available/apcu.ini -c ';' \
+	tools/editconf.py /etc/php/7.0/mods-available/apcu.ini -c ';' \
 		apc.enabled=1
 fi
@@ -337,5 +411,4 @@ chmod +x /etc/cron.hourly/mailinabox-owncloud
 # ```
 # Enable PHP modules and restart PHP.
-php5enmod imap
+restart_service php7.0-fpm
 restart_service php5-fpm
--- a/setup/spamassassin.sh
+++ b/setup/spamassassin.sh
@@ -61,10 +61,11 @@ tools/editconf.py /etc/default/spampd \
 # content or execute scripts, and it is probably confusing to most users.
 #
 # Tell Spamassassin not to modify the original message except for adding
-# the X-Spam-Status mail header and related headers.
+# the X-Spam-Status & X-Spam-Score mail headers and related headers.
 tools/editconf.py /etc/spamassassin/local.cf -s \
 	report_safe=0 \
-	add_header="all Report _REPORT_"
+	add_header="all Report _REPORT_" \
    add_header="all Score _SCORE_"
 # Bayesean learning
 # -----------------
--- a/setup/ssl.sh
+++ b/setup/ssl.sh
@@ -74,7 +74,7 @@ if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
 	CSR=/tmp/ssl_cert_sign_req-$$.csr
 	hide_output \
 	openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $CSR \
-	  -sha256 -subj "/C=/ST=/L=/O=/CN=$PRIMARY_HOSTNAME"
+	  -sha256 -subj "/CN=$PRIMARY_HOSTNAME"
 	# Generate the self-signed certificate.
 	CERT=$STORAGE_ROOT/ssl/$PRIMARY_HOSTNAME-selfsigned-$(date --rfc-3339=date | sed s/-//g).pem
--- a/setup/system.sh
+++ b/setup/system.sh
@@ -96,6 +96,12 @@ echo Updating system packages...
 hide_output apt-get update
 apt_get_quiet upgrade
 # Old kernels pile up over time and take up a lot of disk space, and because of Mail-in-a-Box
 # changes there may be other packages that are no longer needed. Clear out anything apt knows
 # is safe to delete.
 apt_get_quiet autoremove
 # ### Install System Packages
 # Install basic utilities.
@@ -119,6 +125,18 @@ apt_install python3 python3-dev python3-pip \
 	haveged pollinate unzip \
 	unattended-upgrades cron ntp fail2ban
 # ### Add PHP7 PPA
 # Nextcloud requires PHP7, we will install the ppa from ubuntu php maintainer Ondřej Surý
 # The PPA is located here https://launchpad.net/%7Eondrej/+archive/ubuntu/php
 # Unattended upgrades are activated for the repository If it appears it's already
 # installed, don't do it again so we can avoid an unnecessary call to apt-get update.
 if [ ! -f /etc/apt/sources.list.d/ondrej-php-trusty.list ]; then
 hide_output add-apt-repository -y ppa:ondrej/php
 apt_add_repository_to_unattended_upgrades LP-PPA-ondrej-php:trusty
 hide_output apt-get update
 fi
 # ### Suppress Upgrade Prompts
 # Since Mail-in-a-Box might jump straight to 18.04 LTS, there's no need
 # to be reminded about 16.04 on every login.
@@ -230,7 +248,7 @@ cat > /etc/apt/apt.conf.d/02periodic <<EOF;
 APT::Periodic::MaxAge "7";
 APT::Periodic::Update-Package-Lists "1";
 APT::Periodic::Unattended-Upgrade "1";
-APT::Periodic::Verbose "1";
+APT::Periodic::Verbose "0";
 EOF
 # ### Firewall
--- a/setup/web.sh
+++ b/setup/web.sh
@@ -18,7 +18,11 @@ fi
 # Turn off nginx's default website.
 echo "Installing Nginx (web server)..."
-apt_install nginx php5-fpm
+
 apt_install nginx php7.0-cli php7.0-fpm
 # Set PHP7 as the default
 update-alternatives --set php /usr/bin/php7.0
 rm -f /etc/nginx/sites-enabled/default
@@ -40,15 +44,19 @@ tools/editconf.py /etc/nginx/nginx.conf -s \
 	server_names_hash_bucket_size="128;"
 # Tell PHP not to expose its version number in the X-Powered-By header.
-tools/editconf.py /etc/php5/fpm/php.ini -c ';' \
+tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \
 	expose_php=Off
 # Set PHPs default charset to UTF-8, since we use it. See #367.
-tools/editconf.py /etc/php5/fpm/php.ini -c ';' \
+tools/editconf.py /etc/php/7.0/fpm/php.ini -c ';' \
        default_charset="UTF-8"
 # Switch from the dynamic process manager to the ondemand manager see #1216
 tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \
 	pm=ondemand
 # Bump up PHP's max_children to support more concurrent connections
-tools/editconf.py /etc/php5/fpm/pool.d/www.conf -c ';' \
+tools/editconf.py /etc/php/7.0/fpm/pool.d/www.conf -c ';' \
 	pm.max_children=8
 # Other nginx settings will be configured by the management service
@@ -103,7 +111,7 @@ done #NODOC
 # Start services.
 restart_service nginx
-restart_service php5-fpm
+restart_service php7.0-fpm
 # Open ports.
 ufw_allow http
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -22,8 +22,9 @@ source /etc/mailinabox.conf # load global vars
 echo "Installing Roundcube (webmail)..."
 apt_install \
 	dbconfig-common \
-	php5 php5-sqlite php5-mcrypt php5-intl php5-json php5-common php-auth php-net-smtp php-net-socket php-net-sieve php-mail-mime php-crypt-gpg php5-gd php5-pspell \
+	php7.0-cli php7.0-sqlite php7.0-mcrypt php7.0-intl php7.0-json php7.0-common \
-	tinymce libjs-jquery libjs-jquery-mousewheel libmagic1
+	php7.0-gd php7.0-pspell tinymce libjs-jquery libjs-jquery-mousewheel libmagic1 php7.0-mbstring
 apt_get_quiet remove php-mail-mimedecode # no longer needed since Roundcube 1.1.3
 # We used to install Roundcube from Ubuntu, without triggering the dependencies #NODOC
@@ -32,17 +33,16 @@ apt_get_quiet remove php-mail-mimedecode # no longer needed since Roundcube 1.1.
 apt-get purge -qq -y roundcube* #NODOC
 # Install Roundcube from source if it is not already present or if it is out of date.
-# Combine the Roundcube version number with the commit hash of vacation_sieve to track
+# Combine the Roundcube version number with the commit hash of plugins to track
-# whether we have the latest version.
+# whether we have the latest version of everything.
-VERSION=1.2.4
+VERSION=1.3.3
-HASH=e2091ea775b80eda43ab225130d5a2e888c3789a
+HASH=903a4eb1bfc25e9a08d782a7f98502cddfa579de
-VACATION_SIEVE_VERSION=91ea6f52216390073d1f5b70b5f6bea0bfaee7e5
+PERSISTENT_LOGIN_VERSION=dc5ca3d3f4415cc41edb2fde533c8a8628a94c76
 PERSISTENT_LOGIN_VERSION=c4516c4be37d12ef653de86497304e073a863c2a
 HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5
 CARDDAV_VERSION=2.0.4
 CARDDAV_HASH=d93f3cfb3038a519e71c7c3212c1d16f5da609a4
-UPDATE_KEY=$VERSION:$VACATION_SIEVE_VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:$CARDDAV_VERSION:a
+UPDATE_KEY=$VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:$CARDDAV_VERSION
 # paths that are often reused.
 RCM_DIR=/usr/local/lib/roundcubemail
@@ -60,7 +60,7 @@ fi
 if [ $needs_update == 1 ]; then
 	# install roundcube
 	wget_verify \
-		https://github.com/roundcube/roundcubemail/releases/download/$VERSION/roundcubemail-$VERSION.tar.gz \
+		https://github.com/roundcube/roundcubemail/releases/download/$VERSION/roundcubemail-$VERSION-complete.tar.gz \
 		$HASH \
 		/tmp/roundcube.tgz
 	tar -C /usr/local/lib --no-same-owner -zxf /tmp/roundcube.tgz
@@ -68,9 +68,6 @@ if [ $needs_update == 1 ]; then
 	mv /usr/local/lib/roundcubemail-$VERSION/ $RCM_DIR
 	rm -f /tmp/roundcube.tgz
 	# install roundcube autoreply/vacation plugin
 	git_clone https://github.com/arodier/Roundcube-Plugins.git $VACATION_SIEVE_VERSION plugins/vacation_sieve ${RCM_PLUGIN_DIR}/vacation_sieve
 	# install roundcube persistent_login plugin
 	git_clone https://github.com/mfreiholz/Roundcube-Persistent-Login-Plugin.git $PERSISTENT_LOGIN_VERSION '' ${RCM_PLUGIN_DIR}/persistent_login
@@ -108,19 +105,31 @@ cat > $RCM_CONFIG <<EOF;
 */
 \$config = array();
 \$config['log_dir'] = '/var/log/roundcubemail/';
-\$config['temp_dir'] = '/tmp/roundcubemail/';
+\$config['temp_dir'] = '/var/tmp/roundcubemail/';
 \$config['db_dsnw'] = 'sqlite:///$STORAGE_ROOT/mail/roundcube/roundcube.sqlite?mode=0640';
 \$config['default_host'] = 'ssl://localhost';
 \$config['default_port'] = 993;
 \$config['imap_conn_options'] = array(
  'ssl'         => array(
     'verify_peer'  => false,
     'verify_peer_name'  => false,
   ),
 );
 \$config['imap_timeout'] = 15;
 \$config['smtp_server'] = 'tls://127.0.0.1';
 \$config['smtp_port'] = 587;
 \$config['smtp_user'] = '%u';
 \$config['smtp_pass'] = '%p';
 \$config['smtp_conn_options'] = array(
  'ssl'         => array(
     'verify_peer'  => false,
     'verify_peer_name'  => false,
   ),
 );
 \$config['support_url'] = 'https://mailinabox.email/';
 \$config['product_name'] = '$PRIMARY_HOSTNAME Webmail';
 \$config['des_key'] = '$SECRET_KEY';
-\$config['plugins'] = array('html5_notifier', 'archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'vacation_sieve', 'persistent_login', 'carddav');
+\$config['plugins'] = array('html5_notifier', 'archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'persistent_login', 'carddav');
 \$config['skin'] = 'larry';
 \$config['login_autocomplete'] = 2;
 \$config['password_charset'] = 'UTF-8';
@@ -148,29 +157,9 @@ cat > ${RCM_PLUGIN_DIR}/carddav/config.inc.php <<EOF;
 );
 EOF
 # Configure vaction_sieve.
 cat > /usr/local/lib/roundcubemail/plugins/vacation_sieve/config.inc.php <<EOF;
 <?php
 /* Do not edit. Written by Mail-in-a-Box. Regenerated on updates. */
 \$rcmail_config['vacation_sieve'] = array(
    'date_format' => 'd/m/Y',
    'working_hours' => array(8,18),
    'msg_format' => 'text',
    'logon_transform' => array('#([a-z])[a-z]+(\.|\s)([a-z])#i', '\$1\$3'),
    'transfer' => array(
        'mode' =>  'managesieve',
        'ms_activate_script' => true,
        'host'   => '127.0.0.1',
        'port'   => '4190',
        'usetls' => false,
        'path' => 'vacation',
    )
 );
 EOF
 # Create writable directories.
-mkdir -p /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
+mkdir -p /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
-chown -R www-data.www-data /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
+chown -R www-data.www-data /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
 # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
 sudo -u www-data touch /var/log/roundcubemail/errors
@@ -210,5 +199,5 @@ chown www-data:www-data $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
 chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
 # Enable PHP modules.
-php5enmod mcrypt
+phpenmod -v php7.0 mcrypt imap
-restart_service php5-fpm
+restart_service php7.0-fpm
--- a/setup/zpush.sh
+++ b/setup/zpush.sh
@@ -17,32 +17,32 @@ source /etc/mailinabox.conf # load global vars
 echo "Installing Z-Push (Exchange/ActiveSync server)..."
 apt_install \
-	php-soap php5-imap libawl-php php5-xsl
+	php7.0-soap php7.0-imap libawl-php php7.0-xsl
-php5enmod imap
+phpenmod -v php7.0 imap
 # Copy Z-Push into place.
-TARGETHASH=131229a8feda09782dfd06449adce3d5a219183f
+VERSION=2.3.8
 VERSION=2.3.6
 needs_update=0 #NODOC
 if [ ! -f /usr/local/lib/z-push/version ]; then
 	needs_update=1 #NODOC
-elif [[ $TARGETHASH != `cat /usr/local/lib/z-push/version` ]]; then
+elif [[ $VERSION != `cat /usr/local/lib/z-push/version` ]]; then
 	# checks if the version
 	needs_update=1 #NODOC
 fi
 if [ $needs_update == 1 ]; then
 	wget_verify http://download.z-push.org/final/2.3/z-push-$VERSION.tar.gz $TARGETHASH /tmp/z-push.tar.gz
 	rm -rf /usr/local/lib/z-push
-	tar -xzf /tmp/z-push.tar.gz -C /usr/local/lib/
+
-	rm /tmp/z-push.tar.gz
+	git_clone https://stash.z-hub.io/scm/zp/z-push.git $VERSION '' /tmp/z-push
-	mv /usr/local/lib/z-push-$VERSION /usr/local/lib/z-push
+
 	mkdir /usr/local/lib/z-push
 	cp -r /tmp/z-push/src/* /usr/local/lib/z-push
 	rm -rf /tmp/z-push
 	rm -f /usr/sbin/z-push-{admin,top}
 	ln -s /usr/local/lib/z-push/z-push-admin.php /usr/sbin/z-push-admin
 	ln -s /usr/local/lib/z-push/z-push-top.php /usr/sbin/z-push-top
-	echo $TARGETHASH > /usr/local/lib/z-push/version
+	echo $VERSION > /usr/local/lib/z-push/version
 fi
 # Configure default config.
@@ -100,7 +100,7 @@ EOF
 # Restart service.
-restart_service php5-fpm
+restart_service php7.0-fpm
 # Fix states after upgrade
--- a/tests/tls.py
+++ b/tests/tls.py
@@ -61,9 +61,9 @@ common_opts = ["--sslv2", "--sslv3", "--tlsv1", "--tlsv1_1", "--tlsv1_2", "--ren
 # Assumes TLSv1, TLSv1.1, TLSv1.2.
 #
 # The 'old' ciphers bring compatibility back to Win XP IE 6.
-MOZILLA_CIPHERS_MODERN = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
+MOZILLA_CIPHERS_MODERN = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
-MOZILLA_CIPHERS_INTERMEDIATE = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+MOZILLA_CIPHERS_INTERMEDIATE = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
-MOZILLA_CIPHERS_OLD = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+MOZILLA_CIPHERS_OLD = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP"
 ######################################################################
--- a/tests/tls_results.txt
+++ b/tests/tls_results.txt
@@ -93,9 +93,9 @@ PORT 25
  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.
-  Should Not Offer: DHE-RSA-SEED-SHA, EDH-RSA-DES-CBC3-SHA, SEED-SHA
+  Should Not Offer: (none -- good)
-  Could Also Offer: DH-DSS-AES128-GCM-SHA256, DH-DSS-AES128-SHA, DH-DSS-AES128-SHA256, DH-DSS-AES256-GCM-SHA384, DH-DSS-AES256-SHA, DH-DSS-AES256-SHA256, DH-DSS-CAMELLIA128-SHA, DH-DSS-CAMELLIA256-SHA, DH-DSS-DES-CBC3-SHA, DH-RSA-AES128-GCM-SHA256, DH-RSA-AES128-SHA, DH-RSA-AES128-SHA256, DH-RSA-AES256-GCM-SHA384, DH-RSA-AES256-SHA, DH-RSA-AES256-SHA256, DH-RSA-CAMELLIA128-SHA, DH-RSA-CAMELLIA256-SHA, DH-RSA-DES-CBC3-SHA, DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-DSS-AES256-SHA256, DHE-DSS-CAMELLIA128-SHA, DHE-DSS-CAMELLIA256-SHA, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-DES-CBC3-SHA, SRP-3DES-EDE-CBC-SHA, SRP-AES-128-CBC-SHA, SRP-AES-256-CBC-SHA, SRP-DSS-3DES-EDE-CBC-SHA, SRP-DSS-AES-128-CBC-SHA, SRP-DSS-AES-256-CBC-SHA, SRP-RSA-3DES-EDE-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-RSA-AES-256-CBC-SHA
+  Could Also Offer: DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-DSS-AES256-SHA256, DHE-DSS-CAMELLIA128-SHA, DHE-DSS-CAMELLIA256-SHA, DHE-DSS-SEED-SHA, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-DES-CBC3-SHA
-  Supported Clients: OpenSSL/1.0.2, OpenSSL/1.0.1l, BingPreview/Jan 2015, Yahoo Slurp/Jan 2015, YandexBot/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/OS X 10.10, Safari/8/iOS 8.1.2, Safari/7/OS X 10.9, Safari/6/iOS 6.0.1, Firefox/31.3.0 ESR/Win 7, Baidu/Jan 2015, IE/11/Win 8.1, IE/11/Win 7, IE Mobile/11/Win Phone 8.1, Android/5.0.0, Java/8u31, Chrome/42/OS X, Googlebot/Feb 2015, Android/4.1.1, Android/4.0.4, Safari/6.0.4/OS X 10.8.4, Android/4.2.2, Android/4.3, Safari/5.1.9/OS X 10.6.8, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE/8-10/Win 7, IE/7/Vista, IE Mobile/10/Win Phone 8.0, Android/2.3.7, Java/6u45, IE/8/XP
+  Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, Yahoo Slurp/Jan 2015, OpenSSL/1.0.1l, YandexBot/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, Baidu/Jan 2015, Firefox/31.3.0 ESR/Win 7, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Chrome/42/OS X, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Android/2.3.7, Java/6u45, IE/8/XP
 PORT 587
 --------
@@ -183,9 +183,9 @@ PORT 587
  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.
-  Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, CAMELLIA128-SHA, CAMELLIA256-SHA, DHE-RSA-CAMELLIA128-SHA, DHE-RSA-CAMELLIA256-SHA, DHE-RSA-SEED-SHA, SEED-SHA
+  Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, CAMELLIA128-SHA, CAMELLIA256-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, DHE-RSA-CAMELLIA128-SHA, DHE-RSA-CAMELLIA256-SHA, DHE-RSA-SEED-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, SEED-SHA
-  Could Also Offer: DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384
+  Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384
-  Supported Clients: OpenSSL/1.0.2, OpenSSL/1.0.1l, BingPreview/Jan 2015, Yahoo Slurp/Jan 2015, YandexBot/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, IE/11/Win 8.1, Safari/8/iOS 8.1.2, IE/11/Win 7, IE Mobile/11/Win Phone 8.1, Safari/8/OS X 10.10, Safari/7/OS X 10.9, Safari/6/iOS 6.0.1, Firefox/31.3.0 ESR/Win 7, Baidu/Jan 2015, Chrome/42/OS X, Android/5.0.0, Java/8u31, Googlebot/Feb 2015, Firefox/37/OS X, Android/4.0.4, Android/4.1.1, Safari/6.0.4/OS X 10.8.4, Android/4.2.2, Android/4.3, Safari/5.1.9/OS X 10.6.8, IE/8-10/Win 7, IE/7/Vista, IE Mobile/10/Win Phone 8.0, OpenSSL/0.9.8y, Java/7u25, Java/6u45, Android/2.3.7
+  Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, Yahoo Slurp/Jan 2015, OpenSSL/1.0.1l, YandexBot/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, IE/11/Win 7, IE/11/Win 8.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, IE Mobile/11/Win Phone 8.1, Safari/8/OS X 10.10, Baidu/Jan 2015, Firefox/31.3.0 ESR/Win 7, Java/8u31, Android/5.0.0, Chrome/42/OS X, Googlebot/Feb 2015, Firefox/37/OS X, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, OpenSSL/0.9.8y, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/7u25, Android/2.3.7, Java/6u45
 PORT 443
 --------
@@ -200,16 +200,16 @@ PORT 443
  * OpenSSL Heartbleed:
      OK - Not vulnerable to Heartbleed  
  * Session Resumption:
      With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
      With TLS Session Tickets:          OK - Supported
  * HTTP Strict Transport Security:
-      OK - HSTS header received:         max-age=31536000
+      OK - HSTS header received:         max-age=15768000
 Unhandled exception when processing --chrome_sha1: 
 exceptions.TypeError - Incorrect padding
  * Session Resumption:
      With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
      With TLS Session Tickets:          OK - Supported
  * SSLV2 Cipher Suites:
      Server rejected all cipher suites.
@@ -223,12 +223,20 @@ exceptions.TypeError - Incorrect padding
                 DHE-RSA-AES256-SHA256         DH-2048 bits   256 bits      HTTP 200 OK                        
                 DHE-RSA-AES256-SHA            DH-2048 bits   256 bits      HTTP 200 OK                        
                 DHE-RSA-AES256-GCM-SHA384     DH-2048 bits   256 bits      HTTP 200 OK                        
                 AES256-SHA256                 -              256 bits      HTTP 200 OK                        
                 AES256-SHA                    -              256 bits      HTTP 200 OK                        
                 AES256-GCM-SHA384             -              256 bits      HTTP 200 OK                        
                 ECDHE-RSA-AES128-SHA256       ECDH-256 bits  128 bits      HTTP 200 OK                        
                 ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits      HTTP 200 OK                        
                 ECDHE-RSA-AES128-GCM-SHA256   ECDH-256 bits  128 bits      HTTP 200 OK                        
                 DHE-RSA-AES128-SHA256         DH-2048 bits   128 bits      HTTP 200 OK                        
                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits      HTTP 200 OK                        
                 DHE-RSA-AES128-GCM-SHA256     DH-2048 bits   128 bits      HTTP 200 OK                        
                 AES128-SHA256                 -              128 bits      HTTP 200 OK                        
                 AES128-SHA                    -              128 bits      HTTP 200 OK                        
                 AES128-GCM-SHA256             -              128 bits      HTTP 200 OK                        
                 ECDHE-RSA-DES-CBC3-SHA        ECDH-256 bits  112 bits      HTTP 200 OK                        
                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits      HTTP 200 OK                        
                 DES-CBC3-SHA                  -              112 bits      HTTP 200 OK                        
  * TLSV1_1 Cipher Suites:
@@ -237,8 +245,12 @@ exceptions.TypeError - Incorrect padding
      Accepted:                        
                 ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      HTTP 200 OK                        
                 DHE-RSA-AES256-SHA            DH-2048 bits   256 bits      HTTP 200 OK                        
                 AES256-SHA                    -              256 bits      HTTP 200 OK                        
                 ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits      HTTP 200 OK                        
                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits      HTTP 200 OK                        
                 AES128-SHA                    -              128 bits      HTTP 200 OK                        
                 ECDHE-RSA-DES-CBC3-SHA        ECDH-256 bits  112 bits      HTTP 200 OK                        
                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits      HTTP 200 OK                        
                 DES-CBC3-SHA                  -              112 bits      HTTP 200 OK                        
  * TLSV1 Cipher Suites:
@@ -247,16 +259,20 @@ exceptions.TypeError - Incorrect padding
      Accepted:                        
                 ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits      HTTP 200 OK                        
                 DHE-RSA-AES256-SHA            DH-2048 bits   256 bits      HTTP 200 OK                        
                 AES256-SHA                    -              256 bits      HTTP 200 OK                        
                 ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits      HTTP 200 OK                        
                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits      HTTP 200 OK                        
                 AES128-SHA                    -              128 bits      HTTP 200 OK                        
                 ECDHE-RSA-DES-CBC3-SHA        ECDH-256 bits  112 bits      HTTP 200 OK                        
                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits      HTTP 200 OK                        
                 DES-CBC3-SHA                  -              112 bits      HTTP 200 OK                        
  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.
  Should Not Offer: (none -- good)
-  Could Also Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, CAMELLIA128-SHA, CAMELLIA256-SHA, DH-DSS-AES128-GCM-SHA256, DH-DSS-AES128-SHA, DH-DSS-AES128-SHA256, DH-DSS-AES256-GCM-SHA384, DH-DSS-AES256-SHA, DH-DSS-AES256-SHA256, DH-DSS-CAMELLIA128-SHA, DH-DSS-CAMELLIA256-SHA, DH-RSA-AES128-GCM-SHA256, DH-RSA-AES128-SHA, DH-RSA-AES128-SHA256, DH-RSA-AES256-GCM-SHA384, DH-RSA-AES256-SHA, DH-RSA-AES256-SHA256, DH-RSA-CAMELLIA128-SHA, DH-RSA-CAMELLIA256-SHA, DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-DSS-AES256-SHA256, DHE-DSS-CAMELLIA128-SHA, DHE-DSS-CAMELLIA256-SHA, DHE-RSA-CAMELLIA128-SHA, DHE-RSA-CAMELLIA256-SHA, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, SRP-AES-128-CBC-SHA, SRP-AES-256-CBC-SHA, SRP-DSS-AES-128-CBC-SHA, SRP-DSS-AES-256-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-RSA-AES-256-CBC-SHA
+  Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-DES-CBC3-SHA
-  Supported Clients: OpenSSL/1.0.2, OpenSSL/1.0.1l, BingPreview/Jan 2015, YandexBot/Jan 2015, Yahoo Slurp/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/OS X 10.10, Safari/8/iOS 8.1.2, Safari/7/OS X 10.9, Safari/6/iOS 6.0.1, Chrome/42/OS X, IE/11/Win 8.1, IE/11/Win 7, Android/5.0.0, Java/8u31, IE Mobile/11/Win Phone 8.1, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Firefox/37/OS X, Android/4.1.1, Android/4.0.4, Baidu/Jan 2015, Safari/6.0.4/OS X 10.8.4, Android/4.2.2, Android/4.3, Safari/5.1.9/OS X 10.6.8, IE/8-10/Win 7, IE/7/Vista, OpenSSL/0.9.8y, IE Mobile/10/Win Phone 8.0, Java/7u25, Android/2.3.7, Java/6u45, IE/8/XP
+  Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, OpenSSL/1.0.1l, Yahoo Slurp/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Chrome/42/OS X, Baidu/Jan 2015, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/6u45, Android/2.3.7, IE/8/XP
 PORT 993
 --------
@@ -270,64 +286,73 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec
  * OpenSSL Heartbleed:
      OK - Not vulnerable to Heartbleed  
  * SSLV2 Cipher Suites:
      Server rejected all cipher suites.
  * Session Resumption:
      With Session IDs:                  NOT SUPPORTED (0 successful, 5 failed, 0 errors, 5 total attempts).
      With TLS Session Tickets:          NOT SUPPORTED - TLS ticket assigned but not accepted.
  * SSLV2 Cipher Suites:
      Server rejected all cipher suites.
  * TLSV1_2 Cipher Suites:
      Preferred:                       
-                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
+                 ECDHE-RSA-AES128-GCM-SHA256   ECDH-384 bits  128 bits                                         
      Accepted:                        
                 ECDHE-RSA-AES256-SHA384       ECDH-384 bits  256 bits                                         
                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
-                 DHE-RSA-CAMELLIA256-SHA       DH-1024 bits   256 bits                                         
+                 ECDHE-RSA-AES256-GCM-SHA384   ECDH-384 bits  256 bits                                         
-                 DHE-RSA-AES256-SHA            DH-1024 bits   256 bits                                         
+                 DHE-RSA-AES256-SHA256         DH-2048 bits   256 bits                                         
-                 CAMELLIA256-SHA               -              256 bits                                         
+                 DHE-RSA-AES256-SHA            DH-2048 bits   256 bits                                         
                 DHE-RSA-AES256-GCM-SHA384     DH-2048 bits   256 bits                                         
                 AES256-SHA256                 -              256 bits                                         
                 AES256-SHA                    -              256 bits                                         
                 AES256-GCM-SHA384             -              256 bits                                         
                 ECDHE-RSA-AES128-SHA256       ECDH-384 bits  128 bits                                         
                 ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
-                 DHE-RSA-CAMELLIA128-SHA       DH-1024 bits   128 bits                                         
+                 ECDHE-RSA-AES128-GCM-SHA256   ECDH-384 bits  128 bits                                         
-                 DHE-RSA-AES128-SHA            DH-1024 bits   128 bits                                         
+                 DHE-RSA-AES128-SHA256         DH-2048 bits   128 bits                                         
-                 CAMELLIA128-SHA               -              128 bits                                         
+                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits                                         
                 DHE-RSA-AES128-GCM-SHA256     DH-2048 bits   128 bits                                         
                 AES128-SHA256                 -              128 bits                                         
                 AES128-SHA                    -              128 bits                                         
                 AES128-GCM-SHA256             -              128 bits                                         
                 ECDHE-RSA-DES-CBC3-SHA        ECDH-384 bits  112 bits                                         
                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits                                         
                 DES-CBC3-SHA                  -              112 bits                                         
  * TLSV1_1 Cipher Suites:
      Preferred:                       
-                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
+                 ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
      Accepted:                        
                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
-                 DHE-RSA-CAMELLIA256-SHA       DH-1024 bits   256 bits                                         
+                 DHE-RSA-AES256-SHA            DH-2048 bits   256 bits                                         
                 DHE-RSA-AES256-SHA            DH-1024 bits   256 bits                                         
                 CAMELLIA256-SHA               -              256 bits                                         
                 AES256-SHA                    -              256 bits                                         
                 ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
-                 DHE-RSA-CAMELLIA128-SHA       DH-1024 bits   128 bits                                         
+                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits                                         
                 DHE-RSA-AES128-SHA            DH-1024 bits   128 bits                                         
                 CAMELLIA128-SHA               -              128 bits                                         
                 AES128-SHA                    -              128 bits                                         
                 ECDHE-RSA-DES-CBC3-SHA        ECDH-384 bits  112 bits                                         
                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits                                         
                 DES-CBC3-SHA                  -              112 bits                                         
  * TLSV1 Cipher Suites:
      Preferred:                       
-                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
+                 ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
      Accepted:                        
                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
-                 DHE-RSA-CAMELLIA256-SHA       DH-1024 bits   256 bits                                         
+                 DHE-RSA-AES256-SHA            DH-2048 bits   256 bits                                         
                 DHE-RSA-AES256-SHA            DH-1024 bits   256 bits                                         
                 CAMELLIA256-SHA               -              256 bits                                         
                 AES256-SHA                    -              256 bits                                         
                 ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
-                 DHE-RSA-CAMELLIA128-SHA       DH-1024 bits   128 bits                                         
+                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits                                         
                 DHE-RSA-AES128-SHA            DH-1024 bits   128 bits                                         
                 CAMELLIA128-SHA               -              128 bits                                         
                 AES128-SHA                    -              128 bits                                         
                 ECDHE-RSA-DES-CBC3-SHA        ECDH-384 bits  112 bits                                         
                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits                                         
                 DES-CBC3-SHA                  -              112 bits                                         
  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.
-  Should Not Offer: AES128-SHA, AES256-SHA, CAMELLIA128-SHA, CAMELLIA256-SHA, DHE-RSA-CAMELLIA128-SHA, DHE-RSA-CAMELLIA256-SHA
+  Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, DES-CBC3-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA
-  Could Also Offer: DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA384
+  Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384
-  Supported Clients: OpenSSL/1.0.2, Firefox/31.3.0 ESR/Win 7, OpenSSL/1.0.1l, BingPreview/Jan 2015, Yahoo Slurp/Jan 2015, Baidu/Jan 2015, Safari/7/iOS 7.1, Chrome/42/OS X, Googlebot/Feb 2015, Android/4.0.4, Safari/8/iOS 8.1.2, Android/4.1.1, Android/5.0.0, Safari/6/iOS 6.0.1, YandexBot/Jan 2015, Safari/6.0.4/OS X 10.8.4, Android/4.2.2, Safari/8/OS X 10.10, Firefox/37/OS X, Safari/7/OS X 10.9, Android/4.3, Safari/5.1.9/OS X 10.6.8, Android/4.4.2, IE/8-10/Win 7, IE/7/Vista, IE/11/Win 8.1, IE/11/Win 7, OpenSSL/0.9.8y, IE Mobile/10/Win Phone 8.0, IE Mobile/11/Win Phone 8.1, Java/7u25, Java/8u31, Java/6u45, Android/2.3.7
+  Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, OpenSSL/1.0.1l, Yahoo Slurp/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Chrome/42/OS X, Baidu/Jan 2015, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/6u45, Android/2.3.7, IE/8/XP
 PORT 995
 --------
@@ -341,62 +366,71 @@ _nassl.OpenSSLError - error:140940F5:SSL routines:ssl3_read_bytes:unexpected rec
  * OpenSSL Heartbleed:
      OK - Not vulnerable to Heartbleed  
  * SSLV2 Cipher Suites:
      Server rejected all cipher suites.
  * Session Resumption:
      With Session IDs:                  NOT SUPPORTED (0 successful, 5 failed, 0 errors, 5 total attempts).
      With TLS Session Tickets:          NOT SUPPORTED - TLS ticket assigned but not accepted.
  * SSLV2 Cipher Suites:
      Server rejected all cipher suites.
  * TLSV1_2 Cipher Suites:
      Preferred:                       
-                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
+                 ECDHE-RSA-AES128-GCM-SHA256   ECDH-384 bits  128 bits                                         
      Accepted:                        
                 ECDHE-RSA-AES256-SHA384       ECDH-384 bits  256 bits                                         
                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
-                 DHE-RSA-CAMELLIA256-SHA       DH-1024 bits   256 bits                                         
+                 ECDHE-RSA-AES256-GCM-SHA384   ECDH-384 bits  256 bits                                         
-                 DHE-RSA-AES256-SHA            DH-1024 bits   256 bits                                         
+                 DHE-RSA-AES256-SHA256         DH-2048 bits   256 bits                                         
-                 CAMELLIA256-SHA               -              256 bits                                         
+                 DHE-RSA-AES256-SHA            DH-2048 bits   256 bits                                         
                 DHE-RSA-AES256-GCM-SHA384     DH-2048 bits   256 bits                                         
                 AES256-SHA256                 -              256 bits                                         
                 AES256-SHA                    -              256 bits                                         
                 AES256-GCM-SHA384             -              256 bits                                         
                 ECDHE-RSA-AES128-SHA256       ECDH-384 bits  128 bits                                         
                 ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
-                 DHE-RSA-CAMELLIA128-SHA       DH-1024 bits   128 bits                                         
+                 ECDHE-RSA-AES128-GCM-SHA256   ECDH-384 bits  128 bits                                         
-                 DHE-RSA-AES128-SHA            DH-1024 bits   128 bits                                         
+                 DHE-RSA-AES128-SHA256         DH-2048 bits   128 bits                                         
-                 CAMELLIA128-SHA               -              128 bits                                         
+                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits                                         
                 DHE-RSA-AES128-GCM-SHA256     DH-2048 bits   128 bits                                         
                 AES128-SHA256                 -              128 bits                                         
                 AES128-SHA                    -              128 bits                                         
                 AES128-GCM-SHA256             -              128 bits                                         
                 ECDHE-RSA-DES-CBC3-SHA        ECDH-384 bits  112 bits                                         
                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits                                         
                 DES-CBC3-SHA                  -              112 bits                                         
  * TLSV1_1 Cipher Suites:
      Preferred:                       
-                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
+                 ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
      Accepted:                        
                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
-                 DHE-RSA-CAMELLIA256-SHA       DH-1024 bits   256 bits                                         
+                 DHE-RSA-AES256-SHA            DH-2048 bits   256 bits                                         
                 DHE-RSA-AES256-SHA            DH-1024 bits   256 bits                                         
                 CAMELLIA256-SHA               -              256 bits                                         
                 AES256-SHA                    -              256 bits                                         
                 ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
-                 DHE-RSA-CAMELLIA128-SHA       DH-1024 bits   128 bits                                         
+                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits                                         
                 DHE-RSA-AES128-SHA            DH-1024 bits   128 bits                                         
                 CAMELLIA128-SHA               -              128 bits                                         
                 AES128-SHA                    -              128 bits                                         
                 ECDHE-RSA-DES-CBC3-SHA        ECDH-384 bits  112 bits                                         
                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits                                         
                 DES-CBC3-SHA                  -              112 bits                                         
  * TLSV1 Cipher Suites:
      Preferred:                       
-                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
+                 ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
      Accepted:                        
                 ECDHE-RSA-AES256-SHA          ECDH-384 bits  256 bits                                         
-                 DHE-RSA-CAMELLIA256-SHA       DH-1024 bits   256 bits                                         
+                 DHE-RSA-AES256-SHA            DH-2048 bits   256 bits                                         
                 DHE-RSA-AES256-SHA            DH-1024 bits   256 bits                                         
                 CAMELLIA256-SHA               -              256 bits                                         
                 AES256-SHA                    -              256 bits                                         
                 ECDHE-RSA-AES128-SHA          ECDH-384 bits  128 bits                                         
-                 DHE-RSA-CAMELLIA128-SHA       DH-1024 bits   128 bits                                         
+                 DHE-RSA-AES128-SHA            DH-2048 bits   128 bits                                         
                 DHE-RSA-AES128-SHA            DH-1024 bits   128 bits                                         
                 CAMELLIA128-SHA               -              128 bits                                         
                 AES128-SHA                    -              128 bits                                         
                 ECDHE-RSA-DES-CBC3-SHA        ECDH-384 bits  112 bits                                         
                 EDH-RSA-DES-CBC3-SHA          DH-2048 bits   112 bits                                         
                 DES-CBC3-SHA                  -              112 bits                                         
  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.
-  Should Not Offer: AES128-SHA, AES256-SHA, CAMELLIA128-SHA, CAMELLIA256-SHA, DHE-RSA-CAMELLIA128-SHA, DHE-RSA-CAMELLIA256-SHA
+  Should Not Offer: AES128-GCM-SHA256, AES128-SHA, AES128-SHA256, AES256-GCM-SHA384, AES256-SHA, AES256-SHA256, DES-CBC3-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA
-  Could Also Offer: DHE-DSS-AES128-GCM-SHA256, DHE-DSS-AES128-SHA256, DHE-DSS-AES256-GCM-SHA384, DHE-DSS-AES256-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA384
+  Could Also Offer: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384
-  Supported Clients: OpenSSL/1.0.2, Firefox/31.3.0 ESR/Win 7, OpenSSL/1.0.1l, BingPreview/Jan 2015, Yahoo Slurp/Jan 2015, Baidu/Jan 2015, Safari/7/iOS 7.1, Chrome/42/OS X, Googlebot/Feb 2015, Android/4.0.4, Safari/8/iOS 8.1.2, Android/4.1.1, Android/5.0.0, Safari/6/iOS 6.0.1, YandexBot/Jan 2015, Safari/6.0.4/OS X 10.8.4, Android/4.2.2, Safari/8/OS X 10.10, Firefox/37/OS X, Safari/7/OS X 10.9, Android/4.3, Safari/5.1.9/OS X 10.6.8, Android/4.4.2, IE/8-10/Win 7, IE/7/Vista, IE/11/Win 8.1, IE/11/Win 7, OpenSSL/0.9.8y, IE Mobile/10/Win Phone 8.0, IE Mobile/11/Win Phone 8.1, Java/7u25, Java/8u31, Java/6u45, Android/2.3.7
+  Supported Clients: BingPreview/Jan 2015, OpenSSL/1.0.2, YandexBot/Jan 2015, OpenSSL/1.0.1l, Yahoo Slurp/Jan 2015, Android/4.4.2, Safari/7/iOS 7.1, Safari/8/iOS 8.1.2, Safari/6/iOS 6.0.1, Safari/7/OS X 10.9, Safari/8/OS X 10.10, IE/11/Win 7, IE/11/Win 8.1, IE Mobile/11/Win Phone 8.1, Java/8u31, Android/5.0.0, Googlebot/Feb 2015, Firefox/31.3.0 ESR/Win 7, Chrome/42/OS X, Baidu/Jan 2015, Android/4.1.1, Android/4.3, Android/4.0.4, Android/4.2.2, Safari/5.1.9/OS X 10.6.8, Safari/6.0.4/OS X 10.8.4, Firefox/37/OS X, OpenSSL/0.9.8y, Java/7u25, IE Mobile/10/Win Phone 8.0, IE/8-10/Win 7, IE/7/Vista, Java/6u45, Android/2.3.7, IE/8/XP
--- a/tools/owncloud-restore.sh
+++ b/tools/owncloud-restore.sh
@@ -27,6 +27,7 @@ fi
 echo "Restoring backup from $1"
 service php5-fpm stop
 service php7.0-fpm stop
 # remove the current ownCloud/Nextcloud installation
 rm -rf /usr/local/lib/owncloud/
@@ -46,4 +47,5 @@ chown www-data.www-data $STORAGE_ROOT/owncloud/config.php
 sudo -u www-data php /usr/local/lib/owncloud/occ maintenance:mode --off
 service php5-fpm start
 service php7.0-fpm start
 echo "Done"
Author	SHA1	Message	Date
Joshua Tauberer	b5c0736d27	release v0.26	2018-01-18 17:10:23 -05:00
Joshua Tauberer	8ee7de6ff3	no need to do a second apt-get update after 'installing' the PHP7 PPA if the PPA was already installed	2018-01-15 13:28:18 -05:00
Joshua Tauberer	0088fb4553	install Python 3 packages in a virtualenv The cryptography package has created all sorts of installation trouble over the last few years, probably because of mismatches between OS-installed packages and pip-installed packages. Using a virtualenv for all Python packages used by the management daemon should make sure everything is consistent. See #1298, see #1264.	2018-01-15 13:27:04 -05:00
Joshua Tauberer	b2d103145f	remove php5 packages from webmail.sh The PHP5 packages have a dependency on (apache2 or php5-cgi or php5-fpm), and since removing php5-fpm apache2 started getting installed during setup, which caused a conflict with nginx of course. These packages don't seem to be needed by Roundcube or Nextcloud --- Roundcube includes the ones it needs. see #1264, #1298	2018-01-15 11:29:12 -05:00
Joshua Tauberer	fc9e279cec	partial revert of `441bd350`, accidentally uncommented something	2018-01-15 10:33:05 -05:00
yeah	257983d559	Fix typo in CHANGELOG.md (#1312 )	2017-12-25 17:46:31 -05:00
Joshua Tauberer	e924459140	revert f25801e/#1233 - use Mozilla intermediate ciphers for IMAP/POP not modern ciphers fixes #1300	2017-12-24 14:41:41 -05:00
Joshua Tauberer	441bd35053	update CHANGELOG	2017-12-23 18:01:41 -05:00
Michael Kroes	a0e603a3c6	Change z-push to use the git repository instead of the tar ball (#1305 )	2017-12-23 17:51:18 -05:00
sam-banks	88604074d6	Bugfix for free command (#1278 ) A quick fix - there's no "o" option for free.	2017-12-18 08:21:28 -05:00
yeah	d43111eb48	Add X-Spam-Score header to checked mail (#1292 ) To enable users to do custom spam filtering based on score, it's helpful to render the actual spam score as a float in a separate header rather than as part of X-Spam-Status where it only appears in a comma separated list.	2017-12-18 08:17:47 -05:00
Jim Bailey	6729588d8c	Changed temp_dir to /var/temp/roundcube to avoid loss on reboot. (#1302 )	2017-12-18 08:12:45 -05:00
Joshua Tauberer	5f14eca67f	merge v0.25 security release	2017-11-15 11:27:30 -05:00
Joshua Tauberer	8944cd7980	v0.25	2017-11-15 11:27:00 -05:00
yeah	2bbbc9dfa3	Update Roundcube to protect against CVE-2017-16651 See https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10. merges #1287	2017-11-15 11:14:21 -05:00
John Olten	544f155948	Add support for DNS wildcard [merges #1281 ]	2017-11-15 11:10:59 -05:00
Joshua Tauberer	f080eabb3a	run apt-get autoremove after updating system packages Old kernels can build up and some packages may not be needed anymore. See https://discourse.mailinabox.email/t/storage-space-decreasing/2525/5.	2017-11-15 11:05:43 -05:00
Jānis (Yannis)	7bf377eed1	use RSASHA256 for .lv domains DNSSEC (#1277 )	2017-10-31 18:01:47 -04:00
Nicolas North	cd554cf480	document the "local" alias pointing to this box in Custom DNS (#1261 )	2017-10-20 17:20:21 -04:00
Michael Kroes	e5448405ae	add php7.0-mbstring to webmail.sh (#1268 )	2017-10-15 07:53:01 -04:00
Tristan Hill	a7eff8fb35	turn off apt verbose in unattended upgrades (#1255 )	2017-10-06 08:16:40 -04:00
Fabian Bucher	341aa8695a	update F-Droid DAVdroid link (#1253 ) the information about the invalid link comes from here -> https://discourse.mailinabox.email/t/admin-sync-guide-contacts-and-calendar-davdroid-3-69-free-here/2528	2017-10-04 17:47:15 -04:00
Joshua Tauberer	5efdd72f41	update TLS test to record changes in the ciphers we offer on the open ports	2017-10-03 12:01:10 -04:00
Joshua Tauberer	f25801e88d	Merge #1233 - Limit Dovecot ciphers to the Mozilla modern set	2017-10-03 11:55:16 -04:00
Joshua Tauberer	cc7be13098	update nginx cipher list to Mozilla's current intermediate ciphers and update HSTS header to be six months * The Mozilla recommendations must have been updated in the last few years. * The HSTS header must have >=6 months to get an A+ at ssllabs.com/ssltest.	2017-10-03 11:47:32 -04:00
Joshua Tauberer	2556e3fbc2	HSTS header does not belong here, will result in multiple headers	2017-10-03 11:38:15 -04:00
Joshua Tauberer	00898b2ff5	v0.24	2017-10-03 10:49:04 -04:00
Joshua Tauberer	35b8a149d8	fix dns regex: underscores are allowed in domain names even though they are not allowed in hostnames	2017-09-22 12:31:49 -04:00
Joshua Tauberer	d0423afd18	Nextcloud install shouldn't fail if php-fpm isn't already running	2017-09-22 11:10:48 -04:00
Joshua Tauberer	edf42df835	update Roundcube (1.3.1), persistent login plugin, Z-Push (2.3.8), and Nextcloud (12.0.3)	2017-09-22 11:10:40 -04:00
Joshua Tauberer	734745a4a6	Nextcloud 12.0.2, fix Nextcloud 12 upgrades seeing the wrong version Nextcloud 12 adds a new OC_VersionCanBeUpgradedFrom field to /usr/local/lib/owncloud/version.php which lists prior NC/OC version numbers, which confuses our check for what the installed version is. Make our regex more strict. merges #1238	2017-09-01 07:58:07 -04:00
dofl	dbebaba8b9	switch PHP's process manager to on demand merges #1216	2017-08-30 13:39:25 -04:00
Joshua Tauberer	cb765dfe2a	changelog entries	2017-08-30 13:11:58 -04:00
Lloyd Smart	81258e2189	Implement upstream issue #1228 for stronger dh parameters in Dovecot. (#1232 )	2017-08-30 13:04:22 -04:00
Lloyd Smart	4dd4b4232a	Limited ciphers to the Mozilla modern set from https://mozilla.github.io/server-side-tls/ssl-config-generator/ as requested in issue #1228 .	2017-08-29 15:02:58 +01:00
Marius Blüm	48ff664ee9	Remove the ? from "Log out" (#1231 ) Signed-off-by: Marius Blüm <marius@lineone.io>	2017-08-23 19:46:45 -04:00
Michael Kroes	a52c56e571	only set the CN field when generating initial CSR to prevent issues with the php7 ppa version of openssl (#1223 ) OpenSSL 1.1.0f now validates the other subject fields and rejects the empty string (for the country?) because it isn't two characters.	2017-07-30 08:11:39 -04:00
Jon Hermansen	6ace97e482	update PPA build URL for postgrey 1.35. Fixes #1211 (#1212 )	2017-07-21 15:13:57 -04:00
Git Repository	19a928e4ec	[Issue #1159 ] Remove any +tag name in email alias before checking privileges (#1181 ) * [Issue #1159] Remove any +tag name in email alias before checking privileges * Move priprivileged email check after the conversion to unicode so only IDNA serves as input	2017-07-21 11:10:16 -04:00
Michael Kroes	78f2fe213e	Secondary name server could not be set (#1209 )	2017-07-21 08:20:37 -04:00
Michael Kroes	a16855ecf0	Backup script should now stop php7.0-fpm instead of php5-fpm (#1206 )	2017-07-17 09:45:40 -04:00
yodax	d773140502	Update to Nextcloud 12 using PHP7 * Install PHP7 via a PPA, enable unattended upgrades for the PPA, and switch all of our PHP configuration to the PHP7 install. * Keep installing PHP5 for ownCloud/Nextcloud packages because we need it to possibly run transitional updates to ownCloud/Nextcloud versions less than 12. But replace PHP5 packages with PHP7 packages elsewhere. * Update to Nextcloud 12 which requires PHP7, with a transitional upgrade to Nextcloud 11.0.3. * Disable TLS cert validation by Roundcube when connecting to localhost IMAP and SMTP. Validation became the default in PHP7 but we don't necessarily have a (non-self-)signed certificate and it definitely isn't valid for the IP address 127.0.0.1. Merges #1140	2017-07-14 06:48:22 -04:00
Michael Kroes	2c324d0bc9	web_domains should also normalize ipv6 addresses (#1201 )	2017-07-13 07:16:12 -04:00
Joshua Tauberer	2bd6cc4d6b	update to Z-Push 2.3.7	2017-07-10 18:01:21 -04:00
Joshua Tauberer	b11157e0b6	updated to Roundcube 1.3, but unfortunately dropping the vacation plugin Switched to the -complete download which has vendored assets. See https://github.com/mail-in-a-box/mailinabox/pull/1140.	2017-07-10 17:31:59 -04:00
François Deppierraz	46ba62b7b1	Add support for NS records in custom domains (#1177 )	2017-06-11 07:56:30 -04:00
`@@ -1,4 +1,4 @@`
	`#!/usr/bin/python3`	`#!/usr/local/lib/mailinabox/env/bin/python`

	`# Reads in STDIN. If the stream is not empty, mail it to the system administrator.`	`# Reads in STDIN. If the stream is not empty, mail it to the system administrator.`