diff --git a/README.md b/README.md
index 09a44b3ae7e42df0bfb35b1a77bb8b5211ef2843..91f5232afdf56b469c23397714d236031464462b 100644
--- a/README.md
+++ b/README.md
@@ -125,6 +125,7 @@ CNAME | autoconfig.yourdomain.com | mail.yourdomain.com |
CNAME | autodiscover.yourdomain.com | mail.yourdomain.com | -
CNAME | spam.yourdomain.com | mail.yourdomain.com | -
CNAME | welcome.yourdomain.com | mail.yourdomain.com | -
+CNAME | mta-sts.yourdomain.com | mail.yourdomain.com | -
=================================================================================================================================
=================================================================================================================================
diff --git a/config/autodiscover/xml/autodiscover-error.xml.tera b/config/autodiscover/xml/autodiscover-error.xml.tera
new file mode 100644
index 0000000000000000000000000000000000000000..c72a8b71be6b4ec8776bf82149ca8e24f647c028
--- /dev/null
+++ b/config/autodiscover/xml/autodiscover-error.xml.tera
@@ -0,0 +1,10 @@
+
+
+
+
+ 601
+ Provider is not available
+
+
+
+
diff --git a/config/autodiscover/xml/autodiscover-mobilesync.xml.tera b/config/autodiscover/xml/autodiscover-mobilesync.xml.tera
new file mode 100644
index 0000000000000000000000000000000000000000..2578513482095a67a7bd4009e47e05e6e9e7eeae
--- /dev/null
+++ b/config/autodiscover/xml/autodiscover-mobilesync.xml.tera
@@ -0,0 +1,19 @@
+
+
+
+ en:en
+
+ {{ display_name }}
+ {{ email_address }}
+
+
+
+
+ MobileSync
+ https://example.org/TODOmobilesyncURL
+ TODO: Mobile sync name
+
+
+
+
+
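Review bot: The MobileSync block ships placeholder values, `https://example.org/TODOmobilesyncURL` and `TODO: Mobile sync name`, so an ActiveSync-capable client that requests mobilesync is handed a third-party domain it will actually try to contact with the user's credentials. Until a real ActiveSync endpoint exists in this stack, the template should render the same 601 "Provider is not available" response as autodiscover-error.xml.tera rather than a fake URL. If the placeholder has to stay for now, mark it as such in a Tera comment, e.g. `{# TODO: no ActiveSync endpoint in this deployment; return the 601 error instead #}`, so it is not mistaken for a working setting.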
diff --git a/config/autodiscover/xml/autodiscover.xml.tera b/config/autodiscover/xml/autodiscover.xml.tera
new file mode 100644
index 0000000000000000000000000000000000000000..a865d5d04e70c7728f1fe3cfc222ea4899ad1faf
--- /dev/null
+++ b/config/autodiscover/xml/autodiscover.xml.tera
@@ -0,0 +1,32 @@
+
+
+
+
+ email
+ settings
+
+
+ IMAP
+ {{ imap_hostname }}
+ 993
+ on
+ {{ domain }}
+ off
+ on
+ on
+
+
+
+ SMTP
+ {{ smtp_hostname }}
+ 587
+ on
+ {{ domain }}
+ off
+ on
+ on
+
+
+
+
+
diff --git a/config/autodiscover/xml/config-v1.1.xml.tera b/config/autodiscover/xml/config-v1.1.xml.tera
new file mode 100644
index 0000000000000000000000000000000000000000..654db27e5d855556198624cdc43d60930f622471
--- /dev/null
+++ b/config/autodiscover/xml/config-v1.1.xml.tera
@@ -0,0 +1,33 @@
+
+
+
+
+ {{ domain }}
+ {{ display_name }}
+ %EMAILLOCALPART%
+
+
+ {{ imap_hostname }}
+ 993
+ SSL
+ password-cleartext
+ %EMAILADDRESS%
+
+
+ {{ imap_hostname }}
+ 143
+ STARTTLS
+ password-cleartext
+ %EMAILADDRESS%
+
+
+
+ {{ smtp_hostname }}
+ 587
+ STARTTLS
+ password-cleartext
+ %EMAILADDRESS%
+
+
+
+
diff --git a/config/autodiscover/xml/email_mobileconfig.tera b/config/autodiscover/xml/email_mobileconfig.tera
new file mode 100644
index 0000000000000000000000000000000000000000..038d76c6108a0e8039ce5f2ebbf6e75b4f218c1f
--- /dev/null
+++ b/config/autodiscover/xml/email_mobileconfig.tera
@@ -0,0 +1,77 @@
+
+
+
+
+ PayloadContent
+
+
+ EmailAccountDescription
+ {{ display_name }}
+ EmailAccountName
+ {{ display_name }}
+ EmailAccountType
+ EmailTypeIMAP
+ EmailAddress
+ {{ email_address }}
+ IncomingMailServerAuthentication
+ EmailAuthPassword
+ IncomingMailServerHostName
+ {{ imap_hostname }}
+ IncomingMailServerPortNumber
+ 993
+ IncomingMailServerUseSSL
+
+ IncomingMailServerUsername
+ {{ username }}
+ OutgoingMailServerAuthentication
+ EmailAuthPassword
+ OutgoingMailServerHostName
+ {{ smtp_hostname }}
+ OutgoingMailServerPortNumber
+ 587
+ OutgoingMailServerUseSSL
+
+ OutgoingMailServerUsername
+ {{ username }}
+ OutgoingPasswordSameAsIncomingPassword
+
+ PayloadDescription
+ Email account configuration for {{ email_address }}
+ PayloadDisplayName
+ {{ display_name }}
+ PayloadIdentifier
+ {{ domain }}.autoconfig.{{ profile_uuid }}
+ PayloadType
+ com.apple.mail.managed
+ PayloadUUID
+ {{ profile_uuid }}
+ PayloadVersion
+ 1
+ SMIMEEnablePerMessageSwitch
+
+ SMIMEEnabled
+
+ SMIMESigningEnabled
+
+ disableMailRecentsSyncing
+
+
+
+ PayloadDescription
+ Email account configuration for {{ email_address }}
+ PayloadDisplayName
+ {{ display_name }}
+ PayloadIdentifier
+ {{ domain }}.autoconfig.{{ mail_uuid }}
+ PayloadOrganization
+ {{ domain }}
+ PayloadRemovalDisallowed
+
+ PayloadType
+ Configuration
+ PayloadUUID
+ {{ mail_uuid }}
+ PayloadVersion
+ 1
+
+
diff --git a/config/automx/.keep b/config/mta-sts/.well-known/.keep
similarity index 100%
rename from config/automx/.keep
rename to config/mta-sts/.well-known/.keep
diff --git a/scripts/init-repo.sh b/scripts/init-repo.sh
index f7005c9bafe9ac21092b7133df3eafa960a2adb9..c9a865f12cb28fff7e0ac3dc9b1e7ba74d991744 100755
--- a/scripts/init-repo.sh
+++ b/scripts/init-repo.sh
@@ -58,7 +58,7 @@ source /mnt/repo-base/scripts/base.sh
DC_DIR="templates/docker-compose/"
cat "${DC_DIR}docker-compose.yml" > docker-compose.yml
-NUM_CERTIFICATES="3"
+NUM_CERTIFICATES="4"
# To be constructed repo specific
echo "VHOSTS_ACCOUNTS=welcome.$DOMAIN" >> "$ENVFILE"
@@ -73,14 +73,20 @@ echo "VIRTUAL_HOST=$VIRTUAL_HOST" >> "$ENVFILE"
# fill autorenew config
rm -f "/mnt/repo-base/config/letsencrypt/autorenew/ssl-domains.dat"
-echo "$DOMAIN,$VIRTUAL_HOST,mail.$DOMAIN,spam.$DOMAIN,welcome.$DOMAIN" | tr "," "\n" | while read CURDOMAIN; do
+echo "$DOMAIN,$VIRTUAL_HOST,mail.$DOMAIN,spam.$DOMAIN,welcome.$DOMAIN,mta-sts.$DOMAIN" | tr "," "\n" | while read CURDOMAIN; do
echo "$CURDOMAIN" >> config/letsencrypt/autorenew/ssl-domains.dat
:; done
+# Configure autodiscover
+#Generate 2 random UUIDs
+UUID1=$(cat /proc/sys/kernel/random/uuid)
+UUID2=$(cat /proc/sys/kernel/random/uuid)
+echo "AUTODISCOVER_AM_UUID=$UUID1" >> "$ENVFILE"
+echo "AUTODISCOVER_AP_UUID=$UUID2" >> "$ENVFILE"
-# Configure automx
-cat templates/automx/automx.conf | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config/automx/automx.conf"
-chown www-data:www-data "config/automx/automx.conf"
+# Configure MTA-STS
+cat templates/mta-sts/mta-sts.txt | sed "s/@@@SMTP_HOST@@@/mail.$DOMAIN/g" > "config/mta-sts/.well-known/mta-sts.txt"
+chown -R www-data:www-data "config/mta-sts/"
# Configure rspamd whitelist
cat templates/mail/rspamd/ecloud/whitelist.sender.domain.map | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config/mail/rspamd/ecloud/whitelist.sender.domain.map"
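Review bot: The MTA-STS policy is rendered with `mail.$DOMAIN` as the `mx:` value, while the compose service and the upgrade guide derive the same host from `$SMTP_HOST`; if those two ever differ, remote MTAs honouring an `enforce` policy will refuse delivery because the MX name does not match the policy. Using `cat templates/mta-sts/mta-sts.txt | sed "s/@@@SMTP_HOST@@@/$SMTP_HOST/g" > "config/mta-sts/.well-known/mta-sts.txt"` here, as the guide's step does, keeps a single source of truth (presumably SMTP_HOST is exported by base.sh; confirm). The two UUID reads are also unchecked: if `/proc/sys/kernel/random/uuid` is unavailable the env file silently gets empty `AUTODISCOVER_*_UUID` values and every generated Apple profile carries an empty PayloadUUID, so `UUID1=$(cat /proc/sys/kernel/random/uuid) || exit 1` (and the same for UUID2) is worth adding.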
@@ -91,7 +97,7 @@ chown -R 107:109 "config/mail/rspamd/ecloud/"
# Configure nginx vhost
-# automx
+# autodiscover
echo "$DOMAIN,$ADD_DOMAINS" | tr "," "\n" | while read CURDOMAIN; do
cat "templates/nginx/sites-enabled/autoconfig.conf" | sed "s/@@@DOMAIN@@@/$CURDOMAIN/g" | sed "s/@@@SERVICE@@@/autoconfig/g" > "config/nginx/sites-enabled/autoconfig.$CURDOMAIN.conf"
cat "templates/nginx/sites-enabled/autoconfig.conf" | sed "s/@@@DOMAIN@@@/$CURDOMAIN/g" | sed "s/@@@SERVICE@@@/autodiscover/g" > "config/nginx/sites-enabled/autodiscover.$CURDOMAIN.conf"
@@ -102,6 +108,7 @@ cat "templates/nginx/sites-enabled/nextcloud.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN
cat "templates/nginx/sites-enabled/postfixadmin.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config/nginx/sites-enabled/postfixadmin.conf"
cat "templates/nginx/sites-enabled/rspamd.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config/nginx/sites-enabled/rspamd.conf"
cat "templates/nginx/sites-enabled/welcome.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config/nginx/sites-enabled/welcome.conf"
+cat "templates/nginx/sites-enabled/mta-sts.conf" | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config/nginx/sites-enabled/mta-sts.conf"
# confirm DNS is ready
echo ""
@@ -121,7 +128,7 @@ echo "$ADD_DOMAINS" | tr "," "\n" | while read CURDOMAIN; do
:; done
echo "PTR(For reverse DNS),|,,|,mail.$DOMAIN,|,-" >> "$tempfile"
echo ""
-echo "$VIRTUAL_HOST,spam.$DOMAIN,welcome.$DOMAIN" | tr "," "\n" | while read CURDOMAIN; do
+echo "$VIRTUAL_HOST,spam.$DOMAIN,welcome.$DOMAIN,mta-sts.$DOMAIN" | tr "," "\n" | while read CURDOMAIN; do
echo "CNAME,|,$CURDOMAIN,|,mail.$DOMAIN,|,-" >> "$tempfile"
:; done
column "$tempfile" -t -s ","
@@ -162,7 +169,7 @@ echo "NC_HOST_IP=$IP" >> "$ENVFILE"
bash scripts/ssl-renew.sh
# verify LE status
-CTR_LE=$(find config/letsencrypt/certstore/live/mail.$DOMAIN/privkey.pem config/letsencrypt/certstore/live/spam.$DOMAIN/privkey.pem config/letsencrypt/certstore/live/welcome.$DOMAIN/privkey.pem 2>/dev/null| wc -l)
+CTR_LE=$(find config/letsencrypt/certstore/live/mail.$DOMAIN/privkey.pem config/letsencrypt/certstore/live/spam.$DOMAIN/privkey.pem config/letsencrypt/certstore/live/welcome.$DOMAIN/privkey.pem config/letsencrypt/certstore/live/mta-sts.$DOMAIN/privkey.pem 2>/dev/null| wc -l)
CTR_AC_LE=$(echo "$VIRTUAL_HOST" | tr "," "\n" | while read CURDOMAIN; do find config/letsencrypt/certstore/live/$CURDOMAIN/privkey.pem 2>/dev/null | grep $CURDOMAIN && echo found || echo missing; done | grep missing | wc -l)
if [ "$CTR_LE$CTR_AC_LE" = "${NUM_CERTIFICATES}0" ]
diff --git a/scripts/postinstall.sh b/scripts/postinstall.sh
index 115235e047d1567d3efc0ba6cf51a3349d9a0258..8002a8ffd841b4a3d147b530f6870350f23d1558 100755
--- a/scripts/postinstall.sh
+++ b/scripts/postinstall.sh
@@ -51,10 +51,13 @@ docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enabl
docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable selfhost-theme-helper
docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable murena-dashboard
docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable murena_launcher
+docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable drop_account
+docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable bruteforcesettings
+docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable suspicious_login
+docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:enable twofactor_totp
docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:disable firstrunwizard
docker-compose exec -T --user www-data nextcloud php /var/www/html/occ config:app:set snappymail snappymail-autologin-with-email --value 1
docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:install tasks
-docker-compose exec -T --user www-data nextcloud php /var/www/html/occ app:install drop_account
docker-compose exec -T --user www-data nextcloud php /var/www/html/occ config:system:set integrity.check.disabled --value='true' --type=boolean
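Review bot: `app:enable drop_account` replaces the earlier `app:install drop_account`, which only works if the app is bundled in the `selfhost:26-0-8` image; otherwise `app:enable` fails and, because none of these `docker-compose exec` lines are checked, the failure is silent. The same applies to `bruteforcesettings`, `suspicious_login` and `twofactor_totp`, which the upgrade guide enables with `occ -f app:enable` while this script does not pass `-f`; the two paths should use the same form. Note also that `app:enable twofactor_totp` only makes TOTP available to users; if the intent is to require a second factor, `occ twofactorauth:enforce --on` is a separate step that neither this script nor the guide performs.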
@@ -71,7 +74,6 @@ echo "Performing some Nextcloud administrative tasks"
docker-compose exec -T --user www-data nextcloud php /var/www/html/occ db:add-missing-indices
# Set default domain
-docker exec -u www-data nextcloud /var/www/html/occ config:system:set main_domain --value $DOMAIN
docker exec -u www-data nextcloud /var/www/html/occ config:system:set legacy_domain --value $DOMAIN
docker-compose exec -T --user www-data nextcloud php occ maintenance:mode --off
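Review bot: Dropping the `main_domain` set here is not mirrored for existing installs: the upgrade guide's step `docker exec -u www-data nextcloud /var/www/html/occ config:system:set main_domain` runs `config:system:set` with no `--value`, which writes an empty string rather than removing the key. If the intent is that `main_domain` no longer be configured, the guide should use `occ config:system:delete main_domain` so upgraded and fresh installs end up in the same state; whether an empty `main_domain` is harmless is not something this diff shows.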
@@ -173,6 +175,10 @@ find /mnt/repo-base/volumes/mail/dkim/ -maxdepth 1 -mindepth 1 -type d | while r
echo "_dmarc IN TXT 'v=DMARC1;p=reject;sp=reject;pct=100;rua=mailto:postmaster@$DOMAIN;ri=86400;aspf=r;adkim=r;fo=1'"
echo " - SPF record (TXT) for $DOMAIN:"
echo "@ IN TXT 'v=spf1 a ip4:$IP ~all'"
+ echo " - MTA-STS records (TXT) for $DOMAIN:"
+ echo "_smtp._tls IN TXT 'v=TLSRPTv1; rua=mailto:postmaster@'$DOMAIN'"
+ echo "_mta-sts IN TXT 'v=STSv1;id='$(date +%Y%m%d%H)'"
+
done
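Review bot: Both added `echo` lines print a stray single quote inside the DNS record: in `"... 'v=TLSRPTv1; rua=mailto:postmaster@'$DOMAIN'"` the single quotes are literal characters inside a double-quoted string, not shell quoting, so the output is `'v=TLSRPTv1; rua=mailto:postmaster@'example.org'` (and likewise `'v=STSv1;id='2024010112'`, an illustrative timestamp) — the form was copied from the guide, where those quotes sit outside the double quotes. The DMARC line above shows the intended shape: `echo "_smtp._tls IN TXT 'v=TLSRPTv1; rua=mailto:postmaster@$DOMAIN'"` and `echo "_mta-sts IN TXT 'v=STSv1;id=$(date +%Y%m%d%H)'"`. The `id` stamped here only reflects install time; a comment such as `# bump the _mta-sts id whenever mta-sts.txt changes, or senders keep the cached policy` would save the next maintainer a debugging session.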
echo "================================================================================================================================="
diff --git a/templates/automx/automx.conf b/templates/automx/automx.conf
deleted file mode 100644
index 8c69952ab92cde571995fe37195eb272520d70be..0000000000000000000000000000000000000000
--- a/templates/automx/automx.conf
+++ /dev/null
@@ -1,56 +0,0 @@
-# file: /etc/automx.conf
-
-[automx]
-provider = @@@DOMAIN@@@
-domains = *
-
-#debug = yes
-#logfile = /var/log/automx/automx.log
-
-# Protect against DoS
-#memcache = 127.0.0.1:11211
-#memcache_ttl = 600
-#client_error_limit = 20
-#rate_limit_exception_networks = 127.0.0.0/8, ::1/128
-
-# The DEFAULT section is always merged into each other section. Each section
-# can overwrite settings done here.
-[DEFAULT]
-account_type = email
-account_name = %s
-account_name_short = %s
-
-
-# If a domain is listed in the automx section, it may have its own section. If
-# none is found here, the global section is used.
-[global]
-backend = static
-action = settings
-
-
-# If you want to sign mobileconfig profiles, enable these options. Make sure
-# that your webserver has proper privileges to read the key. The cert file
-# must contain the server certificate and all intermediate certificates. You
-# can simply concatenate these certificates.
-#sign_mobileconfig = yes
-#sign_cert = /certs/autodiscover.eelo.io.crt
-#sign_key = /certs/autodiscover.eelo.io.key
-
-smtp = yes
-smtp_server = mail.@@@DOMAIN@@@
-smtp_port = 587
-smtp_encryption = starttls
-smtp_auth = plaintext
-smtp_auth_identity = %s
-smtp_refresh_ttl = 6
-smtp_default = yes
-
-imap = yes
-imap_server = mail.@@@DOMAIN@@@
-imap_port = 993
-imap_encryption = ssl
-imap_auth = plaintext
-imap_auth_identity = %s
-imap_refresh_ttl = 6
-
-pop = no
diff --git a/templates/docker-compose/docker-compose.yml b/templates/docker-compose/docker-compose.yml
index 8a37e6d28a2258e3f5c3dc9625c5c8e55a97c66a..15a734e40c74806131dccbde4ae98cdca7455a2f 100644
--- a/templates/docker-compose/docker-compose.yml
+++ b/templates/docker-compose/docker-compose.yml
@@ -2,7 +2,7 @@ version: '3'
services:
mailserver:
- image: mailserver2/mailserver:1.1.14
+ image: mailserver2/mailserver:1.1.16
container_name: mailserver
domainname: ${DOMAIN} # Mail server A/MX/FQDN & reverse PTR = mail.${DOMAIN}.
hostname: mail
@@ -13,7 +13,7 @@ services:
- "25:25" # SMTP - Required
- "110:110" # POP3 STARTTLS - Optional - For webmails/desktop clients
- "143:143" # IMAP STARTTLS - Optional - For webmails/desktop clients
- # - "465:465" # SMTPS SSL/TLS - Optional - Enabled for compatibility reason, otherwise disabled
+ # - "465:465" # SMTPS SSL/TLS - Optional - Enabled for compatibility reason, otherwise disabled
- "587:587" # Submission STARTTLS - Optional - For webmails/desktop clients
- "993:993" # IMAPS SSL/TLS - Optional - For webmails/desktop clients
- "995:995" # POP3S SSL/TLS - Optional - For webmails/desktop clients
@@ -80,6 +80,7 @@ services:
volumes:
- /mnt/repo-base/volumes/mysql/db/data:/var/lib/mysql
- /mnt/repo-base/config/mariadb/:/etc/mysql/conf.d/:ro
+
redis:
image: redis:6.2-alpine
container_name: redis
@@ -127,7 +128,7 @@ services:
- "mail.${DOMAIN}:${NC_HOST_IP}"
nextcloud:
- image: registry.gitlab.e.foundation/e/infra/ecloud/nextcloud/selfhost:25-0-8-19
+ image: registry.gitlab.e.foundation/e/infra/ecloud/nextcloud/selfhost:26-0-8
container_name: nextcloud
restart: always
networks:
@@ -153,19 +154,23 @@ services:
- mariadb
- redis
- automx:
- image: registry.gitlab.e.foundation/e/infra/docker-mailstack:automx-0.1.0
- container_name: automx
- hostname: automx
- environment:
- - VIRTUAL_HOST=${VIRTUAL_HOST}
- - DOMAIN=${DOMAIN}
- - HOSTNAME=automx
+ mail-autodiscover-autoconfig:
+ image: wdes/mail-autodiscover-autoconfig:latest
+ container_name: mail-autodiscover-autoconfig
restart: always
networks:
- default
+ environment:
+ ROCKET_PROFILE: production
+ ROCKET_ADDRESS: "0.0.0.0"
+ ROCKET_PORT: "80"
+ APPLE_MAIL_UUID: ${AUTODISCOVER_AM_UUID}
+ APPLE_PROFILE_UUID: ${AUTODISCOVER_AP_UUID}
+ IMAP_HOSTNAME: ${SMTP_HOST}
+ POP_HOSTNAME: ${SMTP_HOST}
+ SMTP_HOSTNAME: ${SMTP_HOST}
volumes:
- - /mnt/repo-base/config/automx/automx.conf:/etc/automx.conf
+ - /mnt/repo-base/config/autodiscover/xml:/usr/lib/mail-autodiscover-autoconfig/templates/xml
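Review bot: `image: wdes/mail-autodiscover-autoconfig:latest` is the only unpinned image in this file; every other service uses an explicit version tag, and the guide's `docker-compose pull` step would pick up whatever upstream publishes next, including a changed template layout under `/usr/lib/mail-autodiscover-autoconfig/templates/xml` that the bind mount relies on. This container answers every autodiscover/autoconfig request nginx proxies to it, i.e. it tells mail clients which hosts to send credentials to, so a silently swapped image is a supply-chain exposure. Pin it to a release tag or an `@sha256:` digest taken from the upstream registry, e.g. `image: wdes/mail-autodiscover-autoconfig:<pinned-version>`.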
nginx:
image: nginx:stable-alpine
@@ -183,9 +188,10 @@ services:
- /mnt/repo-base/config/nginx/passwds:/passwds
- /mnt/repo-base/config/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge
- /mnt/repo-base/volumes/nextcloud/html:/var/www/html
+ - /mnt/repo-base/config/mta-sts:/var/www/mta-sts
depends_on:
- nextcloud
- - automx
+ - mail-autodiscover-autoconfig
- postfixadmin
- welcome
- mailserver
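Review bot: The new `- /mnt/repo-base/config/mta-sts:/var/www/mta-sts` mount is read-write although nginx only serves the policy statically; the mariadb config mount in this file already uses the `:ro` form. Making it `- /mnt/repo-base/config/mta-sts:/var/www/mta-sts:ro` means a compromise of the nginx container cannot rewrite the published MTA-STS policy (e.g. change `mx:` or `mode:`), which is the one file remote MTAs trust for this domain's transport security.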
diff --git a/templates/mta-sts/mta-sts.txt b/templates/mta-sts/mta-sts.txt
new file mode 100644
index 0000000000000000000000000000000000000000..fd8358038299b5e1f607640a84ffdca16739cb24
--- /dev/null
+++ b/templates/mta-sts/mta-sts.txt
@@ -0,0 +1,4 @@
+version: STSv1
+mode: enforce
+max_age: 10368000
+mx: @@@SMTP_HOST@@@
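Review bot: `mode: enforce` together with `max_age: 10368000` (120 days) is published from the very first deployment, before the operator has confirmed that the MX presents a certificate valid for the `mx:` host on port 25; if that is wrong, remote MTAs honouring the policy refuse delivery for as long as they cache it. The usual rollout is `mode: testing` with the TLSRPT record already in DNS, then switching to `enforce` once reports are clean, and the `_mta-sts` `id` must be bumped at that switch so senders refetch. The policy format has no comment syntax, so this rollout guidance belongs in the upgrade guide and the init-repo comment block rather than in this file.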
diff --git a/templates/nginx/sites-enabled/autoconfig.conf b/templates/nginx/sites-enabled/autoconfig.conf
index 9be565284f780649651260925c1d3097bb9a81c3..a590f5295c0d7e9d3309ba45b00a062fdc673574 100644
--- a/templates/nginx/sites-enabled/autoconfig.conf
+++ b/templates/nginx/sites-enabled/autoconfig.conf
@@ -26,7 +26,7 @@ server {
#auth_basic_user_file /passwds/.htpasswd;
location / {
- proxy_pass http://automx:80;
+ proxy_pass http://mail-autodiscover-autoconfig:80;
include /etc/nginx/params/proxy_params;
}
}
diff --git a/templates/nginx/sites-enabled/mta-sts.conf b/templates/nginx/sites-enabled/mta-sts.conf
new file mode 100644
index 0000000000000000000000000000000000000000..a3110a785ab029760e734575b9b237f66377566e
--- /dev/null
+++ b/templates/nginx/sites-enabled/mta-sts.conf
@@ -0,0 +1,12 @@
+server {
+ listen 4430 ssl http2;
+ server_name mta-sts.@@@DOMAIN@@@;
+
+ ssl_certificate /certs/live/mta-sts.@@@DOMAIN@@@/fullchain.pem;
+ ssl_certificate_key /certs/live/mta-sts.@@@DOMAIN@@@/privkey.pem;
+
+ include /etc/nginx/params/ssl_params;
+ include /etc/nginx/params/headers_params;
+
+ root /var/www/mta-sts;
+}
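Review bot: The server block serves the whole `/var/www/mta-sts` root rather than only the policy file, so anything placed under `config/mta-sts/` (the `.well-known/.keep` file today, any future file) is exposed on the MTA-STS hostname. Restricting to the one path the protocol needs is a two-line change: `location = /.well-known/mta-sts.txt { default_type text/plain; }` and `location / { return 404; }`. The policy must be served as `text/plain`; the `.txt` suffix normally gives that via mime.types, but the explicit `default_type` removes the dependency.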
diff --git a/templates/nginx/sites-enabled/nextcloud.conf b/templates/nginx/sites-enabled/nextcloud.conf
index ab4d31dba09549f74b7b2d508f678486911670f9..22525091c28c48bbc15a225d421cdddb6825f890 100644
--- a/templates/nginx/sites-enabled/nextcloud.conf
+++ b/templates/nginx/sites-enabled/nextcloud.conf
@@ -80,7 +80,7 @@ server {
deny all;
}
- location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy)\.php(?:$|/) {
+ location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|.+/richdocumentscode/proxy)\.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
@@ -95,7 +95,7 @@ server {
fastcgi_request_buffering off;
}
- location ~ ^/(?:updater|oc[ms]-provider)(?:$|/) {
+ location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
diff --git a/templates/rainloop/application.ini b/templates/rainloop/application.ini
deleted file mode 100644
index 486ec0c66030c0f43467b56ee858e71bc67941b2..0000000000000000000000000000000000000000
--- a/templates/rainloop/application.ini
+++ /dev/null
@@ -1,7 +0,0 @@
-[webmail]
-title = "Email - /e/"
-theme = "Clear"
-
-[login]
-default_domain = "@@@DOMAIN@@@"
-
diff --git a/templates/rainloop/domain-config.ini b/templates/rainloop/domain-config.ini
deleted file mode 100644
index 179cbc3bf63fc8a5bcbcef3370c9c94d9b518f31..0000000000000000000000000000000000000000
--- a/templates/rainloop/domain-config.ini
+++ /dev/null
@@ -1,16 +0,0 @@
-imap_host = "mailserver"
-imap_port = 993
-imap_secure = "SSL"
-imap_short_login = Off
-sieve_use = Off
-sieve_allow_raw = Off
-sieve_host = "mailserver"
-sieve_port = 4190
-sieve_secure = "TLS"
-smtp_host = "mailserver"
-smtp_port = 587
-smtp_secure = "TLS"
-smtp_short_login = Off
-smtp_auth = On
-smtp_php_mail = Off
-white_list = ""
diff --git a/upgrade-guides/upgrade-to-26.0.8.23.md b/upgrade-guides/upgrade-to-26.0.8.23.md
new file mode 100644
index 0000000000000000000000000000000000000000..65aee6376bc426b848a38ead4fc272011932cb95
--- /dev/null
+++ b/upgrade-guides/upgrade-to-26.0.8.23.md
@@ -0,0 +1,93 @@
+# To upgrade from ecloud 25.0.8.19 to 26.0.8.23
+
+
+- As usual, upgrade your OS with latest patchs, optionally take backup/snapshot
+ - NB: you may want to filter out incomming email (TCP 25 & 587) during this upgrade, to avoid losing any messages in case of a rollback
+
+- Go to `/mnt/repo_base`, then run:
+ - `docker-compose stop`
+ - `git pull origin master`
+
+- Please make sure that all changes from https://gitlab.e.foundation/e/infra/ecloud-selfhosting/-/merge_requests/95/diffs are pulled.
+
+- In your `docker-compose.yml` file update the following:
+ - Set the nextcloud image to `registry.gitlab.e.foundation/e/infra/ecloud/nextcloud/selfhost:26-0-8`
+ - Set the mailserver image to `mailserver2/mailserver:1.1.16`
+ - In the `nginx:` service, `depends_on:` section, replace `- automx` with `- mail-autodiscover-autoconfig`
+ - Replace the whole `automx:` service with:
+```
+ mail-autodiscover-autoconfig:
+ image: wdes/mail-autodiscover-autoconfig:latest
+ container_name: mail-autodiscover-autoconfig
+ restart: always
+ networks:
+ - default
+ environment:
+ ROCKET_PROFILE: production
+ ROCKET_ADDRESS: "0.0.0.0"
+ ROCKET_PORT: "80"
+ APPLE_MAIL_UUID: ${AUTODISCOVER_AM_UUID}
+ APPLE_PROFILE_UUID: ${AUTODISCOVER_AP_UUID}
+ IMAP_HOSTNAME: ${SMTP_HOST}
+ POP_HOSTNAME: ${SMTP_HOST}
+ SMTP_HOSTNAME: ${SMTP_HOST}
+ volumes:
+ - /mnt/repo-base/config/autodiscover/xml:/usr/lib/mail-autodiscover-autoconfig/templates/xml
+
+```
+ - Add this line to `nginx:` service, `volumes:` section:
+```
+ - /mnt/repo-base/config/mta-sts:/var/www/mta-sts
+```
+
+- Run:
+ - `. scripts/base.sh`
+
+- In you DNS zone, add the records generated by the following commands:
+ - `echo "_smtp._tls.$DOMAIN TXT" '"v=TLSRPTv1; rua=mailto:postmaster@'$DOMAIN'"'`
+ - `echo "_mta-sts.$DOMAIN" TXT '"v=STSv1;id='$(date +%Y%m%d%H)'"'`
+ - `echo "mta-sts.$DOMAIN CNAME mail.$DOMAIN"`
+
+- Run:
+ - `rm -rf config/automx/`
+ - `echo "AUTODISCOVER_AM_UUID=$(cat /proc/sys/kernel/random/uuid)" >> "$ENVFILE"`
+ - `echo "AUTODISCOVER_AP_UUID=$(cat /proc/sys/kernel/random/uuid)" >> "$ENVFILE"`
+ - `cat templates/mta-sts/mta-sts.txt | sed "s/@@@SMTP_HOST@@@/$SMTP_HOST/g" > "config/mta-sts/.well-known/mta-sts.txt"`
+ - `chown -R www-data:www-data "config/mta-sts/"`
+ - `cat templates/nginx/sites-enabled/mta-sts.conf | sed "s/@@@DOMAIN@@@/$DOMAIN/g" > "config/nginx/sites-enabled/mta-sts.conf"`
+ - `echo "mta-sts.$DOMAIN" >> config/letsencrypt/autorenew/ssl-domains.dat`
+ - `bash scripts/ssl-renew.sh`
+
+- In your `config/nginx/sites-enabled/nextcloud.conf` file change the following:
+ - replace all occurences of `oc[ms]-provider` with `ocs-provider` (2 occurences, lines 83 & 98) (reference: https://github.com/nextcloud/server/issues/40803#issuecomment-1751717926)
+
+- In your `config/nginx/sites-enabled/autoconfig.$DOMAIN.conf` and `config/nginx/sites-enabled/autodiscover.$DOMAIN.conf` files change the following:
+ - replace `proxy_pass http://automx:80;` with `proxy_pass http://mail-autodiscover-autoconfig:80;`
+
+- Run `docker-compose pull`
+- If pulls are OK, run `docker-compose up -d`
+
+- Examine `docker-compose logs --tail=500 nextcloud` for the following messages:
+ - `nextcloud | Upgrading nextcloud from x.x.x.x ...` (x.x.x.x is your previous Nextcloud version)
+ - `nextcloud | Update successful`
+
+- Run:
+ - `docker-compose exec -T --user www-data nextcloud php occ db:add-missing-indices`
+ - `docker exec -u www-data nextcloud /var/www/html/occ -f app:enable bruteforcesettings`
+ - `docker exec -u www-data nextcloud /var/www/html/occ -f app:enable suspicious_login`
+ - `docker exec -u www-data nextcloud /var/www/html/occ -f app:enable twofactor_totp`
+ - `docker exec -u www-data nextcloud /var/www/html/occ -f app:enable user_backend_sql_raw`
+ - `docker exec -u www-data nextcloud /var/www/html/occ config:system:set main_domain`
+
+- Check all settings subsections starting from `/settings/admin/overview` while logged in with the admin user account to identify any issues found post upgrade
+
+- Check your new MTA-STS:
+ - On your server, launch: `docker logs --details --timestamps --since 10m --follow nginx`
+ - Check you server with: https://www.hardenize.com/
+ - You should see a line like `GET /.well-known/mta-sts.txt HTTP/1.1" 200 65 "-" "curl/7.54" "-"` in your log
+ - Check Hardenize report about MTA-STS
+ - Exit log viewer with Ctrl+C
+
+- Examine Docker situation with `docker ps` and `docker images`
+ - If everything is OK (all needed containers running), you can cleanup with `docker system prune -a`
+